Wednesday 17 May 2017

Ransomware Protection Test - April 2017

During the last decade, ransomware (cryptolockers) has shown sustained growth, which can be explained by an effective business model built on an anonymous payment system (Bitcoin) and an anonymous network (TOR). Together these let attackers remain untraceable and unpunished in their criminal activities.

In this regard, antiviruses and backup solutions are meant to protect you against ransomware and to eliminate the consequences of an infection. However, based on our incident investigation experience, most ransomware infections in organizations happened with an antivirus installed and turned on. This can be explained by the fact that new ransomware variants employ polymorphic encryption with code obfuscation [1], broken PE headers [2], and scripting languages [3, 4]. All of these help attackers bypass signature-based antivirus protection, leaving behavior blockers and anti-ransomware solutions as the remaining line of defense. Therefore, it is essential to test security solutions by simulating real-world ransomware attacks.

First, we tried the RanSim ransomware simulation software made by KnowBe4 [5] to verify whether an antivirus can block a ransomware attack. However, RanSim has several limitations. The most significant is that antiviruses block the RanSim executables outright, using simple blacklists, before the actual test scenarios are run. The question then arises of how to get past antivirus signature protection so that the ransomware test scenarios exercise only the antivirus behavior blocker or anti-ransomware protection.

To solve the problem of testing anti-ransomware solutions, we looked into successful real-world ransomware attacks to find out which techniques help malware go unnoticed. As a result, we created a ransomware testing framework called NioCryptoSim [6], written mostly in Python. The test suite includes three false positive tests and 15 tests simulating the basic cryptolocker functions, as well as complete models imitating the behavior of some real-world ransomware.

Using the NioCryptoSim testing framework, we tested 22 top antiviruses and one backup solution with an anti-ransomware component (from Acronis).

See the full report at the link.

Monday 15 May 2017

WannaCry 2.0: Indicators of Compromise

WannaCry (WannaCryptor) is becoming probably the most notorious cryptolocker in the history of ransomware. It offers nothing new in terms of file encryption (RSA + AES using the MS CryptoAPI), but it uses the MS17-010 vulnerability (a.k.a. ETERNALBLUE, as named by the NSA) to propagate itself through local networks over the Server Message Block (SMB) protocol as a network worm, resulting in thousands of infections of Windows machines that had not yet been patched.

Tuesday 2 May 2017

Targeted attack against the Ukrainian military

One more targeted attack against Ukraine used spear phishing to deliver the DarkTrack backdoor through a fake directive purportedly issued by the Minister of Defense of Ukraine. The target was a CERT in the military domain.