WHITE PAPER / EFFECTIVE RANSOMWARE RESPONSES

CONTENTS

Preface (page 3)
About Ransomware (page 4)
Damage by Ransomware (page 4)
  Encryption of corporate and personal documents and data (page 5)
  Secondary and tertiary damage (encryption of file servers) (page 5)
  Disclosure of confidential or proprietary information during restoration attempts (page 5)
Severity of Ransomware (page 5)
Ransomware Response Part 1: Identify Attack Mechanisms (page 6)
  Infection via web (page 6)
  Infection via email (page 8)
Ransomware Response Part 2: Implement Expert Security Solutions (page 9)
  Email security solution (page 9)
  Network security solution (page 10)
Why FireEye Works (page 12)
Conclusion (page 12)

PREFACE

The M-Trends 2016 Annual Threat Report[1] indicates that Mandiant investigators responded more often to clients dealing with digital blackmail schemes. Most cases cited impacts to either the confidentiality or availability of data. Targeted organizations were threatened with the public release of sensitive data, while targets of opportunity were typically infected with commodity ransomware such as TorrentLocker or CryptoWall. In a particularly high-profile case, the Hollywood Presbyterian Medical Center in Los Angeles was attacked on February 5, 2016.[2] This hospital lost access to electronic patient records and email, and its business operations and administrative functions were significantly affected, causing the hospital to reportedly pay a ransom equivalent to approximately 17,000.

Ransomware operators have infected victims worldwide using their native languages. This type of malware has primarily affected Windows operating systems, but in recent years ransomware has been developed to affect other operating systems, such as Android (Simplocker)[3] and Mac OS X (KeRanger).[4] Organizations have a pressing reason to exercise caution against ransomware due to its expanding and widespread distribution and popularity[5] among malicious actors.

[1] Mandiant, a FireEye company. "M-Trends 2016." February 2016.
[2] Los Angeles Times. "Hollywood hospital pays 17,000 in bitcoin to hackers; FBI investigating." February 18,
[3] "ESET Analyzes Simplocker – First Android File-Encrypting, TOR-enabled Ransomware." June 4,
[4] "New Mac ransomware appears: KeRanger, spread via Transmission app." March 7,
[5] "The Growing Threat of Ransomware." April 13, 2016.

About Ransomware

The impact of ransomware is immediate, compared to stealthier malware used in advanced attacks.

Ransomware is a type of malware that renders the victim's computer or specific files unusable or unreadable, and demands a ransom from the victim in return for a cryptographic key which can be used to restore the computer or decrypt the encrypted files.

Once it infects a target system, modern ransomware encrypts a targeted group of critical files, making them unavailable to the user. It then displays instructions for the payment required to restore access to the files. Online virtual currencies such as PayPal and Bitcoin are preferred methods of payment because they are not easily traceable.

The impact of ransomware is immediate, compared to stealthier malware such as that used in advanced threat attacks. There is growing concern about the complex effects of ransomware on organizations, which include monetary damage and business downtime.

Damage by Ransomware

There are three main types of damage caused by ransomware.

FIGURE 1. TYPES OF DAMAGE CAUSED BY RANSOMWARE. [Diagram: (1) Encryption of corporate and personal documents and data: ransomware is introduced to the primary victim's PC via routes including web exploits and spam mail from the Internet, and encrypts corporate/personal documents/data. (2) Secondary and tertiary damage (encryption of file servers): file servers, corporate shared servers and shared PCs are exposed to secondary/tertiary damage via network drives, etc. (3) Disclosure of information during restoration attempts: confidential documents could get leaked, for example to a competitor, via file decryption service providers.]

Encryption of corporate and personal documents and data

Ransomware encrypts important documents and data on a system to render them inaccessible to an organization or individual. Since the encrypted files cannot be restored with off-the-shelf security solutions, the victim must either pay the ransom to the attacker or use pre-existing backups to restore the files. In limited cases, flaws in a ransomware family's encryption implementation can also be identified and used to recover data. However, many popular ransomware families only encrypt files after receiving a response or public RSA key from the attacker's command and control server. This trend means that blocking command and control server traffic may prevent encryption.

In many cases, complete recovery is nearly impossible without the attacker's decryption key. Once a computer gets infected with ransomware, damage is almost always instantaneous and unavoidable because data on that computer is, at least temporarily, unusable.

Secondary and tertiary damage

Ransomware can cause secondary or tertiary damage through equipment such as file servers or network share devices. If the initial victim's computer is connected to such devices, the ransomware will often encrypt the entire shared resource.

In ransomware campaigns, malicious actors can spread ransomware to new victims within infected organizations. Popular tools used to download ransomware also steal email credentials, and attackers use compromised email accounts to further distribute ransomware.

Through these two proliferation mechanisms, a single infected PC can introduce ransomware to an entire enterprise and cause significant damage.

Disclosure of confidential or proprietary information during restoration attempts

Malicious actors may try to steal data from (or otherwise abuse) systems that have been affected by ransomware. In multiple cases, threat actors have been observed deploying ransomware alongside capabilities that steal data. Infections with fraud-enabling malware often serve as a foothold for the attacker to perform a variety of monetization actions.

Severity of Ransomware

The volume and variety of ransomware is growing and causing more damage. Attackers are also becoming more flagrant, threatening to corrupt confidential files or publish them online if the ransom is not paid by a specified time.

FireEye regularly identifies and announces the discovery of new variations of ransomware. FireEye Threat Intelligence has observed ransomware such as CryptoWall generate illegal gains of 1 million over a six-month period in 2015. FireEye also estimates that the TeslaCrypt hackers took home 76,522 USD between Feb. 7 and Apr. 28, 2015.

Five examples of ransomware variations FireEye detects:

- CryptoWall – Appearing a few months after the discovery of CryptoLocker, CryptoWall showed behaviors similar to CryptoLocker. During six months in 2014, the ransomware earned an estimated 1 million.
- CTB-Locker – First discovered in 2014, CTB-Locker distinguished itself from peers at that time through features such as a Tor-based control server and auto-generated Bitcoin addresses unique to each victim. The ransomware continues to be sold to cyber criminals.
- TorrentLocker – Emerged in 2014 following the takedown of CryptoLocker and is likely linked to the same actors.
- Locky – Began spreading in early 2016 using the same mass distribution channels as the Dridex credential theft malware.
- TeslaCrypt – First discovered in Feb. 2015, this ransomware encrypts various types of files, including those of online games. The malware uses multiple tactics to reduce victims' chances of blocking or easily remediating infections. These include encrypting files regardless of whether a connection to the control server can be established, and deleting local "shadow copies" that can be used for data or system recovery.

Cyber attacks that use ransomware are expected to increase in the next few years. They are fairly easy to deploy even for novice computer users worldwide.

Ransomware Response Strategy 1: Identify Attack Mechanisms

There is no single solution to the increasing threat of ransomware. The victim typically either pays the ransom and hopes the problem stops there or risks significant business disruption while they attempt to self-recover.

Paying attackers for decryption is not a real solution. Paying them not only creates a financial burden on the victim organization but also directly rewards attackers with money and motivation for further attacks. Law enforcement agencies make no recommendations when it comes to dealing with a ransomware demand. Instead, their advice emphasizes prevention and contingency planning.[6]

Generally speaking, preventing ransomware infections requires updating the OS and application programs to the latest versions and exercising caution when accessing news, advertisement and other websites with security loopholes. Enhancing email security to block phishing emails can stop many attacks before they occur. In the event of an infection, regular backups can help mitigate damage and accelerate recovery time.

Organizations should intensify efforts to identify the exact intrusion mechanisms of ransomware and implement expert security solutions that could protect critical corporate information from ransomware attacks. A sound security strategy must thoroughly analyze the attack mechanisms of ransomware and assess security measures that could mitigate ransomware damage.

Ransomware is introduced through two main paths: web and email.

Infection via web

Ransomware can attack through websites with exploits. This often occurs with a "drive-by download" exploit kit that takes advantage of vulnerabilities present in major web browsers or applications. The attacker infects a legitimate website or hacks an advertising network to insert code that redirects the victim to another website that hosts an exploit kit. Exploit kits such as Angler and RIG detect vulnerable software such as older versions of Java or Flash on the visitor's computer. They then lure the visitor to download and run the malicious payload. Once the visitor's computer is infected, the ransomware connects to a command and control server that allows the attacker to collect valuable information.

[6] "Ransomware on the Rise." January 20, 2015.

FIGURE 2. HOW RANSOMWARE INFECTS VICTIMS VIA THE WEB. [Diagram: user -> normal webpage -> landing page -> exploit page -> malicious code distribution source -> callback server. Encrypted malicious code is introduced; activated malicious code triggers the callback. Infection using web exploit: infection involves multiple levels of exploits; the ransomware is introduced in encrypted format; once infected, the infection information is sent to the command and control server.]

In the case of web-based infections, the exact infection path cannot be identified without analyzing the multi-level flow that redirects the user from a normal website to the malicious code distribution source. Malware can go undetected by ordinary security software because it is introduced to the victim's computer in encrypted format.

Behavior-based analysis is needed to identify the encrypted malicious code. To minimize damage, connections to the command and control server must be blocked so additional malicious code is not received and sensitive information is not sent out.

Four activities can help effectively mitigate the damage caused by ransomware introduced via the web:

- A thorough analysis of the entire infection process, from the normal website that the user accessed first, to the redirected page and the site of final infection.
- Disabling execution of scripts running in the browser.
- Behavior-based analysis of the malicious code to determine its actual maliciousness and system infection indicators.
- Blocking access to the command and control server.

Ransomware damage can be minimized if any of these four activities are implemented successfully.

Infection via email

Ransomware can also infect systems via email. In fact, most reported ransomware infections were introduced via email. According to a report by the Cyber Threat Alliance (CTA),[7] CryptoWall 3.0, which caused 325 million in damage worldwide, was distributed through phishing attacks via email (67.3%) and exploit kits (30.7%).

When introduced via email, ransomware is delivered through attachments such as compressed files, document files and HTML files, or through links in the email message or a document attachment. Attackers often get the user to execute the file or click on the link through social engineering techniques rather than system vulnerabilities.

Behavior-based analysis is effective against email-delivered ransomware. Behavior analysis makes it possible to proactively block avenues of attack to minimize damage or infection.

FIGURE 3. HOW RANSOMWARE INFECTS VICTIMS VIA EMAIL. [Diagram: ransomware distributor -> user -> callback server; activated malicious code triggers the callback. Infection using email: infection attempts using file attachments, malicious links, etc.; infection attempts using various file types; getting the user to activate code using social engineering techniques.]

[7] Cyber Threat Alliance. "Lucrative Ransomware Attacks: Analysis of the Cryptowall Version 3 Threat." October 2015.

Ransomware Response Strategy 2: Implement Advanced Security Solutions

Security firms are quickly launching solutions designed to fight the increasing impact of ransomware. However, many "best of" solutions[8] focus on file backups or detecting specific strains of ransomware. They generally do not provide clear information on how attacks find their way to a target's computer, or how to effectively block the attacks.

FireEye security solutions provide visibility over the ransomware attack process. They present a security strategy for effective response based on the ransomware's intrusion path (web or email).

Email security is the first line of defense

An email security solution detects and blocks ransomware that is distributed through email attachments and embedded malicious links.

The majority of ransomware enters an organization using email as a vehicle, usually in the form of spear phishing. Spear phishing is one of the preferred attack strategies because it is difficult to detect. Its reliance on social engineering gives it a high rate of success – it can fool even security professionals and high-level technology managers. All it takes is one email to activate ransomware and lock valuable assets.

FireEye email security solutions can block these malicious emails by executing and analyzing suspicious email file attachments and inline URLs. FireEye Email Security can be implemented either on premise with EX Series appliances, or via the cloud with Email Threat Protection Cloud (ETP). When the FireEye email security solutions are deployed inline to SMTP traffic, they can automatically detect and block ransomware before it reaches the end user, preventing malicious data encryption. (Fig. 8)

FIGURE 8. HOW FIREEYE EMAIL SECURITY DETECTS AND BLOCKS EMAIL-BASED RANSOMWARE ATTACKS. [Diagram: ransomware distributor -> anti-spam -> FireEye Email Security appliance (MTA mode) -> user; further command and control access to the callback server is prevented by blocking the introduction of the ransomware.]

[8] Techworld. "The 7 best ransomware removal tools – how to clean up Cryptolocker, CryptoWall and extortion malware." October 8, 2015.

Network security stops the spread

A network security solution identifies the distribution and infection path of ransomware and blocks the ransomware to minimize damage.

FIGURE 4. HOW FIREEYE NETWORK SECURITY DETECTS AND BLOCKS WEB-BASED RANSOMWARE ATTACKS. [Diagram: user -> normal webpage -> landing page -> exploit page -> malicious code distribution source -> callback server, with the FireEye Network Security appliance observing the exploit execution multi-flow; encrypted malicious code is introduced and activated malicious code triggers the callback.]

Web-based ransomware attacks can be prevented by accurately identifying distribution sites spreading ransomware and blocking them. (Fig. 4)

Ransomware intrusion involves three main stages: initial infection, file encryption and command and control server access.

Initial infection

In this stage, the victim is redirected from a normal webpage to the malicious code distribution site and then the exploit is activated. The overall web flow must be analyzed to identify and block the distribution site.

FireEye network security solutions can identify the attack process attempted over web traffic. This allows organizations to know which websites are used as ransomware distribution sites and apply active blocking policies.

In a recent case, users who searched for the keywords 'Park Byeong-ho posting' and accessed certain online news pages on a Korean portal were redirected to exploit sites, where their computers became infected with ransomware. Customers using FireEye network security solutions had correctly identified initial infection attempts. FireEye followed through with the following recommendations and actions. First, customers were to block the exploit landing page address and the online news site if they were not associated with business. This would prevent additional host compromise by the ransomware. FireEye summarized and shared indicators of compromise (IOCs) for the ransomware with customers to investigate the possibility of additional compromise. Finally, to prevent web-based exploits, targeted companies were to update all their web technologies (Flash, Java, Silverlight and others) to the latest versions.

File encryption

In this stage, ransomware-infected systems may begin to exhibit unusual behavior. If the ransomware managed to avoid detection during initial infection but is detected in this stage, FireEye network security solutions perform a detailed analysis of the malicious code and use indicators of compromise to block the ransomware, establish response measures and identify infected hosts. For example, if ransomware demonstrates the ability to disable the Windows restoration feature or encrypts files, the FireEye solution analyzes those behaviors and provides detailed trace indicators to the user. This not only helps detect the same attack against other users, but may prevent the spread of ransomware throughout connected systems.

Command and control server access

In this stage, the ransomware sends infection information to command and control servers or receives encryption key values from them. FireEye network security solutions detect and block access to command and control servers. If ransomware cannot communicate with its command and control servers, it cannot encrypt files or cause other types of damage.

FIGURE 5. EXAMPLE: HOW FIREEYE NETWORK SECURITY COMBATS WEB-BASED RANSOMWARE ATTACKS. [Diagram: searching specific keywords on a web portal -> accessing an online news article -> redirection to the exploit page and exploit execution -> malicious code distribution site.]
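The file encryption and command and control stages above are where behavior-based indicators appear on the infected host itself. As an added example (not FireEye's MVX engine or any FireEye code), the following Python triages constructed endpoint telemetry for the three behaviors the text names: mass renaming of documents to a new extension, deletion of the local "shadow copies" used for recovery, and a connection to a command and control host. The event format, process names, paths, host names and thresholds are all assumptions.

```python
# Added example (not FireEye code): behaviour-based triage of the "file encryption"
# and "command and control" stages from endpoint telemetry. The event format, process
# names, paths and host names are constructed; the thresholds are assumptions to tune.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

# Constructed telemetry: one process phones home, then renames two dozen documents
# to a new extension within seconds and removes shadow copies via a child process;
# an ordinary editor rename is mixed in as benign noise.
EVENTS: List[Dict] = [
    {"ts": "2016-03-01T09:13:00", "pid": 4242, "image": "invoice_scan.exe",
     "type": "net_connect", "detail": "c2.example.org:443"},
    *[{"ts": f"2016-03-01T09:13:{i:02d}", "pid": 4242, "image": "invoice_scan.exe",
       "type": "file_rename",
       "detail": f"C:\\Users\\alice\\Documents\\report{i}.docx -> report{i}.docx.locked"}
      for i in range(1, 25)],
    {"ts": "2016-03-01T09:13:30", "pid": 4243, "ppid": 4242, "image": "vssadmin.exe",
     "type": "process_create", "detail": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2016-03-01T09:13:31", "pid": 1800, "image": "winword.exe",
     "type": "file_rename", "detail": "C:\\Users\\alice\\Documents\\~tmp.docx -> memo.docx"},
]

# Command lines that remove the local "shadow copies" used for recovery.
SHADOW_DELETE = re.compile(r"\bdelete\b.*\bshadow|\bshadow\w*\b.*\bdelete\b", re.I)

def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def mass_rename_bursts(events: List[Dict], window_s: int = 60, threshold: int = 20) -> Dict[int, Dict]:
    """Per process: flag >= threshold extension-changing renames inside any window_s span."""
    per_pid: Dict[int, List] = defaultdict(list)
    for e in events:
        if e["type"] != "file_rename":
            continue
        src, dst = e["detail"].split(" -> ")
        if _ext(src) != _ext(dst):
            per_pid[e["pid"]].append((_t(e["ts"]), _ext(dst)))
    hits = {}
    for pid, items in per_pid.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            exts = [x for t, x in items[i:] if t - t0 <= timedelta(seconds=window_s)]
            if len(exts) >= threshold:
                hits[pid] = {"renamed": len(exts), "new_extensions": sorted(set(exts))}
                break
    return hits

def shadow_copy_deleters(events: List[Dict]) -> Set[int]:
    """Parent pids (or the pid itself) that launched a shadow-copy deletion."""
    return {e.get("ppid", e["pid"]) for e in events
            if e["type"] == "process_create" and SHADOW_DELETE.search(e["detail"])}

def callback_hosts(events: List[Dict], pid: int) -> List[str]:
    return sorted({e["detail"].rsplit(":", 1)[0] for e in events
                   if e["type"] == "net_connect" and e["pid"] == pid})

def triage(events: List[Dict]) -> List[Dict]:
    """Combine the three indicators into one record per suspicious process."""
    vss = shadow_copy_deleters(events)
    report = []
    for pid, info in mass_rename_bursts(events).items():
        image = next(e["image"] for e in events if e["pid"] == pid)
        report.append({"pid": pid, "image": image, "shadow_copies_deleted": pid in vss,
                       "callback_hosts": callback_hosts(events, pid), **info})
    return report
```

The resulting record (process image, new file extension, callback host) is the kind of trace indicator the text describes sharing so the same behavior can be spotted on other hosts before the ransomware spreads across shared resources.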

FIGURE 6. EXPLOIT EXECUTION PROCESS FLOW INFORMATION PROVIDED BY FIREEYE NETWORK SECURITY. [Screenshot not reproduced.]

Why FireEye Works

At the core of all FireEye network and email security solutions is the FireEye Multi-Vector Virtual Execution (MVX) engine, which executes and analyzes files in a virtual environment. It operates far beyond the capabilities of common sandboxing technology. The MVX engine uses a proprietary, custom-built hypervisor for multi-level detection to analyze suspicious code within multiple combinations of operating systems, application programs, web browsers and plug-ins to detect and block cyber threats in real time. The technology provides effective and impactful analysis and detection even for previously unknown patterns, or zero-day threats. In fact, as of June 2016, FireEye had detected 28 of 46 zero-day threats identified by cyber security companies. With real-time visibility over virtually the entire lifecycle of a ransomware attack, from intrusion to infection, the MVX engine allows the user to establish fast, effective responses.

Damage from ransomware attacks is rapidly increasing because it is difficult to identify distribution sites. FireEye combines its technology and decades of security expertise to reliably identify harmful websites and gives customers the information and support needed to deter both web- and email-based attacks that use these sites.

Conclusion

The threat of ransomware attacks is more real than ever. Incidents involving ransomware continue to grow, along with ransomware-caused damage such as direct financial costs and business downtime. Ransomware creators continue to pursue new tactics and develop new variations of their malicious code. And the countless variations of ransomware often go undetected by antivirus software.

Once infected with ransomware, organizations should expect significant damage. Advanced detection and prevention is the best defense. You have an advantage in battle if you know yourself and know your enemy. This is also true for cyber security. To reduce the chance of a ransomware attack, organizations need visibility into their internal system security levels and a strong understanding of the attacker tools, tactics and procedures.

For information about FireEye protection and response solutions used by thousands of government agencies and enterprises of all sizes around the world, visit or contact your local sales representative.

For more information on FireEye, visit: www.FireEye.com

FireEye, Inc.
1440 McCarthy Blvd. Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) / [email protected]

© 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.ERR.EN-US.062016
