Operation and Maintenance Bible: Ransomware Emergency Response Guide

Table of contents

Introduction to Ransomware

Common types of ransomware

WannaCry

GlobeImposter

Crysis/Dharma

Attack characteristics

Guidelines for Emergency Response Methods

1. Quarantine the infected server/host

2. Check the business system

3. Determine the type of ransomware and conduct traceability analysis

4. Restoring data and services

5. Cleaning and strengthening

Virus cleaning and hardening

Infected file recovery

6. Ransomware defense methods

Personal Endpoint Defense

Enterprise-level Endpoint Defense


Introduction to Ransomware

Ransomware is a class of Trojan that rose together with cryptocurrency. It is spread mainly by e-mail, by Trojanized programs, and by drive-by downloads from compromised web pages. It encrypts files with a combination of cryptographic algorithms, generally an asymmetric algorithm paired with a symmetric one. The vast majority of ransomware cannot be decrypted by the victim; recovery is possible only after obtaining the corresponding private key.

Once the ransomware file lands on the local machine, it runs automatically and deletes its own sample to evade antivirus detection and analysis. It then uses the host's Internet access to connect to the attacker's C&C server, uploads local information, downloads the encryption key pair (public and private keys), and uses that key pair to encrypt files. Apart from the virus developer, it is almost impossible for anyone else to decrypt them.

After encryption completes, the desktop wallpaper is changed and a ransom note file is generated in a prominent location such as the desktop, instructing the user how to pay the ransom. New variants appear very quickly and evade conventional antivirus software. Attack samples are mainly of type exe, js, wsf, vbe and so on, which is a great challenge for conventional security products that rely on signature detection. According to Huorong's monitoring, ransomware spreads mainly through three channels: vulnerabilities, e-mails, and advertising.

Common types of ransomware

WannaCry

The WannaCry ransomware spreads through the MS17-010 vulnerability. After infecting a computer it implants the ransomware payload, causing a large number of files to be encrypted. Once the victim's computer is locked by the attacker, the virus prompts that a corresponding ransom must be paid before the files can be decrypted.

Common suffix: wncry;
Propagation method: "EternalBlue" vulnerability;
Features: connects to a non-existent URL (Uniform Resource Locator) at startup; creates the system service mssecsvc2.0; release path is the Windows directory.

GlobeImposter

GlobeImposter ransomware is mainly spread through phishing e-mails. Its main targets are servers with Remote Desktop Services enabled: the attacker brute-forces the server password, scans the intranet from the compromised server and manually launches the ransomware, leaving encrypted files that cannot currently be decrypted.

Common suffixes: auchentoshan, animal name + 4444, etc.;
Propagation methods: RDP brute force, phishing e-mails, bundled software, etc.;
Features: released in %appdata% or %localappdata%.

Crysis/Dharma

Crysis/Dharma is delivered by brute-forcing RDP credentials and then implanting the ransomware on the server. Crysis uses AES+RSA encryption, which cannot be decrypted.

Common suffixes: [id] + ransom e-mail + specific suffix;
Propagation method: RDP brute force;
Features: the ransom note is placed in the startup directory, and the sample is located in %windir%\system32, the startup directory, and the %appdata% directory.

Attack characteristics

During file encryption, attackers generally no longer rely on a C2 server, which means that current ransomware does not need to send a private key back to the attacker while encrypting.

The encryption process of this C2-less technique is roughly as follows:

  1. Randomly generate a new encryption key pair (asymmetric public and private keys) before encryption;
  2. Encrypt the files with the newly generated public key;
  3. Encrypt the newly generated private key with the attacker's pre-embedded public key, and store it in an ID file or embed it in each encrypted file.

The decryption process of the C2-less technique is roughly as follows:

  1. Submit the encrypted private key (from the ID string or an encrypted file) by e-mail or online submission (generally the attacker provides a tool to extract it);
  2. The attacker uses the retained private key corresponding to the embedded public key to decrypt the private key submitted by the victim;
  3. The decryption private key or a decryption tool is delivered to the victim for decryption.

With this process, each victim's decryption private key is different, and at the same time no private key ever has to be transmitted over the Internet. This means the ransomware can encrypt a terminal without any network connection, even files and data in an isolated network environment.

Guidelines for Emergency Response Methods

How to recognize a ransomware incident?

  1. The business system cannot be accessed;
  2. File suffixes have been tampered with;
  3. A ransom note is displayed.

1. Quarantine the infected server/host

Take the infected server/host offline, and protect the servers/hosts that have not been infected.

Method:

  1. Physical isolation mainly means disconnecting the network or power, turning off the server/host's wireless network and Bluetooth connections, disabling the network card, and unplugging all external storage devices from the server/host;
  2. Access control refers to strict authentication and control of the permissions used to access network resources. The common approach is to add policies:
    • Use a firewall or terminal security monitoring system;
    • Avoid exposing the remote desktop service (RDP, default port 3389) to the public network, and close unnecessary ports such as 445, 139 and 135;
    • Change login passwords: immediately change the login password of the infected server/host; change the login passwords of other servers/hosts on the same LAN; change the login password of the highest-privilege system administrator account.

2. Check the business system

After the ransomware incident has been identified and temporarily contained, check the other machines on the LAN: whether the core business systems are affected, whether the production line is affected, whether the backup system has been encrypted, and so on, to determine the scope of infection.

For servers/hosts that have not been infected:
    • Close port 3389 globally on the network border firewall, or open port 3389 only to specific IP addresses;
    • Enable the Windows firewall, and close unused high-risk ports such as 3389, 445, 139 and 135 wherever possible;
    • Set a high-strength, complex password on each server/host;
    • Install the latest anti-virus software or a server-hardening edition to prevent attacks;
    • Apply system patches to block the virus's transmission route;
    • If the on-site equipment runs in a virtualized environment, install a virtualization security management system to further strengthen anti-malware and anti-brute-force protection.

For servers/hosts where it is unclear whether they have been infected: isolate them by policy or by disconnection, and run the check only after confirming that the server/host is not connected to the network.

3. Determine the type of ransomware and conduct traceability analysis

During the inspection, suspected samples can be extracted and submitted to a threat intelligence platform to determine whether they are malicious, or professional analysts can be engaged to analyze the samples and confirm the virus type, propagation characteristics and other malicious behaviors.

After ransomware infects a server/host, the attacker usually leaves a ransom note. Start by looking for the note in the encrypted disk directories. Some notes carry the logo or name of the ransomware family, so the family involved can be identified directly; then use a ransomware disposal tool to check whether the files can be decrypted.
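The two checks above (tampered file suffixes and a ransom note on disk) can be scripted so that a responder gets a first family guess before any sample analysis. The following Python is an added example, not part of the original guide or any vendor tool: it walks a directory, matches file names against the suffix patterns the guide lists for WannaCry, GlobeImposter and Crysis/Dharma, and flags likely ransom-note files. The Crysis/Dharma regex and the ransom-note name list are assumptions about the general shape of those names, and the sample files are constructed in a temporary directory.

```python
"""Triage a directory tree for the ransomware indicators listed in this guide:
renamed file suffixes and ransom-note files.  Added example; the indicator
table is derived from the families described above and the sample files are
constructed in a temporary directory."""
import os
import re
import tempfile
from collections import Counter

# Suffix patterns per family, built from the guide's "common suffix" notes.
# The Crysis/Dharma pattern is an assumption about the general shape
# ".id-<ID>.[<email>].<ext>"; real samples vary.
SUFFIX_PATTERNS = {
    "WannaCry": re.compile(r"\.wncry$", re.IGNORECASE),
    "GlobeImposter": re.compile(r"\.(auchentoshan|[a-z]+4444)$", re.IGNORECASE),
    "Crysis/Dharma": re.compile(r"\.id-[0-9a-f]+\.\[[^\]]+@[^\]]+\]\.\w+$", re.IGNORECASE),
}

# Typical ransom-note file names (constructed list, deliberately broad, not exhaustive).
NOTE_NAMES = re.compile(r"(readme|how_to|decrypt|restore|recover).*\.(txt|hta|html)$", re.IGNORECASE)


def classify_name(name):
    """Return the family whose suffix pattern matches `name`, or None."""
    for family, pat in SUFFIX_PATTERNS.items():
        if pat.search(name):
            return family
    return None


def triage(root):
    """Walk `root`; return (per-family encrypted-file counts, list of ransom-note paths)."""
    families = Counter()
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            fam = classify_name(name)
            if fam:
                families[fam] += 1
            elif NOTE_NAMES.search(name):
                notes.append(os.path.join(dirpath, name))
    return families, notes


def build_sample_tree():
    """Constructed sample: a few encrypted-looking files, one untouched file, one ransom note."""
    root = tempfile.mkdtemp(prefix="triage_")
    sample = [
        "report.docx.wncry",
        "budget.xlsx.wncry",
        "contract.pdf.auchentoshan",
        "photo.jpg.id-1A2B3C4D.[restore@example.invalid].lock",  # constructed Crysis-like name
        "notes.txt",                                             # untouched file
        "HOW_TO_DECRYPT_FILES.txt",                              # ransom note
    ]
    sub = os.path.join(root, "Documents")
    os.makedirs(sub)
    for n in sample:
        with open(os.path.join(sub, n), "w") as f:
            f.write("constructed sample\n")
    return root


if __name__ == "__main__":
    fams, notes = triage(build_sample_tree())
    print(dict(fams))
    print(notes)
```

On a real case, point `triage()` at the mounted (read-only) image of the affected volume rather than the live host, and treat the family guess as a hint for choosing a disposal tool, not as confirmation.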

Traceability analysis generally requires checking the logs and samples kept on the server/host. Use the logs to determine how the ransomware may have entered the server/host. If the logs have been deleted, look for virus samples or suspicious files on the server/host and use them to determine the intrusion path.

For the operating system, check at both the system level and the log level:

System level: check for suspicious accounts, suspicious processes, abnormal network connections, suspicious scheduled tasks, suspicious services and suspicious startup items, and confirm whether the encrypted files can be decrypted.

Log level: check the security log for brute-force records and abnormal IP address login records, trace the source on infected servers/hosts, chain the abnormal login IP addresses together, and finally locate the attack's point of entry.
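The log-level check described above, a burst of failed RDP logons from one address followed by a success from the same address, is the pattern that exposes the brute-force entry the guide attributes to GlobeImposter and Crysis/Dharma. The Python below is an added example, not from the original guide: it correlates exported Windows Security log events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP). The event lines are constructed in a simplified "timestamp,event_id,logon_type,ip,user" form rather than real EVTX output, and the threshold and window are assumptions to tune per environment.

```python
"""Correlate exported Windows Security log events to find RDP brute force
followed by a successful logon from the same source.  Added example; the
event lines are constructed and simplified, not real EVTX records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = """\
2023-06-12T01:00:02,4625,10,203.0.113.7,administrator
2023-06-12T01:00:03,4625,10,203.0.113.7,administrator
2023-06-12T01:00:04,4625,10,203.0.113.7,admin
2023-06-12T01:00:05,4625,10,203.0.113.7,administrator
2023-06-12T01:00:06,4625,10,203.0.113.7,root
2023-06-12T01:00:09,4624,10,203.0.113.7,administrator
2023-06-12T08:30:00,4625,10,192.168.1.20,jsmith
2023-06-12T08:30:20,4624,10,192.168.1.20,jsmith
2023-06-12T09:00:00,4624,2,127.0.0.1,SYSTEM
"""


def parse_events(text):
    """Parse the simplified CSV form into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, user = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "logon_type": int(ltype), "ip": ip, "user": user})
    return events


def find_bruteforce_breakins(events, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, failure_count, success_time, user) for every source IP that
    produced at least `threshold` RDP failures within `window` before an RDP success.
    Only logon type 10 (RDP) is considered; local and service logons are ignored."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:
            continue
        if e["id"] == 4625:
            failures[e["ip"]].append(e["ts"])
        elif e["id"] == 4624:
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((e["ip"], len(recent), e["ts"], e["user"]))
            failures[e["ip"]].clear()  # a success ends the current burst for this IP
    return hits


if __name__ == "__main__":
    for ip, n, when, user in find_bruteforce_breakins(parse_events(SAMPLE_EVENTS)):
        print(f"{when.isoformat()} {ip}: {n} failures then success as {user}")
```

The first address that appears in the output is the candidate point of entry; the next step in the guide's traceability process is to pivot on that address across the other hosts' logs and chain the logins together in time order.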

4. Restoring data and services

Restore business operations by restoring from backup data.

5. Cleaning and strengthening

Once the ransomware incident is confirmed, clean up the ransomware promptly, carry out the corresponding data recovery work, and at the same time harden the server/host to avoid reinfection.

Virus cleaning and hardening

1. Close port 3389 globally on the network border firewall, or open port 3389 only to specific IP addresses;
2. Enable the Windows firewall, and close unused high-risk ports such as 3389, 445, 139 and 135 wherever possible;
3. Set a unique login password on each machine, and make it a high-strength, complex password;
4. Install the latest anti-virus software, and perform security scans and virus removal on the infected machine;
5. Apply system patches to block the virus's transmission route;
6. Combine backup;
7. Use full-traffic analysis devices (such as Sky Eye) to analyze threats across the entire network and troubleshoot problems.

Infected file recovery

1. Recover infected files with a decryption tool;
2. Pay the ransom to recover the files.

6. Ransomware defense methods

Personal Endpoint Defense

Automatic Backup Technology:

Qi Anxin applies this technology in the Document Guard function module. Whenever a document on the computer is tampered with, the module immediately backs the document up into a quarantine area and protects it, and the user can restore the file at any time.

Document Guard's automatic backup is triggered in two cases: first, when a document is modified for the first time after boot; second, when a suspicious program modifies a document. Formats covered include PowerPoint, PDF and other formats, and a prompt message appears after a backup succeeds. Users can also add more file formats to be backed up in the settings; for example, if the photos on the computer are very important, image formats such as JPG can be added to the protected range. In addition, Document Guard integrates a "file decryption" function, based on security experts' reverse analysis of certain ransomware families, that can decrypt various types of files.

Comprehensive ransomware anti-virus technology:

The protection software plants trap files throughout the computer system. When a virus tries to encrypt files, it first hits one of the traps and so exposes its attack behavior. In this way, security software can quickly and non-destructively discover all kinds of malicious programs that try to encrypt or destroy files.
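The trap-file idea above can be demonstrated in a few lines without any vendor product. The following Python is an added example, not Qi Anxin's implementation: it plants decoy files, records a hash baseline, and reports any decoy that is later modified, renamed or deleted, which is exactly what a process that sweeps a directory encrypting everything would cause. The decoy names and the stand-in that tampers with them (overwriting one, renaming another, no real encryption) are constructed for the demonstration and run in a temporary directory.

```python
"""Decoy ("trap") file monitor: plant bait files, record their hashes, and
report any that were modified, renamed or deleted.  Added example, not a
vendor implementation; names and the tampering stand-in are constructed."""
import hashlib
import os
import tempfile

# Constructed bait names, chosen to sort early and look like ordinary documents.
DECOY_NAMES = ["~$budget_2023.xlsx", "0_contracts_archive.docx", "passwords_old.txt"]


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_decoys(root, names=DECOY_NAMES):
    """Create bait files in `root` and return {path: sha256} as the baseline."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"decoy content - do not edit\n" + os.urandom(64))
        baseline[path] = sha256_of(path)
    return baseline


def check_decoys(baseline):
    """Compare bait files to the baseline; return {path: 'missing' | 'modified'}.
    An empty dict means no decoy was touched."""
    alerts = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts[path] = "missing"      # deleted, or renamed (e.g. a new suffix appended)
        elif sha256_of(path) != digest:
            alerts[path] = "modified"     # content overwritten, e.g. encrypted in place
    return alerts


def simulate_tampering(root):
    """Constructed stand-in for a file-encrypting process: overwrite the first
    bait file and rename the second.  No encryption is performed."""
    files = sorted(os.listdir(root))
    with open(os.path.join(root, files[0]), "wb") as f:
        f.write(b"\x00" * 32)
    os.rename(os.path.join(root, files[1]), os.path.join(root, files[1] + ".wncry"))


def demo():
    """Plant decoys, verify a clean check, tamper, and return the resulting alerts."""
    root = tempfile.mkdtemp(prefix="decoy_")
    baseline = plant_decoys(root)
    assert check_decoys(baseline) == {}
    simulate_tampering(root)
    return check_decoys(baseline)


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"ALERT {state}: {path}")
```

In a real deployment the check runs continuously (or from a file-system watcher) and the first alert is the trigger for the containment steps in section 1; the decoys must be excluded from legitimate backup and indexing jobs so those do not raise false alarms.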

Enterprise-level Endpoint Defense

Cloud immune technology:

Through the terminal security management system, the cloud directly pushes immunity policies or patches to help users protect or patch their hosts.

Password protection technology:

Enhancing password protection should mainly start from three aspects:

  1. Use weak-password verification technology to force administrators to use complex passwords;
  2. Use anti-brute-force technology to strictly control the login location and login attempts of users from unfamiliar IP addresses;
  3. Use VPN or two-factor authentication, so that even if an attacker steals the administrator account and password, he cannot easily log in to the enterprise server.


Origin blog.csdn.net/qq_61553520/article/details/131204499