Шифрование данных
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)
Примеры процедур |
|
Название | Описание |
---|---|
Maze |
Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.(Citation: FireEye Maze May 2020) |
Bad Rabbit |
Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.(Citation: Secure List Bad Rabbit) |
ThiefQuest |
ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.(Citation: wardle evilquest partii) |
APT38 |
APT38 has used Hermes ransomware to encrypt files with AES256.(Citation: FireEye APT38 Oct 2018) |
Ragnar Locker |
Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020) |
JCry |
JCry has encrypted files and demanded Bitcoin to decrypt those files. (Citation: Carbon Black JCry May 2019) |
Babuk |
Babuk can use ChaCha8 and ECDH to encrypt data.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Medium Babuk February 2021)(Citation: Trend Micro Ransomware February 2021) |
REvil |
REvil can encrypt files on victim systems and demands a ransom to decrypt the files.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee REvil October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020) |
Diavol |
Diavol has encrypted files using an RSA key though the `CryptEncrypt` API and has appended filenames with ".lock64". (Citation: Fortinet Diavol July 2021) |
Cuba |
Cuba has the ability to encrypt system data and add the ".cuba" extension to encrypted files.(Citation: McAfee Cuba April 2021) |
LockerGoga |
LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)(Citation: Wired Lockergoga 2019) |
DEATHRANSOM |
DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.(Citation: FireEye FiveHands April 2021) |
EKANS |
EKANS uses standard encryption library functions to encrypt files.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS) |
ProLock |
ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.(Citation: Group IB Ransomware September 2020) |
HELLOKITTY |
HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.(Citation: FireEye FiveHands April 2021) |
BitPaymer |
BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending |
WannaCry |
WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis) |
FIN7 |
FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.(Citation: CrowdStrike Carbon Spider August 2021) |
DCSrv |
DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.(Citation: Checkpoint MosesStaff Nov 2021) |
WastedLocker |
WastedLocker can encrypt data and leave a ransom note.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020) |
Pysa |
Pysa has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions.(Citation: CERT-FR PYSA April 2020) |
During C0015, the threat actors used Conti ransomware to encrypt a compromised network.(Citation: DFIR Conti Bazar Nov 2021) |
|
MegaCortex |
MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.(Citation: IBM MegaCortex)(Citation: mbed-crypto) |
SynAck |
SynAck encrypts the victims machine followed by asking the victim to pay a ransom. (Citation: SecureList SynAck Doppelgänging May 2018) |
FIVEHANDS |
FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021) |
Conti |
Conti can use |
Xbash |
Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.(Citation: Unit42 Xbash Sept 2018) |
Pay2Key |
Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020) |
Egregor |
Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cybereason Egregor Nov 2020) |
Indrik Spider |
Indrik Spider has encrypted domain-controlled systems using BitPaymer.(Citation: Crowdstrike Indrik November 2018) |
NotPetya |
NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
SamSam |
SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.(Citation: Sophos SamSam Apr 2018) |
APT41 |
APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.(Citation: FireEye APT41 Aug 2019) |
Ryuk |
Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Wizard Spider October 2020) |
Avaddon |
Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.(Citation: Arxiv Avaddon Feb 2021) |
Netwalker |
Netwalker can encrypt files on infected machines to extort victims.(Citation: TrendMicro Netwalker May 2020) |
KillDisk |
KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.(Citation: KillDisk Ransomware) |
Clop |
Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.(Citation: Mcafee Clop Aug 2019)(Citation: Unit42 Clop April 2021)(Citation: Cybereason Clop Dec 2020) |
TA505 |
TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.(Citation: Proofpoint TA505 Sep 2017) |
XCSSET |
XCSSET performs AES-CBC encryption on files under |
Seth-Locker |
Seth-Locker can encrypt files on a targeted system, appending them with the suffix .seth.(Citation: Trend Micro Ransomware February 2021) |
Shamoon |
Shamoon has an operational mode for encrypting data instead of overwriting it.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018) |
RobbinHood |
RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.(Citation: CarbonBlack RobbinHood May 2019) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Behavior Prevention on Endpoint |
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
Data Backup |
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. |
Data Encrypted for Impact Mitigation |
Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) In some cases, the means to decrypt files affected by a ransomware campaign is released to the public. Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP) |
Обнаружение
Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories. In some cases, monitoring for unusual kernel driver installation activity can aid in detection. In cloud environments, monitor for events that indicate storage objects have been anomalously replaced by copies.
Ссылки
- US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.
- US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
- US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019.
- NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
- Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
- Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
- Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
- Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
- Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
- Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
- CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
- Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
- Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
- Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
- Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
- Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
- Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
- Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
- Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
- Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.
- Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
- Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
- Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
- CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
- ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.
- Gietzen, S. (n.d.). S3 Ransomware Part 2: Prevention and Defense. Retrieved April 14, 2021.
- Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.
- Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
- Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
- Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
- Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
- CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
- Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
- Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
- Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
- Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021.
- Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021.
- Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.