By Luis Debs-Mallar of Infostream.
If you watch or read the news you have heard of CryptoLocker, one of the most notorious of the ransomware family of malware that has recently appeared in our digitally connected society, and the trend-setter for the type that encrypts files until a payment is made in exchange for the private key. Though CryptoLocker is no longer active and cannot infect any new PCs, it has spawned literally hundreds of imitators, including ones that re-use the name “CryptoLocker” and some badly written ones such as CryptoDefense, which by some accounts morphed into the infamous CryptoWall, now in its third iteration.
Articles that discuss the malware and its behavior abound (see the end of this article for related links), and though it is very interesting to see how each variation does its malice, the article you are reading now is about prevention of any known and unknown ransomware. Please be aware that I am not a cryptovirology expert, but I have dealt with many ransomware infections including CryptoLocker and CryptoWall, have helped several clients recover files from backups, and, sad to say, have helped some clients make payments to recover files, though this has not been necessary while at Infostream; if your backups are monitored and well maintained there will be no need to pay the ransom.
Some of you may have come across ransomware and asked: why did my anti-virus (AV) program not catch it? The answer this time is simple, and here is why…
The majority of AV programs use virus signatures to identify and stop a virus. There are two major flaws with this technology. First, the virus has to surface before a signature can be created, which means someone somewhere probably got infected. The corollary is that not only does a signature need to exist, but each computer (or its user) has to download the new signature from the AV vendor before the AV program on that computer can use it. The second and just as serious problem is that some viruses and malware can mask themselves in a variety of ways, so signatures do not consistently work on this type of virus/malware. Even with these flaws, signature-based scans are still one of the most used ways to catch and stop viruses and malware.
So if virus signatures are not 100% accurate and effective, then what, you ask? The answer is heuristic and/or behavioral analysis. Heuristic virus engines have been around longer, but behavioral engines are more effective, and sometimes both are used. Yet these types of scans are also prone to problems. Heuristic scanners look for patterns in code and/or virtualize execution of the code in question to determine the program’s logic or intent. Like signature-based scanners, heuristic scanners need to know about program patterns and logic, so if a new virus or malware runs under new logic or has a new code pattern, a heuristic scanner will fail. And though heuristic scanning is able to find new, previously unseen viruses or malware, it can also lead to many false positives: the identification of a non-virus or non-malware as such.
On the other hand, with the newer technology of behavioral scanners the scans are more accurate and produce fewer false positives, but they are more dangerous because before a behavioral scanner can actually stop the virus or malware, the virus or malware has to be running on the subject computer doing its “thing”. Its “thing”, whatever it may be, is how a behavioral scan can tell a program is actually a virus or malware. BUT heck, you say! The virus or malware is already in the computer and trying to do damage!!
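To make the contrast between the two scanning approaches concrete, here is an added Python example (not code from the original article or from any vendor): a hash signature that a single changed byte defeats, beside a simple behavioral rule that flags a process only after it has written high-entropy data to many distinct files. The signature database, the process ids and the file-write events are all constructed for the example.

```python
import hashlib
import math
from collections import defaultdict

# Constructed "signature database": the SHA-256 of one known-bad sample.
KNOWN_BAD_SAMPLE = b"encrypt-all-user-files-and-demand-payment-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Signature scan: exact hash lookup. Changing a single byte defeats it."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits near 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def behavioral_flag(events, min_files=5, min_entropy=7.0):
    """Behavioral rule over observed file-write events (pid, path, data).

    A process is flagged once it has written high-entropy data to at least
    min_files distinct files. A normal edit or one archive write never
    reaches that pattern. Returns the set of flagged pids.
    """
    per_pid = defaultdict(set)
    for pid, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            per_pid[pid].add(path)
    return {pid for pid, paths in per_pid.items() if len(paths) >= min_files}


# Constructed event stream. bytes(range(256)) repeated has entropy exactly 8.0,
# a stand-in for ciphertext; the plaintext line scores well below 7.0.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT = b"Quarterly report, draft 3.\n" * 64
EVENTS = (
    [(4242, f"/share/docs/report{i}.docx", CIPHERTEXT_LIKE) for i in range(8)]
    + [(1001, "/home/alice/notes.txt", PLAINTEXT)]       # ordinary edit
    + [(2002, "/home/bob/backup.zip", CIPHERTEXT_LIKE)]  # one archive write
)

if __name__ == "__main__":
    print(signature_match(KNOWN_BAD_SAMPLE))           # True
    print(signature_match(KNOWN_BAD_SAMPLE + b"\x00"))  # False: one-byte variant
    print(behavioral_flag(EVENTS))                      # {4242}
```

The behavioral rule catches the variant the signature misses, but only after eight files have already been overwritten, which is exactly the trade-off the paragraph above describes.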
Sooo, heuristic and behavioral analysis scans are also not 100%. I will substitute “gosh darn” for what we really want to say. It is obvious that an anti-virus or anti-malware program is not going to protect you completely, so let’s look at a gateway-level scanner and how it may or may not be more effective. Before PUPs (potentially unwanted programs, i.e. viruses and malware) can do any damage they need to get onto a computer or device. Today this usually means getting into the LAN via an Internet connection, and this is where a router/gateway can do the most damage to a PUP.
By using scanners at the edge of a network, nothing can get in without being scanned first, right? RIGHT?? Well, there are problems here too. Gateway scanners are subject to the same issues already mentioned for server/desktop scanners. An additional complexity is that many types of traffic can be encrypted end-to-end between source and destination, which eliminates the gateway scanner’s ability to intercept and analyze the payload. Just as file encryption has traditionally been used for legitimate purposes, network traffic encryption has been used for valid and legitimate purposes, but this has not stopped criminals from using either encryption technology for their own purposes, as in ransomware. Many PUPs now use encryption to sneak into a LAN undetected. To combat this PUP technique, router/gateway vendors [4] have added SSL inspection technology that allows the equipment at the edge to decrypt the traffic and analyze the payload before allowing it to reach the LAN, and thus ultimately the computer. So we have a solution, you say. Nope! Not many companies implement these features since they are cutting-edge, difficult to configure, and can cause traffic problems and delays [5]. So again, for all the reasons mentioned, router/gateway scanners are also not 100% effective.
Is there anything else? Well, besides variations in core technology such as cloud-based AV scanners, we also have the most sophisticated devices of all, more commonly known as “users”. Yes, wait, let me finish please. Users, regardless of how much we rag on them, are vital to the protection of a network. Well-trained users, even though still not 100% effective, will come across virus/malware installers and, depending on their training and awareness, will stop the threat or activate it. Once you realize that viruses and malware do not always enter the LAN from the Internet, the epiphany follows: user training IS important. Besides, once a user is trained, enforcement of consequences for not following procedures is more practical. Not directly related to this article are network hardening tactics, which are extremely helpful when it comes to coercing users to follow security procedures.
I am weary, exhausted, and drained from reading; give me the final be-all and end-all solution please… So here goes: the final be-all and end-all solution is all of it. Yep, you need it all. Server and desktop AV programs, gateway scanners, and well-trained users to watch out for and cautiously react to PUPs. The hope is that even though no single solution is 100% effective, all of them combined may statistically reach a high stop rate.
Footnotes:
1. SentinelOne: Anatomy of CryptoWall 3.0 – a look inside ransomware’s tactics
   http://www.sentinelone.com/blog/anatomy-of-cryptowall-3-0-a-look-inside-ransomwares-tactics/
2. Webroot: Why relying on antivirus signatures is simply not enough anymore
   http://www.webroot.com/blog/2012/02/23/why-relying-on-antivirus-signatures-is-simply-not-enough-anymore/
3. Symantec: Behavior Blocking: The Next Step in Anti-Virus Protection
   http://www.symantec.com/connect/articles/behavior-blocking-next-step-anti-virus-protection
4. Dell: Best Practices to protect against CryptoWall and CryptoLocker (SW12434): 6. DPI-SSL Client Inspection
   https://support.software.dell.com/kb/sw12434
5. DSLReports: I thought SSL Traffic couldn't be inspected?
   http://www.dslreports.com/forum/r27327202-I-thought-SSL-Traffic-couldn-t-be-inspected
6. NSS Labs: NSS Labs Research Finds SSL Traffic Causes Significant Performance Problems for Next Generation Firewalls
   https://www.nsslabs.com/news/press-releases/nss-labs-research-finds-ssl-traffic-causes-significant-performance-problems-next
7. Juniper: Inspection of SSL Traffic Overview
   https://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-ssl-decryption-overview.html
8. NetworkWorld: SSL decryption may be needed for security reasons, but employees are likely to 'freak out'
   http://www.networkworld.com/article/2161439/network-security/ssl-decryption-may-be-needed-for-security-reasons--but-employees-are-likely-to--fre.html
9. GCN: Firewall for secure networks inspects SSL-encrypted data
   http://gcn.com/Articles/2013/10/18/Dell-SuperMassive.aspx
10. Fortinet: Why you should use SSL inspection
   http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/
11. WSTA: Don’t Let Attacks Pass You By: Strategies for Inspecting SSL Traffic
   http://www.wsta.org/publications/ticker-e-zine/issues/2015-issue-2/strategies-for-inspecting-ssl-traffic/
12. RSA Conference 2014: Is Security Industry Ready for SSL Decryption
   http://www.rsaconference.com/writable/presentations/file_upload/tech-r01-ready-for-ssl-decryption-v2.pdf