The Rise of Ransomware - Tips on prevention, response and evading extortion

Ransomware, a malware that prevents or in some cases limits users from accessing their data has been on the rise. Last year, 2015 saw a considerable increase with Crowti (also known as CryptoWall) and FakeBSOD being the two instances that affected more than 850,000 systems between June and November. In the first quarter of 2015, ransomware saw a 165% increase compared to the previous year. In the second quarter of 2015, 4 million samples of ransomware were identified indicating 58% ransomware growth. Ransomware is expected to grow in 2016 considering that more than half of malware attacks in 2015 also carried ransomware.

The main function of ransomware is to prevent the user (or users if it infects a server) from using that particular system. It does this by encrypting the files that it finds stored in the filesystem and connected drives. Usually, ransomware also tries to prevent certain applications and services from running.

Malicious files

These malicious files are called ransomware because they demand a payment (a ransom) in order to allow the users to decrypt their files; the attacker provides the decryption key in exchange for the payment. Some of these types of malicious files try to convince individuals that they have done something illegal in an attempt to scare them into making the payment (ransomware acting as scareware). In order to be more believable, some ransomware payment demands pretend to be from a law enforcement agency. The ransom usually starts at a few US dollars to hundreds of dollars or its Bitcoin equivalent.

Browse Safely & Tools for Looking up Potentially Malicious Websites

The following list contains free online tools for looking up a potentially malicious websites. Some of these tools will lookup their own historical data for a particular website, while others perform live tests. The URLs are in alphabetical order. 

Even though these websites allow you to initiate an online check on-demand, it is not the most convenient way for everyday use, especially when you jump from one website to the next. In that case, I strongly suggest the use of a browser plug-in (extension) that will do this for you automatically. On that note, know that there are several extensions that will do this check for you in real-time. 

I tested a bunch of them and to be completely honest the most lightweight and effective one I found was the Avira Browser Safety. This is a tiny extension that will not only lookup and check each website you visit for any malicious content but it will also list all trackers on the website. Also, the Avira Browser Safety extension allow you to select which trackers would you like to turn off by flipping a switch next to each tracker listed. Combining this with you favourite extension that blocks ads makes visiting website a little bit less scary process. 

Please note that I am referring to legitimate websites that have been breached with the only purpose to deliver malware to its visitors. In many cases, this breach stays undetected for days or weeks before it is picked up by the developers or the security team. Also, the reason why I am suggesting an ads blocker is because there have been many cases where ads have been compromised, and contain malicious JavaScript that infects visitors. (see: Malvertising) 

• AVG LinkScanner Drop Zone: Analyzes the URL in real time for threats
• BrightCloud URL/IP Lookup: Presents historical reputation data about the website
• Cisco SenderBase: Presents historical reputation data about the website
• Comodo Web Inspector: Examines the URL in real-time
• Cyscon SIRT: Provides historical data for IP addresses, domains and ASNs.
• FortiGuard lookup: Displays the URL’s history and category
• Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists
• IsItPhishing: Assesses the specified URL in real-time
• KnownSec: Presents historical reputation data about the website; Chinese language only
• Malware Domain List: Looks up recently-reported malicious websites
• MalwareURL: Looks up the URL in its historical list of malicious websites
• McAfee Site Advisor: Presents historical reputation data about the website
• McAfee TrustedSource: Presents historical reputation data about the website
• MxToolbox: Queries multiple reputational sources for information about the IP or domain
• Norton Safe Web: Presents historical reputation data about the website
• PhishTank: Looks up the URL in its database of known phishing websites
• Quttera ThreatSign: Scans the specified URL for the presence of malware
• Reputation Authority: Shows reputational data on specified domain or IP address
• Sucuri SiteCheck: Scans the URL for malware in real time and looks it up in several blacklists
• Trend Micro Web Reputation: Presents historical reputation data about the website
• Unmask Parasites: Looks up the URL in the Google Safe Browsing database
• URL Blacklist: Looks up the URL in its database of suspicious sites
• URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content
• URLVoid: Looks up the URL in several website blacklisting services
• VirusTotal: Looks up the URL in several databases of malicious sites
• vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists
• WebPulse Site Review: Looks up the website in BlueCoat’s database
• Wepawet: Analyzes the URL in real time for threats
• Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

If you think you know of a site that can do something similar but it is not on this list, let me know and I will be happy to add it. 

Temporary & Disposable Email / SMS List

Sometimes it is very useful to have a temporary email address which you will be only using briefly. I admit it, I personally use these disposable email providers because I need to download for example a free whitepaper or register to an online form that I know I won't be using again in the future for a very long time and I don't want to get bombarded with advertising material afterwards (or have my email shared with undisclosed third-parties).

Before I move on telling you about the temporary/disposable email addresses, let me point out another interesting online service that sometimes might come in handy. These are temporary mobile numbers to receive actual text messages (aka SMS). There are websites which allow you to receive an SMS online and won't parse or modify the content. (Yes, this means you can do XSS if you manage to fit your JavaScript code within one SMS.) Basically, the only thing you need to do is to look for the country you want the SMS to be sent to, and pick an available number from the list. 

I am surprised to see that major companies in the information security community don't maintain a black-list of these temporary emails and public phone numbers for SMS messages, at least the same way Google does. Google knows these temporary/disposable email addresses and publicly accessible phone numbers for SMS, and won't allow you to use them when registering for a new gmail account. 

So, I have done the hard work for you. Instead of listing the websites where you can go get a temporary/disposable email (for example, see here or use a search engine), I am listing all the domains being used by these websites that offer temporary/disposable email addresses. (its too much work to list all the phone numbers as well and by the way, these are modified/change too often to put them in a static list similar to the temporary/disposable email domains).

This information is fully up-to-date today (19/Jan/2016) and I will try to update it again as often as it is possible. Of course, if you find any domain used for such purpose which is not on my list, feel free to contact me and I will be happy to update the list. I believe this list is good to be shared among the infosec community, so anyone who might have a domain or domains to add, will be able to do so. 

You can find all these hundreds of domain names in this PDF File. Follow me on Twitter (@drgfragkos) and let me know if you found this list useful. 

A serious bug with SSH that requires immediate action

Two issues have been identified in OpenSSH (CVE-2016-0777 and CVE-2016-0778). Theo de Raadt in a mailing list posting gave us a heads up earlier today. 

More or less, you will need to add the option UseRoaming no to your /etc/ssh/ssh_config (or your user's ~/.ssh/config) file, or start your SSH client with -oUseRoaming=no included on the command line. Adding the option to the config file can be done with a single command:

# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

This is a basically a workaround until you are able to patch all affected systems. 

First Patch Tuesday for 2016

The new year brought a set of new patches for the vulnerabilities identified in the Microsoft product family. I know there is no point saying it once more but for those who need to hear it, make sure you patch your systems as soon as possible! :

See here: https://technet.microsoft.com/en-us/library/security/mt637763.aspx

MS16-010	Security Update in Microsoft Exchange Server to Address Spoofing (3125573)	Microsoft Exchange
MS16-008	Security Update for Windows Kernel to Address Elevation of Privilege (3124605)	Microsoft Windows
MS16-007	Security Update for Microsoft Windows to Address Remote Code Execution (3124901)	Microsoft Windows
MS16-006	Security Update for Silverlight to Address Remote Code Execution (3126036)	Microsoft Developer Tools & Software
MS16-005	Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (3124584)	Microsoft Windows
MS16-004	Security Update for Microsoft Office to Address Remote Code Execution (3124585)	Microsoft Office
MS16-003	Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540)	Microsoft Windows
MS16-002	Cumulative Security Update for Microsoft Edge (3124904)	Microsoft Edge & Microsoft Windows
MS16-001	Cumulative Security Update for Internet Explorer (3116180)	Internet Explorer & Microsoft Windows