Case 3:17-cv-05659-WHA Document 171-26 Filed 07/27/18 Page 1 of 14
Exhibit 31
WHITE PAPER

Ransomware Tactics & Detection Techniques
Contents

Ransomware Evolution
Infection Vectors
    Email
        Email Attachment
        Email Links
    Drive-by Infections Using Exploit Kits
    Direct Web Downloads
    Wormable Exploits
    Trojan Downloaders
Ransomware Encryption Process
    Encryption
    Decryption
Cyphort's Ability to Detect Ransomware
    Object Analysis Pipeline
    Network Analysis Pipeline
    Use Cases
        Email Attachments
            Example
        Exploit Kits
            Example
        Direct Web Downloads
        Wormable Exploits
About Cyphort
White Paper: Ransomware
Ransomware Evolution

Ransomware is one of the most pervasive and destructive threats that organizations and individuals face today. It is malware that takes a computer or its data hostage and demands payment of a ransom to return control of the computer or restore the data.

Over the years, ransomware has evolved to take many forms, the goal remaining the same: extort a ransom from the victim.

 ⊲ Application-level lockers: Some ransomware prevents victims from using their computer. Reveton, for instance, prevents users from logging in and displays a note purporting to be from a law enforcement agency, demanding payment of a "fine" to unlock the computer. Others, such as Manifesto or Ransom Locker, display a ransom note and prevent the user from doing anything else on the computer. Still others hijack the browser and make it appear that no other site can be reached until the ransom is paid.

 ⊲ System-level lockers: Some ransomware, such as Petya or PetrWrap, overwrites the Master Boot Record with its own mini kernel and renders the computer useless for anything except dealing with the ransom. Other ransomware in this category includes HDDCryptor, GoldenEye and Satana.

 ⊲ File encryptors: This category has become the most widespread of all ransomware and is today the method of choice for cyber criminals. It consists of encrypting user files and demanding a ransom for the decryption key. Notable examples include CryptoWall, TeslaCrypt, Cerber, Radamant, KeRanger and WannaCrypt0r.

 ⊲ Fake ransomware: This type does not actually encrypt data or hold any resource captive while asking for a ransom. Instead, it rides on the notoriety of other ransomware and uses scare tactics to trick its victims into paying.

Although ransomware is not new, it has grown exponentially in the past few years given the success some campaigns have enjoyed. The table below shows the growth from two known families in 2012 to 174 in 2016.
Year   Count of ransomware families   Most prominent ransomware
2012     2                            Rannoh, Reveton
2013     8                            CryptoLocker, Kovter, Urausy
2014    15                            CryptoWall, CryptoLocker, CTB-Locker
2015    35                            TeslaCrypt, DMA-Locker, Cryptonite
2016   174                            Cerber, Locky, CryptXXX
The continued growth of ransomware is driven by several key factors:

 ⊲ Efficacy of the threat. Many victims depend on the data taken hostage to run the day-to-day operations of their business. If the victim has no backup, the only remedy is to pay the ransom and hope to recover the data.

 ⊲ Time pressure. In most cases, time is on the side of the attacker. A hospital or airline, for example, cannot sustain a non-functional IT infrastructure for long. To make matters worse, many ransomware attacks rely on tactics designed to push victims to pay quickly: the ransom amount may double after a set time, files may start being deleted every hour, or all files may be deleted after a deadline.
 ⊲ Success rate of previous campaigns. According to many sources, the ransomware economy reached $1B in 2016. CryptoLocker alone raked in more than $390M in 2016 by infecting an average of 90,000 victims a day.

 ⊲ Availability of cryptocurrency. Cyber criminals need to launder the ransom proceeds, and cryptocurrency makes this easier. Bitcoin is the currency of choice: although every transaction is recorded on a public ledger, linking a wallet address to a real-world identity is difficult, which is what makes the parties to a transaction so hard to trace.

 ⊲ Exploit kits. The availability of very effective exploit kits, mainly Angler, Nuclear, Neutrino and RIG, has made it relatively painless for ransomware actors to deliver their payloads over proven infection methods.
Infection Vectors

Email

Email remains the number one delivery method for ransomware. Using a convincing message, cyber criminals get the victim to open an attachment or click on a link that ultimately leads to the infection.

Email Attachment

Usually these attachments take the form of a Word document purporting to be a shipment notification, which in fact contains an obfuscated Visual Basic for Applications (VBA) macro. The macro either carries the ransomware binary embedded in its own data, in which case it decodes it, writes it to disk and launches it, or it reaches out to a web site to download the ransomware binary and then executes it.

The Locky campaign was particularly successful at attaching zip files containing malicious JavaScript to emails. The script files carry names and extensions chosen to make them look like documents and entice the victim to open them. The script then downloads the ransomware from the Internet and launches it.

Sometimes the attachments attempt to exploit a vulnerability in the handler application. For example, a malicious PDF may attempt to exploit an unpatched or zero-day vulnerability in Adobe Acrobat Reader, drop the ransomware binary and execute it. The same goes for Microsoft Office documents. This approach has nonetheless become less common lately, since few known vulnerabilities remain unpatched for long.

Sometimes Office or PDF attachments contain nothing but links to a web site hosting the ransomware. This method is rarely used because it requires the user to interact with the downloaded file and agree to execute it, which raises the victim's suspicion.
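As an added illustration of the two attachment lures just described (example code, not part of the white paper or of any vendor product), the following Python triage routine flags a zip archive whose member is a script file carrying a document-looking double extension, and an Office Open XML document that contains a vbaProject.bin macro part (which a plain .docx should never have). The sample attachments, file names and extension lists are constructed for the example; real triage would go on to inspect the macro and script contents themselves.

```python
"""Triage of e-mail attachments for two common ransomware lures: a zip holding
a script disguised as a document, and an Office document carrying a VBA macro
project.  Added example, standard library only; the sample attachments are
constructed in memory and contain no real code."""
import io
import zipfile

# Script extensions that Windows will execute on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Extensions that look like harmless documents to a recipient.
DOCUMENT_EXTS = {".doc", ".pdf", ".xls", ".txt", ".docx", ".rtf"}
# Office Open XML containers (zip files) that may hold a macro project.
OFFICE_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def _exts(name):
    """Return the lower-cased extensions of a file name, in order, e.g. ['.doc', '.js']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def triage_attachment(filename, data):
    """Return a list of findings (strings) for one attachment; empty means nothing seen."""
    findings = []
    exts = _exts(filename)
    outer = exts[-1] if exts else ""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if outer in SCRIPT_EXTS:
            findings.append(f"script file attached directly: {filename}")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if outer in OFFICE_EXTS:
            # Office Open XML: a macro project is stored as word/vbaProject.bin
            # (or xl/, ppt/).  Its presence in a .docx is itself suspicious.
            macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if macro_parts:
                findings.append(f"{filename}: VBA macro project present ({macro_parts[0]})")
        else:
            # Plain zip lure: examine each member's chain of extensions.
            for member in names:
                mexts = _exts(member)
                if mexts and mexts[-1] in SCRIPT_EXTS:
                    disguised = any(e in DOCUMENT_EXTS for e in mexts[:-1])
                    tag = "script disguised as document" if disguised else "script inside archive"
                    findings.append(f"{filename} -> {member}: {tag}")
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the macro "document" has a vbaProject.bin part and the
# zip carries a .js named like an invoice; neither holds real macro or script code.
SAMPLES = {
    "shipment_notice.docm": _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
    }),
    "invoice_2017.zip": _zip_bytes({"invoice_2017.doc.js": b"// placeholder"}),
    "photo.zip": _zip_bytes({"holiday.jpg": b"\xff\xd8\xff\xe0"}),
    "report.docx": _zip_bytes({"word/document.xml": b"<w:document/>"}),
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and return {attachment name: findings}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["clean"])
```

The two clean samples (a zip of images and a macro-free .docx) pass without findings, which is the behaviour to preserve when tuning such a rule: the signal is the combination of an executable script type with a document-looking name, or a macro project where none belongs, not the mere presence of an archive.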
Email Links

Although mostly used for phishing attacks, links have also been used to deliver ransomware, with limited success.

Drive-by Infections Using Exploit Kits

In this method of infection, a user who visits a web site can fall victim to ransomware without any interaction required. The threat actors either compromise a web site and inject code that redirects the user to the exploit kit, or resort to malvertising. In both cases, the user's browser is redirected to an intermediate site whose JavaScript fingerprints the browser and its plugins for vulnerabilities and delivers a payload that triggers the exploitation. The exploit is delivered as JavaScript, Flash or Silverlight content, depending on the versions installed in the browser. Once an exploit succeeds, the exploit kit downloads a ransomware binary and executes it.

Direct Web Downloads

Ransomware can also be downloaded directly from the web when the user falls victim to social engineering. When the user thinks they are downloading a nifty new text editor or a PC cleaner, it may actually be ransomware in disguise.

Wormable Exploits

The WannaCry mass infection of May 2017 put the spotlight on another method of infection: vulnerable services exposed to the Internet. It gave birth to ransomworms, which attack computers directly over the network using a vulnerability in the SMB file-sharing protocol and drop the ransomware in the form of an encrypted DLL.

Trojan Downloaders

Ransomware can also be downloaded by other Trojans such as Upatre, Bedep and Nemucod. Upatre and Nemucod are usually spread through email attachments, and it is critical that they be detected so the infection can be stopped at the earliest kill-chain phase possible.
Ransomware Encryption Process

A typical ransomware encryption process combines a public key (asymmetric) algorithm with a symmetric (secret key) algorithm. The symmetric algorithm encrypts the files themselves, while the public key algorithm encrypts the file encryption keys.

The operation proceeds as follows:

Encryption

1. When the ransomware runs, it reaches out to its C&C server with some identification of the victim's computer.

2. The C&C server generates a public/private key pair specific to the victim's computer and responds with the public key. The corresponding private key is kept on the C&C server and is never sent to the victim. Some ransomware bypasses these first two steps by including the public key in the ransomware binary itself, which is custom-built on the fly for the intended victim.

3. The ransomware enumerates all the files it needs to encrypt using a hardcoded list of data file extensions.

4. It then generates locally a set of symmetric keys to be used for encrypting the files. Symmetric keys are used for both encryption and decryption. In some cases one key per file is generated, in other cases one key per file extension, or just one key for the entire set; it depends on how paranoid the malware author is.

5. The ransomware uses the symmetric algorithm and the keys generated in the previous step to encrypt the files.

6. The symmetric keys themselves are then encrypted using the public key from step 2, and the result is stored on the victim's computer. Without the matching private key these wrapped keys cannot be recovered, which is what makes the files unrecoverable.

7. The ransom note is displayed, sometimes with an incentive to pay quickly.

Decryption

1. Once the malware operator receives payment, the private key held on the C&C server is sent to the ransomware's decryptor code.

2. This private key is used to decrypt the symmetric keys that were used to encrypt the files and stored locally in step 6.

3. The recovered symmetric keys are used to decrypt the files and restore the original data.

Earlier versions of ransomware like CryptoWall 2.0 were less sophisticated and used the public key directly to encrypt data files. CryptoWall 3.0 evolved to the process above, combining a public/private key pair with symmetric keys. Cerber uses a combination of RSA public/private keys and RC4 keys. Typically, RSA protects the per-victim or per-file keys while AES or RC4 performs the bulk file encryption, with the exact combination varying from family to family.
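To make the key flow in the steps above concrete, the following added example (not code from the white paper or from any ransomware family) runs the hybrid scheme end to end in plain Python with no third-party packages. Because the standard library has no RSA or AES, a 256-bit textbook RSA key pair stands in for RSA-2048 and a SHA-256 counter-mode keystream stands in for AES/RC4; both stand-ins are insecure (unpadded RSA, tiny modulus) and exist only to show which party holds which key at each step. Function names, file contents and key sizes are assumptions made for the example.

```python
"""Model of the hybrid key hierarchy from the Encryption/Decryption steps.
Added example; toy primitives from the standard library only."""
import hashlib
import random
import secrets

SYM_KEY_LEN = 16  # bytes of per-file symmetric key (assumption for the example)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used only to mint the toy RSA modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def c2_generate_keypair(bits=256):
    """Step 2 (operator side): per-victim RSA pair; only the public half leaves the C&C."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:      # e prime, so this is gcd(e, phi) == 1
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # (public, private)


def _stream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || block counter).  Not AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def victim_encrypt(public_key, files):
    """Steps 4-6 (victim side): fresh symmetric key per file, wrapped under the public key.

    Returns {name: (wrapped_key_int, ciphertext)}.  The victim machine never
    holds the private exponent, so nothing here can undo the wrapping."""
    n, e = public_key
    encrypted = {}
    for name, plaintext in files.items():
        sym_key = secrets.token_bytes(SYM_KEY_LEN)             # step 4
        ciphertext = _stream_xor(sym_key, plaintext)           # step 5
        wrapped = pow(int.from_bytes(sym_key, "big"), e, n)    # step 6 (unpadded: toy only)
        encrypted[name] = (wrapped, ciphertext)
    return encrypted


def decryptor(private_key, encrypted):
    """Decryption steps 1-3: the released private key unwraps each file key."""
    n, d = private_key
    recovered = {}
    for name, (wrapped, ciphertext) in encrypted.items():
        sym_key = pow(wrapped, d, n).to_bytes(SYM_KEY_LEN, "big")
        recovered[name] = _stream_xor(sym_key, ciphertext)
    return recovered


def demo():
    """Run the whole flow on constructed files and summarise the outcome."""
    files = {"budget.xlsx": b"Q3 forecast: 1,200,000", "notes.txt": b"call the bank at 9"}
    public_key, private_key = c2_generate_keypair()
    encrypted = victim_encrypt(public_key, files)
    recovered = decryptor(private_key, encrypted)
    return {
        "roundtrip_ok": recovered == files,
        "ciphertexts_differ_from_plaintext": all(encrypted[k][1] != files[k] for k in files),
        "distinct_file_keys": len({w for w, _ in encrypted.values()}) == len(files),
    }


if __name__ == "__main__":
    print(demo())
```

Note that victim_encrypt() receives only the public key; the only way decryptor() can ever run is for the operator to release the private exponent, which is exactly what the ransom payment is meant to buy. In a real family the wrapped key usually travels in each encrypted file's header or in a key file rather than in a Python dict, and RSA is used with padding rather than raw as it is here.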
Cyphort's Ability to Detect Ransomware

Detecting ransomware can be done using network-based detection or endpoint-based detection. We will focus on network-based detection and, more specifically, on how Cyphort detects these advanced threats.

Cyphort's advanced detection fabric includes multiple detection and analytics capabilities, which work together to quickly identify advanced targeted attacks like ransomware. These capabilities are summarized below.

Object Analysis Pipeline

All files analyzed by Cyphort go through a multi-stage detection pipeline within the SmartCore analytics engine, which is comprised of the following components:

 ⊲ Static AV Engine - leverages top-tier anti-virus technology with very frequent signature updates to detect known malware.

 ⊲ Reputation Engine - provides reputation-based detection, where file hashes, signers and other metadata about the file and the context around its source are compared to our threat intelligence knowledge base.

 ⊲ Behavioral Engine - performs dynamic analysis of the object's behavior in a sandbox environment and applies machine learning models to the observed behavior.

 ⊲ Emulation Engine - emulates files containing scripts as an alternative to full behavioral analysis.

 ⊲ YARA Engine - applies YARA rules to files as well as to memory dumps obtained during behavioral analysis.

Network Analysis Pipeline

Traffic visible to Cyphort also goes through a couple of steps before files are extracted for analysis:

 ⊲ Snort rules - all traffic is subjected to Snort rules from Cyphort Labs as well as third-party sources.

 ⊲ Chain Heuristics - flags suspicious traffic and submits it to a browser-based dynamic analysis environment where heuristic rules are applied to identify malicious traffic such as exploit kit redirects.
Use Cases

The detection methods for ransomware are usually tailored to the delivery mechanism. Let's review each delivery mechanism above and discuss the methods of detection Cyphort uses in each case.

Email Attachments

Cyphort can monitor email traffic using either a journaled account or a Bcc mailbox. In both cases, Cyphort extracts all email attachments and submits them to SmartCore's Object Analysis Pipeline, and extracts all links (including links inside attachments) and submits them to SmartCore's reputation engine. Cyphort integrates with Office 365 and Gmail to provide seamless remediation by blocking or quarantining malicious emails.

If ransomware is being delivered via a PDF, Office document, malicious JavaScript or executable file attached to an email, Cyphort uses all elements of the Object Analysis Pipeline to identify the threat.

Locky was a prominent example of ransomware downloaded by an email attachment. The attachment itself is either a JavaScript file inside a zip file or a Word document with a VBA macro, claiming to be an invoice or a shipment notification.

Cyphort detects the zipped JavaScript attachments as Exploit.Script.

Cyphort detects the Word documents as TROJAN_NEMUCOD.DC or TROJAN_DONOFF.DC.
If the email contains a link to the ransomware, Cyphort submits the link to SmartCore's reputation engine, which can:

 ⊲ Perform a reputation lookup of the URL or domain and assess the risk.

 ⊲ Crawl the URL and assess the risk based on the content returned.

 ⊲ Perform predictive analysis based on the past history of the site or URL to estimate how likely the site is to be malicious in the future.

Example

A phishing email purporting to be from Microsoft alerts the recipient to suspicious activity and entices them to visit their "recent activity" page.

Email SHA256: 5b18f7f958a39cc37b36f9766bfe2c12d5d28854695ba8c14f598f1070ad9cf6

The phishing email links to "http://voperforseanx[.]top/site/chrome_update.html", which leads to the download of Cerber ransomware (SHA256 5855d6b239620e53c8c60acee3d0960b84fbb75f2f9b20b2ccf721a8fc5a88a2).

Cyphort detects this threat and classifies it as a Phishing incident.
Exploit Kits

Usually, exploit kits redirect users through a series of web pages designed to assess which component of the browser is vulnerable and deliver the appropriate exploit. The final payload may be fully encrypted in transit.

Example

Source: http://www.malware-traffic-analysis.net/2017/03/20/index2.html

A user visits simply-vegan.org, a site compromised with an iframe injection by the pseudo-Darkleech campaign.

The iframe redirects the user to mobilalibey.com, which hosts the RIG landing page. The landing page JavaScript assesses the user's environment and detects a vulnerable version of Adobe Flash Player. The browser is instructed to download the matching Flash exploit, which in turn downloads the final payload, Cerber ransomware.
In this case, Cyphort detects and correlates two components of the attack: the redirection to the RIG exploit kit is detected as an IN event and the download of the Flash exploit is detected as a DL event. Both are combined into a single incident as EXPLOIT_RIGV.CY.

Figure: Detection of RIG exploit kit delivering ransomware.
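The following added example (not the vendor's detection logic) shows one way to reconstruct the chain just described from web-proxy logs and correlate its stages into a single incident: a cross-site redirect to a landing page (IN), a Flash object fetched from that landing host, and an executable payload that follows it (DL). The log format, hosts, paths and the 120-second window are constructed for the example; the second, benign client shows why a Flash object on its own, such as a legitimate Flash ad, must not raise an incident.

```python
"""Correlate the exploit-kit chain (compromised site -> landing page -> Flash
exploit -> payload) out of web-proxy log lines.  Added example; the IN/DL
labels follow the naming used in the text, the log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FLASH = {"application/x-shockwave-flash"}
PAYLOAD = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=120)   # assumed maximum gap between chain steps


def _site(host):
    """Registrable-domain approximation: last two labels.  Assumption for the
    example; production code should use a public-suffix list."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def parse_line(line):
    """Constructed format: ts client method host path referer_host content_type."""
    ts, client, method, host, path, referer, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "referer": referer, "ctype": ctype}


def correlate(lines):
    """Return one incident per (client, landing host) whose chain completed.

    IN  : an HTML page fetched from a host outside the referring page's site
    EXP : a Flash object from that same host within WINDOW of the IN event
    DL  : an executable payload from that host within WINDOW of the exploit
    Only a chain that reaches DL becomes an incident."""
    state = defaultdict(dict)          # (client, host) -> partial chain
    incidents = []
    for rec in map(parse_line, lines):
        key = (rec["client"], rec["host"])
        chain = state[key]
        if (rec["ctype"] == "text/html" and rec["referer"] != "-"
                and _site(rec["referer"]) != _site(rec["host"])):
            state[key] = {"IN": rec}   # cross-site redirect: candidate landing page
            continue
        if ("IN" in chain and rec["ctype"] in FLASH
                and rec["ts"] - chain["IN"]["ts"] <= WINDOW):
            chain["EXP"] = rec
        elif ("EXP" in chain and rec["ctype"] in PAYLOAD
                and rec["ts"] - chain["EXP"]["ts"] <= WINDOW):
            incidents.append({
                "client": rec["client"],
                "redirect_from": chain["IN"]["referer"],
                "landing_host": rec["host"],
                "events": ["IN", "DL"],
                "exploit": chain["EXP"]["path"],
                "payload": rec["path"],
            })
            del state[key]
    return incidents


# Constructed log lines.  Client 10.0.0.5 follows the full chain; client
# 10.0.0.9 merely loads a Flash banner from an ad network and nothing follows.
LOG = [
    "2017-03-20T14:02:11 10.0.0.5 GET compromised-blog.example /recipes/index.html - text/html",
    "2017-03-20T14:02:12 10.0.0.5 GET landing.example.net /?NTY3NjQ2 compromised-blog.example text/html",
    "2017-03-20T14:02:13 10.0.0.5 GET landing.example.net /?MzU0NzE5 landing.example.net application/x-shockwave-flash",
    "2017-03-20T14:02:15 10.0.0.5 GET landing.example.net /?ODQ3MTIz landing.example.net application/octet-stream",
    "2017-03-20T14:05:00 10.0.0.9 GET news.example.org /index.html - text/html",
    "2017-03-20T14:05:01 10.0.0.9 GET ads.example.com /banner.html news.example.org text/html",
    "2017-03-20T14:05:02 10.0.0.9 GET ads.example.com /banner.swf ads.example.com application/x-shockwave-flash",
]

if __name__ == "__main__":
    for incident in correlate(LOG):
        print(incident)
```

Keying the chain on the landing host mirrors the RIG case above, where landing page, exploit and payload were all served from the same host; kits that hand off to a separate payload host would need the key widened to the client alone, at the cost of more false positives.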
Direct Web Downloads

Source: http://www.malware-traffic-analysis.net/2017/05/17/index.html

In this example of direct download, the threat actors use social engineering to make a Google Chrome user believe the web site they are visiting requires a font the browser does not have. They prompt the user to download the "font" in the form of an executable font installer for Chrome. Once downloaded and launched, the ransomware springs into action.

In this case, several elements of the Object Analysis Pipeline detect the threat as RANSOM_GENASOM.DC, as shown in the accompanying figure.
Wormable Exploits

The WannaCry pandemic brought to the general public's attention the devastating effect of a worm that leverages a vulnerability to spread like wildfire and deploy ransomware. In this case, a vulnerability in the Windows file-sharing protocol SMBv1 was exploited via what is known as the EternalBlue exploit. The exploit was allegedly developed by the NSA as a cyber weapon, stolen by the Shadow Brokers group and then disclosed to the public. Even though a patch was available before the vulnerability and exploit were made public, many systems remained unpatched and therefore fell victim to the WannaCry attack.

Over the network, the WannaCrypt0r ransomware was transferred as an encrypted DLL.

Cyphort detects this attack in the Network Analysis Pipeline as EXPLOIT_ETERNALBLUE.CY.

Figure: Detection of EXPLOIT_ETERNALBLUE.CY.
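Whether SMBv1 is still spoken on the network is the first question a responder asks after reading about EternalBlue. The following added example (not the vendor's EXPLOIT_ETERNALBLUE.CY signature) parses the NetBIOS session header and the SMB header of a client's opening message and reports whether it is an SMB1 Negotiate request and which dialects it offers. The frames are constructed, not captured. One caveat worth knowing: a Windows client with SMB1 enabled opens every session with an SMB1-format Negotiate that also lists SMB 2.x dialects, so the alert means "SMB1 is enabled on this client"; whether the session actually runs over SMB1 depends on the server's reply.

```python
"""Classify the opening SMB message of a session and flag SMB1 negotiation.
Added example; header layouts follow MS-CIFS/MS-SMB2, frames are constructed."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72


def parse_nbss(frame):
    """NetBIOS session service: 1-byte type, 3-byte big-endian length, payload."""
    if len(frame) < 4:
        raise ValueError("short NBSS header")
    msg_type = frame[0]
    length = int.from_bytes(frame[1:4], "big")
    if msg_type != 0x00:                       # 0x00 = session message
        raise ValueError(f"unexpected NBSS type {msg_type:#x}")
    if len(frame) < 4 + length:
        raise ValueError("truncated NBSS payload")
    return frame[4:4 + length]


def parse_smb(payload):
    """Return version/command; for an SMB1 Negotiate also the offered dialects."""
    magic = payload[:4]
    if magic == SMB2_MAGIC:
        return {"version": "SMB2+", "command": None, "dialects": []}
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB message")
    if len(payload) < 32:                      # fixed 32-byte SMB1 header
        raise ValueError("short SMB1 header")
    command = payload[4]
    result = {"version": "SMB1", "command": command, "dialects": []}
    if command != SMB1_COM_NEGOTIATE:
        return result
    # Parameter block: WordCount (1 byte, 0 for Negotiate) then Words; data
    # block: ByteCount (2 bytes LE) then 0x02-prefixed NUL-terminated dialects.
    word_count = payload[32]
    data_off = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", payload, data_off)[0]
    data = payload[data_off + 2:data_off + 2 + byte_count]
    pos = 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("malformed dialect entry")
        end = data.index(b"\x00", pos + 1)
        result["dialects"].append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return result


def smbv1_alert(frame):
    """Alert string if the client opens with an SMB1 Negotiate, else None."""
    info = parse_smb(parse_nbss(frame))
    if info["version"] != "SMB1" or info["command"] != SMB1_COM_NEGOTIATE:
        return None
    offers_smb2 = any(d.startswith("SMB 2.") for d in info["dialects"])
    note = " (client also offers SMB2)" if offers_smb2 else " (SMB1-only client)"
    return "SMB1 negotiate offering " + ", ".join(info["dialects"]) + note


def _smb1_negotiate(dialects):
    """Build a constructed SMB1 Negotiate request framed in NBSS (test data)."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27   # 32 bytes
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    payload = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def _smb2_negotiate():
    """Constructed SMB2 header (64 bytes), enough for classification."""
    payload = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


LEGACY_CLIENT = _smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
MIXED_CLIENT = _smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
MODERN_CLIENT = _smb2_negotiate()

if __name__ == "__main__":
    for name, frame in [("legacy", LEGACY_CLIENT), ("mixed", MIXED_CLIENT), ("modern", MODERN_CLIENT)]:
        print(name, "->", smbv1_alert(frame))
```

Feeding the first message of each TCP/445 session through smbv1_alert() gives an inventory of hosts that still have SMB1 enabled, which is the population the patching and SMB1-removal advice later in this paper is aimed at.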
As ransomware attacks continue to evolve, their specific strategies, tactics and technology components will evolve as well. Cyphort Labs will continue to monitor and analyze these developments to ensure that Cyphort detection technologies are continually enhanced and optimized to help protect customers against these attacks in the future.

To protect against the threat of ransomware, we recommend the following measures:

 ⊲ Patch your systems early. Threat actors prey on the window of opportunity between the time a vendor releases a fix for a vulnerability and the time computers are patched. With automation, some cyber criminal groups have become very quick at integrating new exploits into their kits.

 ⊲ Back up your data frequently and test the backups periodically to avoid unpleasant surprises the day you need to restore.

 ⊲ Invest in staff training on the social engineering tactics used by cyber criminals, so that staff avoid opening the wrong attachment or clicking on a bad link.

 ⊲ Do not rely exclusively on prevention, which tends to lag behind new threats given the speed at which it must make an assessment. Deploy detection methods to root out any advanced threat already in your network that could be "hired" to install ransomware.

 ⊲ Provide your SOC team with a platform that correlates incidents across multiple security devices. Alert fatigue is a major reason why backdoors remain undetected for a long time.
About Cyphort

Cyphort, Inc. is a security software company providing mid- and large-size enterprise customers with innovative security analytics for advanced threat defense. The solution is built with an open architecture that integrates with existing security tools to discover and contain the advanced threats that bypass the first line of security defense in an organization. Based in Santa Clara, California, the company was founded in 2011, is privately held, and distributes its software through direct sales and channel partners across North America and international markets. Learn more at www.cyphort.com.
5451 Great America Pkwy, Suite 225, Santa Clara, CA 95054
P 1.408.841.4665 | F 1.408.540.1299 | info@cyphort.com

Cyphort, Inc. is a network security company providing mid- and large-size enterprise customers with the innovative Adaptive Detection Fabric, a scalable software solution designed to integrate with existing security tools to discover and contain the advanced threats that bypass the first line of security defense in an organization. Based in Santa Clara, California, the company was founded in 2011 and distributes its software through direct sales and channel partners across North America and international markets. Learn more at www.cyphort.com. Copyright 2017 Cyphort, Inc. All rights reserved. Part#M1024-001US