ransonware - sequestro de dados - deepguard_whitepaper - curitiba
TRANSCRIPT
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
1/13
DEEPGUARDProactive on-host protection against
new and emerging threats
Updated: 14 June 2016
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
2/13
This whitepaper explains the trends and developments in computing that have made host-basedbehavioral analysis and exploit interception necessary elements of computer security and provides anoverview of the technology and methodology used by DeepGuard, the Host-based Intrusion PreventionSystem (HIPS) of F-Secures security products. DeepGuard offers dynamic proactive behavioral analysistechnology that efficiently identifies and intercepts malicious behavior. When used in tandem with other
components of a multi-layered security approach, DeepGuard provides lightweight and comprehensiveendpoint protection with minimal impact to the user experience.
Key Featuresy Updateable scanning engine uses the latest
detections to protect against emerging threats.
y Continued application monitoringprotects against delayed malicious actions.
y Exploit interception module recognizes andblocks exploit attempts, including document-based attacks.
Benefitsy Provides immediate on-host protection against
known and zero-day threats.
y Intercepts exploit attacks against programsinstalled on the machine.
y Recognizes and blocks suspicious activity.
y Reduces potential loss of sensitive data orprivacy due to malware infection.
CONTENTS
The case for proactive behavioral analysis . . . . 2
Multi-layered protection . . . . . . . . . . . . . . . . . . 4
More about DeepGuard. . . . . . . . . . . . . . . . . . . . 5
How DeepGuard works . . . . . . . . . . . . . . . . . . . . 6Exploit interception . . . . . . . . . . . . . . . . . . . . . . . 8
False positive prevention. . . . . . . . . . . . . . . . . . 10
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
SUMMARY
DEEPGUARD
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
3/13
3Proactive on-host protection against new and emerging threats DEEPGUARD
THE CASE FOR PROACTIVE BEHAVIORAL ANALYSIS
One of the most demanding challenges security programs have had to address in the last few years has been theincreasing diversification of attack vectors through which malware can arrive onto a host machine, especially as more
applications, networks and services become hosted on or accessible over the Internet. This has been of particularconcern with the growing popularity of online-based attacks that exploit vulnerabilities in applications installed on amachine in order to run malicious code.
Some of the difficulties involved in dealing with modern attacks stem from major changes in the threat landscape thathave taken place in the last ten years or so, including:
Exponential growth in malware
Since the mid-2000s, when malware creation kits thatautomated the process of producing malicious programsfirst became widely available, the numbers of malware
samples seen by antivirus labs have grown exponentially,with hundreds of thousands of new or variant strainsbeing created and propagated every month. In additionto the overwhelming numbers, many of these variantsare designed to live only for a short time, sometimesonly days or hours, in a deliberate attempt to overwhelmantivirus programs by sheer volume.
Attacks move online
The days when malware was most commonly distributedvia e-mail attachments are long gone. Today, the most
common attack vector is through a silent drive-bydownload during a visit to a compromised legitimate siteor a malicious website that hijacks traffic from searchengines or compromised sites.
By moving distribution from direct delivery to thetarget machines to the nebulous online world, malwaredistributors and attackers not only increase their targetaudience but also make it much harder to preventinfections. Without a mechanism to identify the attack siteand prevent users from visiting it, the users machine canbe successfully exploited without any overt sign that anattack has occurred.
Malware becomes a cyber crime tool
The consequences of an infection have also changed asorganized criminals increasingly engage in cyber crime.Data and identity theft and monetary fraud are all criminal
activities that have in recent years been facilitated bymalware, in some cases in staggering amounts.
For example, the United States Federal Bureau ofInvestigation (FBI) reported in June 2015 that the lossesincurred by victims affected by a single ransomware[1]family had totalled over USD18 million[2]. With mostreal-world authorities lacking the resources or politicalwill to prosecute cyber crimes, there is strong monetaryincentive for cyber criminals to continue and improvetheir online activities.
Popular software is heavily targeted
Although almost any software can contain vulnerabilities,of particular interest to cyber criminals and otherattackers are vulnerabilities in popular applications, suchas Adobe Flash Player, Microsoft Office and web browsers.These programs typically have millions of users, makingthem prime targets for attack. Many of these applicationshave multiple known vulnerabilities, and though mostare fixed by security patches released from the vendors,the time needed to develop and deploy these fixes to allaffected machines still leaves an interval in which the users
are vulnerable.
DISCLAIMERS
y The purpose of this document is to help customers better understand how F-Secure products function, and thebenefits F-Secure DeepGuard provides. This document is not designed to be a legally binding agreement thatdefines the content of products and services provided by F-Secure Corporation.
y F-Secure DeepGuard, as with any of our other products and services, is a constantly evolving set of software,
systems and processes. This document may become partly inaccurate as this evolution takes place. F-SecureCorporation will update this document every time major changes are made to our products,systems orprocesses. The latest version will always be available on F-Secures website.
y Any metrics or diagrams presented in this document are valid at the time of publication. Metrics or diagramsmay change over time. Presented metrics should therefore be interpreted as approximate figures.
3
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
4/13
4 DEEPGUARDProactive on-host protection against new and emerging threats
MALWARE IS CONSTANTLY EVOLVING,
WITH NEW TRICKS AND FEATURES. BUT ONE THINGREMAINS CONSTANT MALWARE WILL ALWAYSEXHIBIT MALICIOUS BEHAVIOR.
Additionally, new or zero-day vulnerabilities areperiodically found for which no patches are yet available,leaving the users wide open for exploitation.
Exploit kits make attacking easierThe advent of commercial-grade exploit kits such asAngler, Neutrino or Magnitude, which automate theprocess of scanning and exploiting a users machine withinseconds of a visit to an attack website, have significantlylowered the level of technical expertise needed for cybercriminals to successfully infect new victims with malware.
Exploit kits have transformed vulnerability exploitationfrom a niche activity into a common attack vector. Theyhave also become one of the most popular ways formalware distributors to spread their wares. For example,
in April 2016, F-Secure Labs observed the followingmalware - a mix of ransomware and trojans - beingdistributed by notable exploit kits:
The popularity of such exploit-based methods forspreading threats has in turn led to a need for on-hostsecurity solutions that are able to identify and blockattempts to exploit vulnerabilities in installed programs.
Targeted attacks make detection harder
More focused targeted attacks can involve more obscureexploits and delivery mechanisms. These attacks typicallyuse document or executable files carefully crafted to fitthe profile of the intended victim, taking into accounttheir topics of interest, preferred operating system andany security programs they may be using.
Identifying clean programs becomes morecritical
The number of clean or non-malicious applicationsglobally available today runs into the millions, far morethan the normal user is likely to be familiar with at any onetime. The abundance of programs, their easy accessibilityover the Internet and the need to stay abreast of constantprogram updates all makes it cumbersome for securitysolutions to depend solely on local user-driven white- andblack- listing to provide adequate protection.
The majority of programs seen on a typical machine areclean, so correctly identifying non-malicious softwareis a significant step towards pinpointing truly harmfulprograms for further attention. Eliminating false positiveson clean files is also critical in optimizing a securityprograms performance and of course, minimizinginterference with the users experience.
Mika StahlbergChief Technology Officer,F-Secure Security Research& Technologies
Given the various challenges presented by todays more complex computing realities and more fluid threat landscape,file scanning engines are now just one layer of a multi-tiered approach to endpoint security. Cloud-based file and webreputation checking, behavioral analysis and a Host-based Intrusion Prevention System (HIPS) have all become integralcomponents of the modern proactive protection system.
EXPLOIT KITS
Angler Nuclear Magnitude Neutrino
TeslaCrypt
Locky Cryptowall
Cerber
BedepDNA LockerGootkit
Ursnif
TeslaCrypt Cerber GootkitCryptXXX
CryptXXXMobef
PAYLOADS OF NOTABLE EXPLOIT KITS IN APRIL 2016
PAYL
OADS
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
5/13
5Proactive on-host protection against new and emerging threats DEEPGUARD
DEEPGUARD
BROWSING PROTECTION
FILE SCANNING ENGINES
FILE REPUTATION ANALYSIS
BEHAVIORAL ANALYSIS
EXPLOIT INTERCEPTION
F-SECURES MULTI-LAYERED
APPROACH TO SECURITY
DeepGuard 1.0 introducesbehavioral analysis tocomplement existing file
scanning technology. Programs thatshow no features or behavior matchingknown malware are allowed to
execute as normal; those with tell-talecharacteristics or malicious routines areblocked from execution
Heuristic analysistechnology introduced
MULTILAYERED PROTECTION
F-Secures multi-layered approach to security iscomprised of the following modules, each designed to
address a particular aspect of the threat landscape andwork together to provide a complete solution:
As mentioned before, most attacks and malwaredownloads today take place online. Ideally, protectionshould begin even before the machine environment isreached, by preventing exposure to possible infectionpoints - and so, enter Browsing protection.
To prevent usersfrom inadvertentlyvisiting compromised
legitimate or outrightlymalicious sites,Browsing protectionprovides criticalassessment of awebsites security.If the site is knownto be malicious, orcontains features thatrender it suspect,the user is cautionedagainst entering it. Todeal efficiently with
the millions of sites available on the Internet and theirconstantly fluctuating changes in security, Browsingprotections functionality is based on lookup queries toF-Secures Security Cloud (see page 6), which includes adatabase of known safe and malicious files and websites.The entries are updated automatically in real-time basedon rules maintained by F-Secure Labs analysts.
Though Browsing protection is able to prevent most visitsto known malicious sites, its always possible to stumbleonto an unrated or newly compromised or malicious site,or for malware to be introduced onto the host machine
some other way, perhaps on removable media. If a suspectfile does successfully arrive on the machine, it is then
subjected to multiple layers of security checks.
Whenever a file arrives on a machine, is installed ormodified, it is first scanned using a file scanning engineto determine if it is a known threat. File scanning enginesuse custom, family, generic and heuristic detections,which respectively identify specific malware, familiesof malware with similar features, and broad ranges ofmalicious physical features and behavior patterns. If the
files characteristics matchthose of previously seenmalware, it is blocked.
Though often overlookedin favor of moresophisticated technology,file scanning engines arestill an effective method ofidentifying and blockingthe vast majority ofmalware seen to date,protecting users againstlingering threats such asDownadup[3] or Sality[4],which debuted and
peaked years ago but are still present in the wild, wherethey continue to infect new victims.
If the file isnt identified as a known threat, a query is sentto F-Secures cloud infrastructure to gather the latestmetadata available for the file. Analysis is subsequentlyhandled by DeepGuard, which collectively handlesall the behavioral analysis, process monitoring andexploit interception of suspect files, both at the point ofapplication launch and during execution.
THE ROAD TO DEEPGUARD
In addition to file scanning,DeepGuard 2.0 queries theSecurity Cloud for an almost
instantaneous check of a suspect filesreputation. F-Secure Labs analystsconstantly monitor and update the filereputation database, providing crucialhuman intelligence to the automatedprocess.
DeepGuard 3.0 includes acomponent that uses a filesmetadata - e.g., the files
rarity, when it was first seen, relatedobjects, and more - to gauge its threatpotential. This feature allows malware
to be identified using reputation-based factors such as whether thefile was downloaded from a knownmalicious site, without needing furtherexamination of its features or behavior
First AV product to incorporatecloud lookups
File metadata used inDeepGuard detection logic
2006 2008 2010
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
6/13
6 DEEPGUARDProactive on-host protection against new and emerging threats
DeepGuard 4.0 revises the file scanningengine to use updateable detections
and beta detections for falsealarms reduction.It also improves the prevalence
logic used to identify files that areboth rare and malicious, a featurethat proves decisive in winning both
AV-Comparatives 2011Product of the
Yearaward and AV-Tests 2012 BestProtection Award [5]
Malware infections facilitated by exploitstargeting vulnerabilities in common
applications have become afavored attack vector. DeepGuard5.0 introduces enhanced
behavior-based detection logic, includinga module that monitors the runtimebehavior of commonly targeted programsand potential attack files. This broadbehavioral analysis approach allowsDeepGuard to identify and interceptexploit-based attacks, regardless of thespecific vulnerability targeted
With the introduction of DeepGuard6.0, behavioral detections are further
streamlined via algorithmoptimizations and by utilizingmodern operating system
features. On-the-fly behavioral analysisis performed more accurately and withlower system impact.
MORE ABOUT DEEPGUARD
Given the short-lived nature of most malware variants,the detections created for file scanning approaches tendto lose effectiveness rather quickly. In contrast, behavioraldetections can effectively identify malware over a muchlonger time period, as malware behavior is much lessmutable.
DeepGuard observes an applications behavior andprevents any potentially harmful action from successfully
completing. The apparently simple nature of this taskbelies its importance however, as this proactive, on-the-fly monitoring and interception serves as the final andmost critical line of defense against new threats, eventhose targeting previously unknown vulnerabilities.
Behavior-based analysis addresses the Achilles heelof file scanning approaches: the need for analysts tohave an actual sample of the malware in order to createthe signature to identify it. Given the huge numbersof malware constantly being created and distributed,new samples must be acquired and analyzed prior todetections being created.
Prevalence logic increaseseffectiveness against rare files
Enhanced protection againstexploit-based attacks
Performance andprecision improvements
Behavior-based detections cover that crucial gapbetween the first appearance of new malware and adetection being issued for the threat. By moving thefocus from structural to functional characteristics of asample, DeepGuard can identify and block programsperforming harmful actions, even before an actualsample has been acquired and examined. For example,in April 2016, DeepGuard detected and blocked files thatattempted to encrypt stored files. Subsequently, signaturedatabases were updated to flag these files (chart above)as Locky ransomware, but for users facing new threats,DeepGuards proactive analysis provided immediateprotection against infection.
In 2011, an entirely rewritten DeepGuard engine wasintroduced that included (among numerous otherimprovements) a switch from using hard-coded scanninglogic to an updateable detections database. F-SecureLabs analysts constantly monitor the threat landscapeand analyze the latest threats to determine the best wayto identify malicious behavior. Being able to update theengine with the results of this research keeps DeepGuard
consistently effective against the latest threats.
0
10
20
30
40
50
DEEPGUARD VS FILE SCANNING
Detecting Locky ransomware in April 2016
DeepGuardFile scanning
DETECTION
COUNT
DAYS, April 2016
2011 2013 2016
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
7/13
7Proactive on-host protection against new and emerging threats DEEPGUARD
Also in 2011, DeepGuard was updated to use prevalencerate checks in its detection logic [6]. This feature was
a logical corollary of the fact that legitimate softwareare usually found installed by a large percentage of ourcustomer base - that is, they are highly prevalent. Thesefiles also change relatively infrequently, making themeasy to whitelist and track in a clean file database. Incontrast, files that have low prevalence quite often turnout to be malware. According to statistics generated fromF-Secures internal systems monitoring known threats,in a random sample of malicious programs found in thefirst four months of 2013, 99.7% of the threats were rarelyseen in our user base. DeepGuards prevalence rate checkhelps filter out known clean files from suspicious unknown
ones, improving both performance and accuracy.
DeepGuards updateable detection logic is especiallyuseful in countering attacks that exploit vulnerabilitiesin installed programs in order to run malware on amachine. In such cases, the dropped malware itself canbe spotted and blocked by file scanning engines. To haltthe attack at an even earlier stage however - that is, atthe point of exploitation - F-Secure Labs analysts examinethe exploit mechanism for tell-tale actions or behaviorpatterns, and then incorporate the research results intoDeepGuards scanning engine. It is then able to pinpointand block suspicious actions that bear the hallmarks of avulnerability exploit attempt, preventing malware frombeing dropped on the machine at all.
By taking into account characteristic exploitationmechanisms as well as the features and behavior ofmalware being dropped on the system, DeepGuard caneffectively identify and block threats on the fly, evenwhen faced with totally new malware targeting zero-dayvulnerabilities.
HOW DEEPGUARD WORKS
DeepGuards behavioral analysis is activated by twoevents. When a program is launched for the first time,
DeepGuard analyses it to determine if it is safe to run.Subsequently, DeepGuard continues to monitor theprogram while running.
1. Pre-launch analysis
When a program is first executed, regardless of howit is launched (the user clicks the file icon, an e-mailattachment or program initiates it, etc.), DeepGuardtemporarily delays it from executing in order to performthe following checks:
1.1 File reputation checkIf an Internet connection is available, DeepGuard sendsa query to the Security Cloud (below) to check for thelatest information on the programs reputation in theclean file database, which contains the latest securityevaluations for a vast catalog of commonly usedapplications. This database is maintained and constantlyupdated by F-Secure Labs analysts. Programs that havebeen rated as clean in the database are allowed to bypassadditional checks and launch immediately, whereasknown malicious files are blocked at once.
For the user, the clean file cloud lookup functionalityoffers a number of advantages. Being able to use thesecurity verdict for a known file from the clean filedatabase not only removes the burden of identifyingunknown or unfamiliar programs as legitimate ormalicious from the user, it also means unnecessarysecurity checks on clean files can be avoided. At thesame time, by reducing to a manageable level the volumeof software that needs to be individually evaluated, theability to still white- or black-list selected programsbecomes more meaningful.
Security CloudIn operation since 2008, the Security Cloud (formerly known as the Real-Time Protection Network) is F-Secures cloudnetwork, housing the various databases and automated analysis systems that support and enhance the performanceof F-Secure security products installed on client machines. The infrastructure for this network is hosted on servers inmultiple data centers around the world.
Client machines that connect to the Security Cloud are able to retrieve the most up-to-date details of threats seen in thewild by other protected machines, making response far more efficient and effective. When a new object, such as a fileor URL, is encountered on one client, the product communicates with the Security Cloud using the strongly encryptedObject Reputation Service Protocol (ORSP) to query for the objects reputation details. Anonymous metadata about theobject, such as file size and anonymized path, are sent to the Security Cloud. These queries are completely anonymous
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
8/13
8 DEEPGUARDProactive on-host protection against new and emerging threats
1.2 Prevalence rate check
DeepGuard includes a module that focuses ona files prevalence rate. Clean files typically havethousands or millions of users, making themhighly prevalent. In contrast, malware samples arecomparatively rare.
Rare or new files are automatically consideredmore suspect and subjected to greater scrutinyduring the subsequent process monitoring stage.
Judgement on execution
Based on the files reputation and behavior duringemulation, DeepGuard makes one offour possible judgements:
A. The file is malicious and blocked
B. The user is given the option to allow or denythe launch
C. The file is clean and allowed to execute
D. The files status as clean or malicious is stillunknown
If the file is blocked from launching, a notification
message is displayed (right) providing additionaldetails and an option to whitelist the program, if sodesired.
If the status of the file is still unknown, DeepGuardallows the file to execute but continues to monitorit during the subsequent process monitoringstage.
IMAGE: DEEPGUARD BLOCKS A HARMFUL APPLICATION
and the IP address is not stored, maintaining the clients privacy.
By evaluating the metadata sent, together with information drawn from the in-house databases and various othersources, the Security Clouds automated analysis systems (which make up to 8 million decisions per day) can providea fully-informed, up-to-date risk assessment for the object during DeepGuards pre-launch security evaluation stage,immediately blocking a threat that has been previously seen by any other machine connected to the Security Cloud. Thisalso removes the need to perform further analysis of the object on the client, reducing impact on the users experience.
The Security Cloud also allows F-Secure Labs analysts to provide critical human intelligence and judgment to complementthe automated systems and on-host scanning technology. In addition to creating and maintaining the rules that underpinthe databases and automated analysis systems, analysts actively monitor the threat landscape and research malwarecharacteristics and behavior patterns to find the most effective ways to identify truly malicious programs. Once a threathas been confirmed (or a known files reputation is modified), the updated details take 60 seconds to replicate across allproducts connected to the Security Cloud, ensuring up-to-date protection.
2. During application execution
Even after a program has successfully passed pre-launchanalysis and is executed, DeepGuard continues to monitorits behavior as a precaution against delayed maliciousroutines, a common tactic used by malware to circumventruntime checks. This form of quiet vigilance also allowsDeepGuard to provide constant protection for the userwithout visibly intruding on their experience by displayingexcessive prompts.
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
9/13
9Proactive on-host protection against new and emerging threats DEEPGUARD
2. Monitoring for document exploits
Some document types, such as Microsoft Word or AdobePDF, are commonly used to deliver exploits. Thus, any
software used to open these types of documents isalso subject to greater attention by the second exploitinterception method, which scrutinizes these programsclosely for suspicious behavior caused by maliciousdocument files.
This exploit interception module addresses the mostcommon form of targeted attack, which involvessending carefully crafted, exploit-loaded documents tothe intended victim or organization. This was the typeof attack carried out by the threat actors behind suchcampaigns as the 2013 Red October campaign[7]and the
2014 attacks against Ukrainian targets reported in ourBlackEnergy & Quedagh whitepaper [8].
This type of attack is particularly effective if the exploitsused target a zero-day vulnerability. In a more recentexample, in 2015 the cyber espionage group knownvariously as Sofacy, Pawn Storm or APT28 used exploitstargeting zero-day flaws in Microsoft Office (CVE-2015-2424) and Java (CVE-2015-2590) in order to install adropper on the affected machine [9].
In all these cases, booby-trapped document files wereused to exploit either known or new vulnerabilities in
installed programs. By focusing on detecting maliciousactions originating from document files however,Deepguards exploit interception module is ableto provide significant breadth of coverage againstdocument-based exploits, regardless of the files physicalfeatures or the specific vulnerability being targeted.
2.1 Process monitoring
Applications are monitored for a number of suspiciousactions, including (but not limited to):
y Modifying the Windows registry
y Editing files in certain critical system directories
y Injecting code in another processs space
y Attempting to hide processes or replicatethemselves
As legitimate programs will also perform such actionsfrom time to time, DeepGuard does not red-flag aprogram on the basis of a single action but insteadwatches for multiple suspicious operations. Once a criticalthreshold of suspect actions is reached, DeepGuard will
block the process from continuing.
If available, file reputation and prevalence ratinginformation from the Security Cloud is taken intoaccount to determine this critical threshold. For example,DeepGuard treats files with a low-prevalence ratingmore aggressively by lowering the critical threshold ofsuspicious actions that can be performed before the file isblocked.
EXPLOIT INTERCEPTION
Starting in 2013, DeepGuard also employs two exploitinterception methods that extend the dynamic protectionof on-host behavioral analysis by focusing specifically onmonitoring the processes of programs that are commonlytargeted for exploitation and on document file typescommonly used to deliver exploits.
1. Monitoring exploit-prone programs
The first method focuses on frequently exploitedprograms such as Adobe Flash Player, Microsoft Office,web browsers and so on. These programs are kept under
especially close watch and are blocked more aggressivelyif malicious behavior is detected.
Of course, which programs become favored targetsis unlikely to stay fixed. For example, it was only in thelast couple years that Adobes Flash Player supersededOracles Java Runtime Environment (JRE) as the mosttargeted software; in the future, another program mayassume that unenviable distinction. The specific programschosen by DeepGuard for closer attention can be updatedby F-Secure Labs analysts when necessary, a responsiveapproach that allows DeepGuard to adapt to changes inthe threat landscape.
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
10/13
10 DEEPGUARDProactive on-host protection against new and emerging threats
CASE STUDY
detecting crypto-ransomware
Ransomwareis a type of malicious program that usesdeceptive and alarming messages to extort money from avictim. Crypto-ransomwareis a type of ransomware that
encrypts files stored on the users computer or mobiledevice, essentially taking them hostage. A ransom demand(right) is then shown to the user demanding payment for adecryption key that can be used to restore the affected files.Because the encryption used to scramble the files is usuallyextremely difficult to break, crypto-ransomware infectionscan be severely disruptive, especially if they successfully infectcomputers in major corporations or organizations such ashospitals [10].
Like any other malware however, crypto-ransomware exhibitscharacteristic behavior that betrays its nature, making it
possible for DeepGuard to spot and intercept the threat.
Detecting crypto-ransomware behavior
We can best see DeepGuard in action against crypto-ransomware by looking at the telemetry data reported bymachines with installed F-Secure products (also known
as clients). In the charts above, we track the count ofdetections reported by clients in April 2016 for the Cerberand TeslaCryptcrypto-ransomware families. The countof detections are divided between those reported by theDeepGuard component in the clients, and those from thefile scanning engines.
The charts demonstrate DeepGuards effectiveness inidentifying and blocking the malware, in many cases beingthe first component to do so. This is best seen in the chartfor TeslaCrypt, where DeepGuard was clearly responsiblefor the majority of the detections reported. Especially for
new variants of these ransomware families, DeepGuardwas the last and best line of defense preventing themfrom infecting the machines.
While DeepGuard kept the clients directly protected,the other elements of F-Secures multi-layered securityapproach were active in other ways. The first clients
that encountered the ransomware shared their detailsto the Security Cloud, giving all other connected clientsadvance warning and effectively immunizing themagainst a threat they had not yet encountered. It alsoallowed F-Secure Labs analysts to update the file scanningengines. As they started detecting the malware beforeDeepGuard could be triggered, detection counts for theengines increased while those for DeepGuard declined, asexpected.
This data from real-world clients illustrates howDeepGuards on-host behavioral analysis effectively
counters even severe threats such as crypto-ransomware.In addition, by using DeepGuard in tandem with the othercomponents in a multi-layered security strategy, F-Secureproducts can share critical details so that all clients areprotected against even the latest threats.
IMAGE: RANSOM DEMANDS MADE BY CERBER& TESLACRYPT CRYPTORANSOMWARE
0
10
20
30
40
50
60
0
10
20
30
40
50
DAYS, April 2016
DETE
CTIONCOUNT
CERBER TESLACRYPT
DETECTION COUNT REPORTED BY CLIENTS FOR CERBER & TESLACRYPTCRYPTORANSOMWARE, APRIL 2016
DeepGuard
File scanning
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
11/13
11Proactive on-host protection against new and emerging threats DEEPGUARD
CONCLUSION
F-Secures security products use a multi-tiered approachcomprised of multiple components that address
challenges presented by threats seen in the real world.The behavioral analysis and process monitoring functionsperformed by DeepGuard are critical in identifying andblocking the most sophisticated malware prevalent today.
DeepGuard provides immediate, proactive on-hostprotection against new and emerging threats by focusingon malicious application behavior, rather than throughstatic identification of specific known threats. This shiftin focus allows DeepGuard to identify and block evenpreviously unseen malware based on their behavior alone,neatly providing protection until security researchers
are able to analyze and issue a detection for that specificthreat.
Through lookups to F-Secures Security Cloud, DeepGuardis also able to use the latest file reputation informationavailable for any previously encountered object to fine-tune its security evaluations, reducing the risk of falsepositives or redundant analyses that can interfere with theusers experience.
DeepGuards on-host behavioral analysis also extends tointercepting attacks attempting to exploit vulnerabilitiesin popular programs in order to install malware ontothe machine. DeepGuard is able to identify and blockroutines characteristic of an exploit attempt, preventingexploitation and in turn, infection. Exploit interceptionsafeguards users from harm even when vulnerableprograms are present on their machine.
DeepGuard combines sophisticated scanning enginetechnology with the technical expertise of F-SecureLabs analysts to perform accurate, fine-grained on-hostbehavior- and reputation-based analysis that ultimatelysignificantly improves the users security.
FALSE POSITIVE PREVENTION
A separate beta detections module that was addedto DeepGuard in 2011 facilitated an understated but
important improvement to the accuracy of the scanningengines performance.
Beta detections contain the full detection logic neededto identify and block exploit attempts, but are insteadconfigured by F-Secure Labs analysts to simply notify theSecurity Cloud each time the detection would have beentriggered by a file being analyzed.
This beta-testing process provides F-Secure Labs analystswith crucial information on the effectiveness of thesedetections, allowing them to fine-tune the logic to
prevent potential false positives before actually releasingthem for real-world use.
References
1. F-Secure Labs: Article: Crypto-ransomware;https://www.f-secure.com/en/web/labs_global/crypto-ransomware
2. Federal Bureau of Investigation; Public Service Announcement: Criminals Continue to Defraud and Extort Funds from VictimsUsing CryptoWall Ransomware Schemes; published Jun 23 2015;http://www.ic3.gov/media/2015/150623.aspx
3. F-Secure Labs Threat Description: Worm:W32/Downadup;https://www.f-secure.com/v-descs/worm_w32_downadup.shtml
4. F-Secure Labs Threat Description: Virus:W32/Sality;https://www.f-secure.com/v-descs/virus_w32_sality.shtml
5. AV-TEST; AV-Test Award 2012; published 28 Jan 2013;http://www.av-test.org/en/test-procedures/award/2012/
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
12/13
12 DEEPGUARDProactive on-host protection against new and emerging threats
Availability
DeepGuard is an integral component of various F-Securesecurity products, including SAFE, Client Security, Internet
Security and Protection Service for Business (PSB).
In these products, DeepGuard is activated with defaultsettings, but can also be turned off separately.
6. F-Secure Weblog; Whats The Deal With Prevalence; published 8 Jun 2016;https://labsblog.f-secure.com/2016/06/08/whats-the-deal-with-prevalence/
7. F-Secure Weblog; Every Month is Red October; published 15 Jan 2013;http://www.f-secure.com/weblog/archives/00002486.html
8. F-Secure Weblog; BlackEnergy 3: An Intermediate Persistent Threat; published 25 Sep 2014;https://www.f-secure.com/weblog/archives/00002747.html
9. F-Secure Weblog; Sofacy Recycles Carberp and Metasploit Code; published 8 Sep 2015;https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/
10. Arstechnica; Sean Gallagher; Hospital pays $17k for ransomware crypto key; published 18 Feb 2016;http://arstechnica.com/security/2016/02/hospital-pays-17k-for-ransomware-crypto-key/
-
7/25/2019 Ransonware - Sequestro de Dados - Deepguard_whitepaper - Curitiba
13/13