Research

Ransomware and the "Dark Web"

By OpenDNS Security Research
Posted on March 9, 2016
Updated on October 15, 2020


The Back Story
From infected hospitals to the use of new platforms, we have seen a recent uptick in media coverage of ransomware attacks. By now we assume most of you are familiar with ransomware, but if you need a refresher, we have published a primer in the past.
At OpenDNS and Cisco we have published numerous blogs, papers, and webcasts on the subject. We’ve also presented on ransomware since early 2012 — most recently on the emergence of Ransomware as a Service. If you want a refresh on some of our content, here are links to our most read materials:
Easy, Cheap and Costly: Ransomware is Growing Exponentially
Tracking the Footprints of Ransomware
Cryptolocker
Bedep Lurking in Angler’s Shadows
Sophistication Increases
With ransomware attacks, we have seen a plethora of techniques that range from infecting users through email lures to piggybacking on exploits and other infections such as Angler. Equally sophisticated, attackers have built resilient infrastructures for their platforms. We have seen several techniques over the years, including the use of Domain Generation Algorithms (DGAs), infecting legitimate web properties, and using a variety of TLDs, ccTLDs, and gTLDs.
With the most recent Apple OS X version of ransomware, the attackers infected the Transmission client software with their own code to avoid detection and gain installs. Although this attack was not widespread, for a variety of reasons, it does highlight the rise in sophistication.
The Dark Web
As mentioned above, in this particular version the attackers infected a client that utilized the Tor network for routing its users. While the Tor network is a powerful tool that lets law-abiding users avoid eavesdropping and possible surveillance, unfortunately it is also sometimes abused by criminal enterprises, such as ransomware operators, to avoid detection. In this case the IP address we outlined in our video is the IP of a Tor proxy. It’s important to note that this is *not* the location of the hosting service but a location that acts as a gateway to the information. The IP addresses that the domains resolve to are simply proxies that take you to the ultimate destination.
After some investigation of the indicators from a recent Palo Alto Networks article on a piece of malware named “KeRanger,” we noticed the attackers are using the Tor network. What we found particularly interesting is what lurked on the same infrastructure that the attackers were using to host their data.
Among other items on the same network, as Palo Alto’s blog outlined, we discovered: Ransomware as a Service (RaaS) sites, instructions for end-users on how to pay for decryption, credit card and other credentials for sale, online black hat carding forums, hacker training content, and illegal drugs for sale. We have included some screenshots of these sites below along with some screenshots of the Tor proxy pages:
[Screenshots of the dark web sites and the Tor proxy pages, captured March 7 and March 9, 2016]
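As an added example (not code from the original post or from OpenDNS), the following Python screens recursive DNS query logs for the two infrastructure patterns discussed above: DGA-style domain names and Tor addresses relayed through clearnet Tor proxy gateways, whose names carry the onion address as a label in front of the gateway's own domain. The log format, the client addresses, the gateway domain and the DGA thresholds are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the original post), one query per line:
# "<timestamp> <client_ip> <queried_name>". "example-gateway.test" is a placeholder
# standing in for a real Tor-to-web proxy domain.
SAMPLE_LOG = """\
2016-03-07T14:07:31Z 10.0.0.12 www.example.com
2016-03-07T14:08:02Z 10.0.0.12 lclbgg46rmgimjfa.onion.example-gateway.test
2016-03-07T14:09:15Z 10.0.0.31 xk3j9qzv7tb2wplmnd8r.com
2016-03-07T14:10:44Z 10.0.0.31 mail.example.org
"""

# Onion addresses are base32 labels: 16 chars (v2, current in 2016) or 56 chars (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
# DGA thresholds are assumptions for this example; tune them against your own baseline.
DGA_MIN_LEN = 12
DGA_MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_name(name: str):
    """Verdict for one queried name, or None if nothing stands out."""
    labels = name.lower().rstrip(".").split(".")
    # A Tor address reaching a public resolver is either a leaked .onion lookup or a
    # name relayed through a clearnet Tor proxy ("<onion>.onion.<gateway>").
    for i in range(1, len(labels)):
        if labels[i] == "onion" and ONION_LABEL.match(labels[i - 1]):
            return "tor-gateway" if i < len(labels) - 1 else "onion-leak"
    # DGA heuristic: a long, high-entropy registrable label (naively labels[-2]).
    if len(labels) >= 2:
        sld = labels[-2]
        if len(sld) >= DGA_MIN_LEN and shannon_entropy(sld) >= DGA_MIN_ENTROPY:
            return "dga-like"
    return None


def scan_log(log_text: str) -> list:
    """Return (client_ip, name, verdict) for every query worth an analyst's look."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            verdict = classify_name(parts[2])
            if verdict:
                hits.append((parts[1], parts[2], verdict))
    return hits
```

A flagged name is a pivot point, not a verdict: enrich it with passive DNS and resolution history before blocking, since legitimate sites with random-looking labels will also trip the entropy check.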

Protecting your Enterprise: Effectively Simple
Throughout the years OpenDNS has done an amazing job of protecting customers from the various versions of ransomware by detecting the infrastructure that the attacks use to connect, control, and transfer the keys that invoke the encryption. Arguably the simplest and most effective way to prevent your files from being encrypted is to configure your recursive DNS to use our infrastructure. Additionally, our Investigate product allows you to pivot through the infrastructure to validate the context of an Indicator of Compromise (IOC).
Below is a quick screen share video of our Investigate product looking at the most recent version of KeRanger.

Protecting against Encryption
The most sophisticated criminals are continually testing new infection methods and evasion techniques. One example of this is the use of encryption on the network. In this particular case the addition of an endpoint layer is critical in defense. In the above example, if the encryption was invoked, then Cisco’s AMP for Endpoints product works as a great additional layer of visibility, retrospection, and enforcement for ransomware. For the particular case of OS X, AMP had endpoint protection for customers, as evidenced by this screenshot:
[Screenshot of AMP for Endpoints detecting the OS X ransomware, captured March 8, 2016]
Moving Forward
With the advent of Ransomware as a Service it is likely we will see more groups involved in this technique of extorting money from companies, and a rise in the sophistication of their infection vectors, infrastructure, and business models. Items such as trickling or selective encryption, data awareness, and target awareness are all likely to surface. With that, no company should be without a strategy to prevent, detect, and respond to these attacks: they come from sophisticated and well-resourced adversaries, and they have a direct impact on running your business.
