Anti-Malware and Anti-phishing

APWG and M3AAWG Survey Finds ICANN WHOIS Changes Impede Cyber Investigations

The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) have collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s Temporary Specification for gTLD Registration Data has affected their access to and use of domain name registration information and their ability to mitigate abuse. I served as Principal Investigator for APWG and M3AAWG for this project. I received strong subject matter expertise support from both working groups.
From our analysis of 327 survey responses we find that the changes to WHOIS access following ICANN’s implementation of the Temp Spec are significantly impeding cyber applications and forensic investigations and allowing more harm to victims.
The "Temp Spec" has introduced delays into investigations, and the reduced utility of public WHOIS data is a dire problem. The loss of timely and repeatable access to complete WHOIS data is impeding investigations of all kinds, from cybercrime activities such as phishing and ransomware, to the distribution of fake news and subversive political influence campaigns.
The report contains a detailed analysis of the sets of questions asked of a targeted audience of cyber security practitioners, anti-abuse service providers and law enforcement officers, who were contacted primarily through APWG and M3AAWG mailing lists, augmented with trust collaboration mailing lists used by operational security and law enforcement to share threat intelligence data. The analyses are complemented with comments submitted by survey respondents. Many of these are quite insightful.
From the analyses, the APWG and M3AAWG make the following findings:
  1. Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  2. The mitigation or triage of cyber incidents cannot be accomplished in a timely manner.
  3. WHOIS has become an unreliable or less meaningful source of threat intelligence.
  4. Requests to access non-public WHOIS by legitimate investigators for legitimate purposes are routinely refused.
  5. Those who protect Internet resources are also making more coarse blocking or mitigation decisions in the absence of what was formerly reliable data.
  6. The utility of WHOIS has been severely damaged.
  7. The redaction of WHOIS data is excessive.

APWG and M3AAWG make a number of recommendations as well:

  1. There must be an accredited access mechanism, providing tiered or gated access to qualified security actors.
  2. ICANN should not allow redaction of the contact data of legal entities.
  3. ICANN should adopt a contact data access request specification that will ensure consistency across all accredited registrars and gTLD registries.
  4. ICANN should ensure that the accredited access to redacted WHOIS data does not introduce delays in collecting or processing WHOIS data, and further, that the access not be encumbered by per request authorizations.
  5. ICANN should reconsider the current redaction policy.
  6. We ask that ICANN publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.

In their final comments, the Working Groups encourage ICANN to improve the current, difficult condition, stating:

"We recognize that ICANN is likely aware of several of these issues. We also realize that ICANN organization and Board of Directors are awaiting the Expedited Policy Development Process for answers to many issues; however, we believe that the ICANN Board of Directors and ICANN organization have the ability to update the Temp Spec to fix the problems that this survey and others have identified as most pressing or egregious while the EPDP work continues."

It's essential that ICANN implement recommendations 2, 4, and 6, and quickly. From a public safety perspective, these are necessary adjustments. They fall within ICANN's remit to ensure the security and stability of the Internet's identifier systems. ICANN organization should further ensure that the parties involved in consensus policy development for the remaining recommendations consider the findings and analyses in this survey. This would be consistent with the organization's expressed desire to apply data to ensure informed policy deliberation.


Download FINAL ICANN GDPR and WHOIS Users Survey 20181018.pdf (1683.6K)

What is Ransomware?

Ransomware is a cyberattack (a virus) that is used to extort money. Originally, criminals used ransomware to extract payments from individuals for the recovery of personal information. Today, cyberattackers extort payments from businesses for the recovery of sensitive information. No one is immune to ransomware. Criminals have extorted payments for the recovery of medical or personal data from healthcare providers and have locked guests out of their hotel rooms. Even industrial systems may prove to be vulnerable to ransomware.

Early ransomware, called locker ransomware, prevented a victim from accessing a desktop or browser. Cyberattackers quickly evolved to a more sophisticated crypto-ransomware, which encrypts information on computers or mobile devices. Both forms post an extortion notification to the user: purchase decryption software or a decryption key or your data will be lost forever.

Anatomy of a Ransomware Attack

A common form of delivering ransomware is through malicious attachments to email messages. Users are convinced against their better judgment – through social engineering – to open the attachment. The attachment is typically a form of self-installing malware, often called a Trojan or virus dropper file. Once installed, the dropper enrolls in a cyberattacker’s botnet by contacting the botnet command and control (C2). When contacted, the C2 will generate and return encryption-keying material for the ransomware dropper (and possibly additional malicious code). The ransomware dropper will use the keying material to encrypt personal files on the infected device. It then posts an extortion notification, demanding that the victim pay a ransom for a key that will decrypt the now inaccessible data.

Many ransomware attackers threaten victims with permanent loss of their personal files if the ransom is not paid within a 24-hour timeframe. To enhance deception, some ransomware notifications impersonate law enforcement or government agencies and represent the extortion as a fine.

Ransomware Exploits the Public Domain Name System

Ransomware droppers sometimes use hard-coded Internet Protocol (IP) addresses to connect to the C2. When droppers use statically configured IP addresses, investigators can use them to quickly identify and disconnect the ransomware botnet C2s. For evasion purposes, more advanced ransomware identifies a C2 by algorithmically generating domain names. Modern ransomware droppers use the domain name system (DNS) to resolve domain names that the cyberattacker changes frequently, thus hiding effectively from investigators.
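As an added example (not part of the original post), the following script shows how a defender can use resolver logs to spot the algorithmically generated domain names described above: it flags long, high-entropy, vowel-poor labels as DGA-like. The log lines, the log format (timestamp, client, query name, query type) and the thresholds are constructed for illustration, not taken from any real product.

```python
import math
from collections import Counter

# Constructed sample resolver log lines: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2017-03-13T10:01:02Z 10.0.0.5 www.example.com A
2017-03-13T10:01:03Z 10.0.0.5 mail.example.org A
2017-03-13T10:01:04Z 10.0.0.7 xkq7pzw3vbn9ltfd.net A
2017-03-13T10:01:05Z 10.0.0.7 r8tq2mnxp4zvk1jy.com A
2017-03-13T10:01:06Z 10.0.0.9 update.microsoft.com A
"""

def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(qname):
    """Label just left of the TLD ('example' in www.example.com).
    Assumes a single-label public suffix; a real deployment should
    consult the Public Suffix List instead."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels are DGA-like.
    Thresholds are illustrative and need tuning against local traffic."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def flag_dga_queries(log_text):
    """Return (client, qname) pairs whose registrable label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, qname, _qtype = fields[:4]
        if looks_generated(registrable_label(qname)):
            flagged.append((client, qname))
    return flagged

if __name__ == "__main__":
    for client, qname in flag_dga_queries(SAMPLE_LOG):
        print(f"{client} queried DGA-like domain {qname}")
```

Clients that repeatedly query such names are candidates for isolation and closer inspection; in production, pair this heuristic with NXDOMAIN rates and threat-intelligence feeds to reduce false positives.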

Don't Pay the Ransom!

Law enforcement and security experts agree: don’t pay the ransom! There is no reason to trust that the cyberattacker will provide you with the means to decrypt your personal files should you pay. The cyberattacker could disappear, continue to extort you or send you decryption keys that do not work.

Proactively Defend Against Ransomware

“Back up” to defend against ransomware. By regularly archiving personal or sensitive data to an external device or cloud, you render a cyberattacker’s threats meaningless. Be particularly careful to back up files when you travel.

Next, use the Internet safely. Consider taking these measures to minimize the likelihood of ransomware infection:

  • Keep your laptop “patch current.”
  • Do not share folders.
  • Keep your antivirus up to date.
  • Use a trusted DNS resolver.
  • Disable macro execution.
  • Try anti-ransom protection.

After that, make sure that you have the means to quickly restore the operating system, applications and archived data to your device in case your device is infected with ransomware. Businesses and individuals alike should investigate what are called image recovery services.

You can protect yourself in other ways; see 22 Ransomware Prevention Tips.

If You Are Held for Ransom…

Remember: don’t pay! Contact a techie friend, a reputable computer repair service or your organization’s IT department to help you identify the ransomware. They can also help you locate trusted repositories for deleted file recovery or rescue disk software, ransomware removal kits or decryptors and online repositories of recovery keys. One such resource is, which despite its unusual appearance, is reliable.

Don’t Be a Victim

With cyberattackers using more sophisticated means to launch ransomware attacks, users need to be proactive and do everything they can to prevent these attacks from occurring. Be informed. Stay vigilant.

Originally posted 13 Mar 2017 at ICANN Blog.