Ransomware explained – how digital extortion turns data into a silent hostage

Ransomware has risen to the top of the malware pile. We look at how this has happened

Ransomware seems to be everywhere right now. If you're a home user or SME employee on the receiving end of an attack it must feel like a pretty lonely moment when the extortion message appears on the screen of an infected PC demanding a payment of somewhere between $300 and $1,000 in Bitcoins.

The ransomware will have taken control of the computer and encrypted all or most of its files after an employee clicked on an email attachment, usually a PDF or what looks like one. This computer was most likely patched and running up-to-date antivirus but this made no difference. The ransomware still got through.

Infection and C2

It sounds like a simple attack and on the surface it is. An unsuspecting end user does something they normally do every day, clicking on an attachment, and lives to deeply regret it. Unseen, the ransomware is not only encrypting every local file it can find but reaching out to attached storage drives and network shares to encrypt those as well. All of this happens quickly, before the user realises what has happened.

Typically, the ransomware also contacts a command and control (C2) server while this is happening, as a prelude to downloading more software and phoning home.

After that, retrieving encrypted files is a matter of paying the ransom (in untraceable Bitcoins) and hoping the criminals deliver the key or resorting to backups, assuming they've not been scrambled too.

Advanced ransomware

More recently, the MO of ransomware has evolved beyond this basic attack profile to target larger organisations. Here, simply attacking PCs one at a time is no longer sufficient incentive to pay a ransom, and the criminals have developed new ransomware families that can spread within an organisation to encrypt multiple PCs. This can even happen by hosting the ransomware on a compromised application server rather than by sending attachments, as was the case with a family called Samas/SamSam.

As defences have evolved, more advanced ransomware is increasingly engineered to operate in a standalone or stealth capacity, for example hiding its activity by not contacting a C2 or even working entirely from memory without the need to save files to disk.

There are now numerous families of ransomware - more are expected to appear in 2016 than in all previous years put together - and a wide range of innovations. Computerworld recently compiled a list of some of the worst recent examples, and the level of innovation devoted to evading strengthened defences is startling.

How successful is ransomware?

In terms of infection, very, although few victims in the business world ever talk about this fact and data on the number paying ransoms requires drawing inferences. Most of what we know comes from US and Canadian companies that disclose attacks to meet state-specific data protection regulations. Recent ransomware attacks have included several US healthcare providers and hospitals that have admitted paying ransoms as well as the University of Calgary which was forced to pay a $20,000 (Canadian) ransom to regain data from 100 computers.

Disturbingly, a recent survey by Citrix suggested that many UK firms are now quietly stockpiling Bitcoins to cope with a ransomware attack. This was especially pronounced in medium-to-large firms.

Why do organisations choose to pay ransoms?

As far as organisations are concerned, it is not because they don't have backups but because the time and cost of reinstating data, including on servers, is simply far greater than the cost of the ransom. The ransomware authors know this and set their demands below this cost. It could also be the case that firms fear that merely ransoming encrypted data could soon merge with data breaches, in which criminals threaten to reveal 'hostage' data.

Ransomware explained - how digital extortion turns data into a silent hostage - can ransomware be stopped?

As with most forms of malware, there doesn't seem to be any fool-proof defence although the Windows PC is clearly a major vulnerability - other platforms are far less likely to be attacked for a variety of reasons. All the same, security vendors have belatedly engineered their technology to cope with ransomware using a number of techniques.

The simplest method is to improve detection and blocking at client level, in the manner of an endpoint security product. Many now claim to do this. The second approach is to build detection directly into network infrastructure, for example advanced firewalls. The third method is to build some kind of correlation engine into a specialised appliance that feeds into a reporting console or SIEM. Most organisations will consider all three at the same time.

Correlation detection

Security startup Vectra Networks offered Computerworld UK an example of how the correlation of multiple anomalies can be used to spot ransomware, which we describe purely to illustrate the principle. The following attack sequence from the common and aggressive Locky ransomware was recorded recently inside an unnamed US healthcare provider.

01: After Locky infected a single PC via an unspecified phishing attack, network detection triggered the first anomaly when the security layer noticed a connection to an unusual domain.
16: The infected PC started scanning the network on port 445, the port used for file sharing and printers. The malware is looking for secondary targets.
11:53: The ransomware starts polling a non-existent IP address range after starting to encrypt a file share. Vectra's detection engine pinpoints the infected PC and the affected share.
12:30: The PC is confirmed to have been pulled from the network and re-imaged.

Total time between infection starting and first remediation: 52 minutes.
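To make the correlation principle concrete, here is an added Python illustration written for this article; it is not Vectra's engine or any vendor's code, and the hosts, domains, address ranges, timings and thresholds in it are all constructed assumptions. It runs one simple detector for each stage of the sequence above (a query to a domain never seen before, a sweep of port 445 across many peers, probing of an address range with no allocated hosts) plus a detector for a burst of file renames on a share, and only raises an alert when several distinct detectors fire on the same host within an hour. A host that trips a single detector, such as one unusual DNS lookup, is deliberately left alone, which is what keeps admins from being buried in false positives.

```python
from collections import defaultdict

# Constructed sample events in the shape (time "HH:MM", host, kind, detail).
# Hosts, domains, addresses and timings are invented for this illustration.
SAMPLE_EVENTS = [
    ("11:38", "pc-17", "dns",    "qx7-update.example"),      # never-seen domain
    ("11:40", "pc-02", "dns",    "cdn.newsfeed.example"),    # one-off, benign alone
    ("11:53", "pc-17", "conn",   "10.0.1.5:445"),            # SMB sweep begins
    ("11:53", "pc-17", "conn",   "10.0.1.6:445"),
    ("11:53", "pc-17", "conn",   "10.0.1.7:445"),
    ("11:54", "pc-17", "conn",   "10.0.1.8:445"),
    ("11:54", "pc-17", "conn",   "10.0.1.9:445"),
    ("11:55", "pc-02", "conn",   "10.0.1.20:445"),           # normal file-server use
    ("12:05", "pc-17", "rename", "//fs1/finance/q1.xlsx -> //fs1/finance/8a1f.locky"),
    ("12:05", "pc-17", "rename", "//fs1/finance/q2.xlsx -> //fs1/finance/77c0.locky"),
    ("12:06", "pc-17", "rename", "//fs1/finance/budget.docx -> //fs1/finance/d3e9.locky"),
    ("12:06", "pc-17", "rename", "//fs1/finance/notes.txt -> //fs1/finance/0b4c.locky"),
    ("12:10", "pc-17", "conn",   "10.0.9.3:445"),            # unallocated range
    ("12:10", "pc-17", "conn",   "10.0.9.4:445"),
    ("12:11", "pc-17", "conn",   "10.0.9.5:445"),
]

# Assumed environment knowledge: domains seen routinely, and an address
# prefix with no allocated hosts (legitimate software has no reason to go there).
KNOWN_DOMAINS = {"mail.corp.example", "intranet.corp.example", "update.vendor.example"}
DARK_PREFIXES = ("10.0.9.",)

# Thresholds are assumptions; tune them to the environment's own baseline.
SMB_SCAN_PEERS = 5      # distinct port-445 peers before a sweep is declared
DARK_SPACE_PEERS = 3    # distinct unallocated addresses probed
RENAME_BURST = 4        # share files renamed by one host
WINDOW_MINUTES = 60     # correlation window
MIN_DISTINCT_KINDS = 2  # detectors that must agree before alerting


def to_minutes(hhmm):
    """'11:53' -> 713, so timestamps can be compared arithmetically."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def detect_anomalies(events):
    """Run the individual detectors; return (time_min, host, anomaly_kind) tuples.

    Each detector fires once per host, at the moment its threshold is crossed.
    """
    anomalies = []
    smb_peers = defaultdict(set)
    dark_peers = defaultdict(set)
    renames = defaultdict(int)
    for stamp, host, kind, detail in events:
        tm = to_minutes(stamp)
        if kind == "dns" and detail not in KNOWN_DOMAINS:
            anomalies.append((tm, host, "unusual_domain"))
        elif kind == "conn":
            ip, port = detail.rsplit(":", 1)
            if port != "445":
                continue
            if ip.startswith(DARK_PREFIXES):
                dark_peers[host].add(ip)
                if len(dark_peers[host]) == DARK_SPACE_PEERS:
                    anomalies.append((tm, host, "dark_space_probe"))
            else:
                smb_peers[host].add(ip)
                if len(smb_peers[host]) == SMB_SCAN_PEERS:
                    anomalies.append((tm, host, "smb_scan"))
        elif kind == "rename":
            renames[host] += 1
            if renames[host] == RENAME_BURST:
                anomalies.append((tm, host, "mass_rename"))
    return anomalies


def correlate(anomalies, window=WINDOW_MINUTES, min_kinds=MIN_DISTINCT_KINDS):
    """Alert on a host only when several distinct detectors fire within the window."""
    by_host = defaultdict(list)
    for tm, host, kind in anomalies:
        by_host[host].append((tm, kind))
    alerts = []
    for host, items in sorted(by_host.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [(t, k) for t, k in items[i:] if t - start <= window]
            kinds = sorted({k for _, k in in_window})
            if len(kinds) >= min_kinds:
                alerts.append({"host": host, "kinds": kinds,
                               "start": start, "end": in_window[-1][0]})
                break  # one alert per host is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in correlate(detect_anomalies(SAMPLE_EVENTS)):
        print(f"{alert['host']}: {', '.join(alert['kinds'])} "
              f"between {alert['start'] // 60:02d}:{alert['start'] % 60:02d} "
              f"and {alert['end'] // 60:02d}:{alert['end'] % 60:02d}")
```

Run as-is, the script reports only pc-17, with all four detectors agreeing within 33 minutes, while pc-02's lone unfamiliar lookup is never surfaced. The layering also matters for the stealthier variants mentioned earlier: a family that never contacts a C2 produces no DNS anomaly, but it still has to touch port 445 and rewrite files on the share to do its job, so the remaining detectors carry the alert on their own.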

"The detection of the malware doing its stuff was detected through three different machine learning algorithms. We have deliberately focused on new machine learning strategies," Vectra's Gunter Ollmann told Computerworld UK.

A key capability of Locky was its ability to deactivate local antivirus, which in this case it had most likely achieved, as it was not detected. Once inside a network, what mattered was the speed of response and the ability to piece together the fragments of anomalous behaviour into a larger picture so that admins weren't overloaded with false positives, says Ollmann.

"It does take a while for network assets to be encrypted. You'll find it may be 10GB per half day that can be encrypted."

Ransomware explained - what's next?

All sorts of possibilities have popped into the minds of researchers, chief among them the idea of a large-scale ransom attack on a corporate in which attackers spend weeks or months penetrating a network in the manner of data breach attackers. Using stolen credentials, they map out not only valuable data stores (databases, code repositories, shares) but gain a detailed view of the backup routines and services. Worm-like ransomware would be used to spread the infection around a network before the detonation date.

"Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3,200 workstations are compromised; half the organization's digital assets, and the vast majority of the company's data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation," hypothesized Talos.

"The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like."

Such an attack could be launched for money, probably in the millions, but also conceivably for ideological reasons. In the latter case, a company might be asked to make a public statement.

It sounds far-fetched but only the most optimistic don't think it will come to pass at some point. The history of malware works this way: what can be imagined usually happens eventually. The weaker and less protected networks will be the first to succumb but as we now know that could in theory be almost anyone.

By John E Dunn

Computerworld UK