Ransomware explained – how digital extortion turns data into a silent hostage
- 20 June, 2016 21:12
Ransomware seems to be everywhere right now. If you're a home user or SME employee on the receiving end of an attack it must feel like a pretty lonely moment when the extortion message appears on the screen of an infected PC demanding a payment of somewhere between $300 and $1,000 in Bitcoins.
The ransomware will have taken control of the computer and encrypted all or most of its files after an employee clicked on an email attachment, usually a PDF or what looks like one. This computer was most likely patched and running up-to-date antivirus but this made no difference. The ransomware still got through.
Infection and C2
It sounds like a simple attack and on the surface it is. An unsuspecting end user does something they normally do every day, clicking on an attachment, and lives to deeply regret it. Unseen, the ransomware is not only encrypting local files it can find but reaching out to attached storage drives and networks shares to encrypt those as well. All of this happens quickly before the user realises what has happened.
Typically, the ransomware also contacts and command and control (C2) server as this is happening as a prelude to downloading more software and phoning home.
After that, retrieving encrypted files is a matter of paying the ransom (in untraceable Bitcoins) and hoping the criminals deliver the key or resorting to backups, assuming they've not been scrambled too.
More recently, the MO of ransomware has evolved beyond this basic attack profile to target larger organisations. Here, simply attacking PCs one at time is no longer sufficient incentive to pay a ransom and the criminals have developed new ransomware families that can spread within an organisation to encrypt multiple PCs. This can even happen by hosting ransomware on a compromised application server rather than by sending attachments as was the case with something called Samas/SamSam.
As defences have evolved, more advanced ransomware is increasingly engineered to operate in a standalone or stealth capacity, for example hiding its activity by not contacting a C2 or even working entirely from memory without the need to save files to disk.
There are now numerous families of ransomware - more are expected to appear in 2016 than in all previous years put together - and a wide range of innovations. Computerworld recently compiled a list of some of the worst recent examples and the level of innovation to avoid boosted defences is startling.
How successful is ransomware?
In terms of infection, very, although few victims in the business world ever talk about this fact and data on the number paying ransoms requires drawing inferences. Most of what we know comes from US and Canadian companies that disclose attacks to meet state-specific data protection regulations. Recent ransomware attacks have included several US healthcare providers and hospitals that have admitted paying ransoms as well as the University of Calgary which was forced to pay a $20,000 (Canadian) ransom to regain data from 100 computers.
Disturbingly, a recent survey by Ciitrix suggested that many UK firms are now quietly stockpiling Bitcoins to cope with a ransomware attack. This was especially pronounced in medium-to-large firms.
Why do organisations choose to pay ransoms?
As far organisations are concerned it is not because they don't have backups but because the time and cost or reinstating data, including on servers, is simply far greater than the cost of the ransom. The ransomware authors know this and set their demands below this cost. IT could also be the case that firms fear that merely ransoming encrypted data could soon merge with data breaches in which criminals threaten to reveal 'hostage' data.
Ransomware explained - how digital extortion turns data into a silent hostage - can ransomware be stopped?
As with most forms of malware, there doesn't seem to be any fool-proof defence although the Windows PC is clearly a major vulnerability - other platforms are far less likely to be attacked for a variety of reasons. All the same, security vendors have belatedly engineered their technology to cope with ransomware using a number of techniques.
The simplest method is to improve detection and blocking at client level, in the manner of an endpoint security product. Many now claim to do this. The second approach is to build detection directly into network infrastructure, for example advanced firewalls. The third method is to build some kind of correlation engine into a specialised appliance that feeds into a reporting console or SIEM. Most organisations will consider all three at the same time.
Security startup Vectra Networks offered Computerworld UK an example of how the correlation of multiple anomalies can be used to spot ransomware which we describe purely for illustration of the principle. The following attack sequence from the common and aggressive Locky ransomware was recorded recently inside an unnamed US healthcare provider.
01: After infecting a single PC after an unspecified phishing attack Locky network detection triggered the first anomaly after security layer noticing a connection to an unusual domain.
16: Infected PC started scanning the network on port 445, used for file sharing and printers. The malware is looking for secondary targets.
11:53: Ransomware starts polling non-existent IP address range after starting to encrypt a file share. Vectra detection engine pinpoints infected PC and affected share.
12:30: PC is confirmed to have been pulled from the network and re-imaged.
Total time between infection starting and first remediation: 52 minutes.
"The detection of the malware doing its stuff was detected through three different machine learning algorithms. We have deliberately focused on new machine learning strategies," Vectra's Gunter Ollmann told Computerworld UK.
A key capability of Locky was ability to deactivate local antivirus which in this case it had most likely achieved as it was not detected. Once inside a network what ammeter was the speed of response and the ability to piece together the fragments of anomalous behaviour into a larger picture so that admins weren't overloaded with false positives, says Ollmann.
"It does take w while for network assets to be encrypted. You'll find it may be 10GB per half day that can be encrypted."
Ransomware explained - what's next?
All sorts of possibilities have popped into the minds of researchers, chief among them the idea of a large-scale ransom attack on a corporate in which attackers spend weeks or months penetrating a network in the manner of data breach attackers. Using stolen credentials, they map out not only valuable data stores (databases, code repositories, shares) but gain a detailed view of the backup routines and services. Worm-like ransomware would be used to spread the infection around a network before the detonation date.
"Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3,200 workstations are compromised; half the organization's digital assets, and the vast majority of the company's data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation," hypothesized Talos.
"The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like."
Such an attack could be launched for money, probably in the millions, but also conceivably for ideological reasons. In the latter case, a company might be asked to make a public statement.
It sounds far-fetched but only the most optimistic don't think it will come to pass at some point. The history of malware works this way: what can be imagined usually happens eventually. The weaker and less protected networks will be the first to succumb but as we now know that could in theory be almost anyone.