Organized cybercrime is a business just like any other legitimate business; they want to have low-risk and efficient operations in order to maximize their profits. The main caveat for criminals is that pesky problem of getting caught and spending the rest of your life in jail. Data is the currency of the 21st century – historically, cyber criminals sought after data types such as credit card numbers and personally identifiable information (PII). However, the lifecycle of stealing credit card data and other PII is incredibly risky. Each attack is a multi-step process, and each stage increases the chances of being detected. The attacker needs to find a way to gain a foothold into the network, pivot across systems and networks to find a point-of-sale machine or database of information, maintain access, and then find a way to ex-filtrate the large amount of data to a server under the criminal’s control. In cases where data is successfully stolen, there’s the riskier stage of actually monetizing the data. The attacker then has to either sell the data on the black market or use it for their own fraudulent purposes. This time, both avenues increase the risk of being caught by law enforcement. Even if the attacker is able to get the data out and has a safe avenue to sell it, the value of the data diminishes quickly due to the fact that credit cards expire and can be quickly and easily canceled. In today’s cybercrime environment, criminals need very small payloads with little to no command and control communication to infect and control their targets. The point of ransomware is to be detected, not prevented. This is why it seems like there is much more ransomware currently than other types of malware. It’s just as easy to infect a computer with ransomware as with any other type of malware. When the Verizon Data Breach Investigations Report shows that it takes hundreds of days to detect malware, we detect ransomware instantaneously by design. The rise of cryptocurrency has led us to a world riddled with ransomware. Bitcoin is a pseudo-anonymous currency, meaning it is very difficult to track. Additionally, with the minimal back and forth communication necessary for ransomware, finding the person behind the keyboard is very difficult for law enforcement. Attribution often requires weeks or months of lengthy investigative work to peel back the many layers cyber criminals are hiding behind. There are currently two high-level targets for ransomware; consumers and businesses. The only major difference is the price of the ransom demanded from the victim. Consumer targets are the low-margin market for cyber criminals. They rely on a high number of transactions with low-profit margins in order to receive a decent return on investment. Businesses are the high-margin market where the cybercriminal can charge higher ransoms for each victim but which generally sees a lower total number of infections. We have seen the hospital sector get hit hard with ransomware, but there’s no reason to think that this is not going to become rampant in every business model imaginable. With hospitals, the potential loss of life was justification for paying a premium ransom. It’s likely that the utilities sector will be targeted in the near future by leveraging the same fear of loss of life or public safety. The advantage businesses have is that they generally have well-defined backup procedures in place to recover from events such as these. The crux of having backups is the overall cost to restore data in the event of an infection. Having backups is not enough; you need to test the recovery procedures to be as efficient as possible. For a business, the decision to pay a ransom will come down to which is cheaper: restoring from backups or paying the ransom. The risk of both getting caught in the act of infecting victims with ransomware and getting paid for criminal activities is greatly reduced compared to other cybercriminal activities. Additionally, the return on investment for ransomware authors and practitioners is estimated to be over 1,400%, according to the Trustwave Global Security Report. Just recently, the CryptXXX ransomware generated over $45k in ransom payments in only three weeks. For cybercriminals, the choice to focus on ransomware is clear.
How Ransomware Works
A ransomware attack proceeds according to five distinct steps: infection, encryption, notification, payment, and decryption. The attacker needs to first find an avenue to infect the target machine. Once infected, the ransomware goes through steps to find and encrypt files. If successfully encrypted, the user must be notified to alert them to make a payment to the attacker. Then, the victim either pays for a decryption key or goes through their own recovery process to restore their files. Each cybercriminal is going to have their own set of tactics, techniques, and procedures (TTPs). However, the easiest path into a network is generally to exploit the human and get them to open an attachment or click on a link. Attackers can flood the users with phishing campaigns, changing their tactics each time to try and get users to click or open an attachment. All it takes is one to gain a foothold into the network. While defenders have to be right 100% of the time, an attacker only needs to be right once. The piece of malware is either the full payload or communicates with a command and control server to get instructions on what to do next. Once the final payload is placed on the victim’s machine, it begins searching for critical files to encrypt. Typically, attackers target documents, spreadsheets, PDFs, pictures, backup files, and anything else which may be of importance to the victim. Having encrypted file systems does little to prevent ransomware from finding valid files. It’s likely the ransomware targets those, as well. Once the list of files is indexed, the ransomware begins the process of encrypting everything. After encryption is complete, the ransomware attempts to alert the user however possible, such as changing the desktop background and placing a readme along with the encrypted files with instructions on how to pay the ransom. Once the user pays the ransom, the decryption key is provided with instructions on how to decrypt the files. The risk of paying a ransom and not receiving a valid decryption key should be relatively low. Ransomware authors want to keep a reputation for various reasons. If word gets out that paying a ransom does not decrypt the user’s files, future victims will be less likely to pay. Second, it is not uncommon to see a separation of malware authors from the cybercriminals deploying the malware to victims. If the distributors cannot trust the malware author, they may switch to another vendor.
Dealing with Infection
The mechanisms are different for each variant of ransomware, but they all search the local hard drive for files of interest. Depending on the hardware of the local PC (CPU, memory, disk speed) and the number of files being searched, this could take seconds or minutes. For some variants, the malware searches network shares, as well. This means if the infected user has elevated privileges, such as domain admin credentials, the ransomware has the potential to infect every file on every available network share. Which is why it’s important to minimize the amount of privileges users have to the lowest level required to complete their job. Even when users do not have elevated privileges, there are still files every user in the enterprise requires access to in order to do their job. Once the files are encrypted, you’re left with three options: pay the ransom, recover your files, or lose your data. In some instances, the malware creators are sloppy with their encryption implementations, such as by using weak or predictable decryption keys. If this is the case, it may be possible to decrypt the files without paying the ransom. However, cyber criminals have been learning from their mistakes, and we are seeing this less often now. In lieu of paying the ransom, users can recover from their own data backups. It’s recommended to follow the 3-2-1 backup model—have three copies of the data on two different types of medium, with one of them being offsite. Following this model reduces the likelihood that ransomware would encrypt your only copies of the backup files. Having your only backups on an attached USB drive is not a good idea. Once the files are recovered or the ransom has been paid, it’s important to determine the infection vector of the malware. Not only are the files now accessible; so is the vulnerability which let the attacker in. Most ransomware is nearly fully automated, meaning that if the user opens up the same malicious document again, the same files will be encrypted. If the malware author implemented encryption correctly, the decryption key you just paid for will no longer be valid, requiring you to pay another ransom or go through the file recovery process again. It’s possible you could attempt to get ahold of the criminal who is holding the files ransom and explain that it was just an honest mistake opening the malicious file again, but the chances of that happening are nearly zero. The best course of action are to ensure all of the application and operating system patches have been applied, all anti-malware signatures are up to date, and re-image the machine if possible.
Prevention
While there’s a lot of focus on recovering from ransomware via backups, there will always be a need for prevention. First, accepting the fact that ransomware will always get in, you’re opening yourself up to paying potentially hundreds to thousands of dollars in ransom or recovery fees for every file or link in every email you and your users are exposed to. Second, even if we can get recovery costs down to zero, criminals are going to move on from requiring a ransom to decrypt the data. We are beginning to see ransoms to prevent data from being made public, as well. We are entering a stage of ransomware where we may see victims faced with paying a ransom to not only get their files back but to also prevent them from being published online. For businesses, this could mean fines and diminished reputation from the breach. For consumers, this could mean the disclosure of private or damaging information. The goal is to stop the attack as early in the “cyber kill chain” as possible. For ransomware, this is when the malware first comes into our network. More often than not this occurs via email. For enterprises, there are a wide variety of anti-spam technologies that are very good at detecting malware and phishing emails that attempt to trick end users into clicking on or opening malicious attachments. For small- to medium-sized organizations, it’s a good idea to have a hosted email provider that has this type of technology already built into the service they are providing you. For smaller businesses, outsourcing security operations such as these are cost-effective ways to improve your security posture. In the event the ransomware gets onto the device, the first step is to minimize the chances it can execute. If possible, application whitelisting is a great option for preventing all types of malware from executing on systems. By defining a list of known good software, unknown executables, such as ransomware, will fail to launch and prevent infection on endpoints. However, even good software can be used against you in malicious ways. There are incidents where the ransomware is written in JScript, which can and should be a whitelisted executable on many endpoints. The same mechanism can be delivered with a wide array of other scripting languages, such as Python, Perl, or any number of languages that can execute on the endpoint. Should the malware execute, having a firewall that does some sort of reputation lookups is another layer in protecting against the full ransomware attack. Many pieces of malware, ransomware included, have stagers that are used for the initial infection and that then call out to a command and control server to get the full payload. By cutting off this communication, you are cutting off the brains of the attack. Since whitelisting isn’t a golden bullet against ransomware, you should adopt additional protections to layer the security. The Center for Internet Security (CIS) has several good options to protect users against a number of threats. First, are the comprehensive set of security benchmarks on how to harden and secure endpoints and servers—these recommendations go a long ways in reducing the likelihood that ransomware gets on the system and finds critical data. They also have a great set of critical security controls that can give administrators insight into the security posture of their entire organization. Ransomware is an attractive business model for criminals. People have an emotional connection to the data they create, while businesses have a financial connection. These connections are what criminals are exploiting. So, while the code being exploited and the avenues for infection will change, we have to live with the fact that ransomware will be around for a long time.
