How to Respond
Encryption is used to foil decryption tools
- By Rishi Bhargava
- Aug 01, 2017
Between 2005 and 2016, ransomware infections were more common than data breaches, making them the most pervasive cyber threat of the last 11 years. Ransomware attacks may encrypt folders and files or even the entire hard drive, or they may just lock the devices so that users cannot access them. In recent years, attacks have become increasingly sophisticated; crypters can make reverse-engineering extremely difficult, and offline encryption methods can eliminate the need for command and control communications by taking advantage of legitimate features.
A report from Kaspersky Lab revealed that its solutions found ransomware on more than 50,000 computers connected to corporate networks in 2015, twice the number detected the year before. In 2016, almost $210 million was paid to ransomware cybercriminals during the first quarter alone, and the FBI estimated that losses for the year, even without payments, would have exceeded $1 billion.
Ransomware is not actually a new method of attack. The first known instance was PC Cyborg, a Trojan distributed by Dr. Joseph Popp in 1989. The malware would encrypt all files and hide all folders on the computer’s hard drive. A script demanded $189 in ransom, and the computer would not function until payment was received and the actions reversed. It did not take long for recovery tools to reverse the effects, but newer attacks have featured stronger encryption to foil decryption tools, making it almost impossible for victims to unlock their own computers.
Approximately 17 years after the introduction of PC Cyborg, a new strain called Archievus was released. Archievus was the first ransomware attack to use RSA encryption as well as the first known ransomware to use asymmetric encryption. It encrypted every file in the “My Documents” directory, and it was very difficult to remove unless victims purchased the password necessary to decrypt the documents.
Attacks Focusing More on Organizations
People had typically been the primary targets of “scareware” schemes that warned users their computers had been infected with malware that could be removed only by purchasing antivirus software. The antivirus software was actually fake, and the only true threat was the warning message that repeatedly appeared, leading many people to pay the ransom just so the message would go away.
By 2011, anonymous payment methods made it easier for hackers to collect ransoms. Most payment demands require victims to remit payment in bitcoins, but various anonymous cash cards are also popular payment methods. However, hackers can make other ransom demands. For example, “hacktivists” might demand that a company reduce its carbon footprint or that an individual spread the malware to a set number of contacts to unlock his own computer.
As hackers have refined their skills, they have begun to focus on larger organizations with the budgets to pay substantial ransoms for the files and systems needed to conduct daily operations. In the past few years, there have been several well-publicized ransomware attacks on major organizations.
In 2016, Hollywood Presbyterian Medical Center suffered a ransomware attack that shut down its computer network for more than a week, resulting in mass chaos. The hospital was forced to transfer some patients to other facilities to ensure that they received the necessary care. Only after the ransom of 40 bitcoins, the equivalent of $17,000, was paid could HPMC regain the use of its malware-encrypted files.
In 2015, the Swedesboro-Woolwich School District in New Jersey was the victim of a ransomware attack. The encrypted files were primarily staff-generated Excel spreadsheets and Word documents. The attack forced the district to delay its assessment tests, but the decision was made to not pay the ransom; the district had adequate backups to restore the servers.
Whether the ransomware attack is a targeted attack or a mass distribution, the attack will follow five distinct phases: infection, execution, backup removal, encryption and cleanup. Understanding the phases can help increase the chance of a successful defense.
Infection. The attack cannot succeed unless the malware can be placed on a computer. Many ransomware attacks result from a phishing campaign, often through emails with infected attachments or compromised links. However, exploit kits that exploit vulnerabilities in software applications such as Internet Explorer and Adobe Flash are the preferred method for some malware attacks, including CryptoLocker.
Execution. An executable file will be placed on the target’s computer, usually beneath the user’s profile in the “TEMP” or “APPDATA” folder.
Backup removal. Within seconds of the execution, the ransomware finds and removes backup folders and files that exist on the system. On systems running Windows, the vssadmin tool is often used to delete volume shadow copies; this creates event log entries that can make detection easier.
Encryption. After removing backups, a secure key exchange may be performed with the C2 server. However, some ransomware types, including the SamSam malware, do not need to communicate with a C2 server; the encryption can be performed locally.
Cleanup. The final phase is to present the demand instructions and remove the evidence of the malware code. The presentation of the payment demand can help identify the strain of ransomware. For example, Locky changes the wallpaper to include instructions, while CryptoWall V3 stores the instructions in a HELP_DECRYPT file.
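The execution and backup-removal phases above are the ones that leave the clearest traces in process-creation telemetry. The following is an added example, not code from the article or from any product it mentions: it scans constructed process-creation records (the pipe-separated log format, host names, user names and file names are all assumptions) for an executable launched from the user's TEMP or APPDATA folder and for vssadmin being used to delete shadow copies, then names the hosts on which both fired close together, which is the hand-off point for a containment playbook.

```python
"""Added example (not from the article): flag the 'execution' and 'backup
removal' phases in process-creation telemetry and decide which hosts a
containment playbook should isolate. The log format below is an assumption."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one per line, as:
#   timestamp|host|user|image path|command line
SAMPLE_EVENTS = """\
2017-08-01T09:14:02Z|WS-0142|jsmith|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2017-08-01T09:14:31Z|WS-0142|jsmith|C:\\Users\\jsmith\\AppData\\Local\\Temp\\invoice_8823.exe|invoice_8823.exe
2017-08-01T09:14:33Z|WS-0142|jsmith|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-08-01T09:20:10Z|WS-0077|backupsvc|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""

# Executable launched from the user's TEMP or APPDATA folder (execution phase).
USER_PROFILE_DROP = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\[^\\]+\.exe$", re.IGNORECASE)
# vssadmin used to delete volume shadow copies (backup removal phase).
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


@dataclass
class Alert:
    when: datetime
    host: str
    rule: str
    detail: str


def parse_event(line: str):
    fields = line.split("|", 4)
    if len(fields) != 5:
        return None  # malformed line: skip it rather than crash the detector
    when = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    return {"when": when, "host": fields[1], "user": fields[2],
            "image": fields[3], "cmdline": fields[4]}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    return SHADOW_DELETE.search(cmdline) is not None


def is_user_profile_drop(image: str) -> bool:
    return USER_PROFILE_DROP.search(image) is not None


def scan_events(text: str) -> list:
    """Return one Alert per matching rule per event (listing shadows is not flagged)."""
    alerts = []
    for raw in text.splitlines():
        ev = parse_event(raw)
        if ev is None:
            continue
        if is_user_profile_drop(ev["image"]):
            alerts.append(Alert(ev["when"], ev["host"], "exec-from-user-profile", ev["image"]))
        if is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append(Alert(ev["when"], ev["host"], "shadow-copy-deletion", ev["cmdline"]))
    return alerts


def hosts_to_isolate(alerts: list, window: timedelta = timedelta(minutes=5)) -> set:
    """Hosts where both phases fired within `window`: the hand-off to a
    containment playbook (disconnect the network interface, open a ticket)."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    flagged = set()
    for host, host_alerts in by_host.items():
        drops = [a.when for a in host_alerts if a.rule == "exec-from-user-profile"]
        deletes = [a.when for a in host_alerts if a.rule == "shadow-copy-deletion"]
        if any(abs(d - e) <= window for d in drops for e in deletes):
            flagged.add(host)
    return flagged


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.when:%H:%M:%S} {a.host} {a.rule}: {a.detail}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The single-rule alerts are worth a ticket on their own; the two-rule correlation is what justifies an automated network disconnect, since a backup operator listing shadow copies (the last sample line) never trips it.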
Preparing and Responding to a Ransomware Attack
When it comes to handling a ransomware attack, protection and prevention are the best and most effective defenses. There are five critical steps in defending against a ransomware attack: prepare, detect early, contain the damage, eradicate the ransomware and follow a recovery plan.
Organizations need to be proactive about patching to eliminate vulnerabilities, and proactive about backing up their systems and storing backup files offsite, or at least in a location other than the server. Having a well-defined incident response plan that includes an explicit plan for fast action against a ransomware attack is critical. In addition, assigning least privileges, especially for file shares, limits exposure and so limits the damage that a ransomware infection can cause.
Final preparation should include deployment of endpoint protection tools that can detect early attacks and respond to them quickly and automatically, and education of all end users. People are the weakest link in most organizations, so companies need to make sure that users know what to look for and how to avoid phishing schemes and malvertising. All users should be warned against plugging in any portable storage devices of unknown origin.
Early detection of ransomware is key to successfully containing and eradicating the damage. IT needs to load signatures for known strains, such as Locky and CryptoWall, into network devices. Additionally, automated tools for screening email should be in place to detect executable or malicious attachments.
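As an added illustration of the attachment screening recommended above (example code, not from the article or from any mail-filtering product), the following builds a constructed message with three attachments and checks each one: a file extension that Windows will execute, a body that carries a Windows executable header regardless of what the file is called, and archive members, since a zip is a common wrapper. The sender, recipient and file names are assumptions.

```python
"""Added example (not from the article): screen an email's attachments for
executable content before delivery. The sample message is constructed."""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will run directly (assumed list; extend to local policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
PE_MAGIC = b"MZ"              # first two bytes of a Windows executable
MAX_MEMBER_BYTES = 10 << 20   # do not expand archive members larger than 10 MiB
MAX_DEPTH = 3                 # archives nested deeper than this are flagged, not opened


def inspect_blob(name: str, data: bytes, findings: list, depth: int = 0) -> None:
    """Append (name, reason) tuples for anything executable found in `data`."""
    ext = os.path.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTS:
        findings.append((name, f"executable extension {ext}"))
    if data[:2] == PE_MAGIC:
        note = "PE header in content"
        if ext not in EXECUTABLE_EXTS:
            note += f" despite {ext or 'no'} extension"
        findings.append((name, note))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deeply to inspect"))
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "archive member too large to inspect"))
                    continue
                inspect_blob(member, zf.read(info), findings, depth + 1)


def screen_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and inspect every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        inspect_blob(name, data, findings)
    return findings


def verdict(findings: list) -> str:
    return "quarantine" if findings else "deliver"


def build_sample_message() -> bytes:
    """Constructed message: one benign attachment and two that should be caught."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.invalid"   # constructed addresses
    msg["To"] = "jsmith@corp.invalid"
    msg["Subject"] = "Invoice 8823"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("quarterly notes\n", filename="notes.txt")
    # a "PDF" whose bytes actually begin with a Windows executable header
    msg.add_attachment(PE_MAGIC + b"\x90" * 62, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # a zip wrapping a script file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.js", "var x = 1;")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return bytes(msg)


if __name__ == "__main__":
    results = screen_message(build_sample_message())
    for name, reason in results:
        print(f"{name}: {reason}")
    print("verdict:", verdict(results))
```

The size and depth limits matter in a production filter: an attachment screen that expands arbitrary archives is itself a denial-of-service target, so it should refuse rather than guess when an archive is too large or too deeply nested.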
Security automation and orchestration tools can help contain the damage significantly. The time between detection and containment is critical to minimizing lateral damage and the spread of infection. It is also recommended to disable the infected system’s network connection, or to shut the system down quickly, to minimize damage. These steps can also be automated so that the response is quick and consistent.
How to eradicate ransomware. Replacing the machines is the best option. With all types of malware, including ransomware, it is almost impossible to know whether there are hidden files remaining on the system that could launch another infection. Cleaning file shares, mailboxes and malicious messages should be done, and companies need to be very proactive about continuing to monitor signatures to detect signs that the attack is emerging once more.
Once the backups are verified and clean, restoring affected files can be accomplished in relatively little time without the need to pay the ransom. The infection vector could be a phishing email, an internet-based attack kit or another exploitation. Knowing how the attacker penetrated your defenses can help prevent future attacks. Finally, be sure to report the incident. Victims are encouraged to report ransomware attacks to the FBI’s Internet Crime Complaint Center.
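"Verified and clean" is the step that decides whether restoring from backup is an option. One way to make that check mechanical is to record a hash manifest when the backup is taken and keep it apart from the backup itself, then compare before restoring. The following is an added example, not code from the article: it builds a SHA-256 manifest for a backup directory, verifies it, and then simulates a backup set that ransomware reached (one file overwritten, one renamed with a constructed ".locked" suffix) to show the report a restore operator would see. All file names and contents are constructed.

```python
"""Added example (not from the article): hash-manifest verification of a
backup set before restore. File names and contents are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk against a manifest stored elsewhere."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def is_clean(report: dict) -> bool:
    """A backup is restorable only if nothing changed, vanished or appeared."""
    return not any(report.values())


def demo() -> tuple:
    """Return (report for an untouched backup, report for a tampered backup)."""
    work = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    try:
        backup = work / "backup"
        backup.mkdir()
        (backup / "payroll.xlsx").write_bytes(b"constructed spreadsheet content")
        (backup / "memo.docx").write_bytes(b"constructed memo content")

        # Taken at backup time; in practice written to read-only or offsite storage.
        manifest_json = json.dumps(build_manifest(backup))

        clean_report = verify_manifest(backup, json.loads(manifest_json))

        # Simulate the backup location being reached by ransomware:
        # one file's content replaced, one file renamed (".locked" is a constructed marker).
        (backup / "payroll.xlsx").write_bytes(b"garbage")
        (backup / "memo.docx").rename(backup / "memo.docx.locked")

        tampered_report = verify_manifest(backup, json.loads(manifest_json))
        return clean_report, tampered_report
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("untouched backup clean:", is_clean(before))
    print("tampered backup report:", json.dumps(after, indent=2))
```

The manifest only proves something if the attacker could not rewrite it along with the files, which is why it belongs with the offsite copy the article recommends, not on the backup server.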
An increasing number of organizations are suffering ransomware attacks, and experts predict that the numbers are only going to climb. Attackers have the potential to make large sums of money, which means that they are sure to ramp up even more. Regardless of its size, virtually every organization is vulnerable to an attack, and the consequences of a successful ransomware attack can go far beyond the payment of the ransom. Lost business, customer inconvenience, lost productivity and negative publicity can result as well.
This article originally appeared in the August 2017 issue of Security Today.