How to Respond - Encryption is used to foil decryption tools

How to Respond

Encryption is used to foil decryption tools

  • By Rishi Bhargava
  • Aug 01, 2017

Between 2005 and 2016, ransomware infections were more common than data breaches, making them the most pervasive cyber threat of the last 11 years. Ransomware attacks may encrypt folders and files or even the entire hard drive, or they may just lock the devices so that users cannot access them. In recent years, attacks have become increasing sophisticated; crypters can make reverse-engineering extremely difficult, and offline encryption methods can eliminate the need for command and control communications by taking advantage of legitimate features.

A report from Kaspersky Lab revealed that its solutions found ransomware on more than 50,000 computers connected to corporate networks in 2015, which was twice the number detected the year before. In 2016, almost $210 million was paid to ransomware cybercriminals during the first quarter alone, and the FBI estimated that without paying losses for the year would have exceeded $1 billion.

Ransomware is not actually a new method of attack. The first known instance was PC Cyborg, a Trojan distributed by Dr. Joseph Popp in 1989. The malware would encrypt all files and hide all folders on the computer’s hard drive. A script demanded $189 in ransom, and the computer would not function until payment was received and the actions reversed. It did not take long for recovery tools to reverse the effects, but newer attacks have featured stronger encryption to foil decryption tools, making it almost impossible for victims to unlock their own computers.

Approximately 17 years after the introduction of PC Cyborg, a new strain called Archievus was released. Archievus was the first ransomware attack to use RSA encryption as well as the first known ransomware to use asymmetric encryption. It encrypted every file in the “My Documents” directory, and it was very difficult to remove unless victims purchased the password necessary to decrypt the documents.

Attacks Focusing More on Organizations

People had typically been the primary targets of “scareware” schemes that warned users their computers had been infected with malware that could be removed only by purchasing an antivirus software. The antivirus software was actually fake, and the only true threat was the warning message that repeatedly appeared, leading many people to pay the ransom just so the message would go away.

By 2011, anonymous payment methods made it easier for hackers to collect ransoms. Most payment demands require victims to remit payment in bitcoins, but various anonymous cash cards are also popular payment methods. However, hackers can make other ransom demands. For example, “hacktivists” might demand that a company reduce its carbon footprint or that an individual spread the malware to a set number of contacts to unlock his own computer.

As hackers have refined their skills, they began to focus on larger organizations with the budgets to pay substantial ransoms for the files and systems needed to conduct daily operations. In the past few years, there have been several wellpublicized ransomware attacks on major organizations.

In 2016, Hollywood Presbyterian Medical Center suffered a ransomware attack that shut down its computer network for more than a week, resulting in mass chaos. The hospital was forced to transfer some patients to other facilities to ensure that they received the necessary care. Only after the ransom—40 bitcoins or the equivalent of $17,000—was paid so HPMC could regain the use of its malware- encrypted files.

In 2015, the Swedesboro-Woolwich School District in New Jersey was the victim of a ransomware attack. The encrypted files were primarily staff-generated Excel spreadsheets and Word documents. The attack forced the district to delay its assessment tests, but the decision was made to not pay the ransom; the district had adequate backups to restore the servers.

Whether the ransomware attack is a targeted attack or a mass distribution, the attack will follow five distinct phases. Understanding the phases can help increase the chance of a successful defense: infection, Eexecution, backup removal, encryption and cleanup.

Infection. The attack cannot succeed unless the malware can be placed on a computer. Many ransomware attacks result from a phishing campaign, often through emails with infected attachments or compromised links. However, exploit kits that exploit vulnerabilities in software applications such as Internet Explorer and Adobe Flash are the preferred method for some malware attacks, including CryptoLocker.

Execution. An executable file will be placed on the target’s computer, usually beneath the user’s profile in the “TEMP” or “APPDATA” folder.

Backup removal. Within seconds of the execution, the ransomware finds and removes backup folders and files that exist on the system. On systems running Windows, the vssadmin tool is often used to delete volume shadow copies; this will create event log entries that can make detection easier.

Encryption. After removing backups, a secure key exchange may be performed with the C2 server. However, some ransomware types, including the SamSam malware, do not need to communicate with the C2 server; the encryption can be performed locally.

Cleanup. The final phase is to present the demand instructions and remove the evidence of the malware code. The presentation of the payment demand can help identify the strain of ransomware. For example, Locky changes the wallpaper to include instructions, while CryptoWall V3 stores the instructions in a HELP_DECRYPT file.

Preparing and Responding to a Ransomware Attack

When it comes to handling a ransomware attack, protection and prevention are the best and most effective defenses. There are five critical steps in defending against a ransomware attack: prepare, early detection, contain the damage, eradicate the ransomware and follow a recovery plan.

Organizations need to be proactive about patching to eliminate vulnerabilities, and be proactive about backing up their system and store backup files offsite or at least in a location other than the server. Having a well-defined incident response plan that includes an explicit plan for fast action to a ransomware attack is critical. In addition to adopting the practice of assigning least privileges, especially for file shares, limiting exposure can also limit the damage that a ransomware infection can cause.

Final preparation should include deployment of endpoint protection tools that can detect early attacks and respond to them quickly and automatically, and to educate all end users. People are the weakest link in most organizations, so companies need to make sure that they know what to look for and how to avoid phishing schemes and malvertising. All users should be warned against plugging in any portable storage devices of unknown origin.

Early detection of ransomware is key for successfully containing and eradicating the damage. IT need to place signatures into network devices, such as Locky and CrytoWall. Additionally, automated tools for screening email should be in place to detect executable or malicious attachments.

Security automation and orchestration tools can help contain the damage significantly. The time between detection and containment is critical to minimize lateral damage and spreading of infection. It is also recommended to disable the connection or try to shut down the system quickly to minimize damage. These steps can be also automated to respond quickly and consistently.

How to eradicate ransomware. Replacing the machines is the best option. With all types of malware, including ransomware, it is almost impossible to know whether there are hidden files remaining on the system that could launch another infection. Cleaning file shares, mailboxes and malicious messages should be done, and companies need to be very proactive about continuing to monitor signatures to detect signs that the attack is emerging once more.

Once the backups are verified and clean, restoring affected files can be accomplished in relatively little time without the need to pay the ransom. The infection vector could be a phishing email, an internet-based attack kit or another exploitation. Knowing how the attacker penetrated your defenses can help prevent future attacks. Finally, be sure to report the incident. Victims are encouraged to report ransomware attacks to the FBI’s Internet Crime Complaint Center.

An increasing number of organizations are suffering ransomware attacks, and experts predict that the numbers are only going to climb. Attackers have the potential to make large sums of money, which means that they are sure to ramp up even more.

Regardless of its size, virtually every organization is vulnerable to an attack, and the consequences of a successful ransomware attack can go far beyond the payment of the ransom. Lost business, customer inconvenience, lost productivity and negative publicity can result as well.

This article originally appeared in the August 2017 issue of Security Today.

Featured

  • Unlocking the Possibilities

    Security needs continue to evolve and end users are under pressure to address emerging risks and safety concerns. For many, that focus starts with upgrading perimeter openings and layering technologies—beginning at the door. Read Now

  • Freedom of Choice

    In today's security landscape, we are witnessing a fundamental transformation in how organizations manage digital evidence. Law enforcement agencies, campus security teams, and large facility operators face increasingly complex challenges with expanding video data, tightening budget constraints and inflexible systems that limit innovation. Read Now

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

Most   Popular

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.