The Rise and Warfare of Ransomware
Originally published on Cyber Defense Magazine August 2016
What is Ransomware?
Ransomware is a compound of two words, Ransom and Ware. As you could guess, Ransom sounds like a hostage situation you see in the movies, where someone is held in exchange for a large amount of money. Ware comes from the term Malware (a term used for intrusive or disruptive software).
Ransomware can therefore be compared to the common ransom approach, where a person is held captive and only released in exchange for a sum of money. In the IT world, however, the hostage is commonly your files.
How does it work?
First an attacker infects your system with ransomware. This could be done via social engineering, by breaking into your system, or by a user plugging in an already infected device. Once the ransomware is on your system it works its way through it, using cryptography to encrypt as many files as it can find. Once this is complete, a ransom message is displayed instructing you to pay bitcoins to regain access to your files. Commonly a counter is displayed on the screen, ticking down to when your files will be deleted.
Services such as Western Union and Bitcoin let you send money to others without being easily traced, and attackers leverage this to avoid being caught. Most recent ransomware provides a link directly to a bitcoin payment portal.
An easier way to understand how ransomware works is by the following points:
Infect and spread
In the “infect and spread” phase the system has already been compromised and the ransomware begins its assault. In its arsenal is a component that works its way through your network looking for other devices it can connect to and infect with its payload.
Next the “Encrypt” phase begins. The ransomware encrypts all the files that meet the criteria set by the attacker. The private key that can decrypt your files is sent back to the attacker and deleted from the infected system.
The final phase of the attack is to demand payment. All the victim sees at this stage is that double-clicking an encrypted file launches a window demanding a sum of money for the files to be unlocked, failing which they will be automatically deleted within X amount of time.
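The “Encrypt” phase leaves a trail a defender can watch for: one process rewriting many files in a short burst, the rewritten content looking like ciphertext rather than documents, and files being renamed to a new extension. The following is an added example, not code from the article, that scores constructed file-system audit records on exactly those three signals; the record fields, the 60-second window and the thresholds are assumptions chosen for the example.

```python
"""Defender-side detection of the "encrypt" phase described above.

Added example, not from the article. It reads constructed file-system audit
records (the kind an endpoint agent or object-access auditing produces) and
flags a process that, within a short window, rewrites many files with
ciphertext-like content and renames them to a new extension. Field names,
window and thresholds are assumptions chosen for the example.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_processes(events, window=timedelta(seconds=60), min_files=5,
                    entropy_threshold=7.0):
    """Return {process: findings} for processes whose write pattern looks like
    mass encryption: many distinct files touched inside `window`, at least
    `min_files` writes carrying high-entropy content, and new extensions
    appearing via renames."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["action"] in ("write", "rename"):
            by_proc[ev["process"]].append(ev)

    findings = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: largest number of distinct paths touched within `window`.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["path"] for e in evs[start:end + 1]}))
        high_entropy = sum(1 for e in evs
                           if e["action"] == "write"
                           and shannon_entropy(e["data"]) >= entropy_threshold)
        new_exts = {e["path"].rsplit(".", 1)[-1]
                    for e in evs if e["action"] == "rename" and "." in e["path"]}
        if peak >= min_files and high_entropy >= min_files:
            findings[proc] = {"files_in_window": peak,
                              "high_entropy_writes": high_entropy,
                              "new_extensions": sorted(new_exts)}
    return findings


# --- Constructed sample data (not real telemetry) ---------------------------
T0 = datetime(2016, 8, 1, 9, 0, 0)
CIPHERTEXT_LIKE = bytes(range(256)) * 4      # every byte value equally likely
DOCUMENT_LIKE = b"Invoice 2016-03: total due 1,250.00 GBP, payable within 30 days." * 4


def _ev(offset_s, process, action, path, data=b""):
    return {"ts": T0 + timedelta(seconds=offset_s), "process": process,
            "action": action, "path": path, "data": data}


SAMPLE_EVENTS = []
for i in range(6):
    # An unknown process rewrites six spreadsheets with ciphertext and renames them.
    SAMPLE_EVENTS.append(_ev(2 * i, "unknown.exe", "write",
                             f"/srv/share/finance/report{i}.xlsx", CIPHERTEXT_LIKE))
    SAMPLE_EVENTS.append(_ev(2 * i + 1, "unknown.exe", "rename",
                             f"/srv/share/finance/report{i}.xlsx.locked"))
# A word processor saving one document twice should not trip the detector.
SAMPLE_EVENTS.append(_ev(5, "winword.exe", "write", "/home/alice/letter.docx", DOCUMENT_LIKE))
SAMPLE_EVENTS.append(_ev(40, "winword.exe", "write", "/home/alice/letter.docx", DOCUMENT_LIKE))

if __name__ == "__main__":
    for proc, info in score_processes(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {info}")
```

Run as a script it prints one alert for unknown.exe and nothing for winword.exe. Legitimate backup and compression tools also write many high-entropy files quickly, so in practice the process name or signer of known tools is allow-listed before this score raises an alert, and the alert is the trigger for isolating the host before more of the share is encrypted.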
Who does this affect?
I have seen and heard of many stories where databases have been hit by ransomware. This includes payroll systems, client databases, supplier databases or even whole business file servers that hold client confidential documents.
The big question on most entrepreneurs' and chief executives' tongues is “Will I go out of business?” I have personally seen ransomware asking for 500 USD per file to be unlocked.
The popular ransomware Cryptowall cost the US alone 18 million pounds. This particular ransomware demanded 200 – 10,000 USD. Cryptolocker has been documented to have made 30 million USD within 100 days. Although these statistics are reported for the US, you must note:
The UK is still in the top 10 countries hit by ransomware.
Around 48% of users in the UK hit by ransomware will pay the ransom.
The UK is one of the countries that get hit by higher ransoms.
Just under 55% of all spam emails in the UK now have some form of ransomware/malware attached.
Ransomware attacks in the UK are growing as one of the most popular methods to attack organisations.
Businesses with over 10 employees are the most common targets.
The above points make it clear that black hat hackers are interested in the easy and quick cash-in option. Ransomware is now on the rise as the most popular and profitable method of attack.
Most businesses do not have a strategic solution for recovery from an attack. Most attacks that lead to a system being compromised have at least 2 days of downtime and lock at least 72% of employees out of their data for that period.
First we should cover the obvious points of preventing your system from being a target.
Configuring spam filters and email virus scanners will help reduce the chances of being infected by ransomware, as most ransomware is delivered through an infected email.
IT Security Policy & Privileges: users should be prevented from plugging in removable storage. This includes their mobile phones, USB drives and other devices, in case the device is infected with ransomware. Users should not be granted more privileges than needed on each system; should ransomware run under their account, the damage is then limited to the files they have access to.
User training is important to make employees aware of different types of attacks. Looking up and sharing a case study with employees may help them to better understand and evaluate the risk.
Data backups should always be kept safe and offline, as you do not want to be overwriting your backed-up data with the ransomware's encrypted data. In case you are already infected, consider a recovery strategy that best suits the situation.
Anti-virus software is important, but also make sure you are running the latest anti-virus version with the latest definitions applied. Further, make sure your policies are configured correctly and that new devices installed on the network are placed in the correct group so they are managed correctly.
SILO. It is a good idea to cordon parts of your network off and install firewalls between each area, with packet inspection, intrusion detection systems and intrusion prevention systems. Web filtering is also recommended. This not only helps protect your vital systems from attacks but can also prevent ransomware from spreading. Segregating your network forms a barrier that filters legitimate from non-legitimate traffic to help prevent ransomware spreading across the network.
What to do if I am attacked
If you have a valid offline backup, you may think it’s as easy as restoring the data.
But this is not the case with ransomware: you do not want to risk your backup also getting infected. The most important step is to identify the ransomware, then take the necessary steps to remove it from your systems. After doing so you can restore the data. If you do not have a backup of the file(s) to restore, then your options are either to have someone look at reversing the key to unlock the file or to pay the ransom.
It's best to look at your IT system sooner rather than later to avoid a situation like this. Meta Defence Labs provide a “no crack no fee” service: they will take a look at the file for you to reverse engineer, or provide consultancy to help clear an infected environment. Their auditing services can also help identify weak points in your network so you can harden your environment.
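The two pieces of advice above, keep backups offline so the ransomware cannot overwrite them and restore only after it has been identified and removed, both rest on being able to prove a backup set is still what it was when it was taken. The following is an added example, not code from the article or from Meta Defence Labs, of one way to do that: a SHA-256 manifest of the backup set, signed with an HMAC key that stays with the offline media, so that a restore can be refused when the listing or any file has changed. The paths, key and file contents are constructed placeholders.

```python
"""Verifying an offline backup before restoring it, as an added example (not
the article's or Meta Defence Labs' code). It keeps a SHA-256 manifest of the
backup set, signs the manifest with an HMAC key that stays offline with the
backup media, and reports which files changed, went missing or appeared
(for example with a new extension) compared with the manifest.
Paths, key and file contents are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Dict


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Record one SHA-256 per file and an HMAC over the whole listing."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(manifest: dict, files: Dict[str, bytes], key: bytes) -> dict:
    """Compare a file set against a signed manifest.

    manifest_ok False means the listing itself was altered (or signed with a
    different key), so none of the per-file results can be trusted; otherwise
    the intact/modified/missing/unexpected lists say what changed."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return {"manifest_ok": False, "intact": [], "modified": [],
                "missing": [], "unexpected": []}
    intact, modified, missing = [], [], []
    for path, digest in manifest["entries"].items():
        if path not in files:
            missing.append(path)
        elif hashlib.sha256(files[path]).hexdigest() == digest:
            intact.append(path)
        else:
            modified.append(path)
    unexpected = [p for p in files if p not in manifest["entries"]]
    return {"manifest_ok": True, "intact": sorted(intact), "modified": sorted(modified),
            "missing": sorted(missing), "unexpected": sorted(unexpected)}


def safe_to_restore(report: dict) -> bool:
    """Only restore from a set whose manifest verifies and whose files are all intact."""
    return report["manifest_ok"] and not (report["modified"] or report["missing"]
                                          or report["unexpected"])


# --- Constructed sample: a backup set taken before the incident ------------
OFFLINE_KEY = b"example-key-kept-with-the-offline-media"   # placeholder, not a real key
BACKUP_SET = {
    "finance/payroll.xlsx": b"employee,salary\nalice,30000\nbob,32000\n",
    "clients/contract.docx": b"Agreement between Example Ltd and Client plc",
}
MANIFEST = build_manifest(BACKUP_SET, OFFLINE_KEY)

# The same share after an infection: one file overwritten with ciphertext-like
# content and a renamed copy left behind, the other untouched.
AFTER_INFECTION = {
    "finance/payroll.xlsx": bytes(range(256)),
    "finance/payroll.xlsx.locked": bytes(range(256)),
    "clients/contract.docx": BACKUP_SET["clients/contract.docx"],
}

if __name__ == "__main__":
    print("offline copy:", verify_backup(MANIFEST, BACKUP_SET, OFFLINE_KEY))
    print("live share:  ", verify_backup(MANIFEST, AFTER_INFECTION, OFFLINE_KEY))
```

The manifest and its key live with the offline copy, not on the file server, which is what stops a backup that has been silently overwritten from passing as good. The same report, run against the live share, also gives a first inventory of which files the ransomware touched, which helps with the identification step before any restore begins.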