Understanding ransomware helps organizations devise solutions
Threat intelligence and regular backup of data outside the network help stymie attackers
By Adam Meyers, Special to ThirdCertainty
Ransomware is software designed to compel a victim to pay a monetary ransom for access to their own data. A victim gets an email containing a malicious payload that can cost irreplaceable data and time.
Even more terrifying is the use of “exploit kits” that can deliver ransomware to an unsuspecting victim who visits a legitimate website that has been compromised.
Ransomware’s attraction is obvious—it provides a huge payoff for little investment. One niche player was observed making $73,000 from their ransomware campaign in three months, and they appear to only be getting started.
Ransoms often are collected in Bitcoin or a similar “cryptocurrency,” which can be used or converted to another currency. Ransomware users complicate efforts to trace funds by employing The Onion Router (TOR) hidden services, which use anonymizing capabilities to mask where the command-and-control infrastructure is housed.
Types of ransomware
Historically, there have been two primary ransomware modes: encryption-based and fear-based.
- The fear-based model attempts to scare victims into paying a ransom under threat of prosecution for software piracy, possessing pornographic/forbidden material, or losing access to the victim computer. Some fear-based ransomware accuses the user of accessing child pornography or copyrighted material and advises them they’re obligated to pay a fine.
- Encryption-based ransomware encrypts components of the victim’s file system using cryptographic algorithms, leaving a ransom note demanding payment to decrypt files. Attackers might also target automated backups to further complicate data recovery.
Modern ransomware, which encrypts the victim’s data, generally uses a cryptographic system known as asymmetric cryptography. Once the victim pays the ransom, the attacker hands over the decryption key needed to recover the data.
The distribution of ransomware relies on a criminal ecosystem. Services such as pay-per-install botnets, loaders, exploit kits, and spam botnets distribute the ransomware, creating a business cost for the attacker. Bot-herders (those who operate botnets) depend on the ransomware actors for payment, while the ransomware actors depend on these services to reach victims.
Attackers can buy ransomware as a software package, or they can build their own. A relatively unsophisticated actor can buy a ransomware package, enlist the services of a bot-herder to distribute the payload, and hire a law-enforcement-resistant infrastructure provider to host the command-and-control systems.
Distribution of ransomware
Ransomware is typically distributed in four ways:
- Email distribution often comes with legal, financial or employment threats. Generally, a malicious file is delivered that appears to be a legitimate document, but silently installs ransomware.
- Pay-per-install botnets reach a victim’s system by a variety of means, but once the bot is installed, the botnet owner can sell access to that system to the highest bidder.
- Exploit kits probe a visiting web browser with tests that identify a vulnerability. Once a vulnerability is identified, a malicious payload is silently deployed.
- Targeted ransomware sees an attacker identify a victim they think will pay, compromise that victim’s enterprise, and obtain administrative access to deliver ransomware across every system.
Many organizations lack comprehensive protection, fail to ensure they maintain adequate offsite backups, and, in general, do not have safeguards or countermeasures to stop ransomware from affecting their operations. If one person in an organization infects a computer, and that computer has a shared drive or folder, the ransomware can encrypt every file in the organization.
Beginning in 2016, hospitals across the United States and Europe have been locked out of their data and forced to pay a ransom. In some cases, observers speculate that medical procedures could be delayed by these attacks.
Hospitals have paid tens of thousands of dollars to recover their data, prompting attackers to target other victims who provide critical services.
Defense against ransomware
Incremental backups that are routinely stored off the network are essential to recovering from a ransomware attack. Proactive use of threat intelligence also can help organizations mitigate the impact of ransomware.
Ransomware frequently uses a domain-generation algorithm (DGA) to derive a constantly changing command-and-control domain, so that even if the ransomware is identified, an organization can’t simply block a fixed command-and-control host. Through detailed analysis of this DGA, organizations can predict which domains the ransomware may use in the future and proactively block them.
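To illustrate the prediction step, here is an added example (not code from the article or from any real ransomware family): a constructed toy DGA, standing in for one recovered by reverse engineering, whose seed and TLD list are hypothetical placeholders, used to enumerate a future window of domains and render them as a DNS blocklist.

```python
import hashlib
import re
from datetime import date, timedelta

# Hypothetical stand-in for values an analyst would recover from the sample.
SEED = b"placeholder-seed"
TLDS = ["com", "net", "org"]


def dga_domain(day: date, index: int) -> str:
    """Derive the index-th domain for a calendar day from the seed (toy scheme)."""
    material = SEED + day.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).hexdigest()
    # Map the first 12 hex digits onto a-z; pick the TLD from the next two.
    label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
    tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
    return f"{label}.{tld}"


def predict_domains(start: date, days: int, per_day: int) -> list:
    """Enumerate every domain the sample would try over a future window."""
    out = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        out.extend(dga_domain(day, i) for i in range(per_day))
    return out


def blocklist_rpz(domains) -> str:
    """Render as BIND Response Policy Zone records ('CNAME .' = NXDOMAIN)."""
    return "\n".join(f"{d} CNAME ." for d in domains)


def is_predicted(domain: str, start: date, days: int, per_day: int) -> bool:
    """Match a queried domain (e.g. from DNS logs) against the predicted set."""
    return domain.lower().rstrip(".") in set(predict_domains(start, days, per_day))


DOMAIN_RE = re.compile(r"^[a-z]{12}\.(com|net|org)$")

if __name__ == "__main__":
    # Push the next week's domains to the resolver before the sample rotates.
    print(blocklist_rpz(predict_domains(date(2016, 6, 1), 7, 3)))
```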
Analysis of ransomware also can illuminate potential “vaccination” opportunities. Often during the initial execution, the code will check for markers that, if present, will signal that it need not continue its routine. By proactively creating these markers, it’s possible to prevent the code from having the opportunity to encrypt the intended victim’s data.
Behavior-based security technology can detect the file scanning and bulk file encryption that ransomware performs, and that detection can be used to stop the ransomware before it finishes deploying.
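As an added example of that behavioral logic (not the article’s or any vendor’s code), the following runs over constructed file-activity telemetry and flags a process that rewrites many distinct files with high-entropy content and renames them within a short window; the process names, paths, thresholds and event format are all hypothetical.

```python
import math
from collections import defaultdict

WINDOW_S = 10.0    # sliding window in seconds
MIN_FILES = 5      # distinct files rewritten inside the window
MIN_ENTROPY = 7.0  # bits/byte; encrypted output approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written payload; plaintext documents score far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed sample telemetry, not real sensor output:
# (t_seconds, pid, image, op, path, payload_written)
CIPHERLIKE = bytes(range(256)) * 4                      # entropy exactly 8.0
PLAINTEXT = b"Quarterly figures and commentary. " * 30  # ordinary document text
EVENTS = [(0.0, 1200, "WINWORD.EXE", "write", "C:/Users/a/Docs/report.docx", PLAINTEXT)]
for i in range(6):  # one process rewrites six spreadsheets and renames each
    path = f"C:/Users/a/Docs/sheet{i}.xlsx"
    EVENTS.append((2.0 + i * 0.5, 4312, "updater.exe", "write", path, CIPHERLIKE))
    EVENTS.append((2.2 + i * 0.5, 4312, "updater.exe", "rename", path + ".locked", b""))


def detect(events) -> list:
    """Alert on a process that, within WINDOW_S, writes high-entropy data to
    >= MIN_FILES distinct files and also renames files (extension swap)."""
    per_proc = defaultdict(list)
    for t, pid, image, op, path, payload in events:
        per_proc[(pid, image)].append((t, op, path, shannon_entropy(payload)))
    alerts = []
    for (pid, image), evs in per_proc.items():
        evs.sort()
        for t0, _, _, _ in evs:  # slide the window from each event start
            window = [e for e in evs if t0 <= e[0] < t0 + WINDOW_S]
            hi = {p for _, op, p, ent in window if op == "write" and ent >= MIN_ENTROPY}
            renamed = [p for _, op, p, _ in window if op == "rename"]
            if len(hi) >= MIN_FILES and renamed:
                alerts.append({"pid": pid, "image": image, "first_seen": t0,
                               "files": sorted(hi)})
                break  # one alert per process is enough to trigger containment
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} rewrote {len(a['files'])} files")
```

A real sensor would act on the first alert (suspend the process, cut its network access) rather than wait for every file to be touched.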
Ransomware is continuously being developed to improve effectiveness, reach and impact. These tools are distributed among a global criminal ecosystem. Individuals seeking to protect themselves must remain vigilant and ensure they back up their data. As long as victims continue to pay ransoms, malicious actors will continue to operate.