Understanding ransomware helps organizations devise solutions

Threat intelligence and regular backup of data outside the network help stymie attackers


Ransomware is software designed to compel a victim to pay a monetary ransom for access to their own data. Typically the victim receives an email carrying a malicious attachment or link; opening it can cost irreplaceable data and time.

Even more terrifying is the use of "exploit kits" that can deliver ransomware to an unsuspecting victim who simply visits a legitimate website that has been compromised.

Ransomware's attraction is obvious: it provides a huge payoff for little investment. One niche player was observed making $73,000 from their ransomware campaign in three months, and they appear to be only getting started.

Ransoms usually are collected in Bitcoin or a similar cryptocurrency, which can be spent directly or converted to another currency. Ransomware operators also make themselves harder to trace by hosting their command-and-control infrastructure as Tor (The Onion Router) hidden services, whose anonymizing properties mask where that infrastructure is actually housed.

Types of ransomware

Historically, there have been two primary ransomware modes: encryption-based and fear-based.

  • The fear-based model attempts to scare victims into paying a ransom under threat of prosecution for software piracy, possession of pornographic or otherwise forbidden material, or loss of access to the victim's computer. Some fear-based ransomware accuses the user of accessing child pornography or copyrighted material and tells them they are obligated to pay a fine.
  • Encryption-based ransomware encrypts files on the victim's file system using cryptographic algorithms and leaves a ransom note demanding payment for the decryption key. Attackers may also delete or encrypt automated backups (on Windows, for example, by deleting volume shadow copies) to further complicate recovery.

Modern ransomware, which encrypts the victim's data, generally relies on asymmetric (public-key) cryptography, usually in a hybrid scheme: files are encrypted with a fast symmetric cipher, and the symmetric key is in turn encrypted with a public key whose private half exists only on the attacker's infrastructure. Nothing on the victim's machine can reverse that last step, which is why the decryption key must come from the attacker. Once the victim pays the ransom, the attacker provides that key (or a decryptor containing it) so the data can be recovered.

The distribution of ransomware relies on a criminal ecosystem. Services such as pay-per-install botnets, loaders, exploit kits and spam botnets deliver the ransomware, which is a business cost for the attacker: bot-herders (those who operate botnets) need the ransomware actors to pay them, and the ransomware actors need these services to reach victims.

Attackers can buy ransomware as a software package, or they can build their own. A relatively unsophisticated actor can buy a ransomware package, enlist the services of a bot-herder to distribute the payload, and use a law-enforcement-resistant infrastructure provider (so-called bulletproof hosting) to host the command-and-control systems.

Distribution of ransomware

Ransomware is typically distributed in four ways:

  • Email distribution often comes with legal, financial or employment threats. Generally, a malicious file is delivered that appears to be a legitimate document but silently installs ransomware.
  • Pay-per-install botnets are delivered by a variety of means, but once a bot is on a victim's system, the botnet owner can sell access to that system to the highest bidder.
  • Exploit kits fingerprint visiting web browsers and their plugins, probing for an exploitable vulnerability. Once one is identified, a malicious payload is silently deployed.
  • Targeted ransomware sees an attacker identify a victim they think will pay, compromise that victim's enterprise, and obtain administrative access in order to deliver ransomware across every system.

Many organizations lack comprehensive protection, fail to maintain adequate offsite backups, and, in general, do not have safeguards or countermeasures to stop ransomware from affecting their operations. If one person in an organization infects a computer, and that computer has a mapped shared drive or folder, the ransomware can encrypt every file on that share that the user's account can write to, and with it much of the organization's data.

Beginning in 2016, hospitals across the United States and Europe have been locked out of their data and forced to pay a ransom. In some cases, observers speculate that medical procedures could be delayed by these attacks.

Hospitals have paid tens of thousands of dollars to recover their data, prompting attackers to target other victims who provide critical services.

Defense against ransomware

Incremental backups that are routinely stored off the network, and that are periodically tested by actually restoring from them, are essential to recovering from a ransomware attack. A backup that is reachable from an infected workstation is just another target. Proactive use of threat intelligence also can help organizations mitigate the impact of ransomware.
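The following is an added example, not code from the article: a minimal incremental snapshot scheme that copies only files changed since the previous snapshot, records SHA-256 hashes in a manifest, verifies a snapshot before trusting it, and restores from it. The directory layout, snapshot names and sample files are constructed for the demonstration; in practice the `offline` destination would be removable media or a host the workstation cannot write to.

```python
"""Incremental, verifiable snapshots (added example; paths are assumptions)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(source):
    """Relative path -> SHA-256 for every regular file under source."""
    return {str(p.relative_to(source)): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def snapshot(source, dest, name, previous=None):
    """Copy into dest/name/ only files new or changed since `previous` (an
    earlier manifest). Unchanged files keep pointing at the snapshot that
    already holds them, so restores never need the live copy."""
    current = scan(source)
    prev_files = previous["files"] if previous else {}
    manifest = {"name": name, "files": {}}
    (dest / name).mkdir(parents=True, exist_ok=True)
    for rel, digest in current.items():
        prev = prev_files.get(rel)
        if prev and prev["sha256"] == digest:
            manifest["files"][rel] = prev          # unchanged: reuse old copy
            continue
        target = dest / name / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
        manifest["files"][rel] = {"sha256": digest, "snapshot": name}
    (dest / f"{name}.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify(dest, manifest):
    """Return relative paths whose stored copy no longer matches the manifest
    (missing, corrupted, or encrypted because the backup target was reachable)."""
    bad = []
    for rel, entry in manifest["files"].items():
        stored = dest / entry["snapshot"] / rel
        if not stored.is_file() or sha256_file(stored) != entry["sha256"]:
            bad.append(rel)
    return bad


def restore(dest, manifest, target):
    for rel, entry in manifest["files"].items():
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / entry["snapshot"] / rel, out)


def demo():
    """Two snapshots, a simulated encryption of the live data, a verified
    restore, and detection of a tampered stored copy. Sample data is constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, rst = Path(tmp, "live"), Path(tmp, "offline"), Path(tmp, "restored")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "a.txt").write_text("quarterly report")
        (src / "b.txt").write_text("hello")
        m1 = snapshot(src, dest, "snap1")
        (src / "b.txt").write_text("hello, changed")
        m2 = snapshot(src, dest, "snap2", previous=m1)
        copied_in_snap2 = [r for r, e in m2["files"].items() if e["snapshot"] == "snap2"]
        for p in src.rglob("*.txt"):              # "ransomware" hits the live tree
            p.write_bytes(os.urandom(32))
        verify_ok = verify(dest, m2) == []
        restore(dest, m2, rst)
        (dest / "snap1" / "docs" / "a.txt").write_bytes(b"garbage")  # tamper
        return {"copied_in_snap2": copied_in_snap2,
                "verify_ok": verify_ok,
                "restored_a": (rst / "docs" / "a.txt").read_text(),
                "restored_b": (rst / "b.txt").read_text(),
                "tamper_detected": verify(dest, m2)}


if __name__ == "__main__":
    print(demo())
```

Only `b.txt` is copied into the second snapshot; `docs/a.txt` is served from the first. The `verify` step is what "tested by actually restoring" means in code: a manifest hash mismatch tells you a snapshot has been altered before you rely on it.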

Ransomware frequently uses a domain-generation algorithm (DGA): rather than embedding a fixed command-and-control domain, the malware derives a fresh set of candidate domains from a seed such as the current date, so that blocking any single host does not cut it off from its operators. Once analysts have reverse-engineered the algorithm and its seed, however, they can compute the domains the malware will try in the coming days and block or sinkhole them in advance.
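An added example, not from the article: a simplified, hypothetical DGA (not any real family's algorithm) seeded by the calendar date, a function that precomputes the domains it will produce over the coming week, and a check of constructed DNS log lines against that list. The seed value, TLD set, domain length and log format are all assumptions; the real work is recovering the generator and seed from the actual sample.

```python
"""Predict and block DGA domains (added example; the DGA itself is fictional)."""
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info"]   # assumed TLD set used by the toy DGA


def dga(day, seed=0x5EED, count=8, length=12):
    """Derive `count` candidate C2 domains for one calendar day. The date and a
    hard-coded seed are the only inputs, so anyone who knows the algorithm can
    compute the same list for any future day."""
    domains = []
    for i in range(count):
        material = f"{seed:x}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def predict_blocklist(start, days):
    """Every domain the sample would try from `start` for `days` days."""
    out = set()
    for offset in range(days):
        out.update(dga(start + timedelta(days=offset)))
    return out


def classify_dns_log(lines, blocklist):
    """Flag queries whose name is on the predicted list. Lines use the
    constructed format '<client-ip> <qname>'."""
    hits = []
    for line in lines:
        client, qname = line.split()
        if qname.rstrip(".").lower() in blocklist:
            hits.append((client, qname))
    return hits


def demo():
    start = date(2016, 6, 1)                    # assumed analysis date
    blocklist = predict_blocklist(start, 7)     # next seven days, pushed to DNS filter
    # Constructed DNS log: one workstation resolves tomorrow's first DGA domain.
    log = [
        "10.0.0.5 www.example.com.",
        "10.0.0.7 " + dga(start + timedelta(days=1))[0] + ".",
        "10.0.0.9 mail.example.org.",
    ]
    return blocklist, classify_dns_log(log, blocklist)


if __name__ == "__main__":
    blocklist, hits = demo()
    print(len(blocklist), "domains predicted;", hits)
```

A real DGA may mix in other inputs (a trending-topic feed, an exchange rate) precisely to frustrate this prediction, and the blocklist has to be regenerated as the window advances; a DNS query for a predicted domain is also a useful detection signal on its own, since a clean host has no reason to ask for it.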

Analysis of ransomware also can reveal "vaccination" opportunities. Often, during initial execution, the code checks for markers (a particular mutex, file or registry value, for example) that, if present, signal that the host is already infected or should be skipped, and it exits without encrypting anything. By creating those markers in advance on clean systems, defenders can deny the code the opportunity to encrypt the intended victim's data. The caveat is that markers are specific to a family and version; the next build may check different ones or none at all.
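An added example, not from the article, of what vaccination looks like in practice. It assumes analysis of a fictional sample showed two markers: a host-wide "already encrypted" flag file, and the sample's own ransom-note filename, which it refuses to overwrite, so it skips any directory where the note already exists. Both marker names, the share layout and the sample files are constructed; `sample_would_encrypt` emulates the sample's gate rather than being taken from any real malware.

```python
"""Vaccination markers (added example; the markers belong to a fictional sample)."""
import tempfile
from pathlib import Path

# Markers assumed to have been recovered by analysing a fictional sample.
GLOBAL_MARKER = "ProgramData/.already_encrypted"  # fictional: sample exits if present
NOTE_NAME = "README_DECRYPT.txt"                  # fictional: sample skips dirs holding its note


def sample_would_encrypt(root, file_path):
    """Emulates the fictional sample's pre-checks: exit outright when the
    global marker exists, and skip any directory that already holds its note."""
    if (root / GLOBAL_MARKER).exists():
        return False
    if (file_path.parent / NOTE_NAME).exists():
        return False
    return True


def vaccinate(root, directories, global_marker=False):
    """Plant the markers before the malware can. Returns the paths created."""
    created = []
    targets = [root / GLOBAL_MARKER] if global_marker else []
    targets += [d / NOTE_NAME for d in directories]
    for path in targets:
        if path.exists():
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("vaccination marker; do not delete\n")
        path.chmod(0o444)   # read-only so routine cleanup does not remove it
        created.append(path)
    return created


def demo():
    """Constructed layout: two shares; vaccinate one directory, then the host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        finance, hr = root / "shares" / "finance", root / "shares" / "hr"
        for d in (finance, hr):
            d.mkdir(parents=True)
            (d / "data.xlsx").write_text("constructed sample data")
        files = [finance / "data.xlsx", hr / "data.xlsx"]
        stage0 = [sample_would_encrypt(root, f) for f in files]  # nothing protected yet
        vaccinate(root, [finance])                                # per-directory note
        stage1 = [sample_would_encrypt(root, f) for f in files]
        vaccinate(root, [], global_marker=True)                   # host-wide marker
        stage2 = [sample_would_encrypt(root, f) for f in files]
        return stage0, stage1, stage2


if __name__ == "__main__":
    print(demo())
```

The per-directory note protects only the directories it was planted in, so share roots and user profile folders are the obvious targets; the host-wide marker is cheaper but only helps against the one family that checks it. Either way the markers have to be re-validated whenever a new build of the family appears.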

Behavior-based security technology can detect the pattern that accompanies encryption, such as rapid enumeration of directories followed by many files being rewritten with high-entropy content and renamed, and can stop the offending process before it gets far.
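An added example, not from the article or any product, of the detection logic just described: a per-process sliding window over file-write events that alerts when several distinct files are rewritten with high-entropy content and a changed extension within a short interval. The event format, thresholds and the event stream (a document editor, an archiver, and a process that locks six files) are constructed; the "ciphertext" is deterministic pseudo-random filler rather than real encryption output.

```python
"""Behavioral detection of mass file encryption (added example; thresholds are assumptions)."""
import hashlib
import math
import os
from collections import defaultdict, deque


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0. Encrypted or compressed output sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptionDetector:
    """Tracks, per process, writes that are both high-entropy and change the
    file's extension; alerts when `min_files` distinct files are hit within
    `window` seconds. Requiring both signals keeps archivers (high entropy,
    same extension) and renames of plain text (new extension, low entropy) quiet."""

    def __init__(self, window=10.0, min_files=5, entropy_threshold=7.0):
        self.window = window
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self.suspicious = defaultdict(deque)   # pid -> deque of (ts, path)
        self.alerts = []

    def observe(self, ts, pid, old_path, new_path, content):
        """Feed one event: (timestamp, pid, path before, path after, bytes written)."""
        high_entropy = shannon_entropy(content) >= self.entropy_threshold
        ext_changed = os.path.splitext(old_path)[1] != os.path.splitext(new_path)[1]
        if not (high_entropy and ext_changed):
            return None
        q = self.suspicious[pid]
        q.append((ts, new_path))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        already = any(a["pid"] == pid for a in self.alerts)
        if len(distinct) >= self.min_files and not already:
            alert = {"pid": pid, "ts": ts, "files": len(distinct)}
            self.alerts.append(alert)   # a real agent would suspend the process here
            return alert
        return None


def pseudo_random_bytes(n, seed):
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def demo():
    det = EncryptionDetector()
    # Constructed event stream: an editor saving text, an archiver writing a zip,
    # and pid 4242 rewriting six documents as high-entropy *.locked files.
    events = [
        (0.5, 1001, "docs/report.docx", "docs/report.docx", b"Quarterly report " * 60),
        (1.0, 2002, "out/backup.zip", "out/backup.zip", pseudo_random_bytes(1024, "zip")),
    ]
    events += [(2.0 + i, 4242, f"docs/f{i}.docx", f"docs/f{i}.docx.locked",
                pseudo_random_bytes(1024, i)) for i in range(6)]
    for ev in events:
        det.observe(*ev)
    return det.alerts


if __name__ == "__main__":
    print(demo())
```

The alert fires on the fifth distinct file, before the sixth is touched; tightening `min_files` trades earlier containment for more false positives. The obvious evasion is a family that keeps the original extension, which is why production tooling also watches for deleted shadow copies, ransom-note drops and the sheer rate of rewrites rather than leaning on any single signal.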

Ransomware is continuously being developed to improve its effectiveness, reach and impact, and these tools are distributed through a global criminal ecosystem. Individuals seeking to protect themselves must remain vigilant and ensure they back up their data. As long as victims continue to pay ransoms, malicious actors will continue to operate.
