A High Level Guide to Ransomware
Ransomware.
Youâve heard about it, right?
Itâs in the name. âRansom.â Indicating that something is being held hostage. But what?
Your data.
Ransomware is a type of malware that encrypts data with an attached threat of perpetually blocking access or revealing secrets unless a ransom is paid.
âŚSo what do you do?
âŚHow did it get there?
âŚWhere the hell am I?
And the days go by⌠Water flowing undergroundâŚ
At this point, ransomware is so common, it passes what I like to call, âThe Grandpa Test.â If my grandpa were still alive, and I asked him if he knew what ransomware was, he would probably know and might even be able to loosely describe the idea of it. News outlets, publications, movies, and television have shown, defined, and discussed the concept of ransomware and unauthorized file encryption.
That said, itâs not a new concept. The first known malware extortion attack, the âAIDS Trojanâ, was released in 1989. This particular attack, however, had kind of a big design flaw- the victim wasnât required to actually pay the extortionist. The payload really only hid the files and encrypted the names, so a savvy user could easily reverse the attack.
Ransomware comes in three Neapolitan-esque flavors: crypto, locker, and scareware. Crypto, being the more common variant, is what most people are familiar with and involves some sort of encryption. Locker, on the other hand, doesnât encrypt files. But, rather, locks the victim out of their device, preventing them from using it. Scareware is less invasive, doesnât involve encryption, but uses creative methods to pressure the victim into paying the ransomware, making them think there system is compromised when it likely isnât.
Which bring us to our next point: The main components of ransomware are inaccessibility and extortion. The inaccessibility piece is generally driven by encryption. Most ransomware attacks use a form of asymmetric Public Key Cryptography by encrypting a victimâs files using a public key generated from another computer. That computer holds the private key which is needed to decrypt the encrypted files, and it can only be easily decrypted using that private key.
Encryption is a form of cryptography. Obviously, itâs not always used for nefarious reasons. Encryption is defined as âThe process of conveying ordinary plain text into secretive, unintelligible or âindecipherableâ text and vice-versa.â Encryption requires a cipher, a method or algorithm for performing encryption or decryption.
All of us have seen âChristmas Storyâ, right? Remember the scene where Ralphie is super excited to get his special decoder ring only for it to reveal the secret message of âBe sure to drink your Ovaltineâ?
In the movie, the Caesar cipher was used. This is a relatively easy method to crack and probably the most well-known shift cipher. Comparably, the combination of complex encryption methods in these more sophisticated attacks creates a greater âfile entropyâ and isnât as easy as matching a number to a letter. In simple terms, the file is compressed by replacing bits with shorter patterns of bits, lending to the randomness and difficulty of reversal.
In the professional world, we use encryption in a much more mature way. Most auditing and governance standards require encryption as to make sensitive data more secure and less likely to be intercepted by unauthorized viewers. The industry standard for encryption is AES-128. (Itâs not the only method, just the most common.) AES-128, for example, has a key entropy of 128 bits making it very difficult to crack.
Crackability is the quality or degree in which something is âcrackable.â Obviously, if someone is extorting you for money, they want their method to be reasonably foolproof. Not all ransomware is created equal, though the hope of the attacker is for you to concede to their requests.
The entropy in a cipherâs key (its âkey strength, in bitsâ) is thus a measure of how difficult it is to break the cipher via brute force.
If you do a quick Google search, âHow long would it take to crack AES-128?â the answer is:
So, just imagine compounding that with other methods.
Modern ransomware, such as WannaCry, Petya, and NotPetya use a hybrid encryption method: A combination of AES and RSA encryption to ensure that it is incredibly difficult to crack. This puts the victim in the position of feeling as if they need to pay the ransomware due to a sense of hopelessness. In these cases, itâs not as easy as using a ring to match numbers to letters.
Some ransomware can be cracked, some canât.
But what makes ransomware so dangerous?
If we just had one non-critical computer with this problem and it was an isolated incident, we could easily say, âOk? So what? Letâs just revert to backup, change the passwords and move on, right?â
Well, maybe. If someone is on your network, even if itâs one device, we canât be sure of what they have or donât have. Backups donât solve the immediate problem, nor do they account for exfiltration. Nevertheless, ten computers is worse than one, but one is all it takes to laterally move across a network.
Ransomware can spread in one of two ways: Automatically or manually (Aka âhuman-operated.â) Human-operated attacks are super dangerous, donât get me wrong; They just take a bit more time and effort to execute. If someone is operating manually, itâs likely theyâre working to gain higher levels of access, too. Obviously, there is optimization and a higher impact associated with automation.
The Wannacry variant of ransomware, an automatic type of attack, introduced the âwormable ransomwareâ concept, much like how a virus moves from one PC to the next. It had the capability to spread itself, rendering entire network useless. It used the EternalBlue vulnerability to spread to both internet exposed systems and systems on internal networks.
The danger is in the impact.
If the attack spreads to critical systems, this can cause outages and, potentially, data leakage. If youâre a hospital or a financial institution, depending on how far they dove into your network and what access they were able to adorn, it could mean sensitive customer was data exposed to hackers. (Up to and including personal health records, bank account information, social security numbers, and all that jazz. Bad news bears.)
Ultimately, that kind of damage could permanently ruin your reputation, cause significant financial loss, or even result in your company going out of business.
In 2020 alone, collectively, businesses lost an estimated $20 billion due to ransomware alone. The average costing most organizations around $700k per incident.
What does ransomware usually look like?
The ransom message
How your files might look
The above examples arenât all-encompassing, but with crypto attacks, youâll usually see your file extensions change and, often, an accompanying text and/or pop-up explaining the attack.
Where does it come from?
Realistically, in terms of region, itâs pretty spread out. The most common countries to launch ransomware attacks are Russia, China, Nigeria, Indonesia, and even the United States.
How does it end up on my network?
¡ Phishing
¡ Drive-by downloads
¡ Infected websites
¡ Exploit Kits targeting out of date software
¡ Lack of security controls
¡ Using an unknown USB
¡ Open RDP ports
The most common way ransomware is delivered is via phishing attacks. A phishing attack is a type of social engineering technique, usually accomplished through email, to where the attacker tricks the victim into clicking on a malicious link or downloading an infected file.
Phishingbox.com states that 94% of malware (in general) is delivered via email. Whereas, of that 94%, 65% were categorized as ransomware.
Some phishing campaigns are designed to spoof your company, others spoof common providers, vendors, or well-known, frequently used organizations like PayPal, eBay, and Facebook.
The common denominator is to convince the victim to click a link or open an attachment they shouldnât.
To see common examples of phishing attacks, visit the below link:
Phishing | General Phishing Information and Prevention Tips
What are the most common ransomware attacks?
In 2020, the most common attacks were:
¡ Maze, previously known as ChaCha
¡ REvil
¡ Ryuk
¡ Tycoon
¡ Netwalker
2020, which inarguably is going down as the worst year of all time, had a spike in ransomware activity due to COVID-19 and the work from home initiative. Moreover, various ransomware families have now become capable of stealing sensitive data through there highly sophisticated and developed techniques.
Overall, WannaCry is still, arguably, the biggest and most known ransomware attack in history. It was a global assault that affected more than 250,000 systems with an average of $300k raked in per incident.
Bad actors keep using ransomware because it works.
Many organizations adopt the mindset of, âIt wonât happen to me.â But, itâs not a matter of if, itâs a matter of when. The ostrich method of sticking your head in the sand wonât work here.
What do I do if I get ransomware?
Donât panic.
And, donât pay the ransom!
The FBI, SANS, various security vendors, and the majority of security professionals advise against paying the ransom.
Why?
Firstly, thereâs no guarantee that the attacker will give you the key once the ransom is paid.
Weâve all been in a position in our lives where a promise was broken, maybe even with people we trust. These are people we donât trust. We cannot take their word at face value.
Secondarily, like I said above, âIt works.â If we donât pay, it doesnât âwork.â Thereâs less incentive to continue.
Thirdly, if you do pay, your attack frequency will increase. That paints a target on your back that says, âThis person pays. Keep trying.â
Note: Some may suggest using cyber insurance to take care of this kind of situation, but that is another conversation. (It can be seen as âincentiveâ for attacks to continue.)
Given the expert advice, weâre left with a problem. If youâre not paying, youâve got to do something about it. But, what? How do you handle it?
You essentially have two options: You could consult a professional incident response team, OR try to get rid of it yourself.
The best case scenario is that you can afford a reputable incident response company that can isolate and eliminate the infection, provide a forensic analysis, prove the removal, aid in restoration, and better prepare you for the future.
Sometimes, thatâs really costly. Maybe less costly than the attack itself, but not every business has deep enough pockets to afford those types of services.
If you choose to go rogue and do it on your own, know that, as previously stated, itâs more than just backing up your devices. Thatâs an integral piece of the process, but it doesnât prove that the attack is gone or that the attacker didnât get away with invaluable information such as customer data or trade secrets. If you donât do your due diligence, you could be on the hook for lawsuits and other types of social, legal, and monetary repercussions.
If youâre looking to try and combat it on your own, here are a few good sources to check out:
Ransomware - What Is It and How it works? | Check Point Software
Ransom Warrior Decryption Tool - Check Point Research
How do I prevent ransomware from happening?
Looking back at our explanation of where it comes from, we can reverse engineer that to translate the most effective preventative measures.
Security isnât just a solution you get in a box, itâs also a practice and a mindset.
Having the latest and greatest endpoint and network protections wonât always be a sure-fire way to keep things like this from happening. They do help, for sure, and can be a major component in prevention under most circumstances.
Ransomware, being a type of malware, often have signature-based and behavioral protections. That is what we consider the âknown.â What about the unknown? How do we stop things we havenât yet seen or heard of?
A combination of methods, my friend!
Working from a security framework like NIST or CIS is a good start.
Pair that with implementing a robust security solution, covering all of your attack vectors: Network, cloud, endpoint, IOT, and mobile devices. (Yes, mobile phones are capable of being infected.)
Choosing a security gateway (firewall) can be a daunting task. There are many different types that boast a plethora of capabilities. Thereâs a lot to consider. The best resources to use when making your decision are to review performance tests, such as ones conducted by NSS Labs, or comprehensive evaluations, as conducted by Forrester.
In terms of endpoint protection, you would want to find a product that includes not only traditional anti-malware (Aka âAVâ) protections, but also anti-bot, anti-ransomware, and advanced sandboxing techniques to prevent exploitation as opposed to simply detecting it. Some options even offer ransomware reversal. This is done by the solution creating continuous data backups that can be reverted to in the event of an attack.
On top of that, educate your users! Every security frameworkâs final thoughts revolve around user education. Remember me mentioning the âGrandpa Testâ? Well, find a way to explain to your users the most basic safety measures. IE- âHey, donât click on links if you donât know where the go or where they came from.â
In short:
¡ Never click on unverified links or open untrusted attachments
¡ Use email filtering and content scanning
¡ Segment your network
¡ Donât allow over-permissive user profiles or local admins
¡ Try not to visit sites that donât seem âofficialâ
¡ Do not download applications youâre unsure of
¡ Avoid clicking on ads
¡ Be reserved about offering personal data
¡ Deploy network protections (Next Generation Security Gateways)
¡ Implement advanced endpoint protections (AV)
¡ Use network monitoring tools
¡ Limit access to commonly exploited ports (Such as RDP)
¡ Use VPN when connecting to business resources (Especially if WFH)
¡ Keep your systems up-to-date and patched
¡ Facilitate regularly scheduled backups and redundancy
¡ Have an incident response plan
¡ Consider investing in cyber insurance
¡ Conduct routine pentesting
¡ Educate your users!!!
The fight against ransomware may seem hopeless, but itâs not! Knowing how it spreads and what to expect are great first steps.
G.I. Joe said it perfectly, âKnowledge is power. And knowing is half the battle!â
