We are at the end of 2016, hope everyone aware of Ransomware and it’s impact on business.One reason that ransomware is so effective is that the cybersecurity field is not entirely prepared for its resurgence.
Attacks are more successful when effective countermeasures are not in place. Security firms are consistently developing and releasing anti-ransomware applications and decryption tools in response to the threat.
Variants of ransomware that rely on types of strong Asymmetric encryption that remain relatively unbreakable without the decryption key, victim response is sharply limited to pay the ransom or lose the data.
Types of Ransomware
There are two main forms of ransomware in Circulation today
- Locker Ransomware
- Crypto Ransomware
Honestly both of the ransomware are designed to disturb over digital life. They were designed in order to deny the things that we required or to serve and offer to return what is rightfully ours on payment of a ransom.
Locker ransomware is typicall spread through social engineering, phishing campaigns, and Vulnerable sites. Locker ransomware simply restrict user access to infected systems by either denying access to the user interface or by restricting the availability of computing resources.
Certain capabilities, such as numeric keyboard functionality, might remain unlocked while the rest of the keys and the mouse are locked. This design increases user frustration while restricting user action to following the attacker’s instructions.
This type of ransomware is akin to the locked door in the earlier analogy. Locker ransomware usually leaves underlying files and systems unaffected; instead, it only restricts access to the interface. This design also means that locker ransomware can often be removed easily by restoring the system to a restore point or by deploying a commercial removal tool
Attackers abandoned locker ransomware in favor of its more robust counterpart, crypto ransomware. Locker variants are still developed, but they are less numerous than crypto ransomware families.
Instead of restricting user action by denying access to the user interface, Crypto ransomware targets the data and filesystems on the device. The critical system files and functionality tend to remain unaffected.
The victim can use the computer to do anything except access the encrypted files. Crypto ransomware often includes a time limit, after which the decryption key may or may not actually be permanently deleted if the victim does not pay the ransom on time.
People do not think rationally under time limits; as before, the cyber-criminals are compensating for a lack of technical sophistication by leveraging human behavior against the victim.
The victim is subject to the anxiety of the ticking clock, the fear of the consequences of making the wrong decision, and the fear of regret if the data is lost forever.
Crypto ransomware did not popularize until 2013 because attackers failed to realize that successful crypto ransomware attacks rely on current strong encryption algorithms and proper management of the accompanying cryptographic key.
According to information security researchers at Symantec, the current crypto ransomware threat landscape is still fragmented into new entrants into the market and mature criminal groups.
Both types of attackers try to employ industry-standard encryption algorithms, such as RSA, Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) with a suitably large key in their ransomware.
Crypto ransomware is often spread through Tor, botnets, or other malware. Crypto ransomware is as simple as weaponizing strong encryption against victims to deny them access to those files.
Examples of Crypto ransomware
On February 5, 2016, medical systems belonging to Hollywood Presbyterian Medical Center were infected with the Locky ransomware. Healthcare data remained unaffected but, computers essential to laboratory work, CT scans, emergency room systems, and pharmacy operations were infected.
And the hospital paid a ransom of 40 Bitcoins ($17,000) to unlock their machines.Seems the Hospital was not targeted, but occurs in result of a random malicious email.
TeslaCrypt infects systems through the Angler exploit kit, which leverages vulnerabilities in Adobe Flash (such as CVE-2015-0311). Silverlight and Internet Explorer may be exploited in absence of Adobe Flash.
The TeslaCrypt binary is compiled in Visual C++. The ransomware code is encoded within the binary. After the code is decrypted into memory, TeslaCrypt overwrites the MZ binary 13 onto itself.
Initially, TeslaCrypt used symmetric encryption; however, after researchers from Cisco’s Talos Group released a decryption tool (the Talos TeslaCrypt Decryption tool), the authors reconfigured TeslaCrypt to use asymmetric AES encryption. By late 2015, Kaspersky labs had released another decryption tool, the TeslaCrypt Decryptor.
TeslaCrypt originally targeted 185 file types related to 40 computer games (Call of Duty, Skyrim, Minecraft, etc.) on Windows systems.Victims are prompted to pay a ransom of ~$500 (in Bitcoins, PaySafeCard, or Ukash).
Cryptolocker is a crypto ransomware trojan that began infecting Windows systems in September 2013 through the Gameover ZeuS botnet, and encrypting the host data with RSA public-key encryption.
Cryptolocker installs in the user profile folder and adds a key to the system registry so that it runs at startup. Next, it connects to one of its C2 servers and generates a 2048-bit RSA key pair, stores the private key on the server, and sends the public key back to the victim machine.
This trojan encrypts document, picture, and CAD files on the local hard-drives and mapped network drives with the public key and logs each encrypted file as a registry key.
The Cryptowall family of ransomware first appeared in early 2014 and became popular after Operation Torvar dismantled the Cryptolocker network.
Cryptolocker is spread through various exploit kits, spam emails (with attached RAR files that contain CHM files), and malvertising pages.
Current variants of the malware (such as Cryptowall 3.0) use I2P network proxies to communicate with their C2 infrastructure and they use the Tor network to collect Bitcoin payments from victims. Initial variants encrypted victim files with RSA public-key encryption; however, the malware has now (Cryptowall 3.0) evolved to use the AES 256 algorithm.
Unlike Cryptolocker, the Cryptowall malware targets Windows systems globally; though, the United States (13%), Great Britain (7%), the Netherlands (7%), and Germany (6%) were the most affected.
The “Curve-Tor-Bitcoin-Locker” (CTB-Locker) is a PHP based trojan that was publicly analyzed by security researcher Kafeine in mid-2014. CTB Locker is essentially a ransomware as a service (RaaS), where the attackers outsource the spread of the malware to a number of script kiddies and botnet operators (often referred to as affiliates) for a share of the paid ransoms.
CTB-Locker is also available in English, French, German, Spanish, Latvian, Dutch, and Italian to accommodate affiliates and targets from most American and European countries.
CTB-Locker uses a combination of symmetric and asymmetric encryption to restrict victims’ access to their files. Rather than use RSA, which is based on prime number factorization, like most ransomware, files targeted by CTB-Locker are encrypted with AES and with Elliptic Curve Cryptography (ECC).
In February 2016, attackers began to use the CTB-Locker to encrypt websites hosted by WordPress. This variant of CTB-Locker is referred to as Critroni.
The attackers hack an insecure website and replace its index.php file or index.html file with different files that encrypt the site’s data with AES-256 encryption.
One of the prevalent malware mitigation strategies is a layered depth. It stands to reason that in accordance with the concept of mutual escalation, attackers will begin to “attack in layers.”
This behavior already occurs in APT campaigns and in some ransomware attacks, where for instance, the adversary launches a DDoS attack alongside a more concerning attack.
Ransomware follows the same distribution and infection vectors as traditional malware. The primary difference is that ransomware threat actors often lack the sophistication to breach modern networks.
Traffic distribution system (TDS):
Traffic distribution services redirect web traffic to a site hosting an exploit kit. Often, traffic is pulled from sites hosting adult content, video streaming services, or media piracy sites.
Some ransomware groups, especially criminals who purchase their malware instead of developing it themselves, may hire a TDS to spread their ransomware.
If the host is vulnerable to 17 the exploit kit on the landing page, then the malware is downloaded onto the system as a driveby-download.
As with a TDS, a malicious advertisement can redirect users from an innocuous site to a malicious landing page. Malvertisements may appear legitimate and can even appear on trusted sites if the administrator is fooled into accepting the ad provider or if the site is compromised.
As with most malware campaigns, phishing emails and spam email are the primary delivery method of malicious content into a network because users are culturally trained to open emails and to click on attachments and links.
Botnets are used to send spam emails or tailored phishing emails at random or to personnel within an organisation. These botnets and email services are a criminal enterprise unto themselves.
Malware is delivered onto systems through stages of downloaders to minimize the likelihood of signature based detection. Ransomware criminals pay other threat actors to install their ransomware onto already infected machines.
If the ransomware threat actor actually decrypts the system, then the ransomware infection could draw attention to the other compromise; however, it could just as easily mask the other malware by focusing the user’s attention on certain infected systems.
Malware groups who conduct widespread phishing campaigns and watering-hole attacks may be equally willing to sell access to the systems that they compromised by accident.
Popp’s AIDS trojan relied on social engineering, and human ignorance, to generate profit. The only systems infected belonged to users who ignored the plainly worded warning pamphlet.
These victims were either brash or curious. In 1989, a decent percent of the 20,000 victims probably had no choice but to pay the ransom.
Select ransomware variants contain the functionality to self-propagate through a network in a fashion similar to other malware. The majority of these samples are crypto ransomware because locker ransomware is not exceptionally popular at the moment; however, Android variants of crypto ransomware and locker ransomware have appeared in the wild.
One such variant targeting Windows is the Ransomlock (W32.Ransomlock.AO) screen locker.
Criminals will have to develop a mechanism to check whether or not a system has already been infected (such as a certificate) and a mechanism to decrypt all systems belonging to a victim who has paid the ransom; otherwise, the entire business model will be upended.
This could be accomplished by either simultaneously removing or deactivating the ransomware from all of the victim’s systems.
Targets for Ransomware
Unlike APT campaigns, financially motivated cyber threats, like ransomware campaigns, do not care about the individual target.Instead, they target the subset of society believed to be most likely to pay the ransom demand.
Ransomware is often spread in mass in the hopes that a portion of the users will pay. Ransomware, whether purchased or developed, is relatively cheap in comparison to APT malware. Delivery is virtually free.
The payment method has evolved with ransomware since the AIDS trojan in 1989.Instead, some variants, such as the 2009 Trojan.Ransomlock, ask for wire transfers and premium rate text messages while others demand that the ransom be paid with a digital voucher (CashU, MoneXy, MoneyPak, etc.) or in cryptocurrencies.
What to Do after a Ransomware Infection
- First place you need to go is nomoreransom.org (No more ransom adds immense power to globe) a site hosted by lead by by security firms and cybersecurity organisations in 22 countries.
- Next place to go is the Free Ransomware Decryption Tools provided by AVG.
- Another destination which is useful for victims is Ransomware Help and Tech Support section.
How to respond for an Ransomware Attack
Block Ransomware Communication
Many types of ransomware (but not all) require connecting with a command and control server (C&C server) to obtain an encryption key in order to function. Implementing Anti-Bot technology to block ransomware and other forms of malware from connecting and communicating with command and control servers can limit, and possibly eliminate the ability for the ransomware to function.
Contain Infections To Prevent It From Spreading, Minimizing Business Impact
While some ransomware requires communications with a C&C server to obtain an encryption key, other variants do not. Some are now bundling the public encryption key with the malware itself, encrypting files before they even reach out to their command and control networks.
But, even if the ransomware manages to encrypt files on the infected device, all hope is not lost. Anti-Bot technology can identify and quarantine malicious process and communications, and automatically lock down the infected devices.
This can dramatically reduce the damage caused by the ransomware and limit the impact on your business.
Don’t Panic, There May Be An Existing Solution
If you do become the victim of ransomware, do not panic. There may be an existing solution. Contact your IT professionals immediately, as they are best equipped to determine an appropriate response.
In some cases, you may be left only with two options – restore encrypted files from back-up or pay the ransom. In several instances, like TeslaCrypt and Shade ransomware for example, decryption keys may be available on the internet. A quick search might save your team significant time and money in dealing with the attack.
Analyze And Understand The Attack And Determine An Appropriate Response
Once you have managed to contain the ransomware, it is important to do the research necessary to fully understand it. What was the root cause? How did it get in? Was it user error? What actually happened? Doing the research is critical in order to fully understand the entire attack.
Ransomware is unfortunately on the rise. Organisations must implement measures to proactively protect their files, data, and systems. It is equally critical that they implement tools that enable their response teams to quickly contain threats and thoroughly understand all aspects of an attack.