A High Level Guide to Ransomware

OooooOooooOOoo, scary.

Ransomware.

You’ve heard about it, right?

It’s in the name. “Ransom.” Indicating that something is being held hostage. But what?

Your data.

The answer is revealed below.

Ransomware is a type of malware that encrypts data with an attached threat of perpetually blocking access or revealing secrets unless a ransom is paid.

...So what do you do?

...How did it get there?

...Where the hell am I?

And the days go by… Water flowing underground…

I hope you got this reference. 

At this point, ransomware is so common, it passes what I like to call, “The Grandpa Test.” If my grandpa were still alive, and I asked him if he knew what ransomware was, he would probably know and might even be able to loosely describe the idea of it. News outlets, publications, movies, and television have shown, defined, and discussed the concept of ransomware and unauthorized file encryption.

That said, it’s not a new concept. The first known malware extortion attack, the “AIDS Trojan”, was released in 1989. This particular attack, however, had kind of a big design flaw- the victim wasn’t required to actually pay the extortionist. The payload really only hid the files and encrypted the names, so a savvy user could easily reverse the attack.

Ransomware comes in three Neapolitan-esque flavors: crypto, locker, and scareware. Crypto, being the more common variant, is what most people are familiar with and involves some sort of encryption. Locker, on the other hand, doesn’t encrypt files. But, rather, locks the victim out of their device, preventing them from using it. Scareware is less invasive, doesn’t involve encryption, but uses creative methods to pressure the victim into paying the ransomware, making them think there system is compromised when it likely isn’t.

Which bring us to our next point: The main components of ransomware are inaccessibility and extortion. The inaccessibility piece is generally driven by encryption. Most ransomware attacks use a form of asymmetric Public Key Cryptography by encrypting a victim's files using a public key generated from another computer. That computer holds the private key which is needed to decrypt the encrypted files, and it can only be easily decrypted using that private key.

Encryption is a form of cryptography. Obviously, it’s not always used for nefarious reasons. Encryption is defined as “The process of conveying ordinary plain text into secretive, unintelligible or ‘indecipherable’ text and vice-versa.” Encryption requires a cipher, a method or algorithm for performing encryption or decryption.

All of us have seen “Christmas Story”, right? Remember the scene where Ralphie is super excited to get his special decoder ring only for it to reveal the secret message of “Be sure to drink your Ovaltine”?

The face of disappointment.

In the movie, the Caesar cipher was used. This is a relatively easy method to crack and probably the most well-known shift cipher. Comparably, the combination of complex encryption methods in these more sophisticated attacks creates a greater “file entropy” and isn’t as easy as matching a number to a letter. In simple terms, the file is compressed by replacing bits with shorter patterns of bits, lending to the randomness and difficulty of reversal.

Looks strangely edible. (r/forbiddensnacks)

In the professional world, we use encryption in a much more mature way. Most auditing and governance standards require encryption as to make sensitive data more secure and less likely to be intercepted by unauthorized viewers. The industry standard for encryption is AES-128. (It’s not the only method, just the most common.) AES-128, for example, has a key entropy of 128 bits making it very difficult to crack.

Crackability is the quality or degree in which something is “crackable.” Obviously, if someone is extorting you for money, they want their method to be reasonably foolproof. Not all ransomware is created equal, though the hope of the attacker is for you to concede to their requests.

The entropy in a cipher's key (its "key strength, in bits") is thus a measure of how difficult it is to break the cipher via brute force.

If you do a quick Google search, “How long would it take to crack AES-128?” the answer is:

Uh, that's a lot.

So, just imagine compounding that with other methods.

Modern ransomware, such as WannaCry, Petya, and NotPetya use a hybrid encryption method: A combination of AES and RSA encryption to ensure that it is incredibly difficult to crack. This puts the victim in the position of feeling as if they need to pay the ransomware due to a sense of hopelessness. In these cases, it’s not as easy as using a ring to match numbers to letters.

Some ransomware can be cracked, some can't.

But what makes ransomware so dangerous?

It cuts you deep. Like a katana.

If we just had one non-critical computer with this problem and it was an isolated incident, we could easily say, “Ok? So what? Let’s just revert to backup, change the passwords and move on, right?”

Well, maybe. If someone is on your network, even if it's one device, we can't be sure of what they have or don't have. Backups don't solve the immediate problem, nor do they account for exfiltration. Nevertheless, ten computers is worse than one, but one is all it takes to laterally move across a network.

Ransomware can spread in one of two ways: Automatically or manually (Aka "human-operated.") Human-operated attacks are super dangerous, don't get me wrong; They just take a bit more time and effort to execute. If someone is operating manually, it's likely they're working to gain higher levels of access, too. Obviously, there is optimization and a higher impact associated with automation.

The Wannacry variant of ransomware, an automatic type of attack, introduced the “wormable ransomware” concept, much like how a virus moves from one PC to the next. It had the capability to spread itself, rendering entire network useless. It used the EternalBlue vulnerability to spread to both internet exposed systems and systems on internal networks.

The danger is in the impact.

If the attack spreads to critical systems, this can cause outages and, potentially, data leakage. If you're a hospital or a financial institution, depending on how far they dove into your network and what access they were able to adorn, it could mean sensitive customer was data exposed to hackers. (Up to and including personal health records, bank account information, social security numbers, and all that jazz. Bad news bears.)

Ultimately, that kind of damage could permanently ruin your reputation, cause significant financial loss, or even result in your company going out of business.

In 2020 alone, collectively, businesses lost an estimated $20 billion due to ransomware alone. The average costing most organizations around $700k per incident.

What does ransomware usually look like?

The ransom message

How your files might look

The above examples aren't all-encompassing, but with crypto attacks, you'll usually see your file extensions change and, often, an accompanying text and/or pop-up explaining the attack.  

Where does it come from?

Realistically, in terms of region, it’s pretty spread out. The most common countries to launch ransomware attacks are Russia, China, Nigeria, Indonesia, and even the United States.

How does it end up on my network?

· Phishing

· Drive-by downloads

· Infected websites

· Exploit Kits targeting out of date software

· Lack of security controls

· Using an unknown USB

· Open RDP ports

The most common way ransomware is delivered is via phishing attacks. A phishing attack is a type of social engineering technique, usually accomplished through email, to where the attacker tricks the victim into clicking on a malicious link or downloading an infected file.

Phishingbox.com states that 94% of malware (in general) is delivered via email. Whereas, of that 94%, 65% were categorized as ransomware.

Some phishing campaigns are designed to spoof your company, others spoof common providers, vendors, or well-known, frequently used organizations like PayPal, eBay, and Facebook.

The common denominator is to convince the victim to click a link or open an attachment they shouldn't.

To see common examples of phishing attacks, visit the below link:

Phishing | General Phishing Information and Prevention Tips
Phishing.org is a resource for IT professionals and their users to keep informed about the latest phishing threats and how to avoid becoming a victim.

What are the most common ransomware attacks?

In 2020, the most common attacks were:

· Maze, previously known as ChaCha

· REvil

· Ryuk

· Tycoon

· Netwalker

2020, which inarguably is going down as the worst year of all time, had a spike in ransomware activity due to COVID-19 and the work from home initiative. Moreover, various ransomware families have now become capable of stealing sensitive data through there highly sophisticated and developed techniques.

Overall, WannaCry is still, arguably, the biggest and most known ransomware attack in history. It was a global assault that affected more than 250,000 systems with an average of $300k raked in per incident.

Bad actors keep using ransomware because it works.

Many organizations adopt the mindset of, "It won't happen to me." But, it's not a matter of if, it's a matter of when. The ostrich method of sticking your head in the sand won't work here.

What do I do if I get ransomware?

Don't panic.

The face of someone who just got crypto lockered. 

And, don't pay the ransom!

The FBI, SANS, various security vendors, and the majority of security professionals advise against paying the ransom.

Why?

Firstly, there's no guarantee that the attacker will give you the key once the ransom is paid.

We've all been in a position in our lives where a promise was broken, maybe even with people we trust. These are people we don't trust. We cannot take their word at face value.

Secondarily, like I said above, "It works." If we don't pay, it doesn't "work." There's less incentive to continue.

Thirdly, if you do pay, your attack frequency will increase. That paints a target on your back that says, "This person pays. Keep trying."

Note: Some may suggest using cyber insurance to take care of this kind of situation, but that is another conversation. (It can be seen as "incentive" for attacks to continue.)

Given the expert advice, we're left with a problem. If you're not paying, you've got to do something about it. But, what? How do you handle it?

You essentially have two options: You could consult a professional incident response team, OR try to get rid of it yourself.

Which way do I go?

The best case scenario is that you can afford a reputable incident response company that can isolate and eliminate the infection, provide a forensic analysis, prove the removal, aid in restoration, and better prepare you for the future.

Sometimes, that's really costly. Maybe less costly than the attack itself, but not every business has deep enough pockets to afford those types of services.

If you choose to go rogue and do it on your own, know that, as previously stated, it's more than just backing up your devices. That's an integral piece of the process, but it doesn't prove that the attack is gone or that the attacker didn't get away with invaluable information such as customer data or trade secrets. If you don't do your due diligence, you could be on the hook for lawsuits and other types of social, legal, and monetary repercussions.

If you're looking to try and combat it on your own, here are a few good sources to check out:

The No More Ransom Project
Ransomware - What Is It and How it works? | Check Point Software
Here we discuss what is ransomware, how it works, its evolution over the years, and how organizations can prevent the next ransomware attack.
Ransom Warrior Decryption Tool - Check Point Research
On August 8th, a new ransomware, dubbed ‘RansomWarrior’, was found by the Malware Hunter Team. Going by the ransom note shown to its victims, RansomWarrior seems to have been developed by Indian hackers, who would appear to also not be so experienced in malware development. Written in .NET, the ex…
Ransomware Decryptor Tools

How do I prevent ransomware from happening?

Looking back at our explanation of where it comes from, we can reverse engineer that to translate the most effective preventative measures.

Security isn't just a solution you get in a box, it's also a practice and a mindset.

Having the latest and greatest endpoint and network protections won't always be a sure-fire way to keep things like this from happening. They do help, for sure, and can be a major component in prevention under most circumstances.

Ransomware, being a type of malware, often have signature-based and behavioral protections. That is what we consider the "known." What about the unknown? How do we stop things we haven't yet seen or heard of?

A combination of methods, my friend!

A multi-faceted approach is needed.

Working from a security framework like NIST or CIS is a good start.

Pair that with implementing a robust security solution, covering all of your attack vectors: Network, cloud, endpoint, IOT, and mobile devices. (Yes, mobile phones are capable of being infected.)

Choosing a security gateway (firewall) can be a daunting task. There are many different types that boast a plethora of capabilities. There's a lot to consider. The best resources to use when making your decision are to review performance tests, such as ones conducted by NSS Labs, or comprehensive evaluations, as conducted by Forrester.

An example of the Forrester Wave Report for Q3 2020.

In terms of endpoint protection, you would want to find a product that includes not only traditional anti-malware (Aka "AV") protections, but also anti-bot, anti-ransomware, and advanced sandboxing techniques to prevent exploitation as opposed to simply detecting it. Some options even offer ransomware reversal. This is done by the solution creating continuous data backups that can be reverted to in the event of an attack.

On top of that, educate your users! Every security framework's final thoughts revolve around user education. Remember me mentioning the "Grandpa Test"? Well, find a way to explain to your users the most basic safety measures. IE- "Hey, don't click on links if you don't know where the go or where they came from."

Don't you dare click that link, Karen...

In short:

· Never click on unverified links or open untrusted attachments

· Use email filtering and content scanning

· Segment your network

· Don't allow over-permissive user profiles or local admins

· Try not to visit sites that don't seem "official"

· Do not download applications you're unsure of

· Avoid clicking on ads

· Be reserved about offering personal data

· Deploy network protections (Next Generation Security Gateways)

· Implement advanced endpoint protections (AV)

· Use network monitoring tools

· Limit access to commonly exploited ports (Such as RDP)

· Use VPN when connecting to business resources (Especially if WFH)

· Keep your systems up-to-date and patched

· Facilitate regularly scheduled backups and redundancy

· Have an incident response plan

· Consider investing in cyber insurance

· Conduct routine pentesting

· Educate your users!!!

The fight against ransomware may seem hopeless, but it's not! Knowing how it spreads and what to expect are great first steps.

G.I. Joe said it perfectly, "Knowledge is power. And knowing is half the battle!"