Ransomware: Rate your Risk - Part 1

By Guest Author on 15 February 2017

Ransomware - The scenario

You unlock the factory office and sit down in front of your computer, ready for the month-end financial administration and payroll cycle. But it is not your bookkeeping software that greets you; it is a message banner demanding a ransom payment of $200. You do not know who sent it; you only know that your data is encrypted and cannot be accessed. More importantly, the message includes a threat that the data will be deleted within 24 hours if you do not pay up. If this sounds like fiction to you, let me introduce you to the very real world of Ransomware. The Ransomware epidemic was up 128% in the first half of 2016 compared to 2015, with one single ransomware campaign netting $121 million. But what is Ransomware exactly, how does it infect its target and, more importantly, how do you protect against infection?

 

What is ransomware

In short, Ransomware is malicious software (malware) that installs itself on a victim's computer, encrypts all data on the machine, and demands a ransom payment to decrypt it. It is grouped under the denial-of-access attack family because it prevents the user from accessing the data files on the computer. Once the ransom is paid, the victim might receive a decryption key to decrypt the data files and restore access. The ransom normally varies between $50 and $500. Targeted attacks aimed at corporations and businesses result in larger ransom demands. Some Ransomware variants delete files irrespective of payment. What is fascinating is that this approach is turning out to be the proverbial poisoned chalice for Ransomware. Strangely, there has to be a trust relationship between the victim and the criminal extorting payment. If it becomes the norm that paying the ransom does not result in recovery of the data, victims will stop paying. It will be interesting to see how the Ransomware community deals with this potentially business-terminating possibility.

 

Origin

The origin of ransomware can be traced back to the late 1980s. It was developed by a biologist with a PhD from Harvard, who called the software "AIDS" (also known as "PC Cyborg"). The user was asked to pay US$189 to "PC Cyborg Corporation" to obtain a repair tool. He was arrested but never prosecuted, as he was declared mentally unfit to stand trial for his actions. He did, however, commit to donating his ill-gotten gains to AIDS research. Today we have roughly 1.3 million ransomware variants recorded, belonging to 6 ransomware families.

 

The targets

Initially, Ransomware targeted individuals. It soon became apparent that the business model lends itself to all types of targets, including companies and organisations of all sizes. Companies and businesses are currently targeted based on their IT security profile. It is relatively easy to get a feel for the amount a company or business is investing in security technology and hardware, and the less they spend, the juicier the target becomes. It is well known that these targets have a huge dependency on Information Technology to operate on a daily basis, which means the likelihood of paying a ransom is also very high. The challenge for smaller companies is considerably greater, as investment in security has historically shown a very low return on investment. The main takeaway is this: if you have old, unmanaged systems and commit very little to IT security spend, you are the ideal target for a ransomware attack.

 

Attack vectors

One of the main delivery mechanisms is email. The goal of the criminals is to spread a threat indiscriminately to as many victims as possible, a shotgun approach if you will. The mail arrives with an attachment that contains the malicious code, and the criminal tries to entice the recipient to open the attachment so that the code is installed on the computer. Normally it will be a badly formatted email, but in targeted phishing the attacker will have researched the potential victim and crafted the email to trick the target into opening the attachment. For instance, an ardent stamp collector will receive an email inviting him to view newly released stamps, or a sports fan might receive an invite to attend a function with his favourite sports team. This tempts them to open any attachments to the email.

Another option is to send mail directing the target to a website from which the software is installed. For example, an invite to a conference arrives via email, with the registration link included as a URL. Once you click on the URL, the website opens, and once you enter your registration details, you are asked to download your entrance ticket. The malicious payload is then downloaded to the local machine.

Normally, the installed program will then attempt to download the actual ransomware from the Internet. Note that no human intervention is required for this download and install to happen, and there will be no visible clue that it is taking place.
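The two delivery paths just described, an attachment that carries the code and a link that leads to a download, are exactly what a mail gateway can screen for before a message reaches a person. The following Python is an added example written for this article, not code from the original post or from any vendor product. It parses constructed sample messages with the standard library's email module, flags attachments by risky or double extension and by the presence of a VBA macro project inside a zip-based Office file, and flags links whose visible text and real target differ, that point at a bare IP address, or that download an executable directly. The extension lists, sample file names and addresses are assumptions for illustration.

```python
# Defender-side mail triage for the delivery paths in the text. Added example, not
# code from the original article; sample messages are constructed inline and the
# extension lists are starting-point assumptions to tune per environment.
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy
from urllib.parse import urlparse

RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".zip", ".iso"}
DISGUISE_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".txt"}
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+')
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def has_vba_project(data):
    """True if a zip-based Office file (docx/docm/xlsx/xlsm) carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def attachment_findings(msg):
    """Flag attachments by name (risky or disguised type) and by content (embedded macros)."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: executable or macro-capable type {ext}")
        if len(pieces) > 2 and "." + pieces[-2] in DISGUISE_EXTENSIONS:
            findings.append(f"{name}: double extension hides {ext} behind .{pieces[-2]}")
        if has_vba_project(part.get_payload(decode=True) or b""):
            findings.append(f"{name}: Office document contains a VBA macro project")
    return findings

def link_findings(msg):
    """Flag links whose visible text and target differ, bare-IP hosts and direct downloads."""
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            for href, text in HREF_RE.findall(body):
                shown = URL_RE.search(text)
                if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
                    findings.append(f"link shows {urlparse(shown.group(0)).hostname} "
                                    f"but points to {urlparse(href).hostname}")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if IP_HOST_RE.match(host):
                findings.append(f"link to a bare IP address: {host}")
            if url.lower().rsplit("/", 1)[-1].endswith(tuple(RISKY_EXTENSIONS)):
                findings.append(f"link downloads a risky file type: {url}")
    return findings

def triage(raw):
    """Parse one raw message and decide deliver/quarantine from the findings."""
    msg = message_from_bytes(raw, policy=default_policy)
    findings = attachment_findings(msg) + link_findings(msg)
    return {"subject": msg["subject"], "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}

def _mail(subject, body):
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    return m

def _sample_messages():
    """Constructed messages mirroring the article's scenarios (not real mail)."""
    stamps = _mail("Newly released stamps", "Please see the attached catalogue of new issues.")
    stamps.add_attachment(b"// constructed placeholder, not a real script", maintype="application",
                          subtype="octet-stream", filename="Catalogue.pdf.js")
    conference = _mail("Conference registration", "Register at https://conference.example.com/register")
    conference.add_alternative('<p>Your entrance ticket: <a href="http://203.0.113.5/ticket.exe">'
                               'https://conference.example.com/register</a></p>', subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal zip shaped like a macro-enabled document
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed stub")
    invoice = _mail("Invoice for month end", "Invoice attached for payment.")
    invoice.add_attachment(buf.getvalue(), maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice.docm")
    agenda = _mail("Board meeting agenda", "Agenda attached.")
    agenda.add_attachment(b"%PDF-1.4 constructed stub", maintype="application", subtype="pdf",
                          filename="agenda.pdf")
    return {"stamps": stamps, "conference": conference, "invoice": invoice, "agenda": agenda}

def run_triage():
    """Triage every sample; returns name -> result so the verdicts can be inspected."""
    return {name: triage(m.as_bytes()) for name, m in _sample_messages().items()}
```

Each result carries its findings so an analyst can see why a message was held; a real gateway would feed live messages to triage() instead of the constructed samples. These are deliberately simple name- and text-based heuristics: they raise the cost of the "shotgun" campaign described above, but a payload wrapped in a password-protected archive or a link that redirects only after the click will pass them, which is why the human factor discussed below remains the first line of defence.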

 

The tech problem

Without a physical installation on the target computer, Ransomware is useless, and there are various ways to achieve that installation. In the past, it was done through drive-by download: the user was tricked into downloading malicious attachments from infected websites. The attack has since evolved. These days it is focused on spear phishing, or targeted spear phishing, meaning the target is very specific and the attack is crafted to match the individual. For example, this will be done through very specific emails, or very specific drive-by downloads and enticements to download malicious attachments. Whatever the method, the common element is the human factor. And therein lies the first step in protecting your systems.

 

The fix

The main question is whether prevention is practical or achievable. Well, not really. It is open to interpretation, almost like art. Is insurance a preventative control? That will depend on the type of data. It all becomes a bit fuzzy and grey the more you delve into it.

 

Let's take a step back. You need to rate your risk, and then you need to ensure you have at least a basic level of protection to address that risk. Basic security principles will set you up to defend, at least against non-specific attacks on your infrastructure. More on this in the next part of the series...

 

Watch out for the next part of this series - how to address the risk!

 

Glossary of Technical Terms

 

Decryption key
In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms.
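As an added illustration of this definition (not part of the original article), here is a toy keyed cipher built from Python's hashlib and hmac modules. The key is the only parameter that turns the ciphertext back into the plaintext, which is exactly the position a ransomware victim is in: the data is still on the disk, but the parameter needed to read it is held by someone else. The construction (a SHA-256 counter-mode keystream with an HMAC tag) is for teaching only and is not a production cipher; the sample record, key sizes and function names are assumptions.

```python
# Added teaching example, not from the original article: a toy keyed cipher that
# shows how one parameter (the key) decides whether ciphertext can be turned back
# into plaintext. Not a production cipher; use a vetted library for real data.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    """Pseudo-random bytes derived from key and nonce (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag; a fresh nonce per message keeps keystreams distinct."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key, blob):
    """Recover the plaintext; a wrong key fails the tag check instead of yielding garbage."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

def demo():
    """Constructed record: the right key restores it, any other key is rejected."""
    right_key, wrong_key = os.urandom(32), os.urandom(32)
    record = b"constructed payroll record: employee 42, net pay 3100.00"
    blob = encrypt(right_key, record)
    try:
        decrypt(wrong_key, blob)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "ciphertext_hides_record": record not in blob,
        "right_key_restores": decrypt(right_key, blob) == record,
        "wrong_key_rejected": wrong_key_rejected,
    }
```

The tag check means a wrong key is rejected outright rather than producing garbage, so guessing keys is not a recovery path for anything larger than a toy key space; the practical recovery paths are the correct key or a copy of the data that was never encrypted.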

 

Least privileged
The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.

 

Macro
A macro in computer science is a rule or pattern that specifies how a certain input sequence (often a sequence of characters) should be mapped to a replacement input sequence (also often a sequence of characters) according to a defined procedure. In some software, a sequence of instructions can be associated to a keyboard or mouse action. Macros can be very useful to software users. They simplify regularly used actions so that the productivity of the user is increased.

 

Malware
Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.

Spear Phishing
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

 

Vulnerability
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

 




Author

Carel Krogh

This article was published with the permission of Carel Krogh

