UNDERSTANDING RANSOMWARE AND MINIMIZING THE IMPACT OF THREAT
Jesse Christian – 44124317
Ransomware is malware that installs itself on a computer without the user's knowledge. It remains dormant on the victim's computer until the attacker issues a command to lock the computer or encrypt files. Simple ransomware may lock the system, which is not difficult to revert; more advanced ransomware encrypts the victim's files, making them inaccessible. Both simple and advanced variants display a message demanding a ransom to unlock the computer or to provide the decryption key for the encrypted files. Unlike other malware that installs itself on a computer, runs in the background and steals the user's valuable information without the user's knowledge, ransomware notifies users that they have been infected. This paper answers several questions about ransomware: what ransomware is, what today's ransomware trends are, who the victims are, and how to mitigate and counter ransomware attacks.
Malicious software, more commonly known as malware, obtains access to and damages its victim without the owner's knowledge in order to gather sensitive information or disrupt operations. Malware spreads through communication tools such as email and instant messaging, web sites, and infected downloaded files. Malware exploits system vulnerabilities so that it can enter the system easily. A malware infection has characteristics similar to burglary: it infects and compromises computer systems. Malware enters the victim's computer with minimal chance of detection, in the same way a burglar does. Routine activities theory may therefore be applicable to cybercrime, as the two share the same characteristics. Malware is designed to perform unwanted tasks on the victim's computer, causing damage to a device for specific goals such as financial benefit, intellectual challenge, social factors, vengeance, or curiosity. Successful hackers, however, believe that sharing their knowledge by advertising the malware they develop and selling it on open online black markets is necessary to gain recognition and a reputation for skill as a malware writer, as well as to make a profit. Malware development also keeps growing because the various types of malware (virus and worm, spyware, adware, ransomware, or any other malicious code that enters a computer) provide monetary benefits to malware writers, for instance by serving adware advertising, stealing sensitive information, spreading email spam, or extorting money using ransomware. Ransomware is categorized as one of the ten cyber-threats of 2016, followed by hacktivism, hardware, wearables, cloud services, automobiles, mobile malware, attacks through employee systems, warehouses of stolen data, cyber espionage, sharing threat intelligence, payment systems, critical infrastructure, and social engineering.
In 2007, a new form of malware emerged in cyberspace, known as ransomware or cryptovirus. This malware introduced serious threats to the protection of information assets. Ransomware hijacks files, encrypts them, and then demands a ransom in exchange for the decryption key, usually paid through online currency accounts. Ransomware is believed to have originated in Russia in the mid-2000s and then expanded into other countries. Ransomware is classified into two main types: encryption ransomware, which encrypts all files on the computer's hard drive so that the user cannot access them, and lock-screen ransomware, which makes the computer inaccessible by showing a pop-up window on the screen that cannot be removed or disabled. To regain access to the encrypted files or locked computer, victims are required to pay a certain amount within a certain time before the key is destroyed and the damage becomes irrecoverable.
Evolution of Ransomware
Misleading applications, which emerged in 2005, are believed to be the pioneers of today's ransomware. These apps posed as fake spyware removal tools. They overstated the impact of unused registry entries and corrupted files and requested a payment to resolve the issues. At the same stage, the Trojan.Gpcoder family, the first crypto ransomware, appeared in May 2005. This early version of ransomware used a weak symmetric encryption technique. In early 2006, Trojan.Cryzip appeared. It copied files into password-protected archive files and deleted the originals. The password was embedded in the code, making it easy to retrieve. Similar to Cryzip, Trojan.Archiveus used password-protected archive files and asked the victim to buy drugs from a certain online pharmacy website. The victim received the password to decrypt the files once they had submitted the order ID. The attackers earned a commission from the purchase, which served as the ransom.
Between 2008 and 2009, attackers used fake antivirus programs claiming to find large numbers of security issues on the victim's computer. The victim was asked to pay a certain amount to fix them. However, victims ignored or removed these fake antivirus programs, so attackers found a new approach, moving from showing alerts on the Windows screen to disabling access to and control of the computer. The first computer-locking malware, Trojan.Randsom.C, attacked users in early 2008. This malware locked the victim's computer and disguised itself as a Windows Security Center message asking the victim to reactivate a license for security software by calling a premium-rate phone number. This type of ransomware reached its peak between 2011 and 2012. However, from 2013 to this day, the trend has returned to crypto ransomware, which no longer relies on social engineering. Instead, it states its purpose and demands openly (Figure 1).
Figure 1 Trends of Ransomware from 2005 to 2016
Today, ransomware has reached a new level of maturity and threat. A number of ransomware groups are equipped with advanced techniques, using stronger and more sophisticated encryption procedures than their predecessors, and are capable of distributing them to millions of computers. This business model provides a goldmine for attackers to profit from.
Factors Driving Growth
Symantec's report states that there are four drivers of the rapid growth of ransomware. The availability of strong encryption is one of the main drivers. Attackers use a combination of symmetric and asymmetric encryption: symmetric encryption for the victim's files and asymmetric encryption for the symmetric key, which gives attackers an encryption procedure that is both fast and secure.
The appearance of cryptocurrencies, a cryptography-based digital currency, has also played a role in the growth of this malware by providing an alternative means of ransom payment. Cryptocurrencies provide a payment method that is accessible, convertible, and untraceable. Attackers use a unique wallet for each victim, so that it is difficult to track down all the earnings of a single attacker.
Besides developing ransomware, attackers also need to ensure that they can disseminate the malware to as many victims as possible. There are multiple ways ransomware can infect a computer, such as malicious email, exploit kits, malvertising, use of other malware, third-party app stores, and so on. The availability of effective infection vectors has driven the deployment of ransomware.
New ransomware is equipped with more advanced and newer techniques. The idea is to evade detection by security products. Some ransomware is also equipped with features beyond locking or encrypting, for instance adding the victim's computer to a botnet. The adoption of these new techniques shows that ransomware is continuously evolving to maintain its presence and remain profitable.
A number of ransomware groups have begun using advanced attack techniques to mount targeted attacks against organizations. The level of expertise employed in these attacks is similar to that seen in many cyberespionage attacks. Attackers have managed to gain a foothold on networks by exploiting vulnerabilities in public-facing web servers and then traversing the network using legitimate tools, before identifying and infecting hundreds of computers. The time and skill required to mount such attacks is far in excess of that required for standard ransomware campaigns, but the rewards are potentially much greater.
Nowadays, attackers do not need to write their own malware to be cybercriminals. Anyone can become a cybercriminal through ransomware-as-a-service (RaaS) on the cybercrime underground, which keeps the number of ransomware strains on the market increasing. These criminals provide toolkits that allow someone with less expertise to create their own ransomware, or to pay for it, including access to user interfaces for tracking. RaaS creators see an opportunity to turn unsophisticated actors into sophisticated ones and make a profit by earning a percentage of the profits of their customers.
Victims and Business Sector Targets
57 percent of all ransomware infections targeted consumers. There is no concrete explanation of why attacks focus more on consumers. However, consumers often have weaker security measures in place, which increases the likelihood of becoming a ransomware victim. The monthly data in Figure 2 show that the trend of ransomware attacks on organizations is increasing steadily.
Figure 2 Monthly Statistic of Ransomware Target Infections from 2015-2006
Most business sectors have been affected by this malware. In its report, Symantec shows that the two business sectors with the highest number of infected computers are Services and Manufacturing, with 38 percent and 17 percent of all infections respectively, followed by Finance, Insurance, and Real Estate, and Public Administration. There is also no clear explanation of why some sectors are more affected than others; however, it can be seen that the more dependent an organization is on internet services, the higher its exposure to malware risk. This explains the large number of infections in the Services sector.
While attacks against the Healthcare sector have been widely reported in recent months, it does not appear among the most frequently infected sectors. This is because most of the latest high-profile Healthcare infections were targeted attacks. Although highly damaging to the affected organizations, these kinds of attacks are still relatively low in frequency and overall infection statistics are dominated by ransomware variants used in wide-scale, indiscriminate attacks.
Figure 3 Percentage of Infections based on Business Sector
How Ransomware Works
The SANS Institute describes six stages of a ransomware attack through the most common infection vector, malicious email (Figure 4).
Figure 4 Ransomware Attack Through Malicious Email
In the first step, attackers select their victims using either a war-driving or a targeted-attack technique. War driving is an attack launched on a large scale, for instance through a mailing list or a compromised website containing the malware. A targeted attack, on the other hand, attacks a single target or a group of selected targets. Once the target is selected, the attacker delivers the malware to the victim's PC. Once the victim clicks on the link or visits the website, the infected executable is downloaded and installed on the PC. After installation, the ransomware contacts a command-and-control server for the encryption key. A compromised computer can be controlled by many command-and-control servers; the ransomware tries to connect to one of them and repeats the process until a connection succeeds. The attacker then uses the infected system as a ransomware launcher across the network and delivers the public keys to all the bots. The malware prioritizes encrypting the most recent and important files first, before its activity is detected and interrupted.
IV. PREVENTION AND COUNTERMEASURE OF RANSOMWARE ATTACK
Ransomware causes great distress to its victims. It is not only difficult to recover from but also invisible. Ransomware is mostly categorized as a zero-day threat, meaning that no patch or anti-virus software is able to recognize and protect against it. Therefore, mitigating controls should be implemented to minimize its impact.
Socialization and security awareness training for employees, management, and other stakeholders is one prevention method for the ransomware threat. Savage, Coogan and Lau add that awareness education and training can take the form of policy/procedure/regulation, access control and management, and exposure analysis and reporting. The information security policy should include procedures that address ransomware, to provide a guideline for less experienced users. Implementation of this policy should have the full support of management for enforcement. Multilayer prevention solutions may be used for access control to maintain, troubleshoot and manage compliance. Authority is given to enforce the ransomware prevention policy in order to prevent potential risks. Finally, a reporting system for system patches and updates should be used regularly to protect users' computers; it ensures that every computer on the network is fully up to date. The main idea of this awareness effort is to give employees knowledge of how ransomware can directly impact them and the company. Once they understand the impact and how it affects customers, the company, or even themselves, users are more likely to comply with the policy, procedures, and regulations.
Apart from the people aspect, the technology aspect should also be able to cope with the risk. Regularly performing backups with defined recovery points allows organizations to restore data in the event of a disruption. Administrative rights on files and network shares should also be well maintained: ransomware can only infect files it has the rights to write or modify. Users should be given minimal rights to sensitive data, and access to files should be granted on a need-to-know basis. Lastly, application whitelisting can be an effective tool for minimizing the chance of infection. Application whitelisting software installed on end-user systems recognizes and intercepts the behaviour of software infected with malicious code; script-blocking plugins in the web browser, for example, prevent drive-by download attacks.
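As an added illustration of the detection side of the technology controls just described (this example is mine, not part of the original paper or of Symantec's material), the Python script below flags files whose byte entropy jumps to the near-random level typical of encrypted output between two scans of a folder. The sample folder and the simulated encryption are constructed inside a temporary directory; the entropy threshold is an assumption that would need tuning against real data, since legitimately compressed files also score high.

```python
"""Entropy-based detector for mass file encryption (added example).

Encrypted data has near-maximal Shannon entropy (close to 8 bits per byte),
while documents, source code and most office files sit well below that.
A monitor that re-scans a directory and reports files whose entropy crossed
a threshold since the previous scan can surface crypto-ransomware activity
while it is still running. The sample files below are constructed.
"""
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5   # bits per byte; assumption: threshold chosen for this demo
MIN_SIZE = 64        # very small files give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_directory(root: str) -> dict:
    """Map every regular file under `root` (at least MIN_SIZE bytes) to its entropy."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if len(data) >= MIN_SIZE:
                result[path] = shannon_entropy(data)
    return result


def suspicious_changes(before: dict, after: dict, threshold: float = HIGH_ENTROPY) -> list:
    """Files that are above `threshold` now but were below it (or absent) before."""
    flagged = []
    for path, ent in after.items():
        prev = before.get(path)
        if ent >= threshold and (prev is None or prev < threshold):
            flagged.append(path)
    return sorted(flagged)


def demo() -> list:
    """Build a folder of plaintext files, overwrite half with random bytes, rescan."""
    sentence = "Quarterly report: revenue up, costs flat.\n" * 100   # constructed content
    with tempfile.TemporaryDirectory() as root:
        for i in range(6):
            with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
                fh.write(sentence)
        baseline = scan_directory(root)
        # Stand-in for the effect of encryption on three files: to a scanner,
        # ciphertext is indistinguishable from os.urandom output.
        for i in range(3):
            with open(os.path.join(root, f"report{i}.txt"), "wb") as fh:
                fh.write(os.urandom(len(sentence)))
        current = scan_directory(root)
        return [os.path.basename(p) for p in suspicious_changes(baseline, current)]


if __name__ == "__main__":
    print("files that became high-entropy:", demo())
```

In production the baseline would be persisted between scans, and a burst of many files crossing the threshold in a short window (rather than any single file) is what should trigger an alert, so that a user zipping a folder does not page the on-call analyst.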
V. CASE STUDY
Symantec Incident Response recently assisted in the response to a ransomware outbreak at a large organization. The ransomware had infected hundreds of computers and encrypted their data, causing critical systems to go offline. A full scan revealed how far the infection had spread and identified all compromised computers. The attackers entered the system through a public-facing web server, exploiting an unpatched vulnerability to compromise it and thereby gaining access to the victim's network. Using tools, the attackers were able to map the accessible computers on the network to help identify valuable assets.
Once the target computers were identified, the attackers used a batch script to deploy the malware and a public encryption key on each computer. The script prevented any files from being restored. The attackers then deployed a tool that searched for running backup processes, stopped them, and deleted any backup-related files. The final step was the deployment of another batch script to start the encryption process on each computer. After encryption completed, the ransomware executable deleted itself, leaving the encrypted files and a note on the desktop. The note instructed the victim to visit a website and pay a ransom of 1.5 Bitcoin for each infected computer.
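The backup-tampering steps in this case (stopping backup processes and deleting backup-related files) are exactly the kind of behaviour that endpoint process logging can surface before encryption starts. The Python rule set below is an added example, not part of the paper or of Symantec's response; the process-creation log lines, host names, user names and the backupagent.exe process name are all constructed for the demonstration.

```python
"""Detector for backup-tampering behaviour in process-creation logs (added example).

Three simple rules over command lines catch the preparation phase described in
the case study: a backup process being killed, a backup service being stopped,
and backup files being deleted. A user who trips two or more distinct rules is
escalated, since that combination has little legitimate explanation.
"""
import re
from collections import defaultdict

# Constructed sample of process-creation events (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    '2016-03-01T09:58:11Z host=fs-01 user=svc_backup cmd="backupagent.exe --nightly"',
    '2016-03-01T10:01:02Z host=fs-01 user=webadmin cmd="taskkill /IM backupagent.exe /F"',
    '2016-03-01T10:01:05Z host=fs-01 user=webadmin cmd="del /Q D:\\backups\\*.bak"',
    '2016-03-01T10:01:40Z host=ws-17 user=jdoe cmd="winword.exe report.docx"',
    '2016-03-01T10:02:10Z host=ws-22 user=webadmin cmd="sc stop backupagent"',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# (rule name, case-insensitive pattern over the command line)
RULES = [
    ("backup_process_killed", re.compile(r"\btaskkill\b.*backup", re.I)),
    ("backup_service_stopped", re.compile(r"\bsc\s+stop\b.*backup", re.I)),
    ("backup_files_deleted", re.compile(r"\b(del|erase|rm)\b.*\.(bak|bkf|vhd|vhdx)\b", re.I)),
]


def parse_event(line: str):
    """Return the event fields as a dict, or None for lines that do not match the format."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_rules(event: dict) -> list:
    """Names of all rules whose pattern matches the event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmd"])]


def analyse(lines):
    """Return (alerts, per_user): alerts as (ts, host, user, rule) tuples,
    per_user as a mapping from user name to the set of rules that user triggered."""
    alerts = []
    per_user = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue            # unparseable line: skip rather than crash the pipeline
        for rule in match_rules(ev):
            alerts.append((ev["ts"], ev["host"], ev["user"], rule))
            per_user[ev["user"]].add(rule)
    return alerts, dict(per_user)


def escalate(per_user: dict, min_distinct_rules: int = 2) -> list:
    """Users who triggered at least `min_distinct_rules` different rules."""
    return sorted(u for u, rules in per_user.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found, by_user = analyse(SAMPLE_EVENTS)
    for alert in found:
        print("ALERT", *alert)
    print("escalate:", escalate(by_user))
```

The correlation by user is the part worth keeping: a single stopped backup agent is noise during maintenance, but the same account killing the agent, stopping the service and deleting .bak files within minutes, across file servers, is the sequence the case study describes and should page someone immediately.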
File restoration then began with the identification and deletion of all encrypted files, followed by restoring the unencrypted versions from backups. Some files were permanently lost because they had been stored locally rather than on the file servers, meaning they were not backed up.
During the investigation, Symantec Incident Response identified several key issues, such as an unpatched vulnerability on a public-facing server and users who did not follow company policy and saved backup files locally, resulting in permanent data loss. By getting in touch with professionals immediately, in this case Symantec Incident Response, the organization was able to identify every infected computer and prevent further damage.
VI. DISCUSSION AND CONCLUSION
Cybercriminals are now adopting advanced attack techniques to deploy ransomware on their targets. This shows how cybercrime is maturing and how organizations are viewed by cybercriminals. As the ransomware trend rises, the encryption used is becoming stronger. The key to prevention is to stop ransomware attacks through awareness at all levels of the company: management, IT, and end users. The second most effective measure is for enterprises and individual users to take preventive action by regularly backing up important data and hardening systems to control the damage. This will ensure that important files are never controlled by malware. Enterprises should ensure that the backup drive is kept on a separate network; otherwise it may become infected too. Having more than one backup, for example both offsite and onsite, lessens the risk of the backup being compromised. Routine backups, restricted user rights, good awareness and, finally, seeking professional help once infected can considerably minimize the impact of ransomware.
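To make the backup recommendation concrete, here is an added example (mine, not the paper's) of verifying a backup copy against a SHA-256 manifest kept separately from the backup itself, so that a copy ransomware managed to reach is recognised as unusable before anyone restores from it. The backup tree, file contents and the simulated tampering are constructed in a temporary directory.

```python
"""Backup manifest verification (added example).

A backup that ransomware could reach and alter is not a backup. At backup time
a manifest of SHA-256 digests is written and stored apart from the copy
(offsite, or on read-only media). Before restoring, every file is re-hashed and
compared: files that are modified, missing, or newly added since the manifest
was written are reported instead of being silently restored.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path (with '/' separators) -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the tree under root with the manifest; lists are returned sorted."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = list(set(current) - set(manifest))
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed backup set: write files, take the manifest, tamper, then verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        for rel, text in [("finance/ledger.csv", "acct,amount\n1001,42.00\n"),
                          ("finance/notes.txt", "Q1 close complete\n"),
                          ("readme.txt", "backup set 2016-03-01 (constructed)\n")]:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        manifest = build_manifest(root)
        # The manifest is stored away from the backup; round-trip through JSON
        # as it would be when written to and read back from separate storage.
        manifest = json.loads(json.dumps(manifest))
        # Simulated tampering that reached the backup share: one file overwritten
        # with unreadable bytes, one deleted, one unexpected file added.
        with open(os.path.join(root, "finance/ledger.csv"), "wb") as fh:
            fh.write(b"\x00\xff\x13garbled")
        os.remove(os.path.join(root, "finance/notes.txt"))
        with open(os.path.join(root, "READ_ME.txt"), "w") as fh:
            fh.write("constructed unexpected file\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only has value if the manifest lives where the backup share's credentials cannot write, which is the same separation the paragraph above asks for between production and backup networks; the second, offsite copy should be verified the same way before it is trusted.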
Australian Institute of Criminology. (2005). Hacking Motives. Australian Institute of Criminology.
Glassberg, J. (2015). The Ransomware Threat. Law Enforcement Technology.
Gresham, T. (2016). Mitigating Ransomware. US: SC Magazine.
Holt, T. J., Strumsky, D., Smirnova, O., & Kilger, M. (2012). Examining the Social Networks of Malware. International Journal of Cyber Criminology, 891.
Investopedia. (2016). Terms. Retrieved from Investopedia: http://www.investopedia.com/terms/c/cryptocurrency.asp
Luo, X., & Liao, Q. (2007). Awareness Education as the Key to Ransomware Prevention. Information Systems Security, 195-202.
McAfee Labs. (2016). 2016 Threats Predictions. McAfee Labs.
Mehmood, S. (2015). Enterprise Survival Guide for Ransomware Attacks. SANS Institute.
Microsoft. (2014). Ransomware. Retrieved from Microsoft Malware Protection Center: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
Moir, R. (2003, October 1). Defining Malware: FAQ. Retrieved from Microsoft: TechNet: https://technet.microsoft.com/en-us/library/dd632948.aspx?f=255&MSPPError=-2147217396
Savage, K., Coogan, P., & Lau, H. (2015). The Evolution of Ransomware. Symantec.
Symantec. (2016). Ransomware and Business 2016. Symantec.
Tuttle, H. (2016, March 1). 10 Cyberthreat Predictions for 2016. Retrieved from Risk Management Magazine: http://www.rmmagazine.com/2016/03/01/10-cyberthreat-predictions-for-2016/