The Scorpions made an excellent career pivot into cybercrime after the 80s, you see.
The Current State of Affairs
With the attack on Travelex at the turn of 2019/2020 bringing the travel-money organisation back to pen and paper through a well-targeted ransomware attack, it's safe to say that this form of attack is en vogue at the moment. But why? Why this particular attack?
It might be surprising to hear that ransomware attacks actually declined through 2018 and 2019 (credit to CSOOnline.com) - dropping from 48% of organisations affected in 2017 to 4% in 2018 - but this is not because the attack has fallen out of favour. It's because of better targeting and the rise of cybercrime-as-a-service, where the people who write the malware rent it out to the people who do the breaking in.
Attackers aren't just spraying phishing emails and hoping Dave from Accounts or Karen from Finance click on the picture of the cute kitten. They do their due diligence, collecting OSINT (Open Source Intelligence) and building a picture of your organisation and its systems before they send anything.
Then they find a way in, escalate their privileges, and work out exactly where the data you can't live without is kept before they start encrypting. This means organisations are chosen for strategic weakness - both in terms of system security and in terms of how badly they can tolerate downtime.
Those are the customers that tend to pay up - and handsomely. CryptoWall is estimated to have made $18 million by June 2015, and the indictment of SamSam's alleged operators put that strain's cost to victims at over $30 million in total.
As you can see, ransomware has evolved from grabbing what you can from whoever fell for your phishing emails into doing your homework, picking a target that can't deal with downtime, grabbing them by the jugular and extorting them for whatever it is you're after.
Let's see how these attacks work in practice!
How Does It Work?
Ransomware comes in an array of variants, but usually the attack and the malware used to carry it out work much the same way.
We'll use the Ryuk strain of ransomware as our guinea pig for this article.
In its most basic theoretical form, ransomware is a form of extortion. The victim is tricked into running a malware payload of some description (e-mail attachments are a favourite route in), the payload encrypts the files on the victim's computer or device, and the only key that can undo that encryption is one the victim has no way to access - it is held by the attacker, as we'll see below. Amongst those encrypted files tend to be business-critical documents, databases and sensitive customer data, and therein lies the incentive to pay.
You then receive communications from your attacker demanding a ransom to have your data returned, or suffer it being deleted or leaked (a variant known as leakware). These ransoms tend to be demanded in cryptocurrency like Bitcoin or in hard-to-trace e-money vouchers like Ukash.
But how do they work on a technological level?
The process, known academically as cryptoviral extortion, is a three-step protocol that combines two kinds of key: an asymmetric (public/private) keypair whose private half only the attacker ever holds, and a randomly generated symmetric key that does the actual bulk encryption on the victim's machine.
What is a symmetric key? Symmetric encryption uses the same key to both encrypt and decrypt the data (or two keys with a trivial mathematical transformation between them), and it's fast enough to churn through gigabytes of files. Asymmetric encryption uses a public key to encrypt and a separate private key to decrypt; it's slow, but it lets the attacker keep the one secret that matters off the victim's machine entirely. Combining the two is the key to a successful attack (pun completely intended).
1) The attacker generates a pair of keys, one private (known only to them and used to decrypt) and one public (safe to hand out, used to encrypt), and embeds the public key in the malware payload. The malware is released into the world like in one of those inspirational Facebook videos where a turtle gets released back into the ocean.
2) To carry out the attack itself, the malware generates a fresh random symmetric key on the victim's machine (completely unrelated to the keypair from step 1) and encrypts the victim's data with it.
It then uses the public key the attacker embedded in the malware to encrypt that random symmetric key.
This is known as encrypt-ception (it's not, I made that up; it's called hybrid encryption) and it results in a small encrypted copy of the symmetric key sitting alongside all of the victim's now-encrypted data.
Finally it wipes the plaintext symmetric key from memory and deletes the original unencrypted files (and, in most modern strains, any shadow copies and local backups it can reach) so the victim can't simply recover them.
A message appears telling the user "Hi, we broke in and have encrypted all your data, pay or we delete it" - typically in grandiose, patronising fashion, and demanding payment in hard-to-trace cryptocurrency or e-money.
The victim sends e-money to the attacker and waits nervously, drinking more coffee than is safe for humans to consume.
3) The attacker receives the money, (ideally) decrypts the encrypted symmetric key from step 2 with the private key from step 1, and sends the symmetric key back to the victim. Note that the private key never leaves the attacker: the victim only ever sees their own per-victim symmetric key, which is useless against anyone else's files. The victim decrypts their data with it, completing the transaction.
In the words of Dave Grohl, "Done, done and I'm on to the next!"
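The three steps above as one runnable program. This is an added example written for this article, not code from any real ransomware, and it plays all three roles using only the Go standard library: RSA-OAEP for the attacker's keypair, AES-256-GCM for the per-victim symmetric key, and the wrapped key as the only thing that survives on the victim's side. The function names, the 2048-bit key size and the sample "payroll" file are my choices for illustration; real strains differ in detail (Ryuk, covered below, adds a second RSA tier) but not in shape.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Ransomed is what the malware leaves behind: nonce||ciphertext per file, plus the wrapped key.
type Ransomed struct {
	WrappedKey []byte
	Files      map[string][]byte
}

// Step 1 (attacker, offline): generate the RSA pair. Only the public half ships in the malware.
func attackerKeygen() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds AES-GCM over a 32-byte key (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts one file with a fresh random nonce, returning nonce||ciphertext||tag.
func sealFile(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Step 2 (malware, on the victim): fresh symmetric key, encrypt everything, wrap the key, forget it.
func malwareEncrypt(pub *rsa.PublicKey, files map[string][]byte) (*Ransomed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := &Ransomed{Files: make(map[string][]byte, len(files))}
	for name, pt := range files {
		if out.Files[name], err = sealFile(gcm, pt); err != nil {
			return nil, err
		}
	}
	// Hybrid encryption: the 32-byte key is the only thing RSA ever encrypts.
	if out.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
		return nil, err
	}
	for i := range key { // the wrapped copy is now the only copy
		key[i] = 0
	}
	return out, nil
}

// Step 3 (attacker, after payment): unwrap with the private key that never left the attacker.
func attackerUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// victimDecrypt restores the files; a wrong key fails GCM authentication instead of yielding garbage.
func victimDecrypt(key []byte, r *Ransomed) (map[string][]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(r.Files))
	for name, blob := range r.Files {
		if len(blob) < gcm.NonceSize() {
			return nil, fmt.Errorf("%s: ciphertext too short", name)
		}
		pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = pt
	}
	return out, nil
}

func main() {
	priv, _ := attackerKeygen()
	files := map[string][]byte{"Q3-payroll.csv": []byte("name,salary\nDave,42000\nKaren,51000\n")} // constructed
	r, _ := malwareEncrypt(&priv.PublicKey, files)
	key, _ := attackerUnwrap(priv, r.WrappedKey)
	restored, _ := victimDecrypt(key, r)
	fmt.Printf("%d file(s) encrypted, %d-byte wrapped key; after payment: %q\n", len(r.Files), len(r.WrappedKey), restored["Q3-payroll.csv"])
}
```

Two things worth noticing when you run it: the victim's machine never contains anything that can undo the encryption once the plaintext key is zeroed (the 256-byte wrapped key is only useful to whoever holds the private key), and the attacker can safely hand back the symmetric key because it is unique to this victim - decrypting one victim's key gives them nothing against anyone else's.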
If you're interested in the exact logic the Ryuk strain uses to encrypt data, there is an excellent piece of research on it by Check Point Research. I'll do my best to summarise it here.
Some strains of ransomware simply mess with the Master Boot Record (used by your computer as a kind of instruction sheet on how to boot up properly every time) and tell you that everything is encrypted - when really nothing has been encrypted and your computer just won't boot past the message they've set it to display.
These lockers are often lumped in with scareware and are a lot quicker to produce and distribute, but they are also far easier to recover from: repair the boot record and your data is still there.
Ryuk, however, uses a very similar structure in its attack flow to an earlier strain of malware called HERMES - even using the same HERMES marker at the end of each encrypted file so it knows not to encrypt it twice.
It uses a three-tier key model: a global RSA keypair held by the attackers; a per-victim RSA keypair (usually generated on the fly by the malware, but in Ryuk's case pre-embedded in the sample built for that victim, with the private half pre-encrypted under the higher-tier global key); and, at the bottom, a standard AES symmetric key generated for each file, which is encrypted with the per-victim RSA public key and appended to that file.
This represents a pretty damn strong encryption scheme for a piece of malware and means just cracking it yourself with external hardware is infeasible - as long as the authors haven't made an implementation mistake, which is the only thing public decryptor tools ever get to exploit.
Once this is all set up, Ryuk performs a recursive sweep (every folder and everything in every folder) of the local infected computer and every network share it's connected to, encrypting everything it finds.
Interestingly, it specifically leaves out anything related to web browsers, presumably so you can still read the ransom note and get to a Bitcoin exchange.
How Does It Spread?
Once inside a network, ransomware spreads by sweeping for connected network shares, then recursively sweeping those, and so on; worm-type strains (see WannaCry below) also exploit vulnerable hosts directly.
But the primary vector through which ransomware gets in (especially in the most recent campaigns) is extremely targeted waves of phishing, with compromised mailboxes used to push those emails further and further into the victim network - the victims chosen specifically for their ability to pay large ransoms and their inability to tolerate data loss and downtime.
There's your recipe for getting someone to squeal once you breach their network boundary.
Notable Attacks
Petya
Petya is an interesting ransomware variant that was first discovered in 2016 (the year where everyone died and holes started appearing in the Matrix). A heavily modified descendant, dubbed NotPetya, was pointed primarily at Ukraine in a global cyberattack in June 2017.
Rather than encrypting individual files, Petya overwrites the Master Boot Record with its own tiny bootloader and encrypts the Master File Table of the NTFS file system that Windows uses to find anything at all. The file contents are physically still on the disk, but Windows literally cannot boot until the ransom gets paid and the table is decrypted.
The NotPetya version fired at Ukraine was retrofitted to use EternalBlue (the nasty Windows SMB exploit WannaCry had used weeks earlier) to infect computers, alongside stolen credentials to hop between machines on the same network.
This modified version, though, couldn't decrypt the victim's data afterwards even if the ransom was paid - the "installation key" it showed victims was random noise unrelated to any real key - meaning it was a wiper dressed up as ransomware, and more of a disruption effort than a money-making exercise.
WannaCry
The BIG ONE.
In May 2017, WannaCry (a ransomware cryptoworm, meaning it propagates itself without user interaction) infected around 230,000 computers in over 150 countries. It demanded payment in Bitcoin in over 20 languages, hit businesses like Telefónica in Spain, and knocked out at least 16 organisations across the British National Health Service (NHS).
Rather than e-mail phishing as the initial attack vector, WannaCry used the EternalBlue exploit against SMBv1 (Server Message Block, Microsoft's old file-sharing protocol; the flaw had been patched two months earlier as MS17-010, but huge numbers of machines hadn't applied it) to compromise its targets and, being a worm, went about copying and propagating itself as far and as wide as it could. Within a day it had spread internationally.
Surprisingly for such a large-scale attack, it really didn't make all that much money, raking in about $130k when all was said and done - partly because security professionals quickly advised against paying, and partly because the malware had no working way to tell which victim had paid, so nobody was getting their files back regardless.
A researcher, Marcus Hutchins, is credited with stopping the attack by finding a kill-switch domain hardcoded in the malware and registering it, pointing it at a DNS sinkhole (a server that answers on the attackers' behalf). WannaCry only went on to spread and encrypt if it couldn't reach that domain, so once the domain started answering, new infections simply stopped. This bought time for defensive measures to be deployed and patches applied.
Attribution-wise, the US Department of Justice attributes WannaCry to the North Korean state, and in 2018 indicted a North Korean national over it.
SamSam
SamSam was another interesting variant found in 2016. Rather than phishing, its operators broke in through weaknesses in exposed Remote Desktop Protocol (used to administer devices remotely with a graphical desktop rather than a terminal), guessing passwords until they got through the authentication.
Once in, the attackers deployed the malware by hand and set about encrypting everything. It was a wildly lucrative operation: according to the indictment, around $6 million in ransoms paid and over $30 million in losses to victims.
Two Iranian men are wanted by the US government on charges of distributing the SamSam malware and profiting from the operation.
Governments, healthcare providers and cities/municipalities such as Atlanta (hit in March 2018) were SamSam's primary victims.
Does Paying The Ransom Even Work?
It is roundly recommended by most security professionals that if hit by a ransomware attack, you don't pay the ransom.
There is no guarantee or contract in place for the attacker to give your data back or decrypt it for you even if they receive the money they demand - and even when they do, the decryptor they hand over is frequently slow or buggy.
However, it could be argued that it is in their financial interest to do so, as if there's no point in paying the ransom, people will just stop paying them altogether.
Attack frequency may be dropping, but ransom demands are getting bigger and harder to trace.
Save your money and spend it on mitigation and restoration efforts - and on the backups you'll wish you had.
Move to Cryptojacking Malware
There has been an interesting move from straight-up ransomware into another form of attack called cryptojacking.
We'll save the specifics for another explainer, but the way in is much the same: compromise the system, escalate, spread.
The difference is what happens next. Rather than holding your data hostage and hoping you pay, the attacker quietly uses your idle computing infrastructure to mine cryptocurrency for them.
It doesn't announce itself with a ransom note, it doesn't depend on the victim's willingness to pay, and it keeps earning for as long as it goes unnoticed - which, given that the only symptoms are sluggish machines and a bigger electricity or cloud bill, can be a very long time.
It's not hard to see why cryptojacking malware is growing in popularity.
What Can You Do About It?
Much like any disease, the earlier you catch and treat it, the easier the damage is to fix.
If caught early - before the encryption sweep finishes - the infected machines can be pulled off the network and the malware quarantined for analysis in an isolated "sandbox" environment, or simply removed.
This stops further spread of the malware, but it won't recover whatever has already been encrypted.
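What "catching it early" looks like in code, as an added example (mine, not the article's and not any product's): a minimal entropy-based detector of the kind that notices a sweep while it is still running. The sample snapshot, thresholds and file names are constructed for illustration. It looks for the two tells a sweep leaves behind - text files whose bytes suddenly look like random noise, and document extensions with something bolted on after them - and deliberately does not flag high entropy on its own, because JPEGs, ZIPs and Office files are already compressed and would bury the alert in false positives.

```go
package main

import (
	"fmt"
	"math"
	mrand "math/rand"
	"path"
	"sort"
	"strings"
)

// Scan stands in for a file-system walk: path -> content. Constructed for the example.
type Scan map[string][]byte

// textTypes should never look like random noise; docTypes is what ransomware typically renames.
var textTypes = map[string]bool{".txt": true, ".csv": true, ".json": true, ".xml": true, ".log": true, ".html": true}
var docTypes = map[string]bool{".txt": true, ".csv": true, ".json": true, ".xml": true, ".docx": true, ".xlsx": true, ".pptx": true, ".pdf": true}

// shannonEntropy returns bits per byte: around 4-5 for English text, close to 8 for
// ciphertext (and for compressed formats, which is why the extension is checked too).
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// isSuspicious flags a document extension with something appended (report.docx.locked)
// or a text-type file whose content has ciphertext-grade entropy.
func isSuspicious(name string, data []byte, threshold float64) bool {
	ext := strings.ToLower(path.Ext(name))
	inner := strings.ToLower(path.Ext(strings.TrimSuffix(name, ext)))
	if ext != "" && docTypes[inner] && !docTypes[ext] {
		return true
	}
	return textTypes[ext] && shannonEntropy(data) > threshold
}

// Suspicious returns the sorted names of files that trip either check.
func Suspicious(s Scan, threshold float64) []string {
	var hits []string
	for name, data := range s {
		if isSuspicious(name, data, threshold) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// Triggered is the alert condition: a recursive sweep converts files in bulk, so fire on
// the fraction of suspicious files rather than on a single odd one.
func Triggered(s Scan, threshold, ratio float64) bool {
	return len(s) > 0 && float64(len(Suspicious(s, threshold)))/float64(len(s)) >= ratio
}

// sampleScan builds a constructed snapshot: two intact files, one encrypted in place,
// one encrypted and renamed. The "ciphertext" is seeded pseudo-random noise.
func sampleScan() Scan {
	r := mrand.New(mrand.NewSource(7))
	noise := func() []byte { b := make([]byte, 4096); r.Read(b); return b }
	return Scan{
		"notes.txt":          []byte(strings.Repeat("meeting with Dave re: cat pictures\n", 120)),
		"photo.jpg":          noise(), // legitimately high entropy, must not be flagged
		"quarterly.csv":      noise(), // encrypted in place, extension kept
		"report.docx.locked": noise(), // encrypted and renamed
	}
}

func main() {
	s := sampleScan()
	fmt.Println("suspicious:", Suspicious(s, 7.0))
	fmt.Println("alert:", Triggered(s, 7.0, 0.3))
}
```

Run something like this over a periodic walk of your file shares (or hook it to file-write events) and alert on the ratio, not the first hit: one odd file is a user, fifty in a minute is a sweep. Kill the session that owns the writes and you keep whatever it hadn't reached yet.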
Other mitigations include a robust patching policy, so that the initial compromise vectors (EternalBlue, exposed RDP and the like) aren't available in the first place.
Strong security awareness training for your users, so Dave from Accounts who loves cat pictures doesn't click on ANOTHER phishing email.
Strong network segmentation, least-privilege accounts and defence-in-depth design stop an initial compromise turning into total compromise in short order - ransomware can only encrypt what the account it runs as can write to.
There are file-system mitigations too: Controlled Folder Access in Windows 10 lets you stop untrusted applications writing to sensitive directories like documents and backups, which defeats the encryption sweep of most ransomware outright.
ZFS (originally from Sun Microsystems) can snapshot whole file systems as often as you like, hourly or more, and snapshots are read-only: malware running on the host can't encrypt them, so you can roll back to a pre-infection state in seconds. The same principle applies to any offline or immutable backup - it only helps if the attacker's access can't reach it.
If the attacker used weak cryptographic software or made an implementation mistake when encrypting your data, it may also be possible to decrypt it yourself, given enough hardware and time - but this is not a feasible option in most circumstances.
Now you've got a solid introduction to ransomware malware - what it is, how it works, how it spreads, notable examples and things you can do should you be hit. Let us know your insights below!