How does one get infected?
Fundamentally, ransomware is simply another type of computer virus, and your computer can be infected through any of the standard attack vectors. These include exploiting a new vulnerability in a web browser, tricking victims into connecting malicious flash drives, repurposing compromised websites, exploiting old bugs in outdated software, or some combination thereof. However, the most notable and increasingly common method of propagation is mass-emailing potential victims spam with tales of free gift cards, Kenyan riches, or unpaid bills, exhorting users to simply open the attached files. Another familiar instance is convincing users to double-click a lolcat.scr file sent over chat because they think it’s a screenshot (the extension actually stands for script).
For reasons that will be discussed shortly, the level of technical skill needed for an attacker to deploy a ransomware instance has dropped considerably, to the point where tech-savvy teenagers can be prolific criminals. As a result, there has been an incredibly steep rise in email-transmitted ransomware. According to a report from PhishMe, as of March 2016, 93% of malicious emails now contain ransomware. Often, the email will request that you disable security settings (for instance, by enabling Macros in Microsoft Word) in order to be able to read the attached documents.
Currently, ransomware is by and large a Windows and Android phenomenon. However, as the number of instances of ransomware is still shooting upwards, it is likely that popular strains will spread to other operating systems. Recently, there have been isolated cases of ransomware targeting Linux as well as OSX, and this trend can only be expected to grow.
Ransomware is notable in that it targets everyone and everything: from individuals to corporations to universities. Take for instance the University of Calgary, which was charged $16,000 to recover its files, or the Hollywood Presbyterian Medical Center, which was forced offline: unable to use its computers or the associated machinery until it paid a $17,000 fee. In fact, the most attractive targets are individuals, small businesses, and non-corporate entities, as each of these groups typically has lax security policies yet is able to afford the ransom.
What happens after infection?
Once the malware starts running, its primary goal is to encrypt as many important files as it can while simultaneously removing ways the victims could recover the files without paying the ransom. There are two distinct methods of doing this, the most common of which is the tactic used by the Locky strain. The virus will scan for all accessible network and disk drives, including flash drives and folders on OneDrive, DropBox, and GoogleDrive (if they are accessible). It then begins encrypting all files used to store information, while ignoring files used by applications and the operating system itself. By skipping these files, the ransomware takes care to keep the computer usable, in addition to decreasing the likelihood that a victim will catch it before it completes encryption. Next, it destroys every backup it can find, and displays a message stating that all files have been encrypted, and that recovery is only possible through buying the decryption key.
The other tactic ransomware can use is to encrypt the entire computer. The Petya ransomware, created by Russian hackers, follows this strategy, overwriting the boot loader of the computer with custom software and then forcing a reboot, which proceeds to execute their software. Having no qualms about rendering the computer inert, the ransomware prevents access to anything on the computer until the ransom has been paid.
Victims of ransomware normally have one of three options:
1) Pay the ransom
Normally victims have a window of several days to pay before the hacker deletes the decryption key from his server forever. The affected persons would have to go onto the dark web through the Tor browser, buy an anonymous currency known as bitcoin, and then transfer the bitcoins to the hacker and hope that he upholds his end of the bargain. Fortunately (in a perverse sort of way), from a game-theory point of view it is in the best interest of the ransomware developers to not only provide the decryption keys after receiving the ransom, but also to make the entire process as streamlined as possible. This makes intuitive sense: victims will only pay up if they believe that doing so will restore their files. In fact, some ransomware developers maintain a FAQ page and chat line over which victims can ask the hackers for technical assistance in paying, or beg for a reduction in the ransom. A recent instance of ransomware has appeared which is notable for having a live chat room built into the ransomware. All in all, paying the ransom is the worst way to recover your files, but sometimes is the only option.
2) Restore from backup
If you have a copy of your important documents and pictures, then there is no need to pay the ransom!
We encourage everyone, both individuals and businesses, to keep regular offline backups. However, this comes with a caveat: be wary about leaving your backup drives always connected to the server or workstation. If deployed at an unfortunate time, ransomware can – and will – encrypt your backups, along with everything else it can see. Consider using a system wherein you have an external drive onto which backups can be written at any time, but users cannot arbitrarily modify existing files on the drive.
There is no practical reason not to back up essential information. Storage today is cheaper than ever. More importantly, the potential costs in both time and money of not having up-to-date backups far overshadow what it takes to get a secure and robust system set up. For the casual user, copying important documents (anything that would be problematic if it was lost) onto a flash drive once a day is much better than nothing, although evidently not as effective or scalable as a full backup system.
As with recovering from any type of malware, we strongly recommend that after regaining their data, victims either do a complete wipe and re-image of their operating system and all of their programs, or have a professional securely and permanently remove all traces of the virus. This is because malware can configure its host to reinstall the virus if it is ever removed, or can modify other applications to carry on its dirty work. For instance, victims of the CryptoLocker strain of ransomware would pay the ransom and decrypt their files, unaware that their computers were now controlled by the Gameover ZeuS botnet. In short, trusting a virus to play nice and leave once it has been beaten is a very bad idea.
3) Pwn the ransomware
One of the token rules of creating secure software is “don’t roll your own crypto”. That is, rather than attempting to implement encryption from the ground up, instead use vetted solutions created by experts and professionals. The underlying philosophy behind this rule is simply that there are so many subtle ways to have flaws in a cryptography suite. Take for instance the TLS protocol, which encrypts client-server communications for the Internet, and recently was shown to house a new vulnerability which allows dedicated attackers to decrypt encrypted communications on the web. Given the difficulty of creating good cryptographic software even for experienced teams of developers, it should come as no surprise that most scammers and hackers cannot implement flawless crypto for their own nefarious purposes. This results in a fortuitous blessing for white hats and other security engineers.
Consider the case study of the LinuxEncoder ransomware family. Once a ransomware virus begins running, before doing anything malicious, the malware will generate an encryption key, and then transmit it to the hacker’s server. Once that transaction has been completed, the virus will rampantly encrypt the user’s documents. Clearly, this system relies on the encryption key being impossible for the victim to guess. In the particular example of LinuxEncoder, the hacker chose to derive the encryption key from the current date and time. As files store the timestamp of the most recent access, it was a simple matter to use this information to re-derive the encryption key, allowing victims to recover their files without either restoring from backup or paying the malware authors a cent!
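The recovery idea described above, as an added example that is not code from the original article or from any real ransomware or decryptor. The PRNG, the toy SHA-256 keystream cipher, the known PDF header check and all sample values are assumptions made for illustration; they are not LinuxEncoder's actual algorithm.

```python
import hashlib
import random

PDF_MAGIC = b"%PDF-1."  # header bytes a victim knows a PDF must start with

def key_from_time(epoch_seconds: int) -> bytes:
    """The flaw: a 16-byte key drawn from a PRNG seeded with the clock."""
    rng = random.Random(epoch_seconds)
    return bytes(rng.randrange(256) for _ in range(16))

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the real cipher."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def recover_key(ciphertext: bytes, file_timestamp: int, window: int = 3600):
    """Walk backwards from the file's timestamp, one candidate seed per second.

    A candidate is accepted when it decrypts the first bytes to the known
    header. Returns (seed, key) or None if no second in the window matches.
    """
    head = ciphertext[:len(PDF_MAGIC)]
    for seed in range(file_timestamp, file_timestamp - window - 1, -1):
        key = key_from_time(seed)
        if keystream_xor(key, head) == PDF_MAGIC:
            return seed, key
    return None

def demo():
    """Constructed scenario: key generated 95 seconds before the file was touched."""
    keygen_time = 1_447_000_000                 # constructed timestamp
    file_timestamp = keygen_time + 95           # constructed: what the victim can read
    plaintext = PDF_MAGIC + b"4\nconstructed sample document body"
    ciphertext = keystream_xor(key_from_time(keygen_time), plaintext)
    seed, key = recover_key(ciphertext, file_timestamp)
    return seed, keystream_xor(key, ciphertext), plaintext

if __name__ == "__main__":
    seed, recovered, original = demo()
    print("seed found:", seed, "| file restored:", recovered == original)
```

The search space is only as large as the uncertainty in the clock value, here at most 3,601 candidates, which is why a key that should take longer than the age of the universe to guess falls in well under a second.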
LinuxEncoder is interesting in several ways, one of which is that it is based on a trap set by Turkish security researcher Utku Sen. The researcher created a proof-of-concept ransomware known as Hidden Tear, and made the source code available on GitHub. His motivation was twofold. First, to present security professionals with a worked example of how ransomware operates. The second reason is much sneakier: to ensnare amateur hackers with little technical knowledge, known as script kiddies. His software hosts a number of subtle bugs which would easily be missed by inexperienced individuals, bugs which allow victims to recover the encryption key for free. Any hackers who based their ransomware on Mr. Sen’s model would likely include these bugs. His ploy worked: at least four different strains of ransomware emerged derived from his code, all of which were defeated through the method discussed earlier.
An entirely different sort of attack was used to defeat the Petya ransomware, which unlike the aforementioned viruses was written from scratch by a sophisticated Russian hacker group, and for months was the scourge of the Windows ecosystem. Furthermore, the ransomware employed the most elaborate method of locking files we’ve seen, and clearly was not built by dilettantes. It eventually met its demise when an intrepid individual analyzed the encryption scheme used by the malware, and created a cryptographic attack on the underlying cipher, allowing victims to recover the key in 30 seconds.
Ransomware as a Service
The case of Hidden Tear exposes another trend in malware development. Script kiddies eager to make a quick buck are perfectly willing to take a stranger’s code and tweak it in order to create their own low-effect ransomware. This has led some enterprising criminals to create ransomware bundles, which they sell to other hackers, who actually infect businesses and people with the malware. The original creator of the malware gets a 10 to 20 percent cut of every ransom, and the hackers buying the ransomware suites avoid the hassle of actually writing malware. The spike in popularity of this model has ensured that deploying serious viruses is not restricted to expert hackers, and is a major cause of the recent drastic increase in the number of ransomware incidents.
Observers have dubbed this model “Ransomware as a Service”, noting its similarity with popular Software as a Service technologies. The comparison is quite apt, although most cloud software doesn’t lock your files and force you to pay to get them back! What software suites such as Google Apps, Amazon Web Services, and the Adobe Creative Cloud all have in common is that they are migrating the actual storage and execution away from users’ workstations and onto separately owned and controlled servers. This new ransomware model similarly abstracts away many of the underlying technical challenges.
How to prevent infection
Earlier in the article we discussed what your options are once you have had your files encrypted. A preferable situation, of course, is to never be infected in the first place! To this end, we recommend layers of security at every point of entry. We have teams of experts to install, configure, and maintain each of these solutions and more. Contact an EthicalHat security professional to learn more!
- Filter incoming emails to check for spam, scams, and phishing attempts
- Verify that emails claiming to come from trusted sources really did so by employing digital signatures
- Automatically run antivirus checks on all attachments and downloads, bearing in mind that the only useful antivirus is an up-to-date one
- Prevent unknown applications from wreaking havoc on the network by implementing the principle of least privilege
- Disable common vectors used by viruses but not normal applications, such as Microsoft Office Macros
- Prevent web traffic to known malicious destinations
- Deploy an Intrusion Prevention System to continuously monitor running programs for suspicious behavior
- Create a honeypot file to catch ransomware in the act
I’ll expand on the last point, as it is a rather interesting concept which uses the virus’ greed against it. The central idea is that ransomware will try to encrypt as many important files as it can, so set up a few watchdog files masquerading as normal documents, and configure the operating system to take action if any of these files are changed. Whenever one of these files is modified, it is likely due to it being encrypted by ransomware! The ideal reaction once this method determines that an instance of ransomware is roaming free in the system is not, surprisingly enough, to shut down the ransomware or to turn off the computer. While that would immediately stop the virus from spreading, the virus could have configured the operating system to simply start it up again. In addition, this would render any files encrypted before this point completely inaccessible, with no way to even pay the ransom to recover them. Therefore, a better option is to hibernate the affected computer. Doing so will save the memory of every running process, which would allow a professional to directly recover the encryption key from within the body of the malware program. Unfortunately, this technique would not work against a Petya-style ransomware which forces a reboot, and only encrypts files once it has overwritten the boot loader. This reinforces that security must be layered to be fully effective, as in this case you would rely on the Intrusion Prevention System, or any layer above that, to catch the malware.
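One way to implement the watchdog-file check described above, as an added example that is not code from the original article. The decoy file names, the polling design and the dry-run behaviour are assumptions; `shutdown /h` and `systemctl hibernate` are the standard hibernate commands on Windows and systemd-based Linux.

```python
import hashlib
import os
import subprocess

# Response suggested in the text: hibernate, so process memory is preserved.
HIBERNATE_CMD = {"nt": ["shutdown", "/h"], "posix": ["systemctl", "hibernate"]}

def fingerprint(path):
    """Return (size, sha256) of a file, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return len(data), hashlib.sha256(data).hexdigest()

def plant_canaries(directory, names):
    """Create decoy documents and return the baseline {path: fingerprint}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"Quarterly figures (decoy document, constructed)\n" * 20)
        baseline[path] = fingerprint(path)
    return baseline

def check_canaries(baseline):
    """Compare each canary with its baseline; nobody should ever touch these files."""
    tripped = []
    for path, expected in baseline.items():
        current = fingerprint(path)
        if current is None:
            tripped.append((path, "missing"))    # deleted, or renamed with a new extension
        elif current != expected:
            tripped.append((path, "modified"))   # contents rewritten, e.g. encrypted
    return tripped

def respond(tripped, dry_run=True):
    """Choose the hibernate command if any canary tripped; execute only when dry_run is False."""
    if not tripped:
        return None
    cmd = HIBERNATE_CMD.get(os.name, HIBERNATE_CMD["posix"])
    if not dry_run:
        subprocess.run(cmd, check=False)
    return cmd
```

Run `check_canaries` on a short interval from a scheduled task or service, and keep the baseline somewhere the monitored user account cannot write, so the same process that rewrites the decoys cannot also rewrite the expected fingerprints.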
The Tor network has hordes of legitimate uses, including protecting activists and journalists, allowing researchers to explore sensitive topics without fear of prosecution, intelligence gathering by the US military, and circumventing censorship and surveillance. Similarly, strong cryptography ensures the privacy of those who need it most, and is a staple of our interconnected world. But like any other tool, it can be subverted and used for nefarious ends, of which ransomware is a troubling example.
Fortunately, there are ways to protect yourself! Contact an EthicalHat security professional to learn more about how our proven security techniques can ensure a scalable, safe, and secure solution for your enterprise.