Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business is a potential victim. More important, to the delight of extortionists, people are paying.
Ransomware exists in several forms. The weakest can lock an Internet browsing session with intimidating warnings of government surveillance and demands for immediate payment. These rely on fear tactics and deny the user the ability to easily navigate away from the warning page, thus appearing to have locked the system. This threat can often be solved by simply closing the browser and restarting. This method is how many of the original ransomware schemes began, but it did not result in much financial gain for criminals.
The use of encryption to lock selected user files is now the most common approach. Attackers either compromise the system via exploitation or simply by persuading the user via social engineering into launching malicious software. Either way, the malware seeks specific file types and encrypts them with a public key. The malware notifies the victims that many files are encrypted and they must pay to receive the associated private key to unlock them. Users are directed to send cryptocurrency to anonymous accounts. This practice has proven very successful because the encryption strength is exceptionally strong and the targeted files are meaningful to the victims.
The third type of ransomware also leverages encryption, but targets operating system files, effectively holding the entire boot sequence hostage. The malware encrypts the master boot record, and deletes Windows shadow copies and other system-recovery capabilities.
Ransomware is a relatively new method of attack that can rarely be stopped by traditional security controls. Attack methods include phishing, maliciously configured websites and online ads, Trojans embedded in downloads, compromised devices, and poisoned email attachments. Ransomware represents a shift in tactics from traditional data breach exfiltration and website-distributed denial-of-service attacks. Ransomware undermines the integrity of specific files and systems, placing them under the control of the adversary, rather than jeopardizing the confidentiality or general availability of an environment. This change in tactic is troublesome for the current generation of security tools and practices, which are struggling to adapt to the new threat.
Ransomware has risen dramatically during the past couple of years. The McAfee Labs Threats Report March 2016, from McAfee, counts more than six million unique samples of ransomware in the wild. Industry experts believe ransomware will remain a major and rapidly growing threat in 2016 and beyond. The financially motivated actors relish their great triumphs with this approach and the significant sums of money being made. Research by the Cyber Threat Alliance showed one variant in 2015, CryptoWall 3, caused an estimated US$325 million in losses. This success fuels technical advancements, attracting more attackers, strengthening support infrastructures, and enhancing targeting techniques.
Cybercriminals, large and small, have fully embraced ransomware. Attackers canvas broad audiences with indirect campaigns, indiscriminately seeking easy targets. Floods of phishing emails, malicious ads that lead to infected sites, and Trojans embedded in applications infect the unsuspecting. A wide range of common file types are encrypted and a relatively low ransom is set to make the option of paying more attractive. Separately, some threat agents apply direct targeting techniques that single out specific victims. They may create customized and elaborate phishing campaigns, waterhole attacks, or directly exploit system vulnerabilities to compromise individual hosts. Attackers can target victims through the use of exploit kits—such as Angler, Magnitude, and Nuclear—to deliver ransomware payloads like CryptXXX and Locky. Exploit kits allow ransomware to run, target files most valued by that particular victim, and establish a high ransom.
Technically, the encryption algorithms and implementation techniques of ransomware have become stronger. Early variants were easily undermined by security professionals due to poor implementations, but nowadays most ransomware code is at a level that cannot be broken by cryptanalysis or by identifying weaknesses in key management. Ransomware developers also bundle their code with more features and capabilities. Advanced malware can see whether it is running in a security sandbox, establish secure connections to control infrastructures, use unique public key infrastructure key pairs for each victim, combine multiple infection techniques, establish backdoors for later use, and destroy the system if attempts are made to evict the code. Attackers are creative and will maximize every opportunity. For example, the Petya ransomware was recently updated to include Mischa code. Petya attempts to encrypt the master boot record, but if it fails it reverts to using Mischa as a file-encrypting scheme. Ransomware also mixes with botnets to amplify its reach. The Dridex botnet is well known to spread Locky and Cerber ransomware.
For the foreseeable future, ransomware will remain a major and rapidly growing threat, fueled by anonymizing networks and payment methods. The business models and infrastructure underpinning ransomware are becoming stronger. Most of these attacks continue to use Bitcoin to anonymously transfer funds from victims to the criminals. Popular anonymous networks, such as Tor, mask the location and owners of the control servers. With so much money at stake, attackers realize they are getting a lot of attention from law enforcement agencies, and they work very hard at remaining in the shadows. Other advances include less-than-scrupulous developers who offer the software and hosting services to upstart criminals seeking to enter the ransomware arena. Ransomware-as-a-Service is now a real business opportunity. Anyone can purchase or rent such a service; the infrastructure host will handle all the back-end procedures in return for a slice of the profits. This partnership allows for specialization and the recruitment of less technical fraudsters to join in the activities.
At its core, ransomware is about extorting money. Although targeting consumers who blunder into their traps will continue, the most sophisticated threats target industries that must maintain access to crucial data and are willing to pay large sums. So far in 2016, the healthcare sector is one of several that has been aggressively targeted. Medical facilities need access to systems, care devices, and patient records. Several hospitals have been specifically targeted by ransomware, causing disruption to services. Transportation, financial, and legal sectors are other fields that share a similar profile and are now targets. New technology will also be victimized. As consumers and businesses rely on new devices and services, that reliance creates an opportunity for this type of extortion. Imagine getting into your smart car to drive home and seeing a ransomware screen. With vehicle operations blocked, you are now effectively stranded. How many people would pay a small “fee” to get their car started?
Advice for fighting ransomware
Ransomware is very challenging to combat. No one solution or practice can solve the problem. The ransomware development community is very agile in countering defenses introduced by security vendors. They look for easy victims and targets with value, and work to exploit new technologies to keep the money flowing in their direction.
The best defense is to stop ransomware before it arrives on a system, or block an attacker’s attempts to gain access. The next best opportunity is to detect the malware and rapidly evict it before it can cause damage. Malware must be downloaded before it can launch, which provides a narrow window of opportunity to contain the threat if it can be detected in time. Rapid detection, however, is difficult because adaptive attackers are very successful at creating problems for security.
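The two signals the text describes, deletion of Windows recovery capabilities and a burst of file encryption, can be caught in that narrow window with simple behavioural rules. The following script is an added example, not code from the original report: it runs two such rules over constructed sample events (a process-creation line and file-rename lines per host; the log format, host names and paths are all assumed) and raises per-host alerts.

```python
import re
from collections import defaultdict
# Constructed sample events, not real telemetry. Format: "<seconds> <kind> <host> <detail>"
SAMPLE_LOG = """\
100 PROC ws01 vssadmin.exe delete shadows /all /quiet
101 FILE ws01 rename C:\\Users\\ann\\docs\\q1.xlsx -> C:\\Users\\ann\\docs\\q1.xlsx.locked
101 FILE ws01 rename C:\\Users\\ann\\docs\\plan.docx -> C:\\Users\\ann\\docs\\plan.docx.locked
102 FILE ws01 rename C:\\Users\\ann\\pics\\a.jpg -> C:\\Users\\ann\\pics\\a.jpg.locked
102 FILE ws01 rename C:\\Users\\ann\\pics\\b.jpg -> C:\\Users\\ann\\pics\\b.jpg.locked
103 FILE ws01 rename C:\\Users\\ann\\pics\\c.jpg -> C:\\Users\\ann\\pics\\c.jpg.locked
103 FILE ws01 rename C:\\Users\\ann\\docs\\notes.txt -> C:\\Users\\ann\\docs\\notes.txt.locked
200 FILE ws02 rename C:\\Users\\bob\\draft.docx -> C:\\Users\\bob\\final.docx
201 PROC ws02 notepad.exe C:\\Users\\bob\\final.docx
"""

# Commands that remove Windows recovery capabilities (the shadow-copy deletion described
# above); seen from an ordinary user session they are a strong signal on their own.
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
LINE = re.compile(r"^(\d+)\s+(PROC|FILE)\s+(\S+)\s+(.*)$")
RENAME = re.compile(r"^rename\s+(.+?)\s+->\s+(.+)$")

def extension_changed(src, dst):
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()

def analyze(log_text, window=5, burst_threshold=5):
    """Return {host: [alerts]}: recovery tampering plus bursts of extension-changing renames."""
    alerts = defaultdict(list)
    renames = defaultdict(list)  # host -> timestamps of extension-changing renames
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, kind, host, detail = int(m[1]), m[2], m[3], m[4]
        if kind == "PROC" and any(p.search(detail) for p in RECOVERY_TAMPER):
            alerts[host].append(f"recovery tampering: {detail}")
        elif kind == "FILE":
            r = RENAME.match(detail)
            if r and extension_changed(r[1], r[2]):
                renames[host].append(ts)
    for host, times in renames.items():
        # largest number of extension changes that fall inside any `window`-second span
        hits = [sum(1 for u in times[i:] if u - t <= window) for i, t in enumerate(sorted(times))]
        if max(hits) >= burst_threshold:
            alerts[host].append(f"rename burst: {max(hits)} extension changes within {window}s")
    return dict(alerts)
```

A normal rename that keeps the extension (ws02) produces no alert, while ws01 trips both rules; in production the rename rule would read from a file-system audit feed rather than a text log.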
Once ransomware starts, the situation quickly gets grim. Most ransomware infections encrypt files in a way not recoverable without the private key, held by the extortionist. Even if victims pay the ransom, there is no guarantee they will get their files back, as they are dealing with untrustworthy parties.
Recovery from ransomware is painful, expensive, and time consuming. If backups are available, then the best option is to remove the infected media and start fresh. Reusing infected drives is not recommended for any severe malware infection because it is nearly impossible to know if everything is safe. It is better for everyone, especially businesses, to start with a new drive, a fresh operating system, and restored uninfected data files. For consumers, this fresh start may not be reasonable due to cost or technical challenges, leaving them with cleaning and reusing the infected drive.
Many choose to move on without the encrypted files. The files may not be that important, they can be recreated, or the victims choose to accept the loss and learn from the experience. Paying the ransom is not recommended. Cooperating with extortionists is no guarantee of decrypted files. What is certain, however, is that victims who pay will be recognized as willing to pay, making them a preferred target in the future.
Best practices to protect against ransomware
The following recommendations provide a good measure of protection against ransomware. However, as the threats constantly evolve, so must the defenses we present.
Ransomware attacks are a highly visible problem and a growing global threat to businesses, governments, and consumers. Security and technology vendors are working to undermine this new tactic by cybercriminals, but progress is difficult. Businesses and consumers should proactively take steps to minimize the risks and impacts. Those who don’t are likely to feel the sting of future ransomware attacks.