The majority of the information in this post will be from a white paper that I wrote on the topic of Ransomware for a customer. Alot of the research was already laid out for me by the analysts over as Kaspersky and Symantec and want to make sure that credit is given where it is due (Sources/links at bottom).
Given the recent outbreak of the WannaCry Ransomware that disrupted operations around the world, I felt that this was a very relevant and much needed topic. The white paper did not have any information on WannaCry, since it was written a few weeks before the outbreak, so I will start this post with a quick summary on the WannaCry malware.
WannaCry is a ransomware that will encrypt your data and demand a ransom of $300, in Bitcoin, to regain access to your information. Chances are, your information will remain encrypted even after the ransom is paid so a backup is the only way to recover the data. What WannaCry unique, and very dangerous, is the fact that it uses a worm-like technique to spread from system to system on a network through a Windows SMB Vulnerability. This means that the malware can infect any vulnerable machine on the network without user interaction.
What makes this outbreak so significant? The exploited vulnerabilities that allowed the spread of WannaCry were previously patched/fixed… Almost two months before the outbreak happened. The exploited techniques used to spread this malware were part of the “hacking tools” that were leaked from the NSA in early April and at that time had already been patched by Microsoft in March.
Not to beat a dead horse BUT… Update, update, update! Many, if not all, of the infected systems could have completely avoided infection if they had the latest patches from Microsoft. You can read more about the importance of updates on my previous post here.
For a detailed report and more information on WannaCry, check out Symantec’s excellent report.
Some information specific to the customer has been removed.
Ransomware currently is one of the most prominent cyber threats that both organizations and individual consumers are facing today. Over the last few years, the ransomware programmers have become increasingly mature, which in turn, increases the damage inflicted by an infection. The largest of these campaigns have been able to infect millions of computers inflicting an estimated hundreds of millions of dollars in losses.
The rapid growth of ransomware’s success since 2013 has inadvertently caused the development of an underground marketplace for the malware. Malicious coders and attackers have rushed to cash-in on this success, creating new variants of the malware so frequently that more than 100 variants can be seen per year. It is vital to any organization to stay on top of the latest trends in ransomware and to continuously review and improve their policies and procedures in order to combat this vast and evolving threat.
What is Ransomware
To put it simply, ransomware is a strain of malware that prevents access to the victims’ files or system and demands a ransom in order for them to resume access. There have been a number of styles of ransomware seen in the wild but there have been two distinct categories in which all of these variations can fall in to. The Crypto-based ransomware and the Locker based ransomware. Crypto ransomware, the most widespread type, uses a form of encryption algorithm to encrypt all files, folders and hard drives on the target system. Locker based ransomware simply locks the users out of their devices. The feature that these two categories have in common – they demand a ransom in order for the user to regain access.
Locker based ransomware was the first to be seen and, in today’s environment, is typically only seen on Android and mobile devices. Once it became clear how lucrative ransomware could be, it rapidly evolved and has become much more sophisticated as techniques advanced. These more sophisticated forms of ransomware gained popularity in 2013 and have increased every year since. The graphic below shows just how rapidly the spread of ransomware increased.
The latest variants of ransomware are using highly complex encryption algorithms and are even capable of encrypting or deleting shadow volume copies or backups as well as unmapped network drives. Ransomware also typically scrambles your file names and changes their extension, all of which can be performed offline (after infection) and will then display a message requesting payment. Creators of ransomware have also added time limits to ransom payments in order to present urgency which leads to an increase in ransom payments.
Ransomware is also becoming increasingly more difficult to detect with basic Anti-Virus protection. Many new forms of ransomware are using encrypted web communication or built-in anonymizers, such as TOR, to communicate with Command & Control (C&C) servers. They are also using anti-sandboxing techniques and employing polymorphic behavior so that each infection will be harder to detect.
Top Variants of Ransomware
As the ransomware environment continually evolves, there are always new variant of ransomware popping up. Many older variants are simply dropping off and, as some popular groups responsible for particular campaigns are shutdown, new variants can disappear as quickly as they arrived. For example; TeslaCrypt, which was one of the most successful ransomware campaigns in 2015 and 2016, suddenly disappeared and released a universal decryption key on their TOR website after the group behind the malware was caught and shutdown.
Here we will discuss some of the most common ransomware variants that have been seen in many different business environments.
CryptXXX was first seen in April 2016 and was widely used for several months after. The majority of CryptXXX infections were spread through the Angler or Neutrino Exploit kits. Angler would drop Trojan.Bedep on the target which would in turn infect with CryptXXX. CryptXXX activity began to drop off as Angler Exploit kit disappeared in June 2016. There was a spike of CryptXXX infections between June and August of 2016 with a sudden drop off of activity and a few instances seen as late as October.
After encrypting the target’s files, CryptXXX would change the background to the ransom note (below) that included the details on how to pay the ransom with bitcoin. The ransom was typically the equivalent to $500. This ransomware also had the capability of gathering the user’s bitcoin wallet data so that the attackers could potentially steal any other bitcoins the victim had.
CryptXXX was popular, mostly due to Angler’s popularity, but it had weak encryption. Security researchers were quickly able to create a decryption tool for the early variant of CryptXXX. The attackers quickly improved their encryption but the drop in popularity of Angler prevented a wide redistribution.
Locky also emerged in early 2016 and has been named one of the most prolific ransomware variants to date. Locky is spread primarily through spam campaigns, Neutrino and Nuclear exploit kits. The most notable is the use of the same spam network as the Dridex banking Trojan which allowed it to be rapidly distributed through an already successful attack vector.
It is possible that Locky activity could pick-up again since Talos Security has reported a very large surge of Locky distribution as of April 2017. Since this surge, they have reported as many as 35 thousand spam emails containing Locky attachments being distributed within a few hours.
Locky also has the capability to delete the system’s Volume Shadow Copy to prevent backup restores and would also change the background to the ransom note after encrypting the data. Locky’s ransom typically ranges between 0.5 and 1 bitcoin which, depending on the market, can be as much as $1300 (April 2017 values).
Cerber, another early 2016 emergent, spread rapidly through the use of spam campaigns, similar to Locky. Cerber is also distributed through the use of Neutrino and RIG exploit kits. Cerber has also seen a renewed popularity in 2017.
Along with encrypting all of the user’s files, Cerber will continually scan for and enumerate unmapped Windows shares and encrypt any data that is found on them. Similar to Locky, Cerber will also delete the Shadow Volume Copies. Cerber will place the ransom note on the desktop for the victim to open and when opened, the text is read aloud through a text-to-speech function. Cerber also states that the requested ransom will double if not paid within 7 days. Typical ransoms for Cerber have been between 1.24 and 2.48 Bitcoin (as much as $3000 by current rates). Additionally, Cerber has the ability to add the infected machine to a botnet to be used in various DDoS attacks.
Following the trend of the others, CryptoWall is commonly distributed through spam campaigns and exploit kits, commonly RIG and Nuclear. Many infections of CryptoWall have been predated by a Trojan.Zbot infection. CryptoWall has been a successful ransomware family for a long time and has seen several different versions (currently on v4.0).
CryptoWall leaves a ransom note on the desktop after the files are encrypted, providing details on how to proceed with payment. The ransom is typically $500 with the threat to increase to $1000 if payment is not made by a pre-determined date. CryptoWall also threatens to delete the decryption key after too much time has passed.
Common Tactics and Techniques
In order to remain profitable and continuously defeat the security measures taken to combat ransomware, attackers are continually changing their tactics. That being said, there are still a number of techniques that are used repeatedly and can be predictable.
The most common and successful attack/infection vector for ransomware is through email spam messages. A typical spam message will be sent to users within a targeted organization and will contain an attachment, typically disguised as an important document. The details of the message and attachment will vary but the attachment will typically run a script (if enabled) that will reach out and download the malware.
Most of these attachments will require the user to enable macros or advanced features. However, some recent attacks have seen zipped file attachments that are capable of executing when unzipped.
Another successful technique used in spam is to use a malicious link disguised as a legitimate site from a legitimate sender. Once the link is clicked the victim will be taken to a fake or compromised URL that will automatically download and execute the malware.
Many attackers will simply get their hand on a variant of the ransomware and then use an existing exploit kit infection to infect the target machine. This method is very hard to detect since many exploit kit infections can remain dormant and go unnoticed on a victim’s machine until it is too late. There are also places on the ‘dark web’ where users can purchase access to machines and networks that are already compromised by various exploit kits, drastically cutting down the time necessary for an attacker to carry out a successful ransomware attack.
In some cases, the exploit kit may have been installed for other attack purposes all together and the dropper malware installed through the exploit kit may have had the ransomware associated with it. There have even been instances where an attacker will install an information stealer malware through the exploit kit and then inject ransomware after collecting the targeted data in order to cover up thier tracks. This tactic assumes that the target will simply restore the machine from a backup instead of paying the ransom or attempting to decrypt the data.
Ransomware as a Service
As the demand for ransomware grew with its success since 2013, the idea of Ransomware as a Service (RaaS) has emerged. This RaaS model has made the spread of ransomware easier than ever. A malicious programmer can now develop a variant of ransomware and post it for sale on the ‘dark web’ for any user to access and distribute.
Cerber is probably the most successful RaaS ransomware and the overall success of the Cerber campaign is likely due, in part, to the ease of access for non-technical criminals through the RaaS model. Cerber’s RaaS portal allows the purchasing party to customize options for a variety of targets and, for a fee, will even distribute spam emails to an uploaded email list on behalf of the user.
As you can see in this image, customizing a RaaS for use by any novice attacker can be quite simple and intuitive. This particular portal even allows the user to log back in and track the installation and payment statistics.
Malicious ads can sometimes go unnoticed on trusted websites and may even be placed through legitimate ad networks. These advertisements can be used to initiate a download or redirect a user to a malicious site. In some cases, the user doesn’t even need to click on the ad. This is most commonly an attack vector for exploit kits but the ease of purchasing an advertisement via real-time ad-bidding networks has made this tactic appealing to ransomware criminals. This allows the attackers to target specific users of differing economical class judging by the websites on which the malvertisement is placed.
Though the most common forms of ‘worm-like’ behavior in ransomware have been seen on mobile platforms, where it is spread through SMS, this tactic is starting to pop up in more successful campaigns as well. ZCyptor was the first to show this behavior but other campaigns are adopting its techniques. These variants will infect any and all removable and networked drives before encryption begins. This increases the possibility of additional machines being infected and allows the malware to spread. If an improperly configured network share or storage device is infected with this type of ransomware, then an entire network could become compromised, potentially shutting down a business’ operations until repairs can be made.
Training and Education
Considering that the most successful attack vector for ransomware is through spam campaigns, the most effective mitigation strategy will be to enforce user training and education. The more that the users know about the potential for infection and how their systems can become compromised, the better they will be at identifying a threat.
It is highly recommended that users have an initial Information Security (INFOSEC) Training session, as well as annual refresher. This can be as simple as a short web-based training application. Another effective idea is to have either monthly or quarterly INFOSEC bulletins that can be emailed to users within the organization to provide tips and reminders of the best practices for security.
Managing and implementing access controls and privileges on standard user accounts is another effective strategy. Since the malicious email attachments usually require macros to run, the ability to enable them should be removed. It is also important to ensure that standard users have only the level of access necessary to perform their job functions. This can prevent an inadvertent infection of network locations. Regular review and updates to software restriction policies and application white-listing are also highly recommended. This will limit or prevent the number of programs that can be executed and can prevent access to common locations/directories used by ransomware.
The most reliable why to recover from a ransomware infection and to limit damages is to have a strong backup policy in place. In the event of a ransomware infection on a critical or important system, having frequent backups can allow administrators to perform a restore in a timely manner. This will limit the down time for the system and ensure that there is minimal data loss. For added security, it is even recommended to keep backups offline so that aggressive ransomware variants are unable to infect backup locations as well.
Another recommendation is to keep all important information in a cloud environment. This will limit the amount of important data on the endpoints where it would easily lost/destroyed by the ransomware.
Update, Update, Update
Patch and update systems and software as frequently as possible, or feasible. When security is a high priority, frequent patches and updates are a must. Most AV products release definition updates regularly to try and combat and detect emerging ransomware strategies. Additionally, patches will fix known vulnerabilities that can be used to install other malware, such as exploit kits, which are the second most successful attack vector for ransomware.
This graph shows the number and trend of exploitable vulnerabilities for 2015 and 2016 and demonstrates necessity for regular deployment of patches.
- Consider using Office viewers, to sandbox potentially harmful documents and attachments.
- Remove unnecessary browser plugins, or restrict them to require confirmation.
- Never pay the ransom! There is no guarantee that the data will be unlocked.
- When in doubt, consult ISOC!
Although it is impossible to predict an exact dollar amount for potential losses, a report from the FBI for 2015 ransomware complaints reported over $24 million in losses for reported complaints alone. No official FBI reports have been released for 2016, at this time, they have reported more individual ransomware infections in the first half of 2016 than all of 2015 and the trend is expected to continue for 2017. Businesses’ are being targeted by ransom campaigns since they are likely to pay higher ransoms in order to preserve business continuity.
In the event of a successful attack with an aggressive ransomware variant, businesses could potentially suffer a number of costs including; Downtime cost, Financial cost, Data loss, and damage to reputation leading to a loss of shareholder value.
If downtime is necessary, a business could realize financial losses and damage to reputation for the duration in which services are affected. Other immediate financial costs would be stem from incident response, legal expenses to cover any liabilities to customers as well as any associated fees. Data that is lost or stolen could further impact the security of customers and the company. All of these costs could cause reputational damage and decrease shareholder faith in the company causing a significant decrease in market value.
The best protection for ransomware is to follow the suggestions in the Mitigation Strategies section and to ensure personnel are trained to Prevent, Contain and Respond to any possible outbreaks. As ransomware, and malware in general, continue to evolve, it is important for INFOSEC teams to continually stay up to date and to learn and adapt to the latest changes in the environment and adjust their practices accordingly.
Beginning in 2015, there has been a growing shift in ransomware campaigns to specifically target business and public organizations for the potential of higher payouts. This targeting trend has led to more sophisticated spam campaigns and carefully crafted payloads that could appear legitimate to the target. For example, businesses have seen an increase of fake invoices and financial documents being sent to accounting personnel or even malicious resumes being emailed to HR personnel and recruiters. Other tactics have led groups to dedicate time and efforts to establish a foothold in an organization with exploit kits and Trojans allowing them to launch a ransomware attack on multiple machines or whole networks at the same time.
As demonstrated blow, new ransomware families and variants are continually emerging. It is very possible that targeted ransomware families and focused spam campaigns could increase. Moving forward, training and education to identify potentially malicious emails, attachments and links will be very important.
The increasing success of ransomware has made extortion the most successful business on the ‘dark-web’. This has led to more sophisticated, better funded and well-equipped groups that can utilize more advanced social engineering skills to leverage this “industry”. It is unlikely that this threat will diminish any time soon. Ransomware cyber criminals will only have the ability to impact business as much as we let them. Staying informed on the threat and adapting to the evolving landscape is now more important than ever.
Akin, W. (15 June 2016). Why you should care about Ransomware. CyberSTAC.com. Retrieved 23 April 2017 from: http://www.cyberstac.com/?p=464
Anderson, V. (26 April 2016). Ransomware: Latest Cyber Extortion Tool. FBI Press Releases. Retrieved 24 April 2017 from: https://www.fbi.gov/contact-us/field-offices/cleveland/news/press-releases/ransomware-latest-cyber-extortion-tool
Kaspersky (2017). Kaspersky Security Bulletin 2016. Kaspersky Labs. Retrieved 24 April 2017 from: https://kasperskycontenthub.com/securelist/files/2016/12/KASPERSKY_SECURITY_BULLETIN_2016.pdf
Spring, T. (24 April 2017). Locky Ransomware Roars Back to Life. ThreatPost. Retrieved 24 April 2017 from: https://threatpost.com/locky-ransomware-roars-back-to-life-via-necurs-botnet/125156/
Symantec (10 August 2016). Ransomware and Businesses 2016. Internet Security Threat Report. Retrieved 5 April 2017 from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
Zaharia, A. (7 July 2016). What is Ransomware? Heimdal Security. Retrieved 24 April 2017 from: https://heimdalsecurity.com/blog/what-is-ransomware-protection/