
Ransomware is one of the biggest cyber threats right now. The latest devastating ransomware attack hit the NHS late last week, highlighting not only the gap in knowledge but also the severe lack of funding and cyber security support provided to the NHS and other organisations that hold masses of important data.

If you’re a home user or SME employee on the receiving end of an attack, it must feel like a pretty lonely moment when the extortion message appears on the screen of an infected PC demanding a payment of somewhere between $300 and $1,000 in Bitcoin.

The ransomware will have taken control of the computer and encrypted all or most of its files after an employee clicked on an email attachment, usually a PDF or what looks like one. 

Infection and C2

It sounds like a simple attack and on the surface it is. An unsuspecting end user does something they normally do every day, clicking on an attachment, and lives to deeply regret it. Unseen, the ransomware is not only encrypting local files it can find but reaching out to attached storage drives and shared networks to encrypt those as well. All of this happens quickly before the user realises what has happened.

Typically, while this is happening, the ransomware also contacts a command and control (C2) server as a prelude to downloading more software and phoning home.

After that, retrieving encrypted files is a matter of paying the ransom (in almost untraceable Bitcoin) and hoping the criminals deliver the key, or resorting to backups, assuming they’ve not been scrambled too.

Advanced ransomware

More recently, the MO of ransomware has evolved beyond this basic attack profile to target larger organisations. Here, simply attacking PCs one at a time is no longer sufficient incentive to pay a ransom, and the criminals have developed new ransomware families that can spread within an organisation to encrypt multiple PCs. This can even happen by hosting ransomware on a compromised application server rather than by sending attachments, as was the case with something called Samas/SamSam.

As defences have evolved, more advanced ransomware is increasingly engineered to operate in a standalone or stealth capacity, for example hiding its activity by not contacting a C2 or even working entirely from memory without the need to save files to disk.

There are now numerous families of ransomware – more are expected to appear in 2017 than in all previous years put together – and a wide range of innovations. Computerworld recently compiled a list of some of the worst recent examples and the level of innovation to avoid boosted defences is startling.

How successful is ransomware?

In terms of infection, very, although few victims in the business world ever talk about this fact and data on the number paying ransoms requires drawing inferences. Most of what we know comes from US and Canadian companies that disclose attacks to meet state-specific data protection regulations. 

Disturbingly, a 2016 survey by Citrix suggested that many UK firms are now quietly stockpiling Bitcoin to cope with a ransomware attack. This was especially pronounced in medium-to-large firms.

Why do organisations pay ransoms?

As far as organisations are concerned, it is not because they don’t have backups but because the time and cost of reinstating data, including on servers, is simply far greater than the cost of the ransom. The ransomware authors know this and set their demands below this cost. It could also be the case that firms fear that merely ransoming encrypted data could soon merge with data breaches in which criminals threaten to reveal ‘hostage’ data.

How to stop ransomware?

As with most forms of malware, there doesn’t seem to be any fool-proof defence although the Windows PC is clearly a major vulnerability – other platforms are far less likely to be attacked for a variety of reasons. All the same, security vendors have belatedly engineered their technology to cope with ransomware using a number of techniques.

The simplest method is to improve detection and blocking at client level, in the manner of an endpoint security product. Many now claim to do this. The second approach is to build detection directly into network infrastructure, for example, advanced firewalls. The third method is to build some kind of correlation engine into a specialised appliance that feeds into a reporting console or SIEM. Most organisations will consider all three at the same time.
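As an added illustration (not from the article or any vendor's product), the correlation approach can be sketched as a rule that flags a single process rewriting many distinct files across local, attached and shared storage within a short window, the behaviour described under "Infection and C2". The event format, host and process names, and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_events():
    """Constructed sample file events: (time, host, process, op, path)."""
    base = datetime(2017, 5, 15, 9, 0, 0)
    # Ordinary activity: one document saved a few times.
    events = [(base + timedelta(minutes=i), "pc-17", "winword.exe", "write",
               r"C:\Users\amy\report.docx") for i in range(5)]
    # Burst: one process rewriting 90 files on local, attached and shared storage.
    roots = [r"C:\Users\amy\Documents", r"E:\backup", r"\\fileserver\finance"]
    for i in range(90):
        ts = base + timedelta(minutes=10, seconds=i // 3)
        events.append((ts, "pc-17", "invoice.pdf.exe", "write",
                       roots[i % 3] + "\\file%d.xlsx" % i))
    return sorted(events)

def volume(path):
    """Return the drive letter, or \\\\server\\share for a UNC path."""
    if path.startswith("\\\\"):
        return "\\".join(path.split("\\")[:4])
    return path[:2]

def correlate(events, window=timedelta(seconds=60), min_files=50, min_volumes=2):
    """Alert once per (host, process) that modifies at least min_files distinct
    files on at least min_volumes volumes within the window (assumed thresholds)."""
    recent = defaultdict(deque)  # (host, process) -> recent (time, path) pairs
    alerts = {}
    for ts, host, proc, op, path in events:
        if op not in ("write", "rename"):
            continue
        q = recent[(host, proc)]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        files = {p for _, p in q}
        vols = sorted({volume(p) for p in files})
        key = (host, proc)
        if key not in alerts and len(files) >= min_files and len(vols) >= min_volumes:
            alerts[key] = {"alert_at": ts, "files": len(files), "volumes": vols}
    return alerts

if __name__ == "__main__":
    for (host, proc), a in correlate(make_events()).items():
        print(host, proc, a["alert_at"], a["files"], a["volumes"])
```

In the sample data the rule fires 16 seconds into the burst, which shows why the window and file-count thresholds decide how many files are lost before anything can respond.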


Ransomware explained – what’s next?

All sorts of possibilities have popped into the minds of researchers, chief among them the idea of a large-scale ransom attack on a corporate in which attackers spend weeks or months penetrating a network in the manner of data breach attackers. Using stolen credentials, they map out not only valuable data stores (databases, code repositories, shares) but gain a detailed view of the backup routines and services. Worm-like ransomware would be used to spread the infection around a network before the detonation date.

“Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3,200 workstations are compromised; half the organisation's digital assets and the vast majority of the company's data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation,” hypothesised Talos.

“The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like.”

Such an attack could be launched for money, probably in the millions, but also conceivably for ideological reasons. In the latter case, a company might be asked to make a public statement.

It sounds far-fetched but only the most optimistic don’t think it will come to pass at some point. The history of malware works this way: what can be imagined usually happens eventually. The weaker and less protected networks will be the first to succumb but as we now know that could in theory be almost anyone.