Ransomware is one of the biggest cyber threats right now.
If you’re a home user or SME employee on the receiving end of an attack it must feel like a pretty lonely moment when the extortion message appears on the screen of an infected PC demanding a payment of somewhere between $300 and $1,000 in Bitcoin.
The ransomware will have taken control of the computer and encrypted all or most of its files after an employee clicked on an email attachment, usually a PDF or what looks like one.
But it's not just SMEs that are being affected. This year has seen ransomware attacks on large, international and government infrastructures, with the recent attack in Ukraine shutting down its national bank, state power company and Kiev's largest airport on June 27, just one month after a large number of organisations, including the NHS, fell victim to WannaCry ransomware.
ComputerworldUK explores what ransomware is, why businesses pay and how it can be stopped.
It sounds like a simple attack and on the surface it is. An unsuspecting end user does something they normally do every day, clicking on an attachment, and lives to deeply regret it. Unseen, the ransomware is not only encrypting local files it can find but reaching out to attached storage drives and shared networks to encrypt those as well. All of this happens quickly before the user realises what has happened.
Typically, the ransomware also contacts a command and control (C2) server as this is happening as a prelude to downloading more software and phoning home.
After that, retrieving encrypted files is a matter of paying the ransom (in almost untraceable Bitcoin) and hoping the criminals deliver the key, or resorting to backups, assuming they’ve not been scrambled too.
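The caveat above, that backups may have been scrambled too, is worth turning into a routine check. The following is an added example, not code from the original article: it records a hash for every file in a backup set, protects that record with an HMAC so a process that can rewrite backup files cannot also quietly rewrite the manifest, and on verification reports files that are missing, modified, or (high byte entropy after a hash mismatch) overwritten with what looks like ciphertext. The key, the directory layout, the threshold of 7.5 bits per byte and the sample documents are all assumptions made for the demonstration; in practice the manifest and its key should live somewhere the backed-up hosts cannot write.

```python
import hashlib
import hmac
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed for the example: the key is held by the backup operator, off the
# client, so whoever can scramble backup files cannot forge the manifest.
MANIFEST_KEY = b"example-manifest-key-keep-off-the-client"
ENTROPY_LIMIT = 7.5   # bits/byte; encrypted or compressed data sits near 8.0


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte of `data`; plain documents sit well under 7, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(backup_dir, manifest_path):
    """Record a hash for every file under backup_dir and MAC the record."""
    backup_dir = Path(backup_dir)
    hashes = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
              for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(hashes, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    Path(manifest_path).write_text(json.dumps({"files": hashes, "tag": tag}))


def verify_backup(backup_dir, manifest_path):
    """Return {relative_path: reason} for every file that is not as recorded."""
    doc = json.loads(Path(manifest_path).read_text())
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return {"<manifest>": "tampered"}     # do not trust any of its hashes
    backup_dir = Path(backup_dir)
    problems = {}
    for rel, digest in doc["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != digest:
            # A changed file full of high-entropy bytes is the signature of an
            # encryptor having rewritten it rather than a user edit.
            ent = shannon_entropy(p.read_bytes()[:65536])
            problems[rel] = "scrambled" if ent > ENTROPY_LIMIT else "modified"
    return problems


def demo():
    """Constructed scenario: three backed-up documents, then one is overwritten
    with random bytes (as an encryptor would leave it) and one is deleted."""
    with tempfile.TemporaryDirectory() as root:
        backup = Path(root) / "backup"
        backup.mkdir()
        for name in ("ledger.xlsx", "report.docx", "notes.txt"):
            (backup / name).write_bytes((f"{name} quarterly figures " * 200).encode())
        manifest = Path(root) / "manifest.json"   # kept outside the backup tree
        write_manifest(backup, manifest)
        (backup / "report.docx").write_bytes(os.urandom(8192))   # scrambled
        (backup / "notes.txt").unlink()                           # deleted
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

Run the file to see the two findings from the constructed scenario. The entropy test only runs after a hash mismatch, so a legitimately edited spreadsheet is reported as "modified" while a file rewritten with ciphertext is reported as "scrambled"; the HMAC check comes first because a manifest that can be rewritten alongside the files proves nothing.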
More recently, the MO of ransomware has evolved beyond this basic attack profile to target larger organisations. Here, simply attacking PCs one at a time is no longer sufficient incentive to pay a ransom, and the criminals have developed new ransomware families that can spread within an organisation to encrypt multiple PCs. This can even happen by hosting ransomware on a compromised application server rather than by sending attachments, as was the case with the family known as Samas/SamSam.
As defences have evolved, more advanced ransomware is increasingly engineered to operate in a standalone or stealth capacity, for example hiding its activity by not contacting a C2 or even working entirely from memory without the need to save files to disk.
There are now numerous families of ransomware – more are expected to appear in 2017 than in all previous years put together – and a wide range of innovations. Computerworld recently compiled a list of some of the worst recent examples, and the level of innovation devoted to evading improved defences is startling.
How successful is ransomware?
In terms of infection, very, although few victims in the business world ever talk about this fact and data on the number paying ransoms requires drawing inferences. Most of what we know comes from US and Canadian companies that disclose attacks to meet state-specific data protection regulations.
Disturbingly, a 2016 survey by Citrix suggested that many UK firms are now quietly stockpiling Bitcoin to cope with a ransomware attack. This was especially pronounced in medium-to-large firms.
Why do organisations pay ransoms?
As far as organisations are concerned, it is not because they don't have backups but because the time and cost of reinstating data, including on servers, is simply far greater than the cost of the ransom. The ransomware authors know this and set their demands below this cost. It could also be the case that firms fear that merely ransoming encrypted data could soon merge with data breaches in which criminals threaten to reveal ‘hostage’ data.
How to stop ransomware?
As with most forms of malware, there doesn't seem to be any foolproof defence, although the Windows PC is clearly a major vulnerability – other platforms are far less likely to be attacked for a variety of reasons. All the same, security vendors have belatedly engineered their technology to cope with ransomware using a number of techniques.
The simplest method is to improve detection and blocking at the client level, in the manner of an endpoint security product. Many now claim to do this. The second approach is to build detection directly into network infrastructure, for example advanced firewalls. The third method is to build some kind of correlation engine into a specialised appliance that feeds into a reporting console or SIEM. Most organisations will consider all three at the same time.
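The third approach, a correlation engine fed from endpoint telemetry, can be sketched against the attack flow described earlier (one process rapidly rewriting every file it can reach, then dropping a note). The following is an added example written for this article, not a vendor's product or the article's own code. It parses a constructed, flattened file-audit log (timestamp, host, process, action, path; the format, thresholds, process names and paths are all assumptions) and raises one alert per rule per process for three behaviours: a burst of distinct files written or renamed inside a short window, many files renamed to a single new extension, and a file whose name looks like a ransom note. Reads alone never trigger, so a slow backup agent passes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables for the toy rules (assumed values; tune against real baselines).
WINDOW = timedelta(seconds=30)     # correlation window per (host, process)
BURST_THRESHOLD = 10               # distinct files written/renamed inside WINDOW
EXT_THRESHOLD = 5                  # files renamed to one new extension
NOTE_PATTERN = re.compile(r"DECRYPT|RESTORE|RANSOM|HOW_TO", re.IGNORECASE)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (READ|WRITE|RENAME) (.+)$")


def build_sample_log():
    """Constructed audit lines (not real telemetry): a normal document save, a
    slow backup agent, then a simulated encryptor renaming files and dropping
    a ransom note. Process and path names are made up for the example."""
    t0 = datetime(2017, 6, 27, 9, 0, 0)
    docs = "C:\\Users\\amy\\Documents\\"
    lines = [f"{t0.isoformat()} ws01 winword.exe WRITE {docs}q2.docx"]
    for i in range(30):                       # benign: reads only, spread out
        ts = (t0 + timedelta(seconds=i * 4)).isoformat()
        lines.append(f"{ts} ws01 backupd.exe READ {docs}file{i}.docx")
    for i in range(12):                       # malicious: 12 renames in 4 s
        ts = (t0 + timedelta(seconds=60 + i // 3)).isoformat()
        lines.append(f"{ts} ws01 invoice.pdf.exe RENAME {docs}file{i}.docx -> {docs}file{i}.docx.locked")
    ts = (t0 + timedelta(seconds=65)).isoformat()
    lines.append(f"{ts} ws01 invoice.pdf.exe WRITE {docs}_HELP_DECRYPT.txt")
    return lines


def parse(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, action, path = m.groups()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
          "action": action, "path": path, "new_path": None}
    if action == "RENAME" and " -> " in path:
        ev["path"], ev["new_path"] = path.split(" -> ", 1)
    return ev


def basename(path):
    return re.split(r"[\\/]", path)[-1]       # works for Windows and POSIX paths


def extension(path):
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(lines):
    """Correlate events per (host, process) and return a list of alert dicts."""
    recent = defaultdict(deque)                          # key -> (ts, path) window
    renamed_to = defaultdict(lambda: defaultdict(set))   # key -> ext -> old paths
    alerts, fired = [], set()

    def alert(key, rule, detail):
        if (key, rule) not in fired:                     # one alert per rule per process
            fired.add((key, rule))
            alerts.append({"host": key[0], "process": key[1], "rule": rule, "detail": detail})

    for ev in filter(None, map(parse, lines)):
        key = (ev["host"], ev["proc"])
        if ev["action"] not in ("WRITE", "RENAME"):
            continue                                     # reads alone are not encryption
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW:         # slide the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= BURST_THRESHOLD:
            alert(key, "burst_modify", f"{len(touched)} files in {WINDOW.seconds}s")
        if ev["action"] == "RENAME":
            new_ext = extension(ev["new_path"])
            if new_ext and new_ext != extension(ev["path"]):
                renamed_to[key][new_ext].add(ev["path"])
                if len(renamed_to[key][new_ext]) >= EXT_THRESHOLD:
                    alert(key, "mass_extension_change", f"{EXT_THRESHOLD}+ files renamed to {new_ext}")
        if ev["action"] == "WRITE" and NOTE_PATTERN.search(basename(ev["path"])):
            alert(key, "ransom_note", basename(ev["path"]))
    return alerts


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(a)
```

Each alert carries the host and process so a console or SIEM can pivot on them. Keying the window on (host, process) rather than on the host alone is what keeps the backup agent and the encryptor apart; the thresholds are deliberately low for the constructed log and would be set from a baseline of normal file activity in a real deployment.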
Known ransomware threats
As we know, ransomware isn't new, and over the last few years, a number of different kinds of ransomware have been found.
This year alone has seen two major ransomware attacks, affecting businesses and state-run institutions across the world.
Most recently, Ukraine suffered major outages after a new type of ransomware shut down systems across the country including the national bank, Kiev's largest airport and other government-run services on June 27.
According to leading security experts at Bitdefender Labs, these attacks were caused by GoldenEye, a variant of Petya ransomware. It works by encrypting whole computer systems rather than individual files, meaning entire systems are taken offline.
An earlier attack saw some 47 NHS England Trusts infected with WannaCry ransomware in May 2017. WannaCry exploited a vulnerability found in Windows XP, which 90 percent of NHS Trusts were using at the time.
The vulnerability, called EternalBlue, was found by the USA's National Security Agency and leaked by a group called the Shadow Brokers earlier this year. Essentially, EternalBlue exploits a vulnerability in the SMB protocol, meaning it can worm its way through local networks and online. The worm will then encrypt your data.
One of the most notorious types of ransomware is Locky. This ransomware is brutal and almost impossible to recover from. It works by encrypting computer files, bitcoin wallets and even other PCs on shared networks.
Locky copycats include Crysis, which makes the computer inoperable, encrypting shadow copies and every file in its path.
All sorts of possibilities have popped into the minds of researchers, chief among them the idea of a large-scale ransom attack on a corporation in which attackers spend weeks or months penetrating a network in the manner of data breach attackers. Using stolen credentials, they map out not only valuable data stores (databases, code repositories, shares) but gain a detailed view of the backup routines and services. Worm-like ransomware would be used to spread the infection around a network before the detonation date.
“Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3,200 workstations are compromised; half the organisation's digital assets and the vast majority of the company's data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation,” hypothesised Talos.
“The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like.”
Such an attack could be launched for money, probably in the millions, but also conceivably for ideological reasons. In the latter case, a company might be asked to make a public statement.
It sounds far-fetched but only the most optimistic don’t think it will come to pass at some point. The history of malware works this way: what can be imagined usually happens eventually. The weaker and less protected networks will be the first to succumb but as we now know that could in theory be almost anyone.