We’ve talked a lot in the past about DDoS attacks as a common form of cyberattack but there’s also a growing threat of ransomware attacks, which now account for around a quarter of UK cyber threats[1]. At peak spamming times there are about 200,000 messages an hour carrying ransomware attachments[2].
Ransomware either blocks access to the computer or device (‘locker ransomware’) or encrypts files and data on the system (‘crypto ransomware’). But both types of malware are designed to extort money from their victims in return for a decryption key.
Companies that fail to pay up find access to their files remain blocked with a devastating effect on their ability to operate. And even those that decide they have no alternative but to pay must ask themselves whether they can trust the integrity of their data once files have been compromised in this way.
Ransomware is not a new phenomenon, first appearing in a fairly crude form as early as 1986 as the AIDS Trojan. Tactics steadily evolved over the years to become a serious threat about ten years ago.
Today, ransomware is a global threat touching all corners of the world, although certain countries tend to be affected more than others. According to the latest report[3] from security firm Symantec, the three countries most affected are the US, Japan and, in third place, the UK. The study reports the number of crypto ransomware families increased by 250% between 2013 and 2014. The authors note, “Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today.”
You may be familiar with some of the more common malware – BitLocker and Locky, which deny access to the computer or device, and CryptoLocker, CryptoWall or Reveton, crypto ransomware that prevents access to data. While typically the sum requested is $300 per computer, the going rate for Locky was three bitcoins (around £885) per infected machine in March of this year[4] and, with the huge volumes involved, this particular form of malware is big business.
In March 2014, Symantec found that Trojan.Cryptowall earned at least US$34,000 in its first month of operations. A further study by other information security researchers found that by August 2014, Cryptowall had earned more than US$1.1 million. In June 2015, data from the FBI’s Internet Crime Complaint Center (IC3) showed that between April 2014 and June 2015, it had received 992 Cryptowall-related complaints. The victims were a mix of end users and businesses, and the resulting losses from these cases amounted to more than $18m.
How it works
There are many routes for the malware to reach a computer. Spam email is a primary tactic. As users became more savvy about opening unsolicited email attachments or clicking on unknown links, hackers adapted their tactics to deliver ransomware through ‘spear phishing’ emails targeting specific individuals. And as email systems got better at filtering spam, they evolved still further, bypassing the need for individuals to click on a link altogether by seeding legitimate websites with malicious code that infects poorly protected end-user computers simply through visiting the page.
Other routes include malvertisements, social engineering, SMS messages, data breaches, exploit kits, downloaders and bot infection. Mimicking the marketing strategy of legitimate companies, some cybercriminals even offer affiliate schemes – effectively ‘Ransomware as a Service’ where the buyer is responsible for distributing the malware and the developer takes a cut.
Once the infection is present in the system the malware begins encrypting files and folders on local drives, any attached drives, backup drives and, potentially, other computers on the same network. Users and organisations will usually be unaware they have been infected until they can no longer access their data, or see computer messages informing them of the attack and requesting payment.
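The behaviour just described (one process rapidly renaming many files to a single new extension across local, attached and backup drives) is something file-activity telemetry can flag before the ransom note appears. The Python below is an added illustration, not code from the original article or from Sungard AS; the log format, the process name `x7kq.exe`, the `.crypt` extension and all paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed file-activity events: "<epoch> <process> <action> <path>[ -> <new path>]".
# Made-up telemetry; process names, paths and the .crypt extension are invented.
SAMPLE_LOG = """\
1461844800 WINWORD.EXE WRITE C:\\Users\\alice\\Documents\\report.docx
1461844803 svchost.exe WRITE C:\\Windows\\Temp\\cache.tmp
1461844810 x7kq.exe RENAME C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\report.docx.crypt
1461844811 x7kq.exe RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.crypt
1461844811 x7kq.exe RENAME C:\\Users\\alice\\Pictures\\holiday.jpg -> C:\\Users\\alice\\Pictures\\holiday.jpg.crypt
1461844812 x7kq.exe RENAME Z:\\shared\\contracts\\msa.pdf -> Z:\\shared\\contracts\\msa.pdf.crypt
1461844813 x7kq.exe RENAME E:\\backup\\2016-04\\db.bak -> E:\\backup\\2016-04\\db.bak.crypt
1461844900 explorer.exe RENAME C:\\Users\\alice\\Desktop\\draft.txt -> C:\\Users\\alice\\Desktop\\final.txt
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (WRITE|RENAME) (.+?)(?: -> (.+))?$")

def parse_events(text):
    """Parse log lines into (timestamp, process, action, path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, proc, action, path, new_path = m.groups()
            events.append((int(ts), proc, action, path, new_path))
    return events

def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_mass_rename(events, window=60, min_files=4, min_drives=2):
    """Alert on a process that, within `window` seconds, renames at least
    `min_files` distinct files to one new extension spanning `min_drives`
    drive letters (local plus attached, network or backup drives)."""
    per_proc = defaultdict(list)
    for ts, proc, action, path, new_path in events:
        if action == "RENAME" and new_path and extension(new_path) != extension(path):
            per_proc[proc].append((ts, path, extension(new_path)))
    alerts = {}
    for proc, renames in per_proc.items():
        renames.sort()
        for i, (t0, _, _) in enumerate(renames):
            by_ext = defaultdict(set)
            for ts, path, ext in renames[i:]:
                if ts - t0 <= window:
                    by_ext[ext].add(path)
            for ext, paths in by_ext.items():
                drives = {p[0].upper() for p in paths if len(p) > 1 and p[1] == ":"}
                if len(paths) >= min_files and len(drives) >= min_drives and (proc, ext) not in alerts:
                    alerts[(proc, ext)] = {"process": proc, "new_ext": ext,
                                           "files": len(paths), "drives": sorted(drives)}
    return list(alerts.values())
```

Ordinary activity such as `explorer.exe` renaming a single document keeps its extension and never reaches the threshold, while the burst from `x7kq.exe` touching the C:, E: and Z: drives is reported; tune `window`, `min_files` and `min_drives` against your own baseline before acting on alerts.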
Bitcoins were originally the favoured method of payment due to the anonymity the virtual currency affords but Sungard Availability Services has seen requests for wire transfers, online payment vouchers (such as a UKash or Paysafecard) and, recently, even Amazon and iTunes gift cards.
To pay or not to pay?
The FBI has reversed its advice issued in October last year[5] and no longer recommends paying a ransom in response to a ransomware attack. “Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom,” says FBI cyber division assistant director James Trainor. “Paying a ransom not only emboldens current cyber criminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organisation might inadvertently be funding other illicit activity associated with criminals.”
Perhaps surprisingly, in the majority of cases victims do recover their data or use of their computer. This is less down to altruism on the part of the cybercriminal and more because it makes good business sense. They recognise that without the reputation that they can be trusted to decrypt files once the ransom has been paid, no new victims would pay a ransom demand. To build ‘trust’, some ransomware (CTBLocker is one example) actually includes the option to ‘try before you buy’, allowing the user to have five randomly chosen files decrypted as proof of the attacker’s ability and willingness to do so once a ransom is paid.
Although ransomware is currently hitting the news headlines, it is only one of many ways hackers can cripple a company’s IT systems.
As April’s leak of 11.5 million files from the Panama-based offshore law firm Mossack Fonseca demonstrated, sometimes a simple hack on an email server can wreak untold damage. In what is the biggest data leak in recent history – bigger even than WikiLeaks in 2010 or the NSA files in 2013 – 2.6TB of confidential data was released relating to some of the most powerful people in the world.
The ‘Panama Papers’ data leak (as it is commonly known) revealed how the rich and famous hide their money offshore, resulting in lurid news headlines. Twelve national leaders are among 143 politicians around the world known to have exploited offshore tax havens. While there is no suggestion that those named have done anything illegal, the revelations have proved intensely embarrassing for many.
What you can do about the ransomware threat
Ransomware is the kind of threat where effective business continuity management comes into its own as organisations that regularly back up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection.
With any kind of cyberattack, cybercriminals will typically go for the easiest targets first so efforts should focus on prevention. Analysing the attacks directed at Sungard AS customers and picked up by our Intrusion Detection System, we have seen OpenSSL, Heartbleed, Magento SQL Injection and Apache Struts exploit attempts along with the Bandook Trojan infection and Webshell Backdoor code.
Here are some proactive measures all organisations should follow to guard against any form of cyberattack:
- Implement a Defence in Depth model. This is one in which you don’t place your faith in any single technique or technology but combine a number of security best practices to eliminate information security vulnerabilities. Use SIEM software to collate information from numerous sources to provide real-time analysis of security alerts generated by network hardware and applications.
- Deploy network edge security to eliminate threats at the perimeter, the best location to stop the vast majority of attacks.
- Safeguard VPN access with regular patch and anti-virus management.
- Adopt a virtual desktop environment for remote devices.
- Block users from installing unauthorised applications and ensure applications are managed centrally.
- Insist on strong password controls for users but, importantly, for System Admin too. No users should be assigned administrative access unless absolutely necessary and, for this reason, do not use the same Admin passwords on servers as for users, a common mistake. Escalation of privileges is one of the first steps to compromise a network so strictly limit access.
- Adhere to basic security doctrines such as allowing users to see only the information necessary to do their jobs.
- Disable macro scripts from office files transmitted over email.
- Implement proxy internet access, mail relays and mail scrubbing to form a barrier between an internal network and the open internet. Proxy servers intercept requests for internet pages from users within the network and perform various chores to protect the network, improving performance and enforcing company web use policies.
- Segregate networks through the use of a Demilitarised Zone (DMZ) that separates your internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the internet but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet.
- Invest in Intrusion Detection and Prevention software, both host and network-based, to monitor the network for malicious activities or policy violations and act on the findings.
- Install robust firewalls including Web Application Firewalls and monitor these to ensure they stay current and able to withstand the latest threats.
- Conduct regular vulnerability scans.
- Backup regularly and verify the integrity of those backups. Ensure they are not connected to the computers and networks they are backing up. Ideally, data should be held securely in a resilient, geographically separate location.
- Conduct penetration testing to assess the effectiveness of your defences.
- Draw up an Information Security Policy and ensure it is rigorously adhered to.
- Create an education programme for users explaining the risks posed by inadequate defences, the threats faced by organisations and their responsibility to prevent breaches.
- Develop a practical incident response plan and business continuity management plan to guide the organisation’s response in the event of a cyberattack and minimise the effects of disruption. Crisis-driven decisions worsen the impact, so prepare for a potential incident in advance and put plans to the test. Remember to think beyond technology and address the people and process aspects of your plan. For example:
  - Specify who is responsible for each step of the response, whether it’s someone in-house or a third party.
  - If your business involves e-commerce, have a ‘Plan B’ in place to keep orders flowing.
  - Plan your communication strategy – who needs to be notified and when.
[1] Eset: LiveGrid telemetry – April 2016
[2] Trustwave blog post – Rodel Mendrez
[3] Symantec: ‘The evolution of ransomware’ – 6 August 2015
[4] www.bbc.co.uk/news/technology-35773058 – 10 March 2016