In early 2016, reports regarding a particular ransomware began to surface. The attacks were witnessed in various parts of the world with most of the victims residing in the U.S. The ransomware since then continues to better itself with each version.
What is Ransomware?
Ransomware is a malware which locks data on the victim’s computer by encrypting it; subsequently, a sum of money is demanded to decrypt the data and unblock the victim’s access to the system. The payments demanded are usually in the form of a digital currency, such as bitcoin. In this manner the cybercriminal maintains anonymity.
The malware can be spread through infected software, malicious email attachments, infected external storage devices and compromised websites. It may also change the victim’s login credentials for a device in a lock screen variant attack. Earlier instances of the attack were limited to the web browser or the windows desktop. However, several versions of ransomware have been created which use strong public-key encryption to deny access to files on the computer.
How Ransomware Works?
Cybercriminals purchase a software on the web and use a software tool with specific capabilities to create ransomware. Afterwards, this malware is generated for distribution in exchange for ransoms which they get in their Bitcoin accounts. It is now possible to launch such attacks even without a strong technical background and huge efforts.
In order to extort digital currencies from their victims, attackers use several different approaches:
- Threats in the form of a pop-up message or email ransom note warning demanding the victim to pay the desired amount by a specific date, else face the destruction of the private key required to decrypt files or unlock the device
- Misleading the victim into believing that he/she might be the subject of an official inquiry for using unlicensed software or storing illegal web content on their system; henceforth, demanding an electronic fine
- Attackers also make money by encrypting files on infected devices and ironically selling a product to help the victim unlock files and prevent future malware attacks
- There might be a case where a threat will be displayed on exposing the data to the general public in its unencrypted state if the ransom is not paid on a given deadline
Cryptojacking & Ransomware
Cryptojacking, a cheaper and more profitable alternative to ransomware, is basically the mining of cryptocurrency via an unauthorised access to someone else’s system.
Either the hackers send email to the victims, making them enter a malicious link that loads crypto mining codes on the system, or infect a website or online ad through JavaScript code that automatically executes after being loaded in the victim’s browser. And the crypto mining codes run in the background unsuspected while the victim uses the system normally but might notice lags in execution and slower performance.
Hackers consider cryptojacking safer and more profitable than ransomware. Here’s a statement made by Alex Vaystikh, CTO and co-founder of SecBI, “The hacker might make the same as three ransomware payments, but crypto mining continuously generates money.” With ransomware, a hacker might get three people to pay for every 100 computers infected, he explains. With cryptojacking, all 100 of those infected machines work for the hacker to mine cryptocurrency.
More money for less risk is the reason why cryptojacking is becoming more popular with hackers. Moreover, the risk of being identified and caught is much less as compared to the threat with ransomware.
Types of Ransomwares
With a new ransomware being unleashed every week, it’s hard to keep track of such different strains. While each of these is spread via a different way, they generally use similar methods to take advantage of users and hold data hostage. Mentioned below are a few of those strains:
Bad Rabbit
On October 24, 2017, a strain of ransomware infected organisations in Russia and Eastern Europe. Bad Rabbit is spread through a fake Adobe Flash update on compromised websites. When the ransomware infects a machine, users are directed to a payment page demanding .05 bitcoin (about $285).
Cerber
One of the most active kinds of ransomware is Cerber which works even if you are not connected to the internet, so you can’t stop it by unplugging your PC.
Typically, it targets cloud-based Office 365 users where the victim receives an email with an infected Microsoft Office document attached. Once opened, the malware encrypts files with RC4 and RSA algorithms and renames them with a cerber extension or a random file extension in the latest versions.
Crysis
Ransomware is a particularly nasty form of malware which executes on a vulnerable PC, encrypts files and locks users out of their system. It can encrypt files on fixed, removable, and network drives through strong encryption algorithms and a scheme that makes it difficult to crack easily.
CryptoLocker
The first case of a widely spread attack which used public-key encryption was Cryptolocker, a Trojan horse active on the internet from September 2013 through May of the following year. The ransom was demanded in either Bitcoin or a prepaid voucher. A security firm gained access to the command-and-control server used in the attack and gained access to encryption keys used in the attack.
Although the original CryptoLocker botnet was shut down in May 2014, but that happened after the hackers behind it extorted nearly $3 million from victims.
CryptoWall
CryptoWall gained opprobrium after the downfall of CryptoLocker. It is an improved version of the CryptoDefense ransomware. It first appeared in early 2014, and then appeared with a variety of names, including: CryptoBit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits as well.
CTB-Locker
CTB-Locker is a ransomware variant that encrypts files on a victim’s hard disk. It is noteworthy for its high infection rates, use of Elliptic Curve Cryptography, bitcoins, and its multilingual capabilities. The criminals behind CTB-Locker take a different approach to malware distribution. These hackers outsource the infection process to partners in exchange for a cut of the profits.
GoldenEye
On 27th June 2017, GoldenEye similar to prolific Petya ransomware targeted human resources departments through a massive campaign. It launches a macro which encrypts files on the computer to which GoldenEye adds a random 8-character extension at the end and modifies the user’s hard drive MBR (Master Boot Record) with a custom bootloader.
Jigsaw
Created in 2016, Jigsaw is a form of encrypting ransomware malware which was initially titled “BitcoinBlackmailer“. Jigsaw encrypts and progressively deletes files for a 72-hour mark until a ransom is paid.
KeRanger
The first ever fully functioning ransomware trojan horse targeting computers running MacOS was discovered on March 4, 2017, by Palo Alto Networks. It is remotely executed on the victim’s computer from a flaw in Transmission, a popular BitTorrent client.
Wannacry
12th of May 2017 witnessed the biggest ever cyber attack in the Internet history. A ransomware named WannaCry stormed through the network. It targeted computers running Windows OS that are not up-to-date and brought computer systems from Russia to China and the US to their knees.
It infected and encrypted more than 25% of the systems globally. The malware had used asymmetric encryption so that the victim cannot quickly recover the key required to decrypt the ransomed file.
In the case of WannaCry, the hackers couldn’t be identified, but since the transactions were visible, the overall payments could be tallied. During the week in which WannaCry was most viral $100,000 in Bitcoin were transferred. However, this proved to be unfruitful as there is no account of data being decrypted after the payment. The National Health Service in the U.K. was affected severely and was forced to effectively take services offline during the attack.
In accordance to Symantec 2017 Internet Security Threat Report, the amount of ransom demanded rose three times from the previous two years in 2016, with the average demand adding to $1,077.
A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom didn’t get their files back. A study by IBM found: 70% of executives they surveyed said they paid a ransomware demand; on the other hand, Osterman Research found that a mere 3% of US-based companies had paid.
Recently hackers broke into servers at the PGA of America. The hackers left a message warning the PGA staff to not attempt to break the encryption. “This may lead to the impossibility of recovery of certain files,” the warning read, according to Golfweek. “No decryption software is available in public.” PGA (Professional Golfer’s Association) of America didn’t immediately respond to a request for comment, but a spokesman told the BBC that the PGA Championship wouldn’t be affected.
Sophos, a leading security outfit recently released a paper detailing the analytics of the ransomware. Sophisticated research tools led to the firm uncovering details of the attack. The paper includes IOC (Indicators of Compromise), the scope of the attack and inferences about the creator of the ransomware. The paper is named ”SamSam: The (Almost) Six Million Dollar Ransomware” and was created in collaboration with blockchain analysis firm Neutrino.
SamSam
SamSam is poles apart from its counterpart due to its infection vector. Unlike other malware which spread a malicious code spread through an email, the creator of the malware explicitly targets their victims. An attempt is made to access a computer which is within the target’s network remotely. Once the access is established, the rest of the computers are targeted on the network.
The entire attack is carried out in six steps-
- Identification of the Victim
The victims are identified first, but it is not known how the hackers decide on their victim. The security firm reported: “They could be purchasing lists of vulnerable servers from other hackers on the dark web, or simply using publicly available search engines such as Shodan or Censys. What is clear is that they tend to target medium to large organisations, predominantly based in the United States.”
- Infiltration of the Network
After the target has been acquired the attackers attempt to infiltrate the network. In the initial versions of SamSam malware, the loopholes in JBOSS (a Java application server) were exploited to launch the malware off the system.
As the ransomware upgraded, the Remote Desk Protocol was used by the attackers. With RDP, administrators can gain remote access to a network to ensure proper functioning; however, the attackers used it instead. With the tool NLBrute, the attacker brute forces the password to the network.
- Elevating Permissions
The attacker continues to attempt to elevate their permissions to the level of an admin account, which would allow the launch of SamSam. The process can continue for a few days. The perpetrator also gains access to the login credentials of the genuine administrator with the help of Mimikatz.
- Identification of Vulnerable Computers in the Network
Hackers establish control over the network using the stolen credentials. SamSam is spread by the creators manually, and the malware is deployed while posing as genuine administrators. By using network scanning tools, the vulnerable computers in the network are infected.
Sophos believes this vector is used as it affords certain advantages to the attack, “As a manual attack, it poses no risk of spreading out of control, attracting unwanted attention. It also allows the attacker to cherry pick targets, and to know which computers have been encrypted. But first, it has to choose the targets.“
- Launching the Malicious Code
The hackers manually launch SamSam using system application tools, and the malware infects the targeted computers.
- Demanding Ransom
Once the malware has been infected the attackers merely wait for the ransom amount.
An important point to note is that SamSam encrypts all files on its target. SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications (e.g., Microsoft Office). Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it, first.
What makes SamSam unique?
The hackers have incorporated tools which make detention and tracking extremely difficult. When an attack is carried out, the attackers include a file which deleted all the actions of the code. This tool removes all the traces of an attempted attack. This makes it very difficult for the network administrators to detect the attack. Since SamSam is spread manually by the attacker, it is very difficult to cease the attack once it has started.
The attacker launches the attack when the target is not using the network. The hacker keeps up the offence for 16 hours and stops for the next eight. The active version of SamSam is the third iteration of the software.
“What is clear is that they have remained anonymous for over two and a half years and continue to show signs of their attacks becoming more sophisticated,” Sophos stated in its report.
The Ransomware and Crypto Connection
Once the files are encrypted, the victim can view a ransom note that includes the address to the webpage hosted on the dark web. The ransoms taken earlier were 0.8 BTC per infected computer and 7 BTC for complete decryption. The sum was needed to be cleared in seven days, or the hacker would demand an additional 0.5 BTC. A unique payment system for each victim is created, and the process of decryption is smoothened when the ransom is paid.
Sophos along with Neutrino identified 157 addresses, that accrued SamSam ransoms. There were also 89 addresses which did not receive payments. Sophos and Neutrino have claimed the acquired ransoms to be $5.9 million. Additionally, that attackers made around $300,000 a month from victims.
The largest amount paid by one victim is $64,000. The researchers also found that hackers are now moving to privacy-centric altcoin Monero. Hackers have also used Bitcoin tumbling and mixing services such as Helix and Bitmixer.
How to not become a Victim of Ransomware ?
It is surprisingly effortless to prevent a ransomware attack. Although, ransomware can be very scary, but if you have properly prepared your system, it is really nothing more than a nuisance. Here are a few tips that will help you prevent ransomware from attacking your system:
- Choosing a strong Password
When choosing a password, choose one which provides significant protection at the point of the entry. Brute forcing fails if the password is difficult. For example. It has been observed that commonly used passwords are birthdays or names of family members. An ideal password would be long and would have both upper cases and lower cases. Use numbers and punctuations to further strengthen your password. For instance Weberlogin@1500#success.
- Utilising Principle of Least Privilege (POLP)
According to Sophos, organisations should utilise the Principle of Least Privilege (POLP). It gives the system users the least access they need to perform their job. This drastically reduces the chances of attackers gaining access from masqueraded admin accounts.
For example, An HR staff may need read and write access to the enterprise payroll database, but an employee would not. On the other hand, an employee would not require an access to the client database. At the same time, an employee in the sales department would need access to the client database but would be denied access to the payroll database.
Since the Snowden leaks, the NSA has employed the principle of least privilege to revoke higher-level powers from 90% of its employees.
- Patch or Update your software
Malware authors frequently rely on people who run outdated software with known vulnerabilities, which are easy to exploit and get onto a system silently. Updating your software often can significantly decrease the potential for ransomware. Furthermore, enabling automatic updates would be of great help as well.
- Monitoring Networks in Real Time
It is of extreme importance for organisations to monitor their networks in real time and to stop any unusual activity. The organisations should also conduct drills periodically.
For example. Flowmon empowers government organizations with enhanced security of sensitive data and systems against advanced cyber threats that bypass traditional solutions.
Ministries, municipalities, computer incident response teams, the army and police rely on Flowmon when dealing with advanced threats, botnets, DDoS, data leakage and other modern risks.
- Backing up the Entire System
The security firm also recommended that a complete backup of the entire system be stored offline. This ensures a faster and adequate restoration system.
Having a formal backup process is necessary along with passing exams such as SOC 1, SOC 2, HIPAA, HITRUST, and FedRAMP. The requirements will be varied in accordance with the protocols being used.
While it’s important to be informed and understand how important it is to protect from ransomware attacks, there are several instances of ransomware destroying systems and also cases when the hacker was left disappointed due to efficient security system’s counter measures. With organisations deploying smarter systems the hackers are also getting craftier. Will it be possible to stop such attacks or will there be a simultaneous progress. Time will be the best judge.
