Ransomware is a category of malware which consistently grows and develops its ability to identify vulnerabilities and loopholes in technology. Everything that is connected provides a bigger landscape for ransomware threats. The perpetrators behind ransomware attacksperpetrators behind ransomware attacks have done significant damage to critical infrastructures and collected billions of dollars from their victims worldwide, and that is still going on todaycollected billions of dollars from their victims worldwide, and that is still going on today.
In this article, we are going to discuss the category of ransomware, ransomware traits, current potential threats and strategies to prevent and protect against ransomware attacks.
Ransomware is popularly described as a type of attack where the perpetrators hold the victims’ data and resources hostage until a ransom is paid. Ransomware is also a type of malware which spreads to the victims’ system, causing the system to become inaccessible by encrypting and locking the system’s screen or the files. Usually, it involves an unbreakable encryption, making it impossible to be decryptedan unbreakable encryption, making it impossible to be decrypted.
How Does Ransomware Work?
Generally, ransomware identifies the drives on an infected system or computer and begins to encrypt the files within each drive. It adds an extension to the encrypted files, such as .crypt, .cryptolocker, .petya, .vault, to show that the files have been encrypted. Usually the extension is unique to the ransomware variant. After the encryption is completed, the attacker will create and display a file consisting of the information on how to pay the ransom. After the ransom has been paid, the attacker would provide a cryptographic key that can be used to decrypt the encrypted files.
How Is Ransomware Delivered?
Ransomware is usually delivered through phishing emails which contain malicious attachments or via drive-by downloads. The attacker designs an email that looks like a legitimate email, pretending to be sent from credible sources such as organizations, departments, and attaching a malicious file in the email. The recipients of the email who trust the email will open the attachment and unknowingly install the ransomware, which then infects their systems and causes their files to be held by the attacker.
Other than phishing emails, an attacker may use a drive-by download, which is a program hidden beneath the surface that is automatically downloaded by the victim when they click on malicious links. Usually, these links are hidden in a malicious advertisement displayed on a compromised website, or sent through a phishing email. Such ransomware attacks can be deployed via exploit kits or Ransomware-as-a-Service (RaaS).
On an unprotected system, it is possible that the malware will be run and the malicious payload will be executed, without user interaction. After the execution, the system or computer becomes infected with ransomware. The most famous and destructive exploit kit to date is the WannaCry (WannaCrypt) ransomwareWannaCry (WannaCrypt) ransomware.
Categories of Ransomware
The most popular types of ransomware can be categorized as Locker Ransomware and Encrypting Ransomware. There are some additional categories such as Ransomware-as-a-Service (RaaS) and Automated Active Adversary.
As the name implies, Locker Ransomware is a category of ransomware that overtakes or locks the targeted data and resources out of the operating system, preventing access to files, applications, and other desktop resources. Most of the time, the infected system is left with limited resources to communicate with the attackers.
This type of ransomware combines innovative encryption algorithms to encrypt and delete the data and resources (files or folders) in the affected machine. Traditional encrypting ransomware encrypts the entire directory. Under this category, there is also Cryptoworm, a standalone ransomware that replicates itself to other computers for maximum reach and impact.
RaaS is a type of ransomware sold on the darkweb as a kit for attackers to easily leverage on. RaaS packages make it possible for inexperienced or unskilled people to launch ransomware attacks with relative ease. Typically, RaaS is deployed via malicious spam emails or phishing emails and exploit kits as a drive-by download.
Automated Active Adversary
This type of ransomware is deployed using the tools to automatically scan the internet for IT systems with weak protection. When such systems are found, the ransomware attackers start planning the attack to do maximum damage. Systems with weak protection are those that are openly exposed to the Internet, such as Remote Desktop Protocol. These systems will become an entry point to perform a password brute-force attack.
Ransomware creators constantly release new variants of ransomware. The new variants have no resemblance to the earlier samples which becomes the reason why endpoint protection tools that rely on static analysis will not be able to detect these new variants. Ransomware creators apply runtime packers to the ransomware program, as seen in other types of malware, in order to conceal its purpose and avoid detection until its core task is completed.
In most cases, this situation makes it harder for endpoint protection tools to determine the intention of the executed program and also difficult for human analysts to reverse-engineer. However, there are behavioral traits that ransomware routinely exhibits. These traits can be used to decide whether the program is malicious or not by the help of security software.
Attackers perform this action to minimize the possibility of being detected by endpoint protection software. This action is carried out by signing their ransomware with an Authenticode certificate which can be bought. After the ransomware is properly code-signed, the anti-malware defenses (such as endpoint protection software and antivirus) might classify the ransomware as trusted software. Instead of analyzing the software with antivirus, the system runs the ransomware.
Privilege escalation and lateral movement
Exploits are used within ransomware to elevate privileges, even when the infected system is logged in with standard limited privileges and permissions. The damage can then be more severe with the stolen administrator credentials.
Ransomware may try to encrypt as many documents as possible, sometimes even risking crippling the infected endpoints in order to ensure the victims pay the ransom money. Network environment usually consists of endpoints (PCs, laptops) that are connected to a server. Business-related data and other files are stored on one or more file servers, which are accessible through the endpoints. These endpoints are able to access the file servers because they have several drive mappings to different file servers. These mapped network drives ensure the endpoints are connected to the file servers which enable them to access the data. Ransomware causes an immediate impact and damage when it encrypts these mapped network drives first, causing most employees who use the endpoints to lose their access to the server, no matter where they are located.
Some ransomware are specifically designed to make efficient use of computers with one or more multi-core CPUs with Simultaneous Multithreading (SMT) or Hyper-Threading (HT). This ransomware performs individual tasks in parallel to ensure faster and more harmful impact before the victims realize they are being attacked.
Ransomware encrypts documents by overwriting (in-place) and copying. Overwriting means that encrypted documents are stored on the same disk sector as original documents. It is performed by reading the original document, writing the encrypted version over the original document and renaming the document (overwrite). Copying means that encrypted documents are stored on free available disk sectors. It is performed by reading the original document, writing the encrypted copy (with different file names and extensions) and deleting the original document.
Typically, ransomware renames the targeted documents at the time of encryption. This is performed to make the harm more visible, prevent the user from recovering their files from earlier versions, and prevent other ransomware from encrypting the documents.
Attackers may replace the desktop wallpaper with a clear message to alert the victim that their system has been infected by ransomware.
Causes of Successful Ransomware Attacks
Under most circumstances, ransomware attacks that hit the targets were caused by an insider threat or human negligence. Malicious insiders may hire an external hacker to help bring down the organization through well-composed phishing emails and other types of attacks. In some cases, successful attacks were also carried out by using the malicious insiders’ credentials. Successful ransomware attacks have also been completed because of the lack of timely system patching and proper security policy management, leaving vulnerabilities open for exploitation. Those are also the reasons behind the successful WannaCry attack.
Other causes of a successful ransomware attacks are as follows:
- Lack of security awareness training for staff
- Lack of support from top management
- Staff negligence without disciplinary action
- Using illegal software and applications
- Inadequate security infrastructure
- Lack of information security policies and procedures to ensure that security controls have been adequately implemented.
Ransomware Management Strategy: Preventive Measures
Ransomware attack risks can be managed through some techniques classified as preventive, protective, and detective.
Conduct security awareness training and build awareness as a part of the organization’s culture
End users are usually the most targeted attack vector when it comes to ransomware attacks, because they are considered the weakest link. It is recommended that the staff are trained to deal with certain types of attacks such as phishing, social engineering, espionage, malicious advertising and Advanced Persistent Threats (APT).
Perform data backup
Performing backup helps to minimize the damage caused by ransomware. It is important to perform regular backups and verify the integrity of the backed up files.
Apply system updates, patches and upgrades
This particular measure is applicable for:
- All operating systems
- Firmware and third-party software
- All applications that are exposed to internet
Ensure that all patches and updates are official.
Use robust anti-malware and antivirus solutions
Use the enterprise versions of anti-malwareanti-malware and anti-virus solutions that can be managed centrally and enforced to all endpoints.
Set up IT Security team
The IT Security team will be responsible for:
- Establishing information security policies and procedures
- Enforcing the implementation of the policies and procedures
- Review any noncompliance and exceptions
- Implement security tools, solutions, and perform monitoring
- Detect and provide response to information security events
- Perform system hardening
- Manage information security related risks
Disable unnecessary functions, features, and services
Unsecured or idle features that are not used can be exploited by hackers as a point of entry. Therefore, it is recommended to disable all unnecessary functions, features and services.
Decentralize resources and isolate network components
Segregate critical files and resources (network and devices) by implementing logical or physical separation based on the departments or units within an organization. This is to minimize the impact of the ransomware and contain the spreading.
Avoid using freeware
Visit only trusted websites by configuring the security zone and avoid downloading free software available publicly on the internet.
Have your IT Security capabilities assessed and audited by independent parties
To better understand an organization’s security capabilities and maturity level, it is recommended to seek advice from independent partiesrecommended to seek advice from independent parties. The assessments include Penetration TestingPenetration Testing, Vulnerability Assessment, Cybersecurity AssessmentCybersecurity Assessment, and IT Security Audit. Most of the vulnerabilities that are overlooked by an organization can be identified through these assessments. The organization can also receive assistance to remediate the vulnerabilities through security initiatives.
Ransomware Management Strategy: Protective Measures
Implement Endpoint Security (EPS)
EPS is intended to reduce the possibility of being exposed to untrusted sources. Some EPS solutions include ransomware behaviour monitoring, email and gateway protection, and web server protection.
Filter and monitor incoming emails
Implement tools to ensure that links and attachments received after being filtered are not malicious.
Implement program whitelisting
Program whitelisting helps organizations to restrict unauthorized and unknown programs from being executed. It is beneficial to organizations to prevent ransomware from launching itself on the systems.
Ransomware Management Strategy: Detective Measures
Implement firewalls, IDS / IPS
Implementing firewalls, IDS and IPS increases the chances of detecting and stopping ransomware from establishing a connection with the server.
Implement logging and monitoring
This can be performed by using a User Behavior Analytics tool to track suspicious behavior in the organization. Implementing Security Information and Event Management (SIEM) may also reduce the privilege escalation possibility after receiving an alert indicating a user non-compliant with security protocols.
Other than SIEM, it is recommended to deploy heuristic detection solutions that have the ability to learn and adapt to any situation. These solutions are also helpful for detecting ransomware.
A honeypot is a computer or part of the system used as a decoy to trick attackers because it is made similar to a certain target. Honeypots are not specifically implemented to detect ransomware only. It is actually a line of defense that gives a system administrator a signal that a potential attack could happen.
Responding to Ransomware Attacks
Ransomware attacks are a part of security incidents, hence responding to this attack requires an established Incident Response Plan or Incident Response Management capability. The following are some actions that can be taken in the wake of a ransomware attacksome actions that can be taken in the wake of a ransomware attack:
- Impose human firewall by getting the best Incident Response Team to stop the ransomware at the early stage. This can also be achieved by providing specific training for the team.
- Establish an Incident Response Plan and Incident Response Team.
II. Detection and Analysis
- Analyze the situation through a tabletop exercise.
- Report suspicious behaviour.
- Use a sandbox that allows users to execute the suspected ransomware in a virtual system and analyze the behaviour of the ransomware.
- Reset authentication methods (passwords, entry codes and authentication keys.
- Sign out from all user accounts with administrative privileges.
- Isolate the infected systems and control the spread. Immediately disconnect these infected machines from the network.
- Block untrusted domains from the firewall.
- Report incidents to the regulatory body. The time required for reporting the incidents depends on applicable laws in each country. Failure to report before the deadline may cause the organization to incur severe penalties.
- Do not consider ransom payment as a first option. Find out if there are any ransomware decryption tools provided by select security agencies.
- Check the last backups. Confirm if they are valid and successfully completed.
- Wipe the system and install the new OS.
VI. Follow Up / Post-incident
- Conduct a post-incident meeting to prevent the same attack from happening again.
- Update the material and document case in security awareness training materials.
- Send out a leadership message to all employees about learnings from the attack.