What is Ransomware & How to Be Prepared
IT has taken hold at the center of our lives and has spread like wildfire over the years. Software is getting more and more practical, but also more complex. We mention the complexity of our everyday solutions in order to put a bigger emphasis on Security.
The reasoning is simple: the more components a device has, the bigger its attack surface.
Imagine a Castle with 1 focused Gate, in contrast to a Castle with 10 Gates spread all around and multiple other hidden entrances. Yes, the latter might look grander and be more practical, but you give the people who would like to break in many more ways of doing just that.
Software is no different: the grander it is, and the more components and technologies it harbors, the more vulnerable it might be. Hackers take advantage of this and break into what should be highly secured establishments.
On the other hand, there is software specifically built for malicious purposes from the ground up.
One such type of software is Ransomware.
In this article we will discuss how Ransomware, software made specifically to hijack computers, uses well-known vulnerabilities to spread throughout our systems.
WHAT IS RANSOMWARE?
Ransomware is a type of malicious software deliberately made to infect, encrypt and in turn effectively hijack our computers. The reason it is called Ransom-ware is because the perpetrators shortly afterwards ask for a ransom in order to release whatever they have encrypted.
The official statement for Ransomware is:
“A type of malicious software designed to block access to a computer system until a sum of money is paid.”
The way it works is as follows:
- A user gets infected
- The computer gets encrypted & locked up
- The only thing on the screen is an address where you should send money
Basically, the user can’t retrieve anything from their computer since it’s behind an encrypted wall of sorts.
They are faced with 3 possible solutions:
- Pay the requested Sum
- Accept the risk & format your computer
- Try to find a way to remove it
For all intents and purposes it’s a hostage situation for your data.
HOW DO WE GET INFECTED WITH RANSOMWARE?
There are many vectors through which attackers try to get you to download or install their malicious software, but some are more prevalent than others.
Sending malicious software as an E-Mail attachment is a proven way to get someone infected. Most people have not had even the most general security awareness training that would help them avoid such traps.
After the user downloads the attachment, which is not what they thought it was, they get infected.
Now this is the part where we will talk about preexisting vulnerabilities in our infrastructure.
There are usually two types of Ransomware:
Focused Ransomware is simply that: it is focused on the target it has infected and stays with it throughout the entire duration of the process.
Infective Ransomware, on the other hand, is a bit more intelligent. It has built-in ways to sniff out vulnerabilities throughout your network, which it can use to deliver itself to other systems as well, effectively spreading itself and infecting more and more systems.
This in turn does a lot more damage than Focused Ransomware.
The reason for mentioning this is the following:
“The attack continues even after you’ve already been compromised.”
Let’s look at most delivery methods:
As previously mentioned, E-Mail is one of the best ways to transmit Ransomware due to its efficiency with the general public.
Websites & Exploit Kits
When users visit malicious websites, either by their own choice or by redirection, they are in danger of coming into contact with exploit kits. These kits are specifically crafted to scan for and locate vulnerabilities on whoever is visiting them and to silently install malicious software, which in this case could very well be Ransomware.
If you have public-facing servers, you are exposed, and if most of your equipment is not regularly updated, you could be in danger from outdated services running on your servers. By exploiting these services, attackers can easily install Ransomware on your instances.
HOW DOES RANSOMWARE WORK?
As previously mentioned, the main thing it does is encrypt the instance it infects, making everything irrecoverable unless you have the attacker's key to decrypt your files.
To go more in depth, we should mention the field of Cryptovirology as well. Basically, it is a field that studies how Cryptography can be used to design increasingly powerful malicious software.
Attackers use this field to develop malicious software that works with two keys, a public one and a private one.
The encrypted files can be decrypted only with the key that the attacker possesses. This is what you pay for.
Once you obtain this key, you are free to decrypt your system and retrieve your files. Strong algorithms such as AES-256 + RSA-2048 are usually used, making it impossible for the everyday user to decrypt the files without the key.
To best explain how the process goes, we will tell a fictional story about a company that gets infected with one of the more dangerous Ransomware attacks around: WannaCry.
Companies around the world report that their servers are being attacked left and right, and most of them have been successfully infected and encrypted. Attackers are demanding huge payments in order to release them. One System Administrator notices that all of these infiltrations have occurred on Windows-based servers.
After careful Network Analysis, they find that the Ransomware is not Focused, but rather an Infective type which spreads through an exploit. This exploit is labeled as MS17-010, more commonly known as EternalBlue.
What we are seeing here is malicious software, Ransomware in this case, being spread throughout the network by means of a very big vulnerability that affects Microsoft machines. Because it attacked largely old or unpatched systems, companies got into real trouble.
The aftermath was a blank screen with a field for sending blockchain-based cryptocurrency to the attackers in order to set your data free.
Moral of the story? Patch your systems. Most of the affected machines were either old, out-of-service Windows 2003 Servers or later Windows 2008 Servers which were not regularly updated. This allowed the Ransomware to move freely and infect all of these servers with little effort.
After being compromised, the companies started looking for ways to break away from this infection. The ones that got off easiest were those who had everything backed up, others not so much.
Which brings us to the following point.
HOW TO AVOID RANSOMWARE INFECTIONS?
Good Security practices come to mind first. Having everything under control beforehand makes it easier to battle such threats.
Let’s see how our hypothetical companies could have avoided this mess.
Their infrastructure was riddled with archaic, out-of-service software such as Windows 2003. This is a big issue and a prevalent one in infrastructures. It is usually associated with a lack of funds to migrate or of resources to contribute, or, most commonly, it is simply ignored until something serious like this happens.
Proper security software such as IDS/IPS (Intrusion Detection & Intrusion Prevention Systems), if configured well, would probably have caught signatures across the network indicating that something was amiss. Even if infections started to occur, catching them early on could prove crucial in avoiding bigger losses.
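One signal such a system can use to catch an Infective strain early is a single host suddenly contacting many internal peers over SMB. The following is an added example, not code from the original article; the flow-record format, the TCP 445 filter, the 60-second window and the threshold of 5 peers are assumptions chosen for illustration, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                  # assumption: MS17-010 is an SMB flaw, so watch TCP 445
WINDOW = timedelta(seconds=60)  # assumption: sliding window length
THRESHOLD = 5                   # assumption: distinct SMB peers per window that is abnormal

# Constructed sample flow records: "timestamp source destination dest_port"
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.0.0.9 10.0.0.20 445
2024-01-01T09:00:01 10.0.0.5 10.0.0.21 445
2024-01-01T09:00:02 10.0.0.5 10.0.0.22 445
2024-01-01T09:00:03 10.0.0.5 10.0.0.23 445
2024-01-01T09:00:03 10.0.0.9 10.0.0.20 445
2024-01-01T09:00:04 10.0.0.5 10.0.0.24 445
2024-01-01T09:00:05 10.0.0.5 198.51.100.7 443
2024-01-01T09:00:06 10.0.0.5 10.0.0.25 445
2024-01-01T09:02:00 10.0.0.7 10.0.0.21 445
2024-01-01T09:05:00 10.0.0.7 10.0.0.22 445
2024-01-01T09:08:00 10.0.0.7 10.0.0.23 445
2024-01-01T09:11:00 10.0.0.7 10.0.0.24 445
2024-01-01T09:14:00 10.0.0.7 10.0.0.25 445
truncated record
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_smb_fanout(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {source: time of first alert} for hosts that reach `threshold`
    distinct SMB destinations inside one sliding window."""
    recent = defaultdict(list)          # source -> [(time, destination)] still in window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        if port != SMB_PORT:
            continue
        events = recent[src]
        events.append((ts, dst))
        while ts - events[0][0] > window:   # expire records older than the window
            events.pop(0)
        if src not in alerts and len({d for _, d in events}) >= threshold:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for host, when in find_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{when.isoformat()} ALERT {host} reached {THRESHOLD} SMB peers in one window")
```

In the sample, 10.0.0.5 is flagged, while 10.0.0.9 (repeated traffic to one file server) and 10.0.0.7 (five peers spread over twelve minutes) are not.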
In the ultimate event of full infection and no way out, backups come in handy.
By restoring everything to the way it was before, companies avoid paying huge sums to criminals in order to get sensitive information back. Usually monthly backups are employed. Losing a month's worth of data is better than going under completely.
By using quality Anti Virus & Firewall Software you make sure that at least the most common malicious software gets blocked. Ransomware is usually spread like a shotgun blast: common attacks launched for quantity, not quality. This means that there is a good chance that its signature has been caught somewhere before, and thus the AV Database will recognize and stop it quickly.
The first line of Security should be people themselves. If they are trained at least in General Security, these kinds of things can be avoided. For example, phishing relies heavily on the human factor: someone believing the attacker and giving out personal information or downloading a harmless-looking but dangerous attachment.
By employing layered security concepts instead of individual protection, enterprises benefit greatly in all cases and Ransomware is no exception.
WHO COULD BE ATTACKING YOU WITH RANSOMWARE AND HOW DO THEY DO IT?
There are different types of attackers, each with their own game plan and techniques.
Usually, attackers want access to confidential data, control of servers or various types of intellectual property and they are associated with three types of people:
Black Hat Hackers
These types of attackers are set on doing only malicious attacks and mostly for their own gain, usually financial.
Gray Hat Hackers
Gray Hat Hackers operate in the, well, Gray area of things. They switch between attacking targets without their knowledge and consciously reporting their findings.
White Hat Hackers
White Hat Hackers are also called Ethical Hackers or Penetration Testers. They are hired to hack into a company solely in order to disclose their findings.
Another key point in this story is Threat Actors. This term refers only to Black Hat Hackers.
Threat Actors can be:
- Script Kiddies
- Vulnerability Brokers
- State Sponsored Hackers
Let’s go through them for a bit:
- Script Kiddies are usually people without heavy technical knowledge, using other people's tools to do damage that they don't really understand.
- Vulnerability Brokers are people that buy & sell vulnerabilities to the highest bidder.
- Hacktivists usually have some political agenda backing their attacks.
- Cybercriminals are usually there only for the money; their attacks are most of the time financially motivated.
- State Sponsored Hackers are people that are hired and financed by a foreign state in order to attack complex targets, such as governments.
Since Ransomware is primarily financially motivated, usually only Black Hat / Gray Hat Hackers will be attacking, either to fully compromise and deal damage or just to prove that they can.
Unless of course, a very specific agenda is at hand, then it could be anyone from the previously mentioned.
Now, let’s explain what a Black Hat Hacker that wants to infect a company would do in order to spread Ransomware throughout the Network.
The scenario considered here is an attack on a public-facing, outdated server.
In order to gain access the attacker will have to go through multiple phases of attacks.
The Reconnaissance Phase:
Here the attacker basically probes the target Infrastructure in order to find out if there are any loose ends to exploit.
If they were attacking your company, they would usually do the following:
First it would be important to find out which IP Block the company has reserved, in order to find all servers associated with it. This would involve resolving domains such as www.target-company.com to an IP address and afterwards searching public registrars for any indication of a Network Block Reservation.
This will give the attacker a comprehensive surface to probe.
Let’s assume that your company owns a certain Network Block. The attacker would want to know what services are running at those locations.
Port Scanning is a great way to find out if any services are disclosing any type of information such as software version etc.
If they find something and that service just happens to be outdated with public exploits known, they can start the exploitation phase by modifying public code to fit their own needs.
But if they want to be more thorough, they can do a full Vulnerability Scan on that port through Vulnerability Scanners like Nessus, Qualys, Burp Pro, OpenVAS, etc.
Once the vulnerability has been confirmed multiple times, it is time to exploit the server. As previously mentioned, they would download public code from a Vulnerability Database.
Once they have successfully modified the code to fit their needs and have exploited one of these services, they will have access to your entire infrastructure.
Now they can do two things, either infect this current host with Ransomware and risk the IT Staff finding out sooner than expected, or try to spread throughout the network even further and only afterwards implement Ransomware on multiple hosts, doing maximum damage.
This does not cause only financial problems; in some companies, compliance issues and even legal ramifications could follow.
Security Management is what matters in such environments, but an infection like this breaks through it and proves that it was inadequate to begin with.
In order to successfully advocate the implementation of Security Management in a company, everyone has to be familiar with the reasoning behind it.
To explain this in detail, there are three concepts that most will be familiar with:
- Confidentiality
- Integrity
- Availability
Or the CIA Triad.
Let’s see how your company can benefit from this.
Let’s start with Confidentiality.
Confidentiality simply means that any private information that the company holds, should stay, well, private. It should not be divulged to third parties on purpose and valid security measures should be in place to prevent it from leaking involuntarily.
If your company has been successfully infected with Ransomware, it has not properly secured its data, which means it did not have proper security measures in place.
On to the next one, Availability.
If you take down your public servers so as not to cause any more damage while you try to mitigate the Security concern, you are no longer upholding Availability for your clients.
Often, companies profess things like:
This gives the clients a false sense that they will have constant availability from this company. When an attack like this happens and the right tools or measures are not in place to mitigate the damage, the clients are basically being lied to.
This can often provoke legal actions as well.
And finally, Integrity.
Once Ransomware, or any other malicious software for that matter, has infected a system, the IT Staff can no longer confirm the validity of the information that was held there. Basically, nobody can say that they are 100% sure that the data was not tampered with.
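A hash manifest recorded before an incident and kept off the host lets staff state exactly which files changed instead of guessing. The following is an added example, not code from the original article; the function names, the 7.5 bits-per-byte entropy limit and the sample file tree are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):   # hash in chunks
            digest.update(chunk)
    return digest.hexdigest()

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Map every file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, manifest, entropy_limit=7.5):
    """Compare a tree with a trusted manifest that was stored off the host."""
    current = build_manifest(root)
    report = {
        "missing": sorted(set(manifest) - set(current)),
        "new": sorted(set(current) - set(manifest)),
        "changed": sorted(p for p in current
                          if p in manifest and current[p] != manifest[p]),
    }
    # Assumption: high entropy hints at encryption (compressed files score high too).
    report["likely_encrypted"] = [
        p for p in sorted(report["new"] + report["changed"])
        if entropy(Path(root, p).read_bytes()[:65536]) > entropy_limit]
    return report

def demo():
    """Constructed sample tree: one normal edit, one overwrite with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in [("a.txt", b"invoice 1\n"), ("b.txt", b"invoice 2\n"),
                           ("c.txt", b"notes\n")]:
            (root / name).write_bytes(body)
        baseline = build_manifest(root)
        (root / "a.txt").write_bytes(b"invoice 1 (corrected)\n")
        (root / "b.txt").write_bytes(os.urandom(4096))   # stands in for an encrypted file
        (root / "c.txt").unlink()
        return verify(root, baseline)
```

The manifest is only trustworthy if it is stored where the infected host cannot rewrite it, for example alongside the backups.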
Now that we have established these concepts, it is easier to see why Security Management that was not fully capable of protecting the company from such a compromise should be taken into account.
SHOULD YOU PAY WHEN ATTACKED WITH RANSOMWARE?
In the end, this big debate comes down to finances.
Should you pay and get your files back or just simply accept your loss?
Before making a decision, there are a few things that need to be considered. First of all, you cannot be sure that the attackers will actually give you the key even after you have paid.
Running a successful Ransomware operation requires a well-secured, private infrastructure in the background.
Getting everything automated usually takes considerable sophistication. Generally, only a small percentage of highly organized attackers have this; most of them just try to make quick cash by getting you to send money and then disappearing.
This is simply because they do not possess the right equipment to give you a key and keep their privacy intact at the same time.
The best course of action would be the following:
- Try an already existing solution such as Avast Decryption Tools
- Get a Forensics & Incident Response Team if you can afford it, depending on the situation.
- Accept your partial loss and restore from backup what you can.
- Accept the fact that you didn’t have enough security measures in place and take the risk of starting over.
Usually the choice comes down to something as disheartening as this because, most of the time, the people or companies facing it do not possess the resources needed to battle such encryption.
There is also the argument against paying out: it makes attackers pursue this kind of attack vector even more in the future, and it only encourages them.
DECRYPTION TOOLS FOR RANSOMWARE
Some Anti-Virus vendors are generous enough to provide people with free Ransomware Decryptors.
This could be worth a look. Avast & Kaspersky seem to lead in this field.
Some of these Decryptors include the following Ransomware Strains:
- Alcatraz Locker
- CryptoMix (Offline)
Whatever the case, it is always worth a look around the internet. Maybe you will get lucky and find the cure without having to go to great lengths to get your data back.
Usually paying off full fledged teams to try and recover things for you can be very expensive.
Ransomware is an ever growing issue.
Thousands of companies around the world are being threatened and infected, usually because they do not follow simple Security best practices. All of this can be avoided if a good Security Management policy is set in place and most things are done as they should be.
As we have discussed, infection most of the time happens because Security was not taken seriously and became an afterthought.
We believe that by becoming educated with articles such as this, the future might look a little bit brighter for your assets, especially if taken seriously.