Current State of Ransomware

Ransomware attacks are on the rise. Ransomware is a type of malware (malicious software) that encrypts the data on an infected computer so that you cannot access it until a ransom is paid to the attacker. Paying usually, but not always, gets you a working decryption key; nothing obliges the criminals to honor the deal.

Ransomware is opportunistic in nature; computers are typically infected when a user opens a malicious email attachment or visits a compromised website.

Ransomware Gets Its Start

Ten years ago those hit hardest by ransomware were home users. Their screens displayed a fake anti-virus product claiming the system was infected, and the user had to purchase the fake product to "remove" the malware and regain control of the computer.

Ransomware Evolves

In 2013 ransomware evolved from fake anti-virus into malware that encrypted specific file types on the infected computer, usually limited to Office documents, PDFs, and pictures. It also reached beyond the infected machine: any files the victim could write to on a mapped network drive were encrypted too. This was a far bigger concern for businesses, because the damage was no longer contained to a single computer; files across the whole network could be encrypted from one infected workstation.

If the business hit by ransomware had good backups, this was just an annoyance: they could simply restore the encrypted data. Businesses without current backups, however, were at the mercy of the attackers. If they wanted their data back, they had no choice but to pay the ransom.

The method of payment changed too. Instead of credit cards, Bitcoin became the preferred payment method. Bitcoin is a digital currency that can be sent anywhere in the world and, although every transaction is publicly recorded, is difficult to tie to a real-world identity. It can take days for a victim to set up a wallet, buy bitcoin through an exchange, and pay the ransom, so the attackers provide detailed step-by-step instructions for doing exactly that.

Today’s Ransomware

Fast forward to 2016. Ransomware has become a lucrative business for cyber criminals, and new variants appear continuously. Below is a list of ransomware families identified as of the date this was posted:

7ev3n
BuyUnlockCode
Cerber
Coverton
Crypt0l0cker
CryptoFortress
CryptoHasYou
CryptoJoker
CryptoWall
DMA Locker
ECLR Ransomware
EnCiPhErEd
HydraCrypt
KeRanger
LeChiffre
Locky
Magic
MakTub Locker
NanoLocker
Nemucod
PadCrypt
PClock
Petya
PowerWare
Radamant
SamSam
Sanction
Shade
SuperCrypt
Surprise
TeslaCrypt
UmbreCrypt

Most of this malware is spread via exploit kits served from compromised websites, or by users opening attachments in phishing emails. That too is changing, however, as the criminals realize that larger businesses are able to pay a much higher ransom.

Enter a New Type of Ransomware

2016 has seen widespread use of a new type of ransomware, "SamSam." Rather than waiting for a user to click on something, the attackers actively scan the Internet for vulnerable systems and exploit them to gain a foothold on the internal network. One tool being used is JexBoss, an open-source tool that discovers and exploits vulnerable JBoss application servers.

Once inside the network, the attackers' tooling queries Active Directory for a list of Windows computers, then pings each one to compile a list of hosts that are actually online. Next, a separate public/private key pair is generated for each host, based on its hostname. The private keys are sent back to the attacker; the victim never sees them.

The ransomware and each host's public key are then pushed to all of the active computers and launched in a coordinated attack that hits the entire network within a few minutes. Once running, it deletes the volume shadow copies on each computer and encrypts the files. Backup-related files are specifically sought out for encryption or deletion, so the victim cannot simply roll back.

Earlier ransomware infected one system, which then encrypted files across the network, so a single key decrypted everything. Now every active computer on the network is encrypted under its own unique key, and all of those keys are held by the attackers. The criminals know exactly how many devices they have encrypted and can set the ransom relative to the size of the network. Ransoms have increased from around $500 to tens of thousands of dollars.
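Two of the behaviours just described are visible in ordinary endpoint telemetry: the shadow-copy deletion, and the same binary being launched on many hosts within minutes. The Python below is an added example, not code from the original post or from any SamSam analysis; it runs those two checks over constructed, Sysmon-style process-creation records. The hostnames, file paths, hashes and timestamps are invented for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class ProcessEvent(NamedTuple):
    time: datetime
    host: str
    image: str
    sha256: str
    cmdline: str


# Constructed process-creation records in a simple pipe-delimited form
# (timestamp|host|image|sha256|command line). Hostnames, paths, hashes and
# times are invented for this example; this is not real telemetry.
SAMPLE_LOG = r"""
2016-03-21T02:14:05|FS01|C:\Windows\Temp\encryptor.exe|0d0d0d01|C:\Windows\Temp\encryptor.exe
2016-03-21T02:14:09|WS042|C:\Windows\Temp\encryptor.exe|0d0d0d01|C:\Windows\Temp\encryptor.exe
2016-03-21T02:14:11|WS107|C:\Windows\Temp\encryptor.exe|0d0d0d01|C:\Windows\Temp\encryptor.exe
2016-03-21T02:15:30|FS01|C:\Windows\System32\vssadmin.exe|aa11aa11|vssadmin.exe Delete Shadows /All /Quiet
2016-03-21T02:15:31|WS042|C:\Windows\System32\wbem\WMIC.exe|bb22bb22|wmic shadowcopy delete
2016-03-21T08:01:12|WS003|C:\Program Files\Microsoft Office\OUTLOOK.EXE|cc33cc33|"C:\Program Files\Microsoft Office\OUTLOOK.EXE"
2016-03-21T08:45:40|WS042|C:\Program Files\Microsoft Office\OUTLOOK.EXE|cc33cc33|"C:\Program Files\Microsoft Office\OUTLOOK.EXE"
2016-03-21T09:10:03|WS107|C:\Program Files\Microsoft Office\OUTLOOK.EXE|cc33cc33|"C:\Program Files\Microsoft Office\OUTLOOK.EXE"
2016-03-21T09:30:00|BK01|C:\Windows\System32\vssadmin.exe|aa11aa11|vssadmin.exe List Shadows
"""

# Command lines that wipe local recovery points. "vssadmin list shadows" on
# the last sample line is benign and must not match.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
]


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the pipe-delimited records; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, sha256, cmdline = line.split("|", 4)
        events.append(ProcessEvent(datetime.fromisoformat(ts), host, image, sha256, cmdline))
    return events


def find_shadow_copy_deletions(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (host, command line) for every shadow-copy deletion seen, in log order."""
    return [(e.host, e.cmdline) for e in events
            if any(p.search(e.cmdline) for p in SHADOW_COPY_DELETION)]


def find_coordinated_launches(events: List[ProcessEvent], min_hosts: int = 3,
                              window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Flag a binary hash whose first execution on at least `min_hosts` distinct
    hosts falls inside a single `window`; returns {sha256: sorted hosts}."""
    first_seen: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    for e in sorted(events, key=lambda ev: ev.time):
        first_seen[e.sha256].setdefault(e.host, e.time)   # earliest run per host

    hits: Dict[str, List[str]] = {}
    for sha256, per_host in first_seen.items():
        ordered = sorted(per_host.items(), key=lambda kv: kv[1])
        start = 0
        for end in range(len(ordered)):            # sliding window over first-seen times
            while ordered[end][1] - ordered[start][1] > window:
                start += 1
            cluster = ordered[start:end + 1]
            if len(cluster) >= min_hosts and len(cluster) > len(hits.get(sha256, [])):
                hits[sha256] = sorted(host for host, _ in cluster)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, cmd in find_shadow_copy_deletions(evs):
        print(f"[shadow copy deletion] {host}: {cmd}")
    for digest, hosts in find_coordinated_launches(evs).items():
        print(f"[coordinated launch] {digest} first seen on {len(hosts)} hosts within 10 min: {hosts}")
```

The coordinated-launch check keys on the first time each host runs a given binary hash. A legitimate application that shows up on many hosts over the course of a morning (the Office lines) never has three first-seen times inside the ten-minute window, while three hosts launching the same unknown binary within seconds do. In production, feed it from your EDR or Sysmon pipeline and tune `min_hosts` and `window` to the size of the estate.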

How to Defend Against a Ransomware Attack

The best defense against this type of attack is keeping your systems up to date with patches, including third-party software. Malware typically exploits unpatched third-party software, and "SamSam" is no different: it gets in by finding vulnerable Internet-facing systems, such as unpatched JBoss servers, and exploiting them.

If you have Internet-facing systems where users enter credentials, encrypt the traffic (TLS) and require multi-factor authentication.

Have a backup process that maintains current backups of all your important data. The backups should be air-gapped, or at least stored on a locked-down VLAN that infected hosts cannot write to, because this ransomware deliberately hunts for and destroys any backup files it can reach. Test the restore process frequently. If you are hit by ransomware, the ability to restore from backup may be the only thing that saves you from paying the ransom.
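One concrete way to "test the restore process" is to record a hash manifest when the backup is taken and verify the backup set against it before relying on it. The script below is an added example, not the post's own tooling: it builds and verifies such a manifest over a constructed sample directory, then simulates the damage described above (a file encrypted in place, a backup archive deleted, a ransom note dropped) to show what the check reports. File names, including the ransom note's, are invented.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under `root` (relative path, POSIX separators) to its SHA-256."""
    return {path.relative_to(root).as_posix(): sha256_file(path)
            for path in sorted(root.rglob("*")) if path.is_file()}


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup set on disk with the manifest recorded when it was written."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed backup set, record its manifest, simulate the damage
    ransomware leaves behind, and return what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.xlsx").write_bytes(b"constructed sample: ledger")
        (root / "plans.pdf").write_bytes(b"constructed sample: plans")
        (root / "server01.bak").write_bytes(b"constructed sample: backup archive")
        manifest = build_manifest(root)   # in practice, keep this copy off the backup medium

        # Simulated attack: one file encrypted in place, the backup archive
        # deleted, and a ransom note dropped (note name is invented).
        (root / "plans.pdf").write_bytes(b"\x00\x7f opaque ciphertext")
        (root / "server01.bak").unlink()
        (root / "HELP_DECRYPT.txt").write_text("constructed ransom note")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or 'none'}")
```

Store the manifest somewhere the backup host cannot write to, or sign it; if it sits beside the archives, the same process that encrypts or deletes the archives can rewrite the manifest as well. A verification that reports nothing modified and nothing missing is the precondition for a real restore test, not a substitute for one.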

Review your incident response plan and practice it regularly. Being prepared to respond confidently to a cyberattack is an important key to success.
