You must have heard of ransomware attacks. What is ransomware? What does a ransomware attack mean? How does a ransomware attack take place? How do you defend yourself against ransomware attacks? What are the different methods of detecting ransomware?
These are some of the questions this blurb will try to answer in layman's terms. So, if you have time, read through it all. You are going to benefit from the knowledge.
What is Ransomware and a Ransomware Attack?
Ransomware is a type of malicious software (malware). Ransomware blocks access to data by encrypting it, and asks the victim to pay for decrypting the data so that he or she can regain access.
The person launching the attack and asking for ransom demands the payment to be made in bitcoin. Bitcoin payment ensures that the attacker maintains anonymity.
The amount that the attacker demands can vary from several hundred dollars to thousands, or even millions.
If the victim doesn’t pay for getting back the data, the attacker will often end up deleting everything, leading to complete loss of data.
Ransomware takes advantage of vulnerabilities in software, a network, a system, or even humans. The malware infects the victim's device, which can be anything from a computer to a mobile device, a wearable device, a printer, a POS (point-of-sale) terminal, etc.
Ransomware can be ugly in the sense that it can encrypt very important data, including high-profile company secrets, personal and intimate images, and what not! There is no limit or restriction on the type of data ransomware can hold hostage by encrypting it.
Examples of Ransomware
There are thousands of ransomware strains spread everywhere. Here are some of the most famous ones the world has seen so far:
WannaCry
There is a vulnerability in the Windows SMB protocol, and the WannaCry ransomware takes advantage of it.
WannaCry is self-propagating, and it can infect all machines connected to a network. The attackers usually package WannaCry as a dropper, which is nothing more than a self-contained program.
Once WannaCry enters a device, it unpacks itself: the encryption and decryption application, the files that contain the encryption key, and the Tor communication program are all extracted.
One good thing from the standpoint of the victims is that WannaCry is quite easy to detect, because it is not obfuscated.
WannaCry once wreaked havoc on a global scale, infecting over 230,000 devices in 150 countries. This incident took place in 2017, and the estimated total damage caused by the malware is 4 billion US dollars.
Locky
Locky ransomware primarily targets files that are commonly used by engineers, testers, and designers. This malware has the capability of locking up to 160 different file types. Exploit kits are primarily used for distributing the ransomware, but it can also be distributed using phishing emails.
In the phishing variant, the victims receive an email with a Microsoft Office attachment (Excel or Word) that contains malicious macros. The email may also contain a zipped file that installs the malware when the victim extracts it.
Cerber
Cerber is available to cyber criminals in the form of RaaS or Ransomware-as-a-Service. Someone developed it and made it available for use. Cyber criminals who use Cerber pay a portion of their loot to the developer of Cerber.
Cerber is quite silent in its operation and does its job of encrypting files in the background. To avoid detection and blockage, Cerber prevents antivirus programs and Windows security features from running.
Once Cerber manages to successfully encrypt the files, it displays a ransom note right on the desktop wallpaper! Cerber is dangerous compared to WannaCry, because it tries to remain obfuscated.
Ryuk
Ryuk is yet another malware that uses phishing for infecting machines. However, Ryuk can also use what is known as drive-by downloads for infecting machines.
A drive-by download is a type of attack in which a web application is injected with HTML code instructing the user's browser to download malware from a server controlled by the attacker.
Visitors are usually not aware of such tampering and do not notice the background download. At times there can be warnings, but victims usually dismiss the warning, thinking of it as part of the application.
Ryuk uses a dropper to extract a trojan on the victim's machine. This trojan then establishes a persistent network connection from the victim's machine to the attackers.
Once the connection is made, the attackers run an APT (Advanced Persistent Threat) style campaign, performing tasks like privilege escalation, keylogger installation, and lateral movement.
Every time an attacker gains access to an additional system, Ryuk is installed!
After the trojan gets installed on as many machines as possible, the attacker will activate the ransomware that will encrypt the files on the infected machines.
What’s awful about Ryuk is that ransomware activation is only the last phase of the attack. Before activating ransomware, the attacker steals the files he or she wants to. So, Ryuk is a double whammy in the sense that the victim’s files are not only stolen, but the victim is also forced to pay.
Cryptolocker
Cryptolocker has infected 500,000+ computers since its release in 2017. Infection vectors include unprotected downloads, file sharing sites, and emails.
Cryptolocker can encrypt files on the local computer as well as those sitting on mapped network drives, provided it has permission to write to the network drives.
There are several new variants of Cryptolocker that can easily evade firewalls and legacy antivirus programs.
GandCrab
GandCrab came into existence in 2018. It encrypts the files on a computer and then demands a ransom, threatening the victims that it will disclose their porn-watching habits to the world.
Fortunately, there are various free decryptors available today that can quickly decrypt the files encrypted by GandCrab.
Petya and NotPetya
Petya was first observed in 2016. This malware managed to get access to the Master File Table or MFT of Windows computers. Once it has access to MFT, it will encrypt the entire hard disk instead of encrypting individual files.
Petya spreads through a fake job application containing a link to an infected file stored in Dropbox.
The malware made users give permissions for making admin-level changes. Once the users give the permission, Petya immediately reboots the computer and then goes on to show a fake crash screen.
While the users don’t really know how to get rid of the screen (and they assume that the computer crashed), the malware does its dirty job of encrypting the files. Once encryption is complete, the malware shows a ransom notice.
Fortunately, the original Petya didn’t become too successful.
Unfortunately, however, there is a new variant of Petya. Kaspersky Labs named it NotPetya. NotPetya is way more dangerous, and it comes with a self-propagation method that doesn't call for human intervention.
NotPetya started off by exploiting a backdoor vulnerability in an accounting software package that is extremely popular in Ukraine. The ransomware later started exploiting two vulnerabilities in the Windows SMB protocol that are known as EternalBlue and EternalRomance.
Unlike Petya, NotPetya will access the MFT or Master File Table and encrypt it, thereby locking the entire hard drive, while at the same time it will also encrypt the individual files on the hard drive.
Another problem is that NotPetya will go ahead and encrypt the files in such a way that the files are damaged.
Once the files and the hard drive are encrypted, the ransom message is displayed. Even if the victims pay the ransom, they cannot get the files back, because the files are already damaged.
Common Ransomware Vectors
Ransomware is malware. It must reach a computer to infect it and do its dirty job. But how does ransomware spread? There are several vectors (channels or mediums) that allow ransomware to spread. Here is a quick list of the vectors:
This is a very common vector that ransomware uses for infecting the computers or devices of unsuspecting visitors.
In this form, the unsuspecting victims receive an email with a link. Clicking on the link takes the victim to a malicious website or web page, from where the ransomware infects the victim's computer.
There are thousands of free software programs available on the Internet. Many of them contain malicious code. Downloading and installing free software from the Internet is one of the many vectors for ransomware distribution.
Social media platforms like Twitter, Facebook, instant messengers, etc. can carry posts or messages with links to malicious web pages.
TDS or Traffic Distribution System
There are various gateway web pages that distribute the traffic depending on geo-location, browser, operating system, etc. Such TDS gateways can lead people to malicious sites.
Such infections can happen when a user visits a fake, suspicious, or unsafe web page. They can also happen when opening or closing a pop-up. A genuine web page may also be compromised via HTML or JS code injected into the content of the web page.
Ransomware can also spread through USB drives or through the network connecting different devices.
Modus Operandi of Ransomware
A ransomware infection has seven stages. Once a device is infected with ransomware, the malware may not come into action immediately. It may remain dormant until the device is at its weakest, and then execute the attack.
Here are the seven stages of a ransomware attack:
Step 1: Infect
This is always the first step. The infection takes place covertly, that is, the unfortunate victim isn't aware that a malicious program has been downloaded and installed.
Step 2: Execute
Once the infection is done, the ransomware gets into action and starts actively scanning for all the file types it can encrypt. It scans everywhere, from the local drive to mapped or unmapped systems that are connected through the network.
Some ransomware strains are so awful that they will attack and even destroy locally stored backup folders and files.
Step 3: Encrypt
Once the ransomware finds all the files it can encrypt, it will communicate with the command-and-control server to perform a key exchange. It will scramble all the files using the encryption key, and lock access to the data.
Step 4: Notify
The ransomware will add certain instruction files that contain the details of the pay-for-decryption process. Once the files are added, the ransomware uses them to display a note to the victim and ask for a ransom.
Step 5: Cleanup
After the notification step is completed, the ransomware will terminate and delete itself. The only file left behind is the payment information file.
Step 6: Payment
The payment information file contains a link. The user or victim needs to click on it to reach a web page where he or she has to pay using the additional information on that page. The attackers use hidden Tor services for encapsulating and obfuscating the communications so that they cannot be traced using network traffic monitoring.
Step 7: Decryption
The victim usually needs to pay in bitcoin to the address given in the ransom note. Once the payment is made, the victim receives a decryption key that will decrypt the data. Unfortunately, there is no guarantee of the following:
- The victim will receive the decryption key.
- The decryption key will work.
- The decryption key will give back undamaged data.
It is needless to say that ransomware attacks can leave people helpless, and force them to pay. So, it is important that you stay protected against ransomware attacks. How do you do that? That’s the question I am going to answer in the next segment. Read on…
Preventing Ransomware Attacks
Preventing ransomware attacks is the best way to deal with these awful malware strains. You need to be proactive.
Here are a few things you can do:
Backup Your Data
The first and most obvious thing you need to do is make backup copies of your data. The golden rule of thumb here is to make sure that you have at least three different backup copies. These backup copies should stay on different media, and at least one of those three media should be disconnected from your network.
I usually keep everything backed up on an external SSD that:
- Is not connected to the computer/network in any way.
- Has biometric protection.
You also need to ensure that when you are taking a backup, you disconnect your computer from the Internet and then run the backup. I usually do not recommend using online storage or online backup platforms.
No one can guarantee that those online platforms will not be hacked or attacked. Also, if ransomware attacks your device, the hacker can get access to the online storage service.
Endpoint Protection
The first thing that will cross your mind is to use an antivirus program. Well, that works, but not always. Legacy antivirus programs are not always fully capable of detecting all variants of ransomware.
This is where modern endpoint protection platforms come into play. They provide NGAV or Next-Gen Antivirus. NGAV is known for offering protection against obfuscated ransomware, zero-day malware whose signatures are not yet available in the malware database, and fileless attacks from ransomware such as WannaCry.
The endpoint protection platforms have security teams that detect and block attacks in real time using Endpoint Detection and Response and firewall capabilities.
Whitelist, Control, Disable
Implement what is known as device control and limit the applications that can be installed on your computer. Define a centrally controlled whitelist.
Apart from that, make sure that your web browsers have tighter security. Remove every add-on or plugin that is vulnerable. A good example is Adobe Flash.
Use web filtering to ensure that users can visit only trusted websites. An easy way of doing this is to get an antivirus program like Kaspersky that uses a small badge to tell you which websites are safe to visit.
Finally, disable macros in applications like word processors and other apps that have macro capabilities.
Update, Update, Update
Time and again, OS and application developers release updates. Many of them are feature updates, while some are security updates or patches. Install them and keep your OS and your applications up to date.
Use an antivirus program such as Kaspersky to scan for vulnerabilities. If any vulnerability is found, fix it ASAP.
Spam and Phishing Protection
Phishing attacks are horrible things. You need to learn how to identify phishing attacks. One of the best ways of dealing with phishing is to install spam protection.
There are antivirus programs that have email protection features available. Enable the feature. Spam protection can help by automatically blocking suspicious emails and links.
Network Defense and WAF
If you have a whole network running web applications, it is important that you set up and enable a WAF or Web Application Firewall. You should also use IPS/IDS (Intrusion Prevention and Intrusion Detection Systems) and various other security measures.
These security features help ensure that the ransomware is unable to communicate with its command-and-control server.
How to Detect Ransomware in a Network?
A ransomware attack can take place at any time. If you are running a network, it is very important to use a real-time monitoring and blocking feature that not only identifies the read/write behavior specific to ransomware, but also blocks the offending endpoints or users from accessing any other data.
This step ensures isolation of the endpoint or the user, and restricts the spread of the ransomware.
Another thing you must do is use deception, in which you place hidden files strategically. Users will not see the hidden file, but ransomware will. Any write or rename of the hidden file should be an immediate trigger that tells you about a ransomware attack.
With this trigger, you can set up an automatic block for the user or the endpoint, or you can settle for a manual block. The rest of the users and endpoints will still have access to the data.
This should be followed by a detailed forensic analysis of data usage by users.
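The two detection ideas above (read/write behavior typical of encryption, and hidden canary files that no legitimate user touches) can be combined into one monitoring rule. The following is an added example, not code from the original article: it runs over a constructed set of file-server audit events, flags an endpoint on the first modification of a canary file or on a burst of extension-changing renames, and returns the isolation decisions. The canary paths, thresholds, and event format are assumptions made for this example.

```python
from collections import defaultdict, deque
from os.path import splitext

# Hidden canary files seeded on the share; ordinary users never open them.
# Paths and thresholds are constructed for this example.
CANARY_PATHS = {"share/.cache_idx/index.dat", "share/finance/~backup.tmp"}
RENAME_THRESHOLD = 5   # extension-changing renames in one window = burst
WINDOW_SECONDS = 10    # sliding window for the burst rule


def detect(events):
    """Return a list of (user, host, reason) isolation alerts.

    Each event is a dict with ts (seconds), user, host, op ('read', 'write',
    'rename', 'delete'), path, and new_path for renames.
    """
    alerts = []
    isolated = set()                      # (user, host) pairs already blocked
    recent_renames = defaultdict(deque)   # (user, host) -> rename timestamps

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["host"])
        if key in isolated:
            continue                      # already blocked; no duplicate alerts
        # Rule 1: any modification of a canary file is an immediate trigger.
        if ev["op"] != "read" and ev["path"] in CANARY_PATHS:
            alerts.append((*key, f"canary touched: {ev['op']} {ev['path']}"))
            isolated.add(key)
            continue
        # Rule 2: a burst of renames that change the file extension
        # (e.g. report.xlsx -> report.xlsx.locked) looks like encryption.
        if ev["op"] == "rename" and splitext(ev.get("new_path", ""))[1] != splitext(ev["path"])[1]:
            q = recent_renames[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()               # drop renames outside the window
            if len(q) >= RENAME_THRESHOLD:
                alerts.append((*key, f"{len(q)} extension-changing renames in {WINDOW_SECONDS}s"))
                isolated.add(key)
    return alerts


# Constructed sample audit events: normal activity from bob, an encryption-like
# rename burst from alice's workstation, and a canary deletion from carol's.
SAMPLE_EVENTS = [
    {"ts": 1, "user": "bob", "host": "ws-02", "op": "read", "path": "share/docs/a.docx"},
    {"ts": 2, "user": "bob", "host": "ws-02", "op": "write", "path": "share/docs/a.docx"},
    *[{"ts": 10 + i, "user": "alice", "host": "ws-01", "op": "rename",
       "path": f"share/reports/r{i}.xlsx", "new_path": f"share/reports/r{i}.xlsx.locked"}
      for i in range(6)],
    {"ts": 20, "user": "alice", "host": "ws-01", "op": "write", "path": "share/finance/~backup.tmp"},
    {"ts": 30, "user": "carol", "host": "ws-03", "op": "delete", "path": "share/.cache_idx/index.dat"},
]

if __name__ == "__main__":
    for user, host, reason in detect(SAMPLE_EVENTS):
        print(f"ISOLATE {user}@{host}: {reason}")
```

Alice's workstation is flagged on its fifth rename and her later canary write produces no second alert, while Carol's single canary deletion is enough on its own.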
Mitigating a Ransomware Infection
If your device or network is compromised by ransomware, you should take some steps to remove it. Here is a quick list of things you can do:
This is the first step. You need to isolate the infected machine. Remove the device from the network to prevent the ransomware from spreading. Also, lock all shared drives so that the ransomware cannot encrypt them.
Once you isolate the device, see which files and folders were compromised before isolation. Check for available backups. Try to find out which ransomware strain hit your network. Try to figure out whether a zero-day vulnerability was involved or not.
Don't forget to search for possible decryptor tools.
At this stage, your investigation will tell you whether you need to pay for decryption or not. Be very careful, and know that paying doesn't guarantee that you will get your files back.
If you find a decryptor, that's great! Run it. If you don't find a decryptor, you may think of paying, but only in extreme cases where paying is the only option. If the situation allows, it is better to follow the standard practice of wiping everything and reimaging the device infected by the ransomware.
Once you have completed the recovery stage, you need to go back and understand how it all happened. You need to find the vulnerabilities that eventually led to the crisis, and figure out a way to prevent it from happening again.
The evaluation you make here should try to answer questions like:
- What was the infection vector?
- Why did your existing security measures like firewall, antivirus, etc. fail?
- What was the extent of the infection?
- How much data did you lose?
- Did you have proper backup?
You need to address all your weak points, fix your vulnerabilities, and upgrade your security so that such ransomware extortion doesn't happen again.
For home users with an isolated or single computer, the best course of action is to reinstall the OS: a clean reinstall after completely wiping the hard disk.
Once the new installation is completed, it is important to install a powerful and trustworthy antivirus and antimalware program that can protect the device not only from known ransomware strains, but also possibly from zero-day threats (which is quite unlikely).
Don't forget! If you have proper backups in place, ransomware attacks will not cause financial damage unless you are hit by a strain that steals vital financial information before encrypting data!