The recent ransomware attacks on crypto mining and crypto exchanges remind the imminent threat of the hanging danger as it continues to dominate the threat landscape and affect important sectors (hospitals, banks, universities, government, law firms, mobile users) and various organizations equally worldwide. to the global technologists about this monster.
Cybercriminals are more active to crack the social engineering route to find their new target, they infect various computers and have access to valuable information. Such attacks disrupt businesses and forced them to take cybersecurity seriously. And, because of advanced technologies and the presence of cryptocurrency as a medium of exchange providing them a boost that equally affects the high success rate of a ransomware attack.
A recent study by Google shows that victims have paid more than $25 million as ransoms within last two years, making ransomware as a highly profitable, glittering ‘business’.
Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.
Users are shown instructions on how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.
How ransomware works
There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.
There are several things the malware might do once it’s taken over the victim’s computer, but by far the most common action is to encrypt some or all of the user’s files. If you want the technical details, the Infosec Institute has a great in-depth look at how several flavors of ransomware encrypt files. But the most important thing to know is that at the end of the process, the files cannot be decrypted without a mathematical key known only by the attacker. The user is presented with a message explaining that their files are now are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.
In some forms of malware, the attacker might claim to be a law enforcement agency shutting down the victim’s computer due to the presence of pornography or pirated software on it, and demanding the payment of a “fine,” perhaps to make victims less likely to report the attack to authorities. But most attacks don’t bother with this pretense. There is also a variation, called leakware or doxware, in which the attacker threatens to publicize sensitive data on the victim’s hard drive unless a ransom is paid. But because finding and extracting such information is a very tricky proposition for attackers, encryption ransomware is by far the most common type.
5 popular ransomware
Attacks using software known as SamSam started appearing in late 2015, but really ramped up in the next few years, gaining some high-profile scalps, including the Colorado Department of Transportation, the City of Atlanta, and numerous health care facilities. SamSam is the perfect example of how attackers’ organizational prowess is as important as their coding skills. SamSam doesn’t indiscriminately look for some specific vulnerability, as some other ransomware variants do, but rather operates as ransomware-as-a-service whose controllers carefully probe pre-selected targets for weaknesses, with the holes it has exploited running the gambit from vulnerabilities in IIS to FTP to RDP. Once inside the system, the attackers dutifully work to escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.
Although the initial belief among security researchers was that SamSam had an Eastern European origin, the overwhelming majority of SamSam attacks targeted institutions within the United States. In late 2018, the United States Department of Justice indicted two Iranians that they claim were behind the attacks; the indictment said that those attacks had resulted in over $30 million in losses. It’s unclear how much of that figure represents actual ransom paid; at one point the Atlanta city officials provided local media with screenshots of ransom messages that included information on how to communicate with the attackers, which led them to shut that communications portal down, possibly preventing Atlanta from paying ransom even if they wanted to.
Ryuk is another targeted ransomware variant that hit big in 2018 and 2019, with its victims being chosen specifically as organizations with little tolerance for downtime; they include daily newspapers and a North Carolina water utility struggling with the aftermath of Hurricane Florence. The Los Angeles Times wrote a fairly detailed account of what happened when their own systems were infected. One particularly devious feature in Ryuk is that it can disable the Windows System Restore option on infected computers, making it all the more difficult to retrieve encrypted data without paying a ransom. Ransom demands were particularly high, corresponding to the high-value victims that the attackers targeted; a holiday season wave of attacks showed that the attackers weren’t afraid to ruin Christmas to achieve their goals.
Analysts believe that the Ryuk source code is largely derived from Hermes, which is a product of North Korea’s Lazarus Group. However, that doesn’t mean that the Ryuk attacks themselves were run from North Korea; McAfee believes that Ryuk was built on code purchased from a Russian-speaking supplier, in part because the ransomware will not execute on computers whose language is set to Russian, Belarusian, or Ukrainian. How this Russian source acquired the code from North Korea is unclear.
PureLocker is a new ransomware variant that was the subject of a paper jointly put out by IBM and Intezer in November 2019. Operating on either Windows or Linux machines, PureLocker is a good example of the new wave of targeted malware. Rather than taking root on machines via broad-range phishing attacks, PureLocker appears to be associated with more_eggs, a backdoor malware associated with several well-known cyber-criminal gangs. In other words, PureLocker is installed on machines that have already been compromised and are fairly well understood by their attackers, and then proceeds to make a number of checks on the machine where it finds itself before executing, rather than opportunistically encrypting data wherever it can.
While IBM and Intezer didn’t disclose how widespread PureLocker infections were, they did reveal that most took place on enterprise production servers, which are obviously high-value targets. Because of the high-skill human control this kind of attack entails, Intezer security researcher Michael Kajiloti believes that PureLocker is a ransomware as a service offering that’s only available to criminal gangs who can pay well up front.
Zeppelin was is an evolutionary descendent of the family known as Vega or VegasLocker, a ransomware-as-a-service offering that wreaked havoc across accounting firms in Russia and Eastern Europe. Zeppelin has some new technical tricks up its sleeve, especially when it comes to configurability, but what makes it stand out from the Vega family is its targeted nature. Where Vega spread somewhat indiscriminately and mostly operated in the Russian-speaking world, Zeppelin is specifically designed to not execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Zeppelin can be deployed in a number of ways, including as an EXE, a DLL, or a PowerShell loader, but it appears that at least some of its attacks came via compromised managed security service providers, which ought to send a chill down anyone’s spine.
Zeppelin began to appear on the scene in November 2019, and as more proof of its difference from Vega, its targets semeed carefully chosen. Victims were mostly in the health care and technology industries in North America and Europe, and some of the ransom notes were written to specifically address the infected target organization. Security experts believe the shift from Vega’s behavior is the result of the codebase being used by a new and more ambitious threat actor, probably in Russia; while the number of infections isn’t that high, some believe what we’ve seen so far has been a proof of concept for a larger set of strikes.
Sodinokibi, also known as REvil, first emerged in April of 2019. Like Zeppelin, Sodinokibi appeared to be the descendent of another malware family, this one called GandCrab; it also had code that prevented it from executing in Russia and several adjacent countries, as well as Syria, indicating that its origin is in that region. It had several methods of propagation, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN.
Sodinokibi’s spread again indicated an ambitious command and control team behind it, probably as a ransomware as a service offering. It was responsible for shutting down more than 22 small Texas towns in September, but it truly hit notorious status on New Year’s Eve 2019 when it took down the UK currency exchange service Travelex, forcing airport kiosks to resort to pen and paper and leaving customers in limbo. The attackers demanded a stunning $6 million ransom, which the company refuses to confirm or deny it paid.
When I asked Juniper’s Hahad for his pick for the worst ransomware of 2019, Sodinokibi was his choice, because of an extra twist that Sodinokibi’s controllers put into their attacks. “The one thing that really makes this a little bit special is that this particular group has taken on a new approach of not only telling people, ‘You’re not going to get your data back if you do not pay the ransom,’ but also, ‘We are going to publish that confidential data on the web or sell it in an underground forum to whomever is the highest bidder.’ That takes the ransomware approach to the next level in their business model.” This is a huge departure from the usual ransomware model — after all, one of its big advantages is that you can lock down your victim’s data without going through the difficult process of exfiltrating it — but they’ve already followed through on the threat at least once. The new era of hyper-targeted, custom-tailored ransomware appears to be reaching new and dangerous depths.
While ransomware has technically been around since the ’90s, it’s only in the past five years or so that it’s really taken off, largely because of the availability of untraceable payment methods like Bitcoin. Some of the worst offenders have been:
- CryptoLocker, a 2013 attack that launched the modern ransomware age and infected up to 500,000 machines at its height
- TeslaCrypt, which targeted gaming files and saw constant improvement during its reign of terror
- SimpleLocker, the first widespread ransomware attack that focused on mobile devices
- WannaCry, which spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers
- NotPetya, which also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine. The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR and leaves a ransom note at system startup.
- Locky, which started spreading in 2016, was “similar in its mode of attack to the notorious banking software Dridex.”
And this list is just going to get longer. Even as this article was being put together, a new wave of ransomware, dubbed BadRabbit, spread across media companies in Eastern Europe and Asia. It’s important to follow the tips listed here to protect yourself.
Who is a target for ransomware?
There are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — and these organizations may be uniquely sensitive to leakware attacks.
How to prevent ransomware
There are a number of defensive steps you can take to prevent ransomware infection. These steps are of course good security practices in general, so following them improves your defenses from all sorts of attacks:
- Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
- Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
- And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.
If your computer has been infected with ransomware, you’ll need to regain control of your machine. CSO’s Steve Ragan has a great video demonstrating how to do this on a Windows 10 machine:
The video has all the details, but the important steps are to:
- Reboot Windows 10 to safe mode
- Install antimalware software
- Scan the system to find the ransomware program
- Restore the computer to a previous state
But here’s the important thing to keep in mind: while walking through these steps can remove the malware from your computer and restore it to your control, it won’t decrypt your files. Their transformation into unreadability has already happened, and if the malware is at all sophisticated, it will be mathematically impossible for anyone to decrypt them without access to the key that the attacker holds. In fact, by removing the malware, you’ve precluded the possibility of restoring your files by paying the attackers the ransom they’ve asked for.
Ransomware facts and figures
Ransomware is big business. There’s a lot of money in ransomware, and the market expanded rapidly from the beginning of the decade. In 2017, ransomware resulted in $5 billion in losses, both in terms of ransoms paid and spending and lost time in recovering from attacks. That’s up 15 times from 2015. In the first quarter of 2018, just one kind of ransomware software, SamSam, collected a $1 million in ransom money.
Some markets are particularly prone to ransomware—and to paying the ransom. Many high-profile ransomware attacks have occurred in hospitals or other medical organizations, which make tempting targets: attackers know that, with lives literally in the balance, these enterprises are more likely to simply pay a relatively low ransom to make a problem go away. It’s estimated that 45 percent of ransomware attacks target healthcare orgs, and, conversely, that 85 percent of malware infections at healthcare orgs are ransomware. Another tempting industry? The financial services sector, which is, as Willie Sutton famously remarked, where the money is. It’s estimated that 90 percent of financial institutions were targeted by a ransomware attack in 2017.
Your anti-malware software won’t necessarily protect you. Ransomware is constantly being written and tweaked by its developers, and so its signatures are often not caught by typical anti-virus programs. In fact, as many as 75 percent of companies that fall victim to ransomware were running up-to-date endpoint protection on the infected machines.
Ransomware isn’t as prevalent as it used to be. If you want a bit of good news, it’s this: the number of ransomware attacks, after exploding in the mid ’10s, has gone into a decline, though the initial numbers were high enough that it’s still. But in the first quarter of 2017, ransomware attacks made up 60 percent of malware payloads; now it’s down to 5 percent.
Ransomware on the decline?
What’s behind this big dip? In many ways it’s an economic decision based on the cybercriminal’s currency of choice: bitcoin. Extracting a ransom from a victim has always been hit or miss; they might not decide to pay, or even if they want to, they might not be familiar enough with bitcoin to figure out how to actually do so.
As Kaspersky points out, the decline in ransomware has been matched by a rise in so-called cryptomining malware, which infects the victim computer and uses its computing power to create (or mine, in cryptocurrency parlance) bitcoin without the owner knowing. This is a neat route to using someone else’s resources to get bitcoin that bypasses most of the difficulties in scoring a ransom, and it has only gotten more attractive as a cyberattack as the price of bitcoin spiked in late 2017.
That doesn’t mean the threat is over, however. Barkly explains that there are two different kinds of ransomware attackers: “commodity” attacks that try to infect computers indiscriminately by sheer volume and include so-called “ransomware as a service” platforms that criminals can rent; and targeted groups that focus on particularly vulnerable market segments and organizations. You should be on guard if you’re in the latter category, no matter if the big ransomware boom has passed.
With the price of bitcoin dropping over the course of 2018, the cost-benefit analysis for attackers might shift back. Ultimately, using ransomware or cryptomining malware is a business decision for attackers, says Steve Grobman, chief technology officer at McAfee. “As cryptocurrency prices drop, it’s natural to see a shift back [to ransomware].”
Should you pay the ransom?
If your system has been infected with malware, and you’ve lost vital data that you can’t restore from backup, should you pay the ransom?
When speaking theoretically, most law enforcement agencies urge you not to pay ransomware attackers, on the logic that doing so only encourages hackers to create more ransomware. That said, many organizations that find themselves afflicted by malware quickly stop thinking in terms of the “greater good” and start doing a cost-benefit analysis, weighing the price of the ransom against the value of the encrypted data. According to research from Trend Micro, while 66 percent of companies say they would never pay a ransom as a point of principle, in practice 65 percent actually do pay the ransom when they get hit.
Ransomware attackers keep prices relatively low — usually between $700 and $1,300, an amount companies can usually afford to pay on short notice. Some particularly sophisticated malware will detect the country where the infected computer is running and adjust the ransom to match that nation’s economy, demanding more from companies in rich countries and less from those in poor regions.
There are often discounts offered for acting fast, so as to encourage victims to pay quickly before thinking too much about it. In general, the price point is set so that it’s high enough to be worth the criminal’s while, but low enough that it’s often cheaper than what the victim would have to pay to restore their computer or reconstruct the lost data. With that in mind, some companies are beginning to build the potential need to pay ransom into their security plans: for instance, some large UK companies who are otherwise uninvolved with cryptocurrency are holding some Bitcoin in reserve specifically for ransom payments.
There are a couple of tricky things to remember here, keeping in mind that the people you’re dealing with are, of course, criminals. First, what looks like ransomware may not have actually encrypted your data at all; make sure you aren’t dealing with so-called “scareware” before you send any money to anybody. And second, paying the attackers doesn’t guarantee that you’ll get your files back. Sometimes the criminals just take the money and run, and may not have even built decryption functionality into the malware. But any such malware will quickly get a reputation and won’t generate revenue, so in most cases — Gary Sockrider, principal security technologist at Arbor Networks, estimates around 65 to 70 percent of the time — the crooks come through and your data is restored.
Conclusion: So you should be very much aware, alert and well prepared to handle these cyberattacks and ensure your office or organization against any potential ransomware attacks.