Ransomware: Holding Data Hostage
Cybercriminals are continuing to refine and evolve their toolsets and methods of corruption in their quest to stay ahead of law enforcement and security experts.
Corporations across all industries have suffered losses from advanced threats stealing intellectual property and customer data. But one specialized form of malware has been on the rise that does not steal the information—it holds it hostage. This rising threat is called ransomware. Read the full paper, "Ransomware: Holding Data Hostage," to learn more about the methods used for ransomware and what to do when attacked.
Ransomware is designed to restrict users from accessing data on their own systems, while perpetrators demand payment (a ransom) to remove the restriction. This is accomplished by either encrypting data or by blocking access to resources.
This paper’s intent is to increase awareness of the growing ransomware problem, and to offer recommendations on how to identify it within your environment, prevent it from propagating further, and remove it from compromised systems.
The first widely known ransomware appeared in 1989 and was called the AIDS Trojan (also known as Aids Info Disk or PC Cyborg Trojan). This malware worked by hiding directories and encrypting the names of files on the local disk drive; it would then prompt the user for payment of a “license renewal” (ransom) to restore the infected host back to its original state. Encryption mechanisms for ransomware were rudimentary at first. By 1996, however, much stronger public-key encryption was found in some variants.
Ransomware continued to mature, leveraging increasingly complex encryption schemes. By 2008, some instances of 1024-bit RSA keys were reported, and today, 2048- or 4096-bit keys are not uncommon (the higher the bit strength, the harder it is to crack). The potential for monetary gain by cybercriminals, combined with the difficulty of removal, has led to the further proliferation of ransomware at the global level. The advent of Bitcoin and other cryptocurrency has inadvertently furthered propagation by making it easier to collect ransom, while protecting the anonymity of perpetrators. In fact, ZDNet conducted research in late 2013 that involved the tracking of four Bitcoin addresses identified as being associated with “CryptoLocker” attacks.
Between April 2014 and June 2015, the CryptoWall strain of ransomware cost Americans over $18 million, according to the FBI’s Internet Crime Complaint Center (IC3). This figure includes money spent not only on ransoms, but also on network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.
Most recently, we have seen numerous healthcare organizations targeted. A ransomware attack on one U.S. healthcare organization debilitated 10 hospitals in Maryland and Washington, and impacted 30,000 staff, 6,000 physicians, and countless patients. In February 2016, a ransomware attack on a medical center in Los Angeles, California, crippled the hospital’s infrastructure, and prevented staff from accessing critical systems and data. A ransom of 40 Bitcoins (roughly $17,000) was paid to restore order, but in many cases, order cannot be restored, even after paying the ransom.
Ransomware prevention and removal
Although ransomware can be a powerful and effective extortion tool for cybercriminals, there are numerous ways to prevent it and to minimize the impact of an infection. Conducting effective security awareness training, monitoring networks and systems, timely security patching, and employing a robust backup and recovery program are some of the best ways to protect against and recover from a ransomware attack. Listed below are several additional, more detailed techniques to aid in the prevention and removal of ransomware.
Prevention and Awareness
Since most ransomware enters a system via some type of social-engineering attack, user awareness is a critical step in prevention. As with all training and awareness programs, it requires an ongoing effort to stay ahead of changing ransomware tactics. This may require a significant cultural change to prevent users from opening untrusted email attachments and clicking on hyperlinks embedded in emails.
According to the Department of Homeland Security’s (DHS) United States Computer Emergency Readiness Team (US-CERT), as many as 85 percent of all targeted attacks can be prevented by applying a security patch. Maintaining current patch levels for all operating systems, software, anti-virus, and other security programs will greatly reduce the chance of infection.
In a shared environment, exchanging files is routine. Since the distribution of ransomware often depends on this file exchange, it is imperative to have a policy that provides for the transfer of such documents in a safe and secure manner. As an example, using digital signatures for document exchange may reduce the chances of infection.
Technical controls related to email security will go a long way in reducing the potential for ransomware infection. Effective techniques include employing anti-spam and anti-phishing filters, blocking emails that contain hyperlinks, and quarantining images and attachments.
Ransomware and other malware leverage legitimate operating system processes and services in one form or another. Since every system is different, there is no “silver bullet” as to which services should be enabled or disabled. The information technology (IT) department should determine which services are deemed unnecessary before disabling them. Tighter permissions can also be applied to “risky” services that are required for system operation.
Many ransomware variants copy, alter, and run critical system files (executables) in different locations for a variety of reasons. To stop this, policies in the Group Policy Object (GPO) that prevent executables from running in specific locations (such as ProgramData, AppData, and Temp) can be created.
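One concrete form of that GPO control, as an added example that is not from the paper: an AppLocker policy with path rules for the locations named above, applied with PowerShell. It assumes a Windows edition that supports AppLocker and an elevated session; the rule GUIDs are generated on the fly and the sample file path is constructed.

```powershell
# Added example (not from the paper): AppLocker path rules that block
# executables launched from ProgramData, AppData and Temp, the locations named
# above. Assumes a Windows edition with AppLocker and PowerShell run as an
# administrator; rule GUIDs are generated here and the sample path is constructed.
# Deny rules override allow rules in AppLocker, so the allow rules only keep
# Windows and Program Files runnable once enforcement is switched on.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny ProgramData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\ProgramData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny AppData (covers per-user Temp)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-deny-user-writable.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run against a known-good binary copied into AppData (constructed path):
# reports which rule matches and whether the file would be denied.
$sample = Join-Path $env:LOCALAPPDATA 'sample\notepad.exe'
New-Item -ItemType Directory -Force -Path (Split-Path $sample) | Out-Null
Copy-Item "$env:WINDIR\System32\notepad.exe" $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample -User Everyone

# Merge into the effective local policy; AppLocker needs the Application
# Identity service running to evaluate rules. While in audit mode, review the
# Microsoft-Windows-AppLocker/EXE and DLL log (event ID 8003 = would have been
# blocked), add exceptions for legitimate software installed under AppData,
# then change EnforcementMode to "Enabled" and push the same XML via GPO.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Start-Service AppIDSvc
```

The deny rules are scoped to Everyone (S-1-1-0), administrators included; narrow UserOrGroupSid to a standard-users group if administrative tooling must run from those paths.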
The removal of all drives and devices when not in use will reduce the potential of spreading the ransomware. This includes mapped network drives, physical USB drives or memory sticks, smartphones, cameras, and anything else that can be logically written to.
Block IP addresses
Tor gateways are the primary means for some ransomware to communicate with their command and control servers. Blocking these gateways will impede this capability. It should be noted that some cybercriminals have changed tactics and are now using redirected web sites; however, it is still a best practice to block known malicious IP addresses in an operational business environment.
Robust monitoring capabilities
Employing host and network monitoring tools and establishing an effective security information and event management (SIEM) program can help identify malicious activity. Robust monitoring aids in quickly detecting instances where ransomware uses command and control servers, or when malicious code spreads from host to host.
Removal
Back up data
Removing ransomware after it has done its work is difficult, and often the only option left (aside from paying the ransom) is to rebuild the infected system and restore data from known-good backup media (such as tape, disk, and so forth). The primary technical control is to ensure that data and systems are backed up on a regular basis.
Since it is possible that some backups contain ransomware, the following steps should be taken to reduce this likelihood:
- Backups should be conducted on a regular basis and maintained for a specified period of time.
- Backups should be write-protected after being stored offline and offsite.
- Backups should employ versioning to ensure known-good media are available from a point in time prior to the infection.
- Backups should be tested regularly to validate the integrity and ability to restore the data.
- Backups should be checked regularly with anti-virus scans.
Have a plan
Being caught off guard is not a good position to be in when facing a ransomware infection. If your organization’s security policies do not include provisions for dealing with this type of attack, please work with your leadership team to develop and test a response plan. Understanding how ransomware works is the first step in determining which security controls are required to prevent and/or eradicate it.
Knowing how to identify, prevent, and recover from a ransomware attack is important. However, the timing of the response in the first few hours after an attack is critical. If faced with a ransomware situation:
- It is not advisable to remit payment of any demands, but refer to your company’s relevant policies regarding ransomware for guidance.
- It is advisable to disconnect infected hosts from the network if a compromise is suspected.
- It is advisable to deploy or enlist incident response and digital forensic teams for their ability to respond to any such situation professionally and efficiently.
- It is advisable to notify the authorities and record all information on these attacks; this will assist in building up the intelligence available for all those who may be targeted.