Ransom-what?

Ransomware is a type of malicious software that restricts or limits users of a targeted organization from accessing their IT systems (servers, workstations, mobile devices, etc.), until a ransom is paid.

Ransomware is considered a major and exponentially growing threat in 2016, based increasingly on anonymizing payment methods (ex: Bitcoin digital currency) and anonymous networks (ex: Tor anonymity network).

The Cyber Threat Alliance estimates that the group behind the CryptoWall ransomware attacks caused $325 million in damages, after infecting hundreds of thousands of computers across the world.

Figure 1: Example of the first mobile-only locker ransomware

Figure 2: Example of a pay note of CryptoWall ransomware

Anatomy of a ransomware attack

A ransomware attack is a multi-step process. If the proper defenses are in place at the various steps of the attack, the impact can be greatly reduced.

1. Delivery and exploit: Ransomware is delivered through a certain mechanism (e.g.: phishing) and finds a vulnerability or a victim to attack
2. Install and disarm: Ransomware installs itself and lower the security poster of the victim machine
3. Occupy and encrypt: Establish communication with the command and control server and encrypt data files and mapped drivers
4. Demand ransom: Users attempt to access files and are alerted that the data has been encrypted
5. Decrypt: Decryption keys will only be provided on payment of a ransom

Types of ransomware

Crypto-ransomware now accounts for the majority of ransomware.

Figure 3: Two main types of ransomware

Ransomware’s rise in popularity

The popularity of ransomware among cybercriminals can be attributed to two main advantages:

• It is a low-maintenance operation for threat actors
• It offers a quick path to monetization, since the users pay adversaries directly in cryptocurrencies
  

The FBI has reported a 33% increase in the number of complaints filed involving ransomware:

• In 2014, over 1,800 complaints were filed, resulting in a loss of more than $23 million
• In 2015, more than 2,400 complaints with a reported loss of more than $24 million
   

Ransomware landscape in Luxembourg

The Computer Incident Response Center Luxembourg (CIRCL) receives 4 to 5 reports of ransomware infections per week in Luxembourg. CIRCL has reported, based on its operating Malware Information Sharing Platform (MISP), that Locky and TeslaCrypt* ransomware are the evolving ransomware varieties targeting the Grand Duchy of Luxembourg right now.

Furthermore, Cerber and Chimera ransomware campaigns are sometimes detected in Luxembourg. In particular, Chimera ransomware is considered quite hazardous, as it is not only doxing (i.e. blackmailing the victims to broadcast their personal information), but also searching people willingly to cooperate for franchising the business of ransomware.

According to CIRCL, the main ransomware delivery methods identified in Luxembourg are:

• Phishing with a focus on exploiting client side vulnerabilities

• Targeting vulnerable browsers and insecure Internet-facing services

* In May 2016, the developers of TeslaCrypt released the master decryption key and shut down the ransomware, thus ending the ransomware.

Should I be concerned?

Like all other cyber threats, any organization can be affected by ransomware and at any time.

Ransomware can harm an organization’s reputation especially if intellectual property or other relevant information are compromised. It can also affect an organization financially, especially if the business activities are disrupted and/or the ransom amount is paid. A typical risk might be an incident where data loss occurs, but one can also imagine a scenario where there is a major data breach if the ransom is not paid.

Initially, ransomware attacks have been non-targeted, e.g. they mostly spread via large e-mail phishing campaigns and demanded small payments (~1-5 Bitcoins) from individual users. However, threat actors have evolved to target specific organizations instead, hoping to land a bigger payday.

The new trends of ransomware

According to the latest cyber threat reports, the ransomware threat landscape is evolving in the following ways:

• More data extortion techniques. At the end of 2015, a Chimera crypto-ransomware was discovered with three disturbing capabilities (i) encrypting files, (ii) doxing, and (iii) extortion. After encrypting files, if the ransom is not paid, attackers claim to make those files public over the Internet. This trick, in most cases, pressures the victim into paying up the ransom, despite having a data backup
• Increased adoption of IP address anonymizing services for ransomware delivery (e.g. Tor anonymity network). These services can complicate the profiling of the threat actor behind a ransomware campaign
• Increased adoption of cryptographic key provisioning. This process ensures unbreakable cryptographic communication between hosts⁶. When cryptography is implemented correctly, the encrypted files are impossible to recover without a key
• Wide variety of technical sophistication. For instance, some types of ransomware depend on links to third-party libraries, making them easy to detect. However, other types of ransomware use different techniques (i.e. thread injection, process replacement, etc.) to avoid detection. For instance, CTB-Locker uses more advanced techniques (i.e. position-independent code wrapper) that make it almost impossible to detect using traditional signature-based methods⁶. PowerWare ransomware is using file-less infection to avoid detection
• “Ransomware as a Service” or RaaS. This is an evolution discovered in mid-2015, in which the creation of ransomware has been commoditized, allowing attackers to develop and distribute customized ransomware. This also gives uninitiated cybercriminals a foothold in ransomware business
• Future developments in the area of ransomware. The fourth version of CryptoWall introduced some capabilities for evasion of detection even from second-generation firewalls. Additional features have been added to ensure the non-recoverability of files (e.g. ransomware that deletes Windows “shadow copies”) and past flaws in ransomware design are quickly getting fixed.
• Ransomware uses every possible attack vector to get into victims’ machines. In some ransomware versions, complex obfuscation and covert launch techniques are used. These allow them to evade detection in the early stages of infection. In addition, cybercriminals are seeding legitimate websites with malicious code to distribute ransomware.
• Backup and large block file system encryption. It is likely to see additional ransomware activity related to the encryption of network backup methods and file shares, before encrypting the user's workstation.
• Exponential deletion. Increased use of time based motivation techniques, in effort to maximize criminal actors' revenues (i.e. encrypted files are gradually deleted permanently).
• Continued targeting of wealthy countries. Over 50% of infections occur in the USA and Europe; 85% of CTB-Locker infections hit in North America and Europe (50% and 35% respectively).

Ransomware platform footprint

First versions were basic, and often used poor encryption, making it relatively simple to recover encrypted files. However, the threat agents behind ransomware are continuously learning from their mistakes, and have become more sophisticated in their latest variants.

Initially, ransomware have primarily plagued Windows platforms. However recently platform-agnostic capabilities have been developed and targets have expanded to Linux and Android.

• Linux-powered servers are running most of the Internet’s infrastructure; the consequences of ransomware infections compromising webservers could be more disruptive than expected
• Android is the largest market share mobile OS. In cases where corporate data is not backed up, an Android-based ransomware can potentially be extremely disruptive to business
• Mac OS X may not be immune to the threat of ransomware. In November 2015, a cybersecurity researcher developed a proof-of-concept (PoC) threat known as Mabouia for Mac OS X systems. In March 2016, a security vendor detected that the Transmission BitTorrent client installer for OS X was infected with ransomware

Protect your business and your intellectual property from ransomware

Certainly, ransomware is not new to the world of crime-ware. However, newer more sophisticated methods of delivery, detection and monetarization, means ransomware continues to be a highly profitable business for cybercriminals. Ransomware promises to be more threatening, and organizations should be proactive in developing and maintaining their readiness and resilience against it.

Although the initial cost may be perceived as high, investing in cybersecurity can pay huge dividends in the long-term. The following proactive controls can help your organization be prepared for ransomware threats:

• Implement an effective backup and recovery strategy (off-line backups, storage in a secure / separate location, retain backups at multiple points in time, etc.)
• Develop awareness programs for your users
• Implement robust vulnerability and patch management processes
• Manage the use of privileged accounts and configure access controls correctly
• Consider recourse to whitelist filtering to prevent execution of unknown programs
• Implement content filtering to filter out emails and Web content
• Harden the security configuration of your devices (including mobile devices)
• Assess the readiness of your IT infrastructure and incident response processes by performing Ransomware Attack Simulations