Ransomware is commonly defined as "software designed to extort money from a victim."
It belongs to the category of software collectively called malware, because it is designed with malicious intent. Ransomware is a lesser-known form of malware when compared to others such as a virus, a trojan horse or a worm.
Consensus says the first appearance of ransomware dates to 1989 (the so-called AIDS Trojan). Despite being over a quarter of a century old, the prevalence of ransomware is only being established now. It is an increasing threat precisely because attackers can make money directly through it. Criminals are increasingly behaving like businessmen; they like a good return on investment too.
While ransomware is commonly described as a specific form of malware in its own right, Secarma contends that it is simply a payload. This is true because a virus, trojan horse or worm are all simply separate ways of getting onto, or spreading between, computers.
To relate this to the real world, think of ransomware as the payload of a missile. The missile gets the payload to its destination, but the payload does the damage.
How does it get onto a computer?
The following summarises the two most common routes used to put ransomware onto a computer:
- Exploiting a flaw in a networked service – Computers offer services on a network so that other computers can access them. For example, this website is being delivered to you over the "https" protocol, which is a networked service. If a service contains a security flaw which can be used to execute commands on the target computer, then that flaw can be exploited automatically to run the ransomware payload. Flaws in this category include a default password or a missing security update for the service.
- Exploiting the trust of a human – Even if an organisation has a comprehensive patching strategy the human element can still be exploited. The tactic of coercing a human being to execute something they should not is highly effective. The most likely starting point for the exploitation would be an email with either a link to a malicious website or an attachment. Interacting with either the website or the attachment would execute the ransomware payload. The process of sending an email designed to trick a user is called “phishing”.
If the flaw is in a networked service which is available on the Internet then it can be exploited automatically by a computer program without human interaction. When that is the case there is a risk of a worm style of malware. A worm would infect one computer, and then use that computer to scan for additional nodes to infect. This is the mode that the now famous WannaCry ransomware attack took in May 2017. It is a highly effective way to spread an infection and maximise impact.
When the exploit targets humans it has a higher success rate when it is tailored. If the attacker crafts a plausible story and then targets the right individuals they will have a higher strike rate. However, the old saying "if you don't buy a ticket you won't win the lottery" also holds true when conducting a phishing exercise. The attacker may only need one user within an organisation to interact with a payload sent from outside. If controls are not in place, an infection on one workstation may spread to the rest of the network. In those circumstances sending thousands of emails and getting one victim is enough.
What does it do?
So far, this article has covered broadly what ransomware is and how it gets onto computers. By now you understand that it will try to extort the victim. But how does it go about doing so? To explain this, let's list the typical behaviour of ransomware once it has executed on the victim's computer:
- Find files matching certain patterns on the hard disk. The attacker is hoping to find high-value files that the victim would miss if they were unable to access them. This would include photos, documents, spreadsheets etc.
- Encrypt these files to prevent the legitimate user accessing them. This includes destroying the original files.
- Optionally start the process of scanning for other computers to exploit.
- Display a warning message to the victim encouraging them to call a number, visit a site, or pay them by some means such as bitcoin.
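As an added illustration, not part of the original article, of how a defender might spot the "encrypt these files" behaviour above after the fact: a small Python check that flags document files whose contents have become statistically indistinguishable from random data, which is what encrypted output looks like. The watched suffixes, the entropy threshold and the sample files are assumptions made for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed list of document types to inspect. Formats that are already compressed
# (jpg, docx, pdf) score close to 8 bits/byte even when healthy, so they need a
# per-type baseline rather than the single threshold used here.
WATCHED_SUFFIXES = {".txt", ".csv", ".xml", ".html"}
# Assumed cut-off in bits per byte: plain text sits around 4 to 5, ciphertext near 8.
ENTROPY_THRESHOLD = 7.5
MIN_SAMPLE = 256  # tiny files give unreliable entropy estimates; skip them


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root, threshold=ENTROPY_THRESHOLD, sample_bytes=65536):
    """Return relative paths of watched files whose leading bytes look like ciphertext."""
    flagged = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WATCHED_SUFFIXES:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= threshold:
            flagged.append(str(path.relative_to(root)))
    return flagged


def demo():
    """Constructed sample tree: one ordinary document, one whose bytes are random
    (standing in for an encrypted file) and one file type that is not watched."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.txt").write_bytes(b"Quarterly figures, nothing unusual here.\n" * 50)
        (base / "ledger.csv").write_bytes(os.urandom(4096))
        (base / "notes.bin").write_bytes(os.urandom(4096))
        return suspicious_files(tmp)


if __name__ == "__main__":
    print(demo())  # ['ledger.csv']
```

Pointed at a file share after an incident, the same check gives a quick first estimate of which documents were touched before the forensic team arrives.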
Ransomware makes money for criminals. It works by preventing a user from accessing their files. A home user may cherish the photographs of their children or holidays. The business user needs those documents to deliver on time to their expectant customers. Either way they have lost something that they own, and it is theft in the truest sense.
As with all theft, the victim will feel panic and the desire to recover what is theirs. No matter how the ransomware has been delivered, the criminal is relying on exploiting this human emotion to make money.
What proactive steps to take?
The most effective time to act to minimise the risks of ransomware is before it finds you. By acting ahead of time you will be less likely to get infected, and you will have a plan in place for what to do if the worst happens. The following steps can be taken proactively. Some need to be done by you alone, while others should probably be outsourced.
Steps you can take:
1. Create and enforce a complete software patching policy
   - This must apply all operating system patches as soon as possible after their release.
   - Additionally, it must include all 3rd party software.
   - Pay close attention to software that is Internet-facing, such as email clients, web browsers and their plugins (Java, Adobe Reader etc.).
2. Ensure that all computers are protected by an anti-virus solution
   - This must be kept up to date with all daily signature updates.
   - Additionally, it must provide active scanning of accessed files, web pages and memory. Simply relying on regularly scheduled scans is not effective.
3. Create a backup plan
   - Take regular backups.
   - Send the results offsite to multiple locations, or use physical media that is not always connected and which is only used for this purpose.
   - Verify that your process works by trying to restore devices from it.
4. Consider taking out Cyber Insurance that reimburses you for lost data and time
   - Note: not every provider will pay the ransom on your behalf. You would have to evaluate providers to choose the policy which suits your needs.
5. Develop your response plan.
   - An example is provided under "Reactive Steps" later.
Engage with a 3rd party to:
1. Conduct a penetration test of your externally facing Internet ranges.
   - Doing this reduces the chances of ransomware coming in via a known flaw in a networked service.
2. Provide staff with security awareness training.
   - Doing this reduces the chances of staff engaging with a phishing email or attachment.
3. Simulate a "phishing" exercise to gain metrics around the likely effectiveness of this technique against your staff.
4. Undertake a configuration review of your standard workstation and/or server builds.
   - Doing this can ascertain the attack surface available to ransomware given the software and patch level.
5. Review all routes from at least the user LAN to the Internet.
   - Doing this can verify the routes via which malware may communicate back from a compromised workstation to a potential attacker on the Internet. Reducing these options limits how effectively malware can spread.
What reactive steps to take?
The worst has happened and you have been hit by a ransomware attack. What should you do? If you have followed all the proactive steps the answer is simply:
- Enact your response plan.
If you have not planned then you will no doubt be worried and still want answers. For illustration purposes a generic plan would be like this:
- DO NOT pay the criminals.
- Notify the relevant parties. Exactly who depends on what your organisation does and who it has employed:
   - Your security team.
   - Any industry-relevant authority.
   - Law enforcement via "ActionFraud" at http://www.actionfraud.police.uk/
   - Potentially your lawyers and cyber insurance providers.
- Sandbag (isolate) the affected workstation so that it cannot communicate with other hosts.
   - If need be, disconnecting the network cable or disabling the Wi-Fi card will do.
   - You should leave the device booted and operational.
- Engage with an incident response team who can use forensic skills to determine the flow of the infection and advise on the extent of the breach. A key outcome from this is to understand what was exploited.
- Restore the device from a backup and address the problems that were exploited.
   - If you have no backups then this is obviously not possible.
- At this point you may be tempted to pay the criminals, depending on the risk posed to your business by the loss of your data.
   - This may be good money after bad. You are talking to criminals, and if they get paid today what will stop them trying again next week?
   - If this is you then you have one last resort. Try https://www.nomoreransom.org/