During the course of this year I have found that most of my conversations have centred around ransomware, so I thought I would put together a three-part Ransomware 101 blog series:
- Part 1 – Introduction to ransomware and the threat
- Part 2 – Best practices you can adopt today to protect against ransomware
- Part 3 – How to recover / restore after a ransomware infection
So it seems everyone is talking about ransomware at present, and for good reason: since May 2013 various strains have been pushed out, from CryptoLocker and CTB-Locker through to CryptoWall 4, which was released around November 2015.
All in all, ransomware is reported to have collected around $325 million in paid ransoms across roughly 68,000 infections per month, and unfortunately this is not slowing down: in the first half of 2015 it grew 165%, and some outlets claim growth of 3,500%.
At events where I present, ransomware is at the forefront of people's minds: even those who have not been attacked have it firmly on their radar.
The issue with ransomware is that it follows a very basic IT design principle: the simplest solution wins. The people distributing it are simply encrypting your data and holding it to ransom, because they hold the keys needed to unlock it. When you dig deeper you will find the software is very intelligent and actually uses the underlying OS against itself, turning legitimate built-in tools against the victim's own recovery options. Another downside is that we do not get release notes for each new strain of ransomware, so we are always on the back foot. One example is a recent strain coded in JavaScript to circumvent security tools.
Long gone are the days when high-profile hacks required months to years of effort. The drive-by nature of ransomware is a very lucrative operation for cyber criminals and requires very little effort: it is mass-distributed across the net, at a scale of billions of attempts per day, in the form of email attachments, browser pop-ups, macros in documents and so on, and each infection that lands reports back to C&C (Command and Control) servers. The other bad news is that every endpoint in your organisation is a potential weak point, and knowing where to bolster your efforts is key to preventing ransomware in your environment.
“By reinforcing every part he weakens every part” – Sun Tzu
How does Ransom-ware work?
So let's take CryptoWall 4 and look at how it actually works. Please see below the steps it takes:
Taking the above into account, the key point is that if a machine or user is compromised, the ransomware is not just infecting that one PC:
- It will scan any shares that user can access or edit, and target those.
- If it can see any backup targets, it will seek to encrypt those too.
- Think about this: why encrypt an entire file system when I could simply corrupt the NTFS Master File Table (MFT)? This is a scary thought!
- Ransomware's objective is to infect as far and wide as possible, so whatever your users can access is a potential target.
- Later versions are advanced enough to inspect your backup targets, work out your retention policies and time the attack for the worst possible moment.
As I said before, CryptoWall 4 is the latest generation of ransomware and seems very intelligent. Worrying aspects are the lengths it goes to in order to conceal itself from anti-malware / antivirus technologies, such as:
- Injecting itself into explorer.exe
- Injecting into svchost.exe and, from that trusted process, deleting your VSS shadow copies (vssadmin delete shadows), disabling Windows startup recovery via bcdedit (recoveryenabled set to no) and suppressing the disk check on restart, so the built-in local recovery options are gone
- Persisting from %AppData% so that it is launched again after a reboot, which means that even after a restart you are still infected
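The recovery-sabotage commands in the list above are the most reliable early signal you get on an endpoint, because the ransomware has to run them before it has encrypted anything. The following is an added example, not code from the original post, of how a defender would flag them in process-creation logs. The log lines are constructed for this example in a simplified `timestamp|host|parent|image|cmdline` format (real Sysmon Event ID 1 or Windows 4688 events carry the same fields under different names); the host names and the parent-process list are assumptions.

```python
"""
Added example (not from the original post): flag process-creation log lines that
match the shadow-copy / boot-recovery sabotage described in the post.
Log format here is a constructed "timestamp|host|parent|image|cmdline".
"""
import re
from dataclasses import dataclass

# Each rule names the command shape the post describes; matching is case-insensitive.
RULES = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I),
    "wbadmin_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}

# Assumed list: admin tools are normally run from a console or a backup agent, not from
# a shell, an Office application or a service host the malware has injected into.
SUSPICIOUS_PARENTS = {"explorer.exe", "svchost.exe", "winword.exe", "excel.exe",
                      "wscript.exe", "cscript.exe", "powershell.exe"}


@dataclass
class Hit:
    host: str
    rule: str
    parent: str
    cmdline: str
    parent_suspicious: bool


def parse_line(line):
    """Split one constructed log line into its five fields; return None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmdline = parts
    return {"ts": ts, "host": host, "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}


def scan(lines):
    """Return a Hit for every (line, rule) pair whose command line matches a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append(Hit(ev["host"], name, ev["parent"], ev["cmdline"],
                                ev["parent"] in SUSPICIOUS_PARENTS))
    return hits


def hosts_to_isolate(hits, min_rules=2):
    """Hosts that tripped two distinct rules, or any rule from a suspicious parent.
    A single 'vssadmin resize' from a backup agent is routine; three sabotage
    commands in a row from svchost.exe is the pattern the post describes."""
    rules_by_host = {}
    for h in hits:
        rules_by_host.setdefault(h.host, set()).add(h.rule)
    urgent = {h.host for h in hits if h.parent_suspicious}
    return sorted(urgent | {host for host, rules in rules_by_host.items()
                            if len(rules) >= min_rules})


# Constructed sample log: one infected workstation, one benign workstation, one backup server.
SAMPLE_LOG = [
    r"2015-11-20T09:12:01|WS-0421|svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"2015-11-20T09:12:02|WS-0421|svchost.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    r"2015-11-20T09:12:02|WS-0421|svchost.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"2015-11-20T09:15:44|WS-0422|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"2015-11-20T10:01:10|SRV-BK01|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"2015-11-20T10:05:00|SRV-BK01|backupagent.exe|C:\Windows\System32\vssadmin.exe|vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=UNBOUNDED",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.host}: {h.rule} (parent {h.parent}{', SUSPICIOUS' if h.parent_suspicious else ''})")
    print("isolate:", hosts_to_isolate(found))
```

The parent-process check is what keeps this from paging on every backup job: the same `vssadmin` command is benign under a backup agent and damning under `svchost.exe` or an Office process, and that distinction is visible in the log long before any files change.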
Points to note: your OS is still usable underneath. The aim of ransomware is to get you to pay a fee in Bitcoin, so you will find your browser still works; it is just your files that are encrypted and unusable. Ransomware targets certain file types (documents, spreadsheets, images, databases and the like) chosen to lock you out of your most important data.
When you really dig deep into the way this works, it is quite sophisticated. Rather than importing the Windows API functions it needs by name, which would leave telltale strings such as the function names visible to a scanner, it resolves them at run time by hashing the exported names and comparing the hashes, so the anti-malware / antivirus engine sees no recognisable API calls. Again it seems we are on the back foot with this a lot of the time. I did find an excellent white paper write-up on CryptoWall 4, linked below:
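To make the API-hashing trick concrete, here is an added example (not code from the original post or from the white paper) showing both sides of it: how a loader resolves an import without ever storing its name, and how an analyst precomputes the same hashes to map constants found in a sample back to API names. The rotate-right-13 hash used here is a common scheme in Windows shellcode and loaders; it is illustrative and is not claimed to be the exact algorithm CryptoWall 4 uses. The export list and the byte blob are constructed for the example.

```python
"""
Added example (not from the original post): API hashing as used to hide imports,
and the analyst's inverse of it. ROR-13 is illustrative, not CryptoWall's scheme.
"""


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # ror 13
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL export name table (a real one has thousands of entries).
KERNEL32_EXPORTS = [
    "CreateFileW", "CreateRemoteThread", "GetProcAddress",
    "LoadLibraryA", "LoadLibraryW", "VirtualAlloc", "WriteProcessMemory",
]


def resolve_by_hash(exports, wanted_hash: int):
    """The loader's side: walk the export table, hash each name, stop on a match.
    The binary only needs to carry the 32-bit constant, never the string."""
    for name in exports:
        if ror13_hash(name) == wanted_hash:
            return name
    return None


def build_lookup(exports):
    """The analyst's side: precompute hash -> name for APIs of interest."""
    return {ror13_hash(n): n for n in exports}


def find_hashed_apis(blob: bytes, lookup):
    """Slide a 4-byte window over a blob and report every little-endian constant
    that matches a precomputed API hash, with its offset."""
    found = []
    for i in range(len(blob) - 3):
        v = int.from_bytes(blob[i:i + 4], "little")
        if v in lookup:
            found.append((i, lookup[v]))
    return found


def le(name: str) -> bytes:
    return ror13_hash(name).to_bytes(4, "little")


# Constructed "code" blob: NOP / INT3 filler with three API hashes embedded as immediates.
SAMPLE_BLOB = (b"\x90" * 8 + le("VirtualAlloc")
               + b"\x90" * 4 + le("WriteProcessMemory")
               + b"\xcc" * 6 + le("CreateRemoteThread"))

if __name__ == "__main__":
    lookup = build_lookup(KERNEL32_EXPORTS)
    for offset, api in find_hashed_apis(SAMPLE_BLOB, lookup):
        print(f"offset {offset:#06x}: {api}")
```

A string scan of `SAMPLE_BLOB` finds none of the three API names, which is exactly the evasion the post describes; the hash scan finds all three, which is why analysts keep tables of precomputed hashes for the common loader schemes and search new samples for those constants.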
Can it be stopped?
Frustratingly, there is no decryption method for CryptoWall 4. Some earlier families, CryptoLocker for example, have been shut down, but as I stated before these families are ever changing, and the only line of defence you have if you are infected is:
“Have a good backup Strategy”
One slight weakness which has been found is that once the executable has installed itself, it must contact its C&C server to obtain its encryption key before it can start encrypting, and that callback has a recognisable network signature. With a good firewall and IPS in place the connection should be blocked: the infected machine will still need to be rebuilt, but the encryption process cannot begin and the installer simply loops, retrying the callback. Look at the link above (white paper) for details.
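That retry loop is itself something you can hunt for in egress (proxy or firewall) logs: a workstation hammering one destination at a steady interval and never getting through is a strong sign of an installer waiting for its key, and the same host hitting the destination successfully is worse, because encryption may already be under way. The following is an added example, not code from the original post or the white paper. The log lines are constructed in a simplified `epoch|host|action|dest|method|path` format, and the domain names are placeholders rather than real CryptoWall indicators.

```python
"""
Added example (not from the original post): find periodic, never-answered callbacks
in egress logs, the "installer stuck in a loop" behaviour the post describes.
Log format is a constructed "epoch|host|action|dest|method|path".
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse(line):
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, host, action, dest, method, path = parts
    return {"ts": int(ts), "host": host, "action": action,
            "dest": dest, "method": method, "path": path}


def find_beacons(lines, min_attempts=5, max_cv=0.25):
    """Group requests by (host, dest). Flag groups with at least min_attempts
    requests whose inter-arrival times are steady (coefficient of variation
    <= max_cv). 'blocked' is True only if every attempt was denied."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            groups[(ev["host"], ev["dest"])].append(ev)
    beacons = []
    for (host, dest), evs in groups.items():
        if len(evs) < min_attempts:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg <= 0:          # duplicate timestamps; not a timed retry loop
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({
                "host": host, "dest": dest, "attempts": len(evs),
                "interval_s": round(avg),
                "blocked": all(e["action"] == "BLOCK" for e in evs),
            })
    return beacons


def triage(beacons):
    """Blocked loops: contain and rebuild the host. Allowed callbacks: the key was
    delivered, so assume files are being encrypted and act accordingly."""
    return {
        "contain_and_rebuild": sorted(b["host"] for b in beacons if b["blocked"]),
        "assume_encrypting": sorted(b["host"] for b in beacons if not b["blocked"]),
    }


# Constructed sample: WS-0421 is blocked and retrying every ~60 s, WS-0423 got through
# every 30 s, WS-0422 is ordinary browsing, WS-0424 has too few attempts to judge.
BASE = 1448006400
SAMPLE_LOG = (
    [f"{BASE + t}|WS-0421|BLOCK|updates.example-bad.net|POST|/gate.php"
     for t in (0, 60, 121, 181, 240, 300)]
    + [f"{BASE + t}|WS-0422|ALLOW|www.example.com|GET|/index.html"
       for t in (0, 5, 300, 301, 2000)]
    + [f"{BASE + t}|WS-0423|ALLOW|cdn.example-bad.net|POST|/gate.php"
       for t in (0, 30, 60, 90, 120)]
    + [f"{BASE + t}|WS-0424|BLOCK|updates.example-bad.net|POST|/gate.php"
       for t in (0, 60)]
)

if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for b in found:
        print(b)
    print(triage(found))
```

The coefficient-of-variation test is deliberately simple; in production you would also discount destinations already on an allow list and require the destination to be new to the host, but even this version separates a retry loop from a user clicking around a site.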
What can we do?
In Part 2 of Ransomware 101 I will cover what you can do today, using the tools already in your environment, to stop ransomware, and in Part 3 I will show you how to recover if you become a victim.