
Prevent ransomware infections



More information and advice on how to prevent ransomware infections


Summary

What are ransomware infections?

Ransomware infections-as-a-service

Targeted ransomware infections

Prevent ransomware infections!

Do not pay the ransom!

What are ransomware infections?

Ransomware infections are caused by malware that aims to extort money from companies by disrupting their activities. The most widespread type of ransomware infections renders information or computer systems unusable until a ransom is paid. When business-critical information gets locked up, most businesses seriously consider paying ransoms to recover it. In many cases, however, paying a ransom does not guarantee that the files will be recovered. Cyber attackers take advantage of the availability of anonymous cyber currencies, like Bitcoin, to monetize ransomware attacks. Read more about how ransomware developed over time.

How are ransomware infections different than common malware infections?

To prevent ransomware infections, we must first understand how they differ from common malware infections. First, ransomware infections mimic user behavior very well. They only operate on files they can access and perform standard file operations just like any other user or application. In most cases, there is little or no lateral movement, nor are there attempts to infect other computers. Instead, the accessible remote files are targeted irrespective of where they are, and in some cases with priority over the local files. In 2017, new ransomware infections surfaced that implement malware-like spreading mechanisms, mostly based on exploiting vulnerabilities in system services; however, this remains a side feature rather than the core behavior.

Secondly, ransomware infections usually make use of advanced obfuscation techniques, designed to avoid detection by classic antivirus techniques. Such functionality may also be used by common malware, but to a much lesser extent.

Finally, ransomware attacks are easier to carry out because of online ransomware platforms available in the TOR anonymity network. Virtually anybody can launch a ransomware attack without knowing much about coding, and they can monetize this activity using untraceable virtual currencies, such as Bitcoin. It is important to consider security measures to prevent ransomware infections that result from the ransomware-as-a-service distribution model.

These differences lead to significantly higher numbers of successful infections and far more new variants compared to other malware.

“There were between 2M and 3M successful #ransomware attacks in 2016, and the frequency will double year over year through 2019.”


(Source: Gartner: Predicts 2017: Business Continuity Management and IT Service Continuity Management)

What’s the cost of ransomware infections?

Well, it can be hundreds to thousands of dollars, depending on the victim’s location and company profile. According to a study by IBM, 70% of all businesses attacked by ransomware paid to recover their files. Half paid over $10,000, while 20% paid over $40,000. In addition to this money, each incident came with several days of downtime, which comes with its own separate costs.

The easiest way to understand the damage ransomware infections can do is to think about downtime. When it comes down to it, holding data or systems hostage leads to downtime and an inability to perform business activities. How much time can you afford to be unable to do your work? Add to that the effort it takes to recover the latest version of your lost files, assess your up-to-date status, and re-do all the work that is missing. Then consider the cost of data exfiltration, which may happen during a ransomware attack. Evaluating this aspect may involve investigation activities that take up time and money. In addition, such incidents affect your brand, your company image, and your customers’ and partners’ confidence, costs that are difficult to estimate in the long run. Therefore, it is imperative to prevent ransomware infections before they happen.

Notable examples:

CryptoWall was the first ransomware to include advanced obfuscation techniques designed to render the malicious payload undetectable by security software. It made over $100M in ransom.

Locky was one of the most prolific ransomware families. It made over $200M in ransom over a relatively short period. Hence, it is cheaper to prevent ransomware infections than to deal with their consequences.


Ransomware infections-as-a-service

Until recently, ransomware infections were the work of skilled cyber criminals. The primary purpose was to obtain money in the form of ransom paid in bitcoins in untraceable transactions. Not anymore: ransomware attacks became available to unskilled, malicious persons as well, in the form of ransomware-as-a-service. Let’s have a look at how it happened and what the implications are.

To carry out a ransomware attack, a cyber-criminal develops an entire infrastructure:

  • Engines to send SPAM and phishing emails, the main propagation vector for ransomware;
  • Botnets that would send the SPAM and phishing emails, built over time using other types of malware;
  • Anonymous servers to store ransomware packages – where the Phishing and SPAM emails point to;
  • Technology to package the ransomware payloads in ways that make them difficult to detect;
  • Various ransomware payloads configured to deliver customized ransom notes.

With the infrastructure ready, the attacker can launch attacks on various targets and wait to collect the ransom. As soon as the infrastructure is available, most of the high-profile technical work is done, and using the infrastructure does not require a lot of technical expertise. Hence, the attackers have the opportunity to create another effective revenue source by renting their ransomware attack infrastructure to anyone who wants to carry out such an attack. Thus, they have a reliable and efficient source of income by taking a margin on the profits of the ransomware operators. This way, anyone can be a ransomware operator, even without technical knowledge and without a significant initial investment.

Ransomware-as-a-service

The model is similar to the software distribution model where the vendors are replaced by the attackers, and the distribution channel is replaced by the ransomware service operators.

By significantly reducing the level of technical knowledge required to carry out an attack, this cybercrime model greatly increases the number of potential attackers. Consequently, with more actors, the number of attacks will increase significantly.

Examples of existing ransomware-as-a-service

Shark (Cost: 20% of the revenue)

This ransomware has been around for a while, but recently, in August 2016, its developers decided to make it available to anyone and built tools that allow creating and configuring Shark ransomware payloads. Any ransomware operator would pay 20% of the revenue made from ransomware attacks using these tools.

Alpha locker (Cost: $65)

For $65 you get a ransomware kit that consists of unique ransomware code, a master decryptor program, and an administration panel.

Janus (Cost: variable, depending on the amount of ransom)

This online platform allows the creation of custom variants of Petya and Mischa (two of the most devastating families) and enables the distribution process. The costs depend on the amount of ransom received and vary from 25% to 50% of the revenue made by ransomware operators.

The development of ransomware from a rather exclusive revenue generator into a fully-fledged software distribution model usable by anyone has significant implications. We are likely to see an increasing number of attacks and a broadening of the scope of victims. Whereas before money-making was the primary driver for running ransomware attacks, and the targets were usually high-profile companies able to pay significant amounts in ransom (e.g. healthcare institutions), in the future attacks will occur for any reason, and more and more individuals and businesses will fall victim if unable to prevent ransomware infections.

Targeted ransomware infections

It is difficult to prevent ransomware infections caused by targeted attacks through classic anti-virus technology. Although such attacks are less frequent than their random, mass counterparts, they are far more devastating and expensive, mainly because they have a higher chance of succeeding in encrypting the files. Let’s look at some important differences between targeted and random ransomware infections.

Targeted ransomware infections scope

Targeted ransomware infections are carried out against a single, particular company or institution. Usually, the victim is a corporation relying heavily on IT and using files as part of their internal processes. Such companies are more likely to need access to files as soon as possible and thus, more likely to pay a ransom. Random attacks are fired across the internet without specific targets, in an attempt to infect as many machines as possible.

Targeted ransomware infections technology

Perhaps the most significant difference between regular, mass ransomware infections and the targeted ones lies in the technology being used, and this also influences the ransomware protection and ransomware prevention methods to consider. While both have the technology to elude standard antivirus engines, targeted ransomware infections also use customized ransomware variants never used before, for which there are no signatures recorded and which are impossible to detect via traditional security solutions. The rule of thumb that guarantees a high rate of success is one variant per valuable target.
On the other hand, the mass ransomware infections generally use known ransomware variants or samples used in other attacks as well. Classic signature-based solutions are more likely to detect such attacks because the payloads are known.

Targeted ransomware infections distribution

Targeted attacks use advanced social engineering techniques to deliver the malicious payloads into the network of particular victims. Usually, they spread via email, but the campaigns are targeted, more complex and carried out manually.
Mass ransomware attacks use email campaigns, malicious websites or software exploits to proliferate and are usually performed automatically via SPAM campaigns or via ransomware-as-a-service platforms running in the TOR anonymity network. In general, they are carried out unattended.

Targeted ransomware infections monetization

Targeted ransomware attacks demand far higher ransom. Most ask for thousands of dollars for a single computer, and the price goes up to hundreds of thousands or even millions, for more machines. Usually, the ransom is hard-coded in the ransomware itself and does not change. The high ransom demand is based on the fact that such companies are in urgent need of files and can also afford the price.
Mass attacks demand far less ransom – a few hundred dollars to begin with – because the victims are mostly small companies and consumers who cannot afford more and who, because of a lower reliance on IT, may be willing to lose the files rather than pay the ransom.

Targeted ransomware infection prevention

Mass ransomware infections may be detected and stopped by classic, signature-based techniques, provided that the anti-virus is up to date and the vendor is aware of the ransomware variant. However, we must not forget that in many cases, mass ransomware attacks may use zero-day ransomware variants which elude detection. Targeted ransomware infections are very likely to evade detection of most traditional security tools. To accurately detect targeted attacks using custom, never-seen-before variants, companies need specialized anti-ransomware solutions that are able to detect ransomware based on advanced file-access patterns. Such detection technology delivers the best ransomware detection and outperforms signature-based solutions. Find out why specialized anti-ransomware does way better than anti-virus technology here.
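As an added example (not code from the original post), here is a small behavioural detector of the kind the text describes, for the file-access pattern outlined at the start of the post: it scores file-access events per process over a sliding window and flags mass rewrites that rename files to a new extension, including on remote shares, without needing a signature. The CSV event format, thresholds and sample events are assumptions constructed for this example.

```python
"""Behavioural ransomware detector over file-access events (added example).
Not code from the original post. The event format is an assumption of this
example: CSV "timestamp,pid,process,operation,path"; for RENAME the path
field is "old->new".
"""
import csv
from collections import Counter, defaultdict

WINDOW_SECONDS = 10.0   # sliding window evaluated per process
MIN_FILES = 5           # distinct files modified inside the window
MIN_EXT_CHANGES = 4     # renames inside the window that change the extension

# Constructed sample: a normal Word save, a compiler writing many objects, and
# one process rewriting files on a share and renaming them to ".locked".
SAMPLE_EVENTS = """\
1000.0,4321,winword.exe,WRITE,C:\\Users\\alice\\Docs\\~WRD0001.tmp
1000.1,4321,winword.exe,RENAME,C:\\Users\\alice\\Docs\\~WRD0001.tmp->C:\\Users\\alice\\Docs\\report.docx
1001.0,7788,cl.exe,WRITE,C:\\build\\a.obj
1001.1,7788,cl.exe,WRITE,C:\\build\\b.obj
1001.2,7788,cl.exe,WRITE,C:\\build\\c.obj
1001.3,7788,cl.exe,WRITE,C:\\build\\d.obj
1001.4,7788,cl.exe,WRITE,C:\\build\\e.obj
1003.0,666,invoice.exe,WRITE,\\\\fileserver\\finance\\q1.xlsx
1003.1,666,invoice.exe,RENAME,\\\\fileserver\\finance\\q1.xlsx->\\\\fileserver\\finance\\q1.xlsx.locked
1003.2,666,invoice.exe,WRITE,\\\\fileserver\\finance\\q2.xlsx
1003.3,666,invoice.exe,RENAME,\\\\fileserver\\finance\\q2.xlsx->\\\\fileserver\\finance\\q2.xlsx.locked
1003.4,666,invoice.exe,WRITE,\\\\fileserver\\finance\\budget.docx
1003.5,666,invoice.exe,RENAME,\\\\fileserver\\finance\\budget.docx->\\\\fileserver\\finance\\budget.docx.locked
1003.6,666,invoice.exe,WRITE,C:\\Users\\alice\\Docs\\notes.txt
1003.7,666,invoice.exe,RENAME,C:\\Users\\alice\\Docs\\notes.txt->C:\\Users\\alice\\Docs\\notes.txt.locked
1003.8,666,invoice.exe,WRITE,C:\\Users\\alice\\Docs\\plan.pptx
1003.9,666,invoice.exe,RENAME,C:\\Users\\alice\\Docs\\plan.pptx->C:\\Users\\alice\\Docs\\plan.pptx.locked
""".splitlines()

def _ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def _is_remote(path):
    return path.startswith("\\\\") or path.startswith("//")

def parse_events(lines):
    """Yield (ts, pid, process, op, path) tuples, skipping malformed lines."""
    for row in csv.reader(lines):
        if len(row) == 5:
            ts, pid, proc, op, path = row
            yield float(ts), int(pid), proc, op.upper(), path

def _score_window(window):
    # Distinct files modified, Counter of new extensions, whether a share was hit
    modified, new_exts, remote = set(), Counter(), False
    for _, _, _, op, path in window:
        if op in ("WRITE", "DELETE"):
            modified.add(path)
            remote = remote or _is_remote(path)
        elif op == "RENAME" and "->" in path:
            old, new = path.split("->", 1)
            modified.add(old)
            remote = remote or _is_remote(old)
            if _ext(old) != _ext(new):
                new_exts[_ext(new)] += 1
    return modified, new_exts, remote

def detect(lines):
    """Return one alert per process whose windowed activity looks like mass encryption."""
    by_pid = defaultdict(list)
    for ev in parse_events(lines):
        by_pid[ev[1]].append(ev)
    alerts = []
    for pid, events in by_pid.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            modified, new_exts, remote = _score_window(events[start:end + 1])
            ext_changes = sum(new_exts.values())
            if len(modified) >= MIN_FILES and ext_changes >= MIN_EXT_CHANGES:
                alerts.append({"pid": pid, "process": events[end][2],
                               "files": len(modified), "ext_changes": ext_changes,
                               "new_ext": new_exts.most_common(1)[0][0],
                               "remote": remote})
                break  # one alert per process is enough for this example
    return alerts
```

Only the process that both touches many files and renames them to a new extension is flagged; the compiler writing five object files and Word's temp-file rename stay below the thresholds.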

Monetizing ransomware infections supports an extended and elaborate cybercrime system that generates massive profits at the expense of legitimate companies and institutions. Clearly surpassing traditional malware in the effectiveness of monetization, and with far easier exploitation than other cybercriminal activities like data exfiltration, ransomware infections are likely to remain the number one threat for the coming years. Targeted ransomware attacks finance and support the development of criminal organizations in need of specialized attackers, with their own employment and training systems to support more complex, effective and devastating attacks. Hence, it is important to prevent ransomware infections and reduce this phenomenon. The Register writes about targeted attacks and how they support cybercriminal organizations here.


Prevent ransomware infections!

There are many tips online that describe how to prevent ransomware infections, and ransomware protection in general. Most involve various commercial solutions that are, indeed, critical to providing adequate protection. We would like, however, to provide some tips on how to prevent ransomware infections without relying on any software solution. This does not mean you should not implement adequate security solutions. You should ultimately combine these tips with the software-based recommendations: used alone, they only reduce the chances of ransomware infections but do not eliminate the risk.

1. To prevent ransomware infections, do not use privileged user accounts for everyday activity

Most people use computers at home without caring or knowing about the privileges assigned to their user account. The same happens in small and medium companies where IT departments, if present, usually have to deal with tasks that are more important. The result is people are browsing the internet, reading emails, exchanging chat messages, etc., using user accounts with far more privileges than required, usually administrative. Hence, they expose themselves to various types of malware and cyber-attacks, including ransomware.

Fact: out of the many ransomware strains, only a fraction can leverage vulnerabilities to gain privileged rights to execute malicious payloads that encrypt files and attack other computers. In addition, many ransomware variants do not function properly if not executed in a privileged security context. Hence, for ransomware prevention, proper use of privileges is very important.

Risk: running a ransomware payload in the context of a regular user account may still compromise the files belonging to that user, but it is unlikely to compromise the files owned by other users or to attack other computers on the network.

2. To prevent ransomware infections, exhibit caution when using email

Email is the most important ransomware infection vector. The vast majority of ransomware attacks have the following entry point: somebody clicking a link in an email or opening an email attachment. So, for ransomware prevention, the obvious advice is not to click on such links or open such attachments. The issue is: “How do I identify such emails?”.

Here are some pointers that may help you out:

  • Unsolicited email (and email from senders you have never heard of) is the first candidate for the “deleted items” folder. Such messages are rarely valid; express caution and go through the message before taking further action such as clicking links or opening attachments;
  • Note the email address listed as the sender. If it looks automatically generated, or contains characters that make little sense, that is another red flag. Usually, the email address differs from the sender name displayed by your email client;
  • Express caution when receiving email from well-known corporations or brands, especially messages promising something for nothing, or looking too good to be true. Many ransomware email campaigns rely on messages disguised as valuable product offers or notices from shops or service providers, like this phishing campaign based on Netflix;
  • Irrespective of the sender, carefully assess this question: should you, or should you not, receive an email from this sender?
    • If you should not (e.g. an email appearing to be from Netflix with important information about your account, but you do not have a Netflix account), then it is most probably something other than it appears to be.
    • If you should, or are not sure, carefully read the contents and verify the address as per the other tips. This point also applies to social media; sometimes ransomware spreads this way too. So express caution when receiving messages from unknown persons, especially ones that carry a call to action and insist on it.
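As an added example (not from the original post), here are the sender checks above turned into code: it parses the From header and reports the red flags the list describes (unsolicited sender, display name contradicting the real address, a brand you have no relationship with, an auto-generated-looking address). The brand table, the known-sender set and the sample headers are constructed assumptions.

```python
"""Red-flag checks on an email From header (added example, not from the post).
Turns the post's sender tips into code: unsolicited sender, display name that
contradicts the real address, machine-looking address, brand mail you have no
reason to receive. BRANDS, known senders and the sample headers are constructed.
"""
import re
from email.utils import parseaddr

# Brand keyword -> domain that legitimately sends for it (constructed table).
BRANDS = {"netflix": "netflix.com", "paypal": "paypal.com"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _same_org(domain, legit):
    return domain == legit or domain.endswith("." + legit)

def looks_generated(local_part):
    """Local parts such as 'acct-9f2k1q7m35' read as auto-generated."""
    alnum = re.sub(r"[^a-z0-9]", "", local_part.lower())
    if len(alnum) < 8:
        return False
    digits = sum(c.isdigit() for c in alnum)
    return digits / len(alnum) >= 0.4

def assess_sender(from_header, known_senders, brands_i_use=()):
    """Return the red flags found for one From header; [] means nothing stood out."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = _domain(addr)
    if not domain:
        return ["unparseable From header"]
    flags = []
    if addr not in {s.lower() for s in known_senders}:
        flags.append("unsolicited: sender not previously seen")
    shown = _domain(display)          # display name pretending to be an address
    if shown and shown != domain:
        flags.append(f"display name claims {shown} but address is at {domain}")
    text = (display + " " + domain).lower()
    for brand, legit in BRANDS.items():
        if brand not in text:
            continue
        if not _same_org(domain, legit):
            flags.append(f"mentions {brand} but is not sent from {legit}")
        if brand not in brands_i_use:
            flags.append(f"no account with {brand}: why would they write to you?")
    if looks_generated(addr.split("@", 1)[0]):
        flags.append("address local part looks auto-generated")
    return flags

# Constructed sample headers: (From header, known senders, brands you use)
SAMPLES = [
    ('"Netflix" <acct-9f2k1q7m35@netflx-billing.example>', set(), ()),
    ('"Bob Jones" <bob@partner.example>', {"bob@partner.example"}, ()),
    ('"Netflix" <info@mailer.netflix.com>', set(), ("netflix",)),
    ('"support@paypal.com" <x@evil.example>', {"x@evil.example"}, ("paypal",)),
]

if __name__ == "__main__":
    for header, known, used in SAMPLES:
        print(header, "->", assess_sender(header, known, used) or ["no red flags"])
```

The third sample shows that a genuine brand domain still earns an "unsolicited" flag, which is the point of the list: an unexpected message deserves a second look even when the address checks out.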

3. To prevent ransomware infections, surf the internet responsibly

  • Similarly to email, to prevent ransomware infections, avoid dubious websites, i.e. those that:
    • Have many adverts on the page;
    • Open many pop-up windows;
    • Have questionable images or videos with high visual impact;
    • Provide essential advice on something using huge letters;
    • Give you something for free;
    • Ask you to do something, like clicking on links, in exchange for something else, usually too good to be true;
    • Promise to offer copyrighted content for free.

If you come across such a website, there is a good chance that the site passes on ransomware, or other malware that in turn downloads ransomware.

  • Disable macros
    The macro functions in modern document editors are rarely used, yet they are enabled most of the time. Many ransomware families use macro functionality to execute malware that, in turn, sets the stage for a ransomware infection. It is a good idea to disable macros, enable them only when needed, and only if the source of the document that requires macro functionality is trustworthy.


Do not pay the ransom!

Most industry experts, authorities and security vendors advise against paying the ransom when ransomware infections occur, and there are several reasons for this advice. First, paying the ransom encourages the ransomware phenomenon, and more and more cyber-criminals will attempt to profit in this way; it confirms that money can be made out of this, easily. Then, money obtained from such activities usually finances far more dangerous underground markets and organizations, linked with drug and weapons trafficking and terrorism.
The above reasons, however, may be considered weak by a ransomware victim in acute need of access to the lost data. It is a difficult decision to make: get your data back in exchange for payment, or do not get your data back, but stay on the right side of the ethics. This is why many pay the ransom in spite of the general advice.

However, when ransomware protection fails, there is a better reason not to pay the ransom. Although cyber attackers claim that paying the ransom allows data recovery, it is not always the case. There are many situations when victims have not recovered the data after having paid the ransom demanded by the attackers. We are going to have a look at three such scenarios:

1. Paying the ransom when the ransomware infection is caused by a “wiper”

Researchers have found numerous strains of malware that, although they apparently behave like ransomware, have no technical means to allow victims to recover the data. In this case, the attackers never intended to give you any data back.
It is often difficult to tell the difference between “legitimate” ransomware and such “wipers” because of the actions they take on the target computer:

  • It may create files with weird extensions;
  • It makes original files unavailable, usually by deleting them;
  • It deploys ransom notes.

When analyzing the behavior in detail, the original files are never actually encrypted. There is no infrastructure or technical implementation in place to allow data recovery. Such malware only wipes out your data. Paying the ransom, in this case, is futile and the files may never be recovered. One such example was discovered by security researchers at Cisco, and the malware was named Ranscam. It is a typical case of malware that simply destroys files. Similar malware attacks the file allocation table. More details here.
Another recent example is RedBoot. It attacks the master boot record and alters the partitions in a way that makes recovery impossible from a technical point of view.

2. Paying the ransom when the ransomware infection is caused by incomplete ransomware having “inadvertent” design flaws

Other cases involve well-known ransomware families that, let’s say, have a “proven” history of recovering the data after the ransom is paid. In such cases, the behavior of the ransomware is very similar to that of the well-known ransomware family:

  • Files are encrypted on the hard drive;
  • The encrypted content gets the same extension as the ransomware family this malware mimics;
  • Alternatively, if the well-known family attacks the boot sector, similar behavior is implemented;
  • Apparently, there is functionality to allow the entire data recovery process to happen: the victim gets assigned an install ID, there are detailed instructions on how to pay the ransom and recover the data, etc.

However, there are cases where researchers have found that the data recovery functionality implemented by the attackers cannot technically deliver the desired results.
A good example is NotPetya, later called “Shamoon wiper”: it is very similar in behavior to Petya, a ransomware attacking the boot sector. Petya has a “proven” record of successful data recoveries. In fact, researchers first attributed such attacks to a “new variant of Petya.” Later, however, researchers found that key aspects required for the data recovery process, such as the installation ID of the victim, are populated with random information. This means that the attackers cannot unlock the victims’ data. More information here.

3. Ransomware does have bugs, and no, attackers will not debug nor provide support

There are many cases where a ransomware family, known to allow data recovery after paying the ransom, has technical issues that manifest only under certain, specific circumstances. In such cases, those victims, who have particular environments causing the ransomware to fail in the data recovery process, also lose their files in spite of paying the ransom.
The ransomware developers focus on making the ransomware profitable. This means it has to be stealthy and bypass known security measures in place; it has to have an automated infrastructure to allow mass monetization of the ransom, etc. They do not focus on making sure that the data recovery process works in most cases, if at all.
There are several points where ransomware may fail in the data recovery process:

  • Inability to gather the necessary data from the victim, to build the essential recovery items;
  • Failure to communicate over the internet with the command server – crucial in the data recovery process;
  • Infrastructure issues that cause the control servers to generate faulty recovery keys that do not work.

Like any other software, there are situations where the technical implementation fails, and this ultimately leads to losing both the data and the ransom money.

To summarize, some attackers never intend to give any data back; others give up at some point and do not properly implement their data recovery functionality; and some do not test their ransomware well enough. In either case, if ransomware protection fails, both money and data are lost, and the chances of this happening are not negligible. Prevent ransomware infections using these tips and enterprise ransomware protection, and avoid having to deal with ransom demands.

For more information, follow us on social media and subscribe to our newsletter.

This post was last modified on August 21, 2023 7:26 am

Calin Ghibu

Technical background: over 15 years experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: Network audit, information security, web security, endpoint security, perimeter security SIEM, legal compliance, competitive intelligence.
