Sage Advice - Cybersecurity Blog

The Current State of Ransomware

Ransomware cyberattacks are on the rise. If your computer is infected with ransomware, a type of malware (malicious software), you are not able to access your data until a ransom is paid to the attacker. After the ransom is paid, the data will usually be released.

Ransomware is opportunistic in nature; computers are typically infected by a user clicking on a malicious email attachment or visiting an infected website.

Ransomware Gets Its Start

Ten years ago those hit the hardest by ransomware were home users. Their monitors would display a screen showing a fake anti-virus product telling the user their system was infected. The user had to purchase the fake anti-virus product to rid their computer of malware and gain access to their computer.


Ransomware Evolves

In 2013 ransomware evolved from fake anti-virus to a product that encrypted specific file types on the infected computer. File types were usually limited to Office files, PDFs, and pictures. This new ransomware also had the ability to spread across a network via shared network drives. This became more of a concern for businesses as the ransomware was not contained on a single machine; numerous files could be encrypted across the network.

If the business infected by ransomware had good backups, this was just an annoyance because they could simply restore the encrypted data. However, businesses that did not have current backups were at the mercy of the attackers. If they wanted their data back, they had no choice but to pay the ransom. 

The method of payment also changed. Instead of credit cards, Bitcoin became the preferred payment method. Bitcoin is a digital currency that can be sent anywhere in the world and is difficult to trace. It can take days to establish a Bitcoin account, purchase the Bitcoins, and pay the ransom. To make this easier, the attackers would provide detailed instructions for creating a Bitcoin account and transferring the money.


Today’s Ransomware

Fast forward to 2016. Ransomware has turned into a lucrative business for cyber criminals. There are numerous variants of ransomware, and they continue to evolve. Below is a list of identified ransomware families as of the date posted:

7ev3n
BuyUnlockCode
Cerber
Coverton
Crypt0l0cker
CryptoFortress
CryptoHasYou
CryptoJoker
CryptoWall
DMA Locker
ECLR Ransomware
EnCiPhErEd
HydraCrypt
KeRanger
LeChiffre
Locky
Magic
MakTub Locker
NanoLocker
Nemucod
PadCrypt
PClock
Petya
PowerWare
Radamant
SamSam
Sanction
Shade
SuperCrypt
Surprise
TeslaCrypt
UmbreCrypt

The majority of this malware is being spread via exploit kits served from compromised websites, or by users clicking on attachments contained in phishing emails. However, that too is changing as the criminals realize that larger businesses have the ability to pay a higher ransom.

Enter a New Type of Ransomware

2016 has seen widespread use of a new type of ransomware “SamSam.” Attackers actively scan the Internet for vulnerable systems, and exploit those systems to gain access to the internal network. One tool being used is JexBoss, which discovers and exploits vulnerable JBoss servers.

Once inside the network, the malware queries Active Directory for a list of Windows computers. After it discovers the computers listed in Active Directory, it "pings" them to compile a list of active hosts. Next, it generates public and private encryption keys based upon the hostnames. The private keys are sent to the attacker.

The ransomware and the public key are uploaded to all of the active computers on the network. The ransomware launches in a coordinated attack, hitting the entire network in a few minutes. Once active, it deletes the volume shadow copies on each computer and encrypts the files on the computer (see file types here). Backup-related files are specifically sought out for encryption or deletion.

Previous versions of malware infected one system that encrypted the files on the network. There was only one key needed to decrypt all of the files. Now, every active computer on the network has a unique encryption key that is sent back to the attackers. The criminals now know how many devices have been infected, and can charge a ransom amount relative to the size of the network. Ransom has increased from around $500 to tens of thousands of dollars.
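The behaviours described above (shadow copies deleted, a burst of file encryption including backup files, and many hosts hit within minutes) map directly onto detection logic. The following is an added example, not code from the original post or from any vendor it references: it runs over constructed host-event lines, and the log format, the `.locked` extension and the backup-extension set are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events, not taken from the page: "timestamp host kind detail".
SAMPLE_LOG = """\
2016-03-15T02:00:01 ws01 process vssadmin.exe delete shadows /all /quiet
2016-03-15T02:00:02 ws01 filewrite C:\\Users\\a\\q1.xlsx.locked
2016-03-15T02:00:02 ws01 filewrite C:\\Users\\a\\report.pdf.locked
2016-03-15T02:00:03 ws01 filewrite C:\\Users\\a\\photo.jpg.locked
2016-03-15T02:00:04 ws01 filewrite C:\\Backups\\full.bak.locked
2016-03-15T02:01:10 ws02 process vssadmin.exe delete shadows /all /quiet
2016-03-15T02:01:11 ws02 filewrite D:\\share\\plan.docx.locked
2016-03-15T02:01:11 ws02 filewrite D:\\share\\budget.xlsx.locked
2016-03-15T02:01:12 ws02 filewrite D:\\share\\deck.pptx.locked
2016-03-15T02:01:13 ws02 filewrite D:\\share\\old.vhd.locked
2016-03-15T09:31:00 ws03 process vssadmin.exe list shadows
"""
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
BACKUP_FILE = re.compile(r"\.(bak|vhd|vhdx|bkf)(\.|$)", re.I)  # assumed backup extensions

def parse(log_text):
    """Turn each line into (datetime, host, kind, detail)."""
    rows = (line.split(" ", 3) for line in log_text.splitlines())
    return [(datetime.fromisoformat(ts), host, kind, detail) for ts, host, kind, detail in rows]

def host_findings(events, burst=4, window=timedelta(seconds=60)):
    """Per host: shadow copies deleted, a burst of file writes, backup files touched."""
    findings, writes = defaultdict(set), defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "process" and SHADOW_DELETE.search(detail):
            findings[host].add("shadow_copy_deleted")
        elif kind == "filewrite":
            writes[host].append(ts)
            if BACKUP_FILE.search(detail):
                findings[host].add("backup_file_touched")
    for host, stamps in writes.items():
        stamps.sort()  # a burst = `burst` writes whose first and last fall inside one window
        if any(stamps[i + burst - 1] - stamps[i] <= window for i in range(len(stamps) - burst + 1)):
            findings[host].add("write_burst")
    return {h: sorted(f) for h, f in findings.items()}

def suspect_hosts(findings):
    """Hosts showing both shadow-copy deletion and a write burst."""
    return sorted(h for h, f in findings.items() if {"shadow_copy_deleted", "write_burst"} <= set(f))

def coordinated(events, suspects, window=timedelta(minutes=5)):
    """True when shadow-copy deletions on suspect hosts fall within one window of each other."""
    times = sorted(ts for ts, host, kind, detail in events
                   if host in suspects and kind == "process" and SHADOW_DELETE.search(detail))
    return any(b - a <= window for a, b in zip(times, times[1:]))
```

In a real deployment the same three signals would be read from Sysmon or EDR process and file events rather than a constructed text log, and the thresholds tuned to the environment's normal write rates.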

How to Defend Against a Ransomware Attack

  • The best way to defend against this type of attack is to make sure your systems are up-to-date with patches. Malware typically exploits unpatched third-party software, and "SamSam" is no different: it searches the Internet for vulnerable systems to exploit.
  • If you have systems on the Internet where users enter credentials, encrypt the traffic and require multi-factor authentication.
  • Have a backup process that maintains current backups of all your important data. The backups should be "air-gapped" or stored on a locked-down VLAN. Test the restore process frequently. If you are infected with ransomware, the ability to restore from backup may be the only thing that saves you from paying the ransom.
  • Review your Incident Response plan, and practice regularly. Being prepared to confidently respond to a cyberattack is an important key to success.
