10 THINGS YOU SHOULD KNOW ABOUT RANSOMWARE – AND 10 WAYS TO CUT THE RISK

Shiv Ganapathy, Senior Managing Consultant, Security Consulting, Spirent Communications

“Warning! Your computer is infected!” – remember those frightening pop-up windows? They claimed that sensitive personal and financial data might be stolen or corrupted. But relax! There was always a friendly toll-free helpline and, after a few questions your worst fear would be confirmed: “Your computer is compromised, but for just $199 you can download our software to clean and protect it”.

It was a very clever trick, because there was actually nothing wrong with your computer, and the software they sold you did nothing. The whole thing depended upon shock: after news coverage of viruses on the rampage, a busy user would simply pay up rather than take any risks. The victim was expected to pay a ransom.

Once people learned to ignore these bogus warnings, the stakes were raised. Today’s “ransomware” goes a step further: it actually does something to the victim’s computer.

  1. What is ransomware?
    Ransomware is a type of malware that infects a computer and restricts users’ access until a ransom is paid.
    “Locking Ransomware” locks computer functions and an on-screen alert gives instructions on how to pay in order to restore the computer. This could be a friendly “let our experts help you resolve this problem for a small fee”, or it could be a “pay up or we wipe your machine” threat.
    However, the most precious thing in a computer system is usually the data it contains – whether family photos, the draft of a novel being written, or some critical business documents. So “File-Encrypting Ransomware” hits where it hurts most: it encrypts data files using strong encryption. While a clever IT person might be able to unblock a locking attack, nobody could decrypt files without the key. Ransomware can also target data files in any drives connected to the computer including network shares, or DropBox mappings.
    Ransomware has been around for a long time, but resurfaces from time to time. In 1989 the “PC Cyborg” attack encrypted file names and displayed a message saying that the user’s licence had expired and it was necessary to pay $189 to the “PC Cyborg Corporation” to restore it. Ingenious, but not very effective – because the encryption was so basic.
  1. So why is ransomware in the news now?
    There have been several high profile attacks already this year.
    In February 2016, the Melrose Police Department in Massachusetts was hit by encrypting ransomware, apparently triggered from a malicious email opened by a member of the department. According to the Melrose Free Press, the police department paid one Bitcoin as ransom to get the decryption key. This was dramatic because the victim was a law enforcement agency.
    Other high profile targets have been hospitals. In the same month blocking ransomware took Hollywood Hospital offline. The original ransom demand was $3.6M, but the hospital eventually paid $17,000 to free their computers.
    In May, over a hundred computers at the University of Calgary were infected, locking staff, students and faculty out of their emails. The University of Calgary reportedly paid 20,000 Canadian dollars to free their system.
  1. What might we expect from a ransomware attack?
    Either loss of use or loss of critical data. Unlike a terrorist or malicious attack that causes permanent damage, the whole aim is to encourage the victim to pay up and get the system restored.
    So the data at risk will be critical: either for its personal value or because it is vital to the running of the operation. And the amount to be paid will relate to the cost of business lost or system downtime, as well as loss of reputation. Who wants to trust a hospital that loses its patient data? Or a company that loses customers’ financial data?
  1. How do you pay the ransom?
    We began with a relatively harmless attack that played on ignorance and feelings of vulnerability. Because it looked so innocent, the payment could be made in a relatively open and unsuspicious manner.
    More vicious attacks cannot accept money via regulated banking systems: there must be a “safe” way for the money to change hands without being traceable. This means that the payment is often in a virtual currency such as Bitcoin or via a pre-paid cash voucher.
  1. Should you pay the ransom?
    If critical files are at stake, it is tempting just to pay up. On the other hand, payment encourages the growth of ransomware. If the payment cannot be traced, there is no guarantee that the criminals will keep their word, and in some cases they have taken the money and vanished. But they do have an incentive to deliver: unless the public continues to believe that they will get their data back, nobody will pay the ransom.
  1. Who is most at risk?
    Large institutions and government agencies with the most to lose are at risk. Hospitals make an ideal target because they provide critical care and rely on up-to-date patient data. They would rather pay than risk deaths and lawsuits. Also, hospitals do not have the same cyber-defence culture as law enforcement and other critical agencies: that makes them a soft and very lucrative target.
    Home users are also vulnerable to smaller ransom demands. Below a certain price threshold, a non-specialist user would pay rather than face hassle. So a virus that infected thousands of home computers could still make a lot of money.
  1. Is the enterprise at risk?
    According to CNN, ransomware is expected to cost enterprises $1 billion in 2016, and no organisation is immune. Large enterprises are more likely to have in-house IT and cyber security expertise, but management will often pay rather than risk loss of business. In terms of an attack surface, enterprises have many users to target, and it might only take one user opening one phishing e-mail to infect the entire enterprise. Newer methods of ransomware infection include exploiting vulnerable web servers as an entry point to gain access into an organization’s network.
  1. What types of ransomware are there?
    CryptoLocker was launched in September 2013 and spread via infected e-mails from a botnet. It targeted Microsoft Windows, encrypting certain files and offering to decrypt them on payment by a stated deadline. If the deadline passed before the key had been deleted, a higher fee was charged for online help. Although it was not difficult to remove the CryptoLocker virus, there was no way to recover the files once the key had been deleted. By May 2014 the botnet had been taken down, but it was estimated that the virus had extorted over two million pounds sterling by then.
    More recent attacks include names like Crysis, CryptoWall, CTB-Locker, Locky, SamSam.exe, TorrentLocker and Teslacrypt. Here are three examples:
    Trojan.Ransom is a whole family of ransomware that blocks access to the computer and demands a ransom fee to be paid via phone. Trojan:W32/Ransom, for example, prevents access to the Desktop and displays a fake law enforcement message accusing the user of storing illegal material or using illegal software, and demanding a fine.
    The Citadel malware platform delivers ransomware known as Reveton, which plays a similar trick while tracking the victim’s geographic location to make its law enforcement message look really convincing. In the USA it will look like an official FBI summons, displaying the computer’s IP address and sometimes even accessing its webcam to suggest that the victim is under police surveillance, to ensure that the fine of about $200 will be paid.
    RAA, discovered in May this year, is a file-encrypting ransomware, distributed as an e-mail attachment and written in JavaScript. This means that the file name ends in .js, and that would normally make the user suspicious. But the file is cleverly given a name like filename.txt.js: by default Windows does not display a file’s final extension, so the attachment appears as a harmless-looking filename.txt. When double-clicked, the attachment opens as a bogus Word document while RAA looks for writable user files, encrypts them and adds the extension .locked. RAA also deletes the Windows Volume Shadow Copy Service to stop it from recovering files. The ransom payment instructions ask the victim to send an e-mail. In return, to prove that they do hold the key, they will decrypt a few of the files then demand Bitcoin payment for the rest. After a week, the key will be destroyed.
  1. What to look out for
    Beware of mass phishing emails with attachments pretending to be photos, reports, invoices, resumes or other business communications. These attachments can be .zip files that contain .exe files disguised as PDF, Word or Excel documents; or, as in the RAA above, hidden .js files.
    “Drive-by downloading” occurs when a user visits a compromised website and a security weakness in the browser, plug-ins, or OS allows the ransomware to be downloaded and installed without the user’s knowledge.
    “Malvertising” means injecting malware into legitimate online-advertising pages. This is dangerous because it does not require any user action to compromise the system and it does not depend on any vulnerability on the website it is hosted from.
  1. Best practice – what can we do?
  • Raise user awareness. Do not open attachments from unknown sources or in emails that look legitimate but are unexpected – e.g. a FedEx notice when you are not expecting a delivery. Do not enable macros from email attachments or click on unsolicited Web links in emails.
  • Keep on testing. Conduct frequent vulnerability scanning of the organization’s external and internal networks, network devices and web applications to identify security gaps or known vulnerabilities. Penetration testing can identify vulnerabilities in the network, systems and processes.
  • Keep anti-virus software up-to-date, and scan all software downloaded from the Internet.
  • Restrict users’ permissions to reduce risk of unauthorized software applications. Apply the principle of “Least Privilege” to all systems and services to hinder the spread of malware through the network.
  • Back up. Encryption ransomware locks critical information, so make sure it is subject to a regular data backup and recovery plan. Also back up servers and network shares with multiple restore points. Do not forget, however, that ransomware can also target files in drives connected to the computer, so consider backing up critical data in two different media, including one off-site.
  • Customize email filter and spam filter settings to block emails with suspicious attachments.
  • Patch and update operating systems, antivirus, browsers, Adobe Flash Player, Quicktime, Java, and other software.
  • Block pop-ups. Use browser add-ons to block pop-ups as they can be a point of entry for ransomware.
  • Show File Extensions. The Windows “Show File Extension” feature turns off hiding files’ extensions. Seeing the actual extension of suspicious files means the user can avoid opening them.
  • Unplug or turn off network connectivity. If you notice any suspicious activity, turn off Internet and/or unplug any other connectivity. Done early enough, this can minimize the attack before it has a chance to contact the attacker’s server to download additional malicious code or cause any further harm to other connected devices or networks.
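
The advice above to filter suspicious attachments, together with the filename.txt.js trick and the .zip files hiding .exe files described earlier, can be turned into a simple gateway-side check. The following is an added example, not part of the original article; the extension lists, function names and sample archive are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example; tune them to your own mail gateway.
SCRIPT_OR_EXE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf", ".hta"}
DECOY = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def check_name(name):
    """Return the reasons an attachment file name looks suspicious."""
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in SCRIPT_OR_EXE:
        reasons.append("executable or script extension " + suffixes[-1])
        # With extensions hidden, "filename.txt.js" is shown as "filename.txt".
        if len(suffixes) > 1 and suffixes[-2] in DECOY:
            reasons.append("double extension posing as " + suffixes[-2])
    return reasons


def check_attachment(name, data):
    """Check an attachment and, for .zip files, every member inside it."""
    candidates = [(name, name)]
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                candidates += [(name + "!" + m, m) for m in archive.namelist()]
        except zipfile.BadZipFile:
            return {name: ["unreadable archive"]}
    findings = {label: check_name(fname) for label, fname in candidates}
    return {label: reasons for label, reasons in findings.items() if reasons}


def build_sample_zip():
    """Constructed sample: a zip whose members hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.exe", b"constructed placeholder, not a program")
        archive.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_attachment("invoices.zip", build_sample_zip()))
```

A filter like this only looks at names, so it complements rather than replaces anti-virus scanning of the attachment contents.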

Conclusion

The threat of ransomware comes and goes, and right now it is coming – fast.

Criminals are out to make a quick buck, so they generally prefer to re-cycle old tricks and code into new, unexpected shapes – so security staff and systems are constantly caught out – rather than go back to square one and create totally new malware. But when the rewards are high enough – as with the recent high profile attacks – organised crime will always come up with something new. So there are no hard and fast ways to guarantee security.

On the other hand, it is the lowest hanging fruit that delivers the quickest return. So any organisation enforcing the above ten principles will remain a lot less attractive.

For real peace of mind, however, nothing beats the assurance of on-going vulnerability testing combined with regular penetration testing.
