The Dangers of Ransomware

Though there are multiple threats to personal and organizational data, the most recently disclosed attack reported by United States news agencies at the time of writing was an advanced ransomware attack.  Wong (2016) discussed the attack against Hollywood Presbyterian Medical Center, in which a ransomware infection encrypted a large number of important medical records, effectively freezing hospital operations until a ransom was paid.  While multiple attempts were made to circumvent the attack, the end result was that the medical center paid roughly $17,000 United States dollars in ransom to recover its data (Everett, 2016).  Ransomware is a type of malicious software that is often distributed as a Trojan Horse.  A Trojan Horse, in the context of threats and vulnerabilities, is a malicious payload contained within a legitimate file, or within a file that appears legitimate (Abuzaid, Saudi, Taib, & Abdullah, 2015).  When the end user executes or opens the seemingly legitimate file, the payload is triggered, releasing the infection on the computer system.  The infection can take multiple forms; however, the end goal is the same: to prevent the end user from using computer resources or data until a ransom is paid to a third party.

While ransomware has been propagating for years, early variants did not encrypt data; they modified the operating system's boot or logon sequence to present the end user with a message stating that the computer was locked.  Infections such as WinLock presented full-screen messages at system boot, often styled to look like official federal notices stating that the end user had committed a crime and must pay a fine to regain use of the computer (Kirda, 2015).  These infections, though frightening to the end user, were categorized as scareware or screen lockers, and were often easily cleaned, resulting in no data loss to the system.

As computer speed increased, so did the threat level of ransomware infections.  Rather than easily cleaned lock screens, the additional processing power allowed the payload to conduct more operations in a shorter time period.  In newer varieties of ransomware, those additional operations include full encryption of specific file types, with care taken not to encrypt files that would prevent the operating system from booting, since the victim must still be able to read the ransom demand and pay.  In addition to CPU speed, technologies such as Nvidia's CUDA allow the cores of the Graphics Processing Unit (GPU) to augment specific tasks, one of which is encryption (Vasiliadis, Polychronakis, & Ioannidis, 2015).  This GPU-based enhancement can greatly increase the speed of an infection if the malicious application is written to take advantage of GPU acceleration.  Bangs (2014) reviewed the most widely known encrypting ransomware, CryptoLocker, and stated that it was a critical threat to organizations.  While a federal coalition including multiple United States government departments, along with forensics teams from several antivirus vendors, successfully gained control of the server that housed the master encryption keys for the CryptoLocker infection, the proof of concept, and the validation that victims would readily pay, had already been established, resulting in multiple clones of the infection using different master keys and encryption algorithms (Bachrach & Rzeszut, 2014).  It was estimated that within its lifespan the CryptoLocker infection resulted in payments of over $27 million United States dollars to the attackers (Bangs, 2014).  The exorbitant amount of payment for little work on the part of the attackers made the ransomware model viable to refine and reuse, which has resulted in hundreds of variants being in existence currently.

Distribution and Attacker Philosophy

The earliest widely distributed ransomware, WinLock, was traced back to the Russia and Ukraine region; however, current versions of ransomware are mutations of a base code and are operated from all over the world (Ortner, 2015).  While there are multiple methods of distribution, within the business segment the most common is a phishing attack in which the attacker sends a seemingly legitimate message with an attachment to the target.  The most common lure emulates a message from a familiar business vendor such as FedEx or UPS, stating that an invoice is attached.  When the target opens the attachment, they either execute the payload directly, or are directed to a third-party site that distributes the payload, or a downloader disguised as a document reader that retrieves the payload in stages.  Upon payload execution, the infection uses idle CPU time to encrypt files that are likely to be important, including word processing, image, spreadsheet, and database files.  While many variants of ransomware target only the user's Documents folder within Windows, others will scan the host system as well as any connected storage to which the user has write access, including external USB drives and mapped network drives.  The blast radius of an infection is therefore set by the compromised user's write permissions, not by whether that user holds administrative rights.
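The last point is easy to measure before an incident rather than after.  The following PowerShell, an added example that is not part of the original article, enumerates the removable and network drives attached to the current user's session and tests whether that user can actually write to each one; every drive reported as writable is storage a ransomware payload running as that user could encrypt.  It needs only standard user rights.  The probe file name is an assumption of this example; choose one that your own file screens will not block.

```powershell
# Added example (not from the original article): list the removable and network
# drives visible to the current user and test write access to each, which is the
# set of storage a ransomware payload running as this user could encrypt.
# Runs as a standard user. The probe file name below is an assumption.

$probeName = '.ransomware-write-probe-{0}.tmp' -f [guid]::NewGuid()

function Test-WritableDrive {
    param([Parameter(Mandatory)][string]$Root)
    $probe = Join-Path -Path $Root -ChildPath $probeName
    try {
        # Create, write, and delete a small file; any failure means no write access.
        # (If the delete fails the probe file is left behind; clean it up by hand.)
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Win32_LogicalDisk DriveType: 2 = removable (USB), 4 = network drive.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 4'

$report = foreach ($d in $drives) {
    [pscustomobject]@{
        Drive    = $d.DeviceID
        Type     = if ($d.DriveType -eq 4) { 'Network' } else { 'Removable' }
        Target   = $d.ProviderName          # UNC path for network drives, empty otherwise
        Writable = Test-WritableDrive -Root ($d.DeviceID + '\')
    }
}

$report | Format-Table -AutoSize
"Writable drives exposed to this user: $(@($report | Where-Object Writable).Count)"
```

Run it in the context of an ordinary user account, not an administrator, since that is the context a phishing payload executes in.  Shares that show as writable but are only ever read by that role are candidates for read-only permissions, which removes them from the blast radius entirely.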

The lure of easy money with minimal investment is the primary attraction of this type of attack.  In the case of Hollywood Presbyterian Medical Center, the attacker or group of attackers gained a roughly $17,000 United States dollar bounty from a single target (Everett, 2016).  These monies were paid in cryptocurrency, which is difficult to trace to an individual, and essentially gave the attackers easy access to capital.  As phishing is the primary vector for distributing this type of malware to businesses, an economy of scale comes into play (Leukfeldt, Kleemans, & Stol, 2016).  Using this economy of scale, if the attacker sends out 10,000 phishing messages and has only a 0.5% infection rate, they now have fifty infected targets.  Assuming a demand of $5,000 United States dollars per target and a 10% rate of payment, the attacker has just made $25,000 United States dollars (five paying victims at $5,000 each) from a single phishing campaign.  As such, the motivation of the attacker is the lure of easy money, as is common in the criminal sector.

Danger to Organizations

The danger to an organization has an obvious aspect: the files necessary for operations are encrypted, which halts the business.  However, while the obvious aspect is important, there are other dangers that cause long-term negative consequences to organizations.  In the example of Hollywood Presbyterian Medical Center, the attack became national news, meaning that there was severe reputational damage to the organization.  This damage to reputation can affect the ability to attract talent, as well as reduce customer trust in the organization, resulting in lost potential profits.  There would also be a need for post-attack investigations, often at high cost, to establish whether organizational data was retrieved, altered, or disclosed before or during the attack, since code that could write every file the user could reach could also have read it.

Mitigation Strategies

The use of frequent backups would assist in mitigating a ransomware attack against many organizations; however, in the case of Hollywood Presbyterian Medical Center, restoring from backup would still lose the data entered between the last backup and the time of infection.  Information pertinent to patient health is entered into the systems throughout the day, and that amount of missing patient information could be dangerous to patients.  Backups are a viable option for restoring data that is not frequently changed, but a backup is a snapshot and will always be behind current data (Tuttle, 2016); the acceptable gap, the recovery point objective, has to be decided before the incident, not after.  The issue within Windows-based environments is that even if a user is running as a standard user, which prevents them from installing applications, they still have write and execute rights to their own profile, in particular the %AppData% and %LocalAppData% folders (under %USERPROFILE%).  These folders are consistently used as a staging area by malware infections, and are the most common drop location used by ransomware payloads.  By deploying Software Restriction Policy path rules through Group Policy that disallow execution of files from these folders, the likelihood of full infection drops drastically, as users cannot execute the scripts and applications that trigger the payload (Beuhring & Salous, 2014).  While this will not mitigate all attacks, it will have a discernible effect on the ability of an infection to cause damage.
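The following PowerShell, an added example and not the article's, ThirdTier's, or CryptoPrevent's code, creates the Software Restriction Policy path rules described above on a single machine by writing the same registry keys that the Local Security Policy snap-in writes; a Group Policy Object that delivers these keys applies the rule domain-wide.  The rule list, the rule description text, and the choice to leave the default level at Unrestricted are this example's assumptions.  It must be run from an elevated PowerShell.

```powershell
# Added example (not from the original article, ThirdTier, or CryptoPrevent):
# create local Software Restriction Policy (SRP) path rules that disallow
# executables launched from the per-user profile folders ransomware droppers
# write to. The registry layout is the one the Local Security Policy snap-in
# and Group Policy write; pushing the same keys via a GPO deploys it domain-wide.
# Run from an elevated PowerShell. Rule list and description are assumptions.

$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $safer '0\Paths'    # subkey "0" = Disallowed security level

# Baseline: default level Unrestricted (0x40000), enforce for all users including
# local administrators (PolicyScope 0), apply to all software files except
# libraries (TransparentEnabled 1). New-Item creates the intermediate keys.
New-Item -Path $disallowed -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord

# Paths ransomware commonly executes from. "%AppData%\*.exe" covers the folder
# itself and "%AppData%\*\*.exe" one level of subfolders; the %Temp% patterns
# catch executables run straight out of an archive opened in place.
$rules = @(
    '%AppData%\*.exe',            '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',       '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe',  '%LocalAppData%\Temp\*\*.exe',
    '%Temp%\*.zip\*.exe',         '%Temp%\Rar*\*.exe',   '%Temp%\7z*\*.exe'
)

function Add-SaferDisallowRule {
    param([Parameter(Mandatory)][string]$PathPattern)
    # Skip patterns that already have a rule, so the script is safe to re-run.
    $existing = Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $PathPattern }
    if ($existing) { return }

    # Each rule lives in its own {GUID} subkey with these four values.
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value 'Block ransomware droppers in user profile' -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

$rules | ForEach-Object { Add-SaferDisallowRule -PathPattern $_ }

# Re-read policy, then list the patterns now in force for a visual check.
gpupdate /force | Out-Null
Get-ChildItem -Path $disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Verify it with a harmless binary rather than a malware sample: copy a known-good executable from %SystemRoot%\System32 into %AppData%, log off and back on, and attempt to run the copy; the launch should be refused with a message that the program is blocked by group policy.  The caveat a practitioner will hit immediately is that some legitimate software installs per-user into %LocalAppData% and will be blocked by the same rules; either deploy those packages per-machine or add matching Unrestricted rules (the "262144" subkey) for their exact paths before rolling the policy out.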

The use of antivirus and antimalware applications, in this case especially Malwarebytes, is, of course, a best practice, though the problem is that the majority of these applications are signature-based, meaning there is no protection from infections that the application vendor has not yet seen (Poonia & Singh, 2014).  Signature updates are also distributed on a schedule, meaning that even after a signature exists for an infection, it may still be hours before a given system is protected.  Additionally, users gain a false sense of security when they have an antivirus application installed (Tariq, Brynielsson, & Artman, 2014).  While this author is not suggesting that antivirus not be run, it is important to note that antivirus applications are not a guarantee of protection.  It should be noted, however, that in the case of Malwarebytes, at least in the paid version, the heuristic analysis and real-time protection add a level of behavior-based protection not commonly found in signature-only antivirus applications.  Additionally, FoolishIT has released a tested and viable prevention kit for CryptoLocker variants, CryptoPrevent, which can be found at: https://www.foolishit.com/cryptoprevent-malware-prevention/ .  For organizations, the GPO settings provided by ThirdTier (now defunct) allowed for inherent protection of all domain-joined computers.  There is also a PowerShell script that can protect file servers by screening for known ransomware file names through File Server Resource Manager (FSRM), though the original ThirdTier script was more complete.  The PowerShell script can be obtained from: https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce
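To show what a file-server screen of this kind actually does, here is an added example, written for this page and not the TechNet or ThirdTier script, that uses the File Server Resource Manager cmdlets on a Windows file server to refuse any write whose name matches a known ransomware artifact and to log which account tripped the screen, since that account identifies the infected workstation.  The share path, the event text, and the starter pattern list are assumptions of this example; the patterns are a handful of well-known ransomware extensions and ransom-note names and should be extended from a maintained list.  It requires the FS-Resource-Manager role service and an elevated PowerShell on the file server.

```powershell
# Added example (not the TechNet or ThirdTier script): an FSRM file screen that
# refuses writes of known ransomware file names under a share root and logs the
# offending account and file to the Application log. Requires the FSRM role
# service and an elevated PowerShell on the file server. $SharePath, the event
# text and the pattern list are assumptions; extend the patterns from a
# maintained source.

Import-Module FileServerResourceManager     # ships with the FSRM role service

$SharePath = 'D:\Shares'                    # assumption: parent folder of the shares
$GroupName = 'Ransomware Artifacts'

# Starter list: encrypted-file extensions and ransom-note names used by known
# families. FSRM matches on file name only, at create/rename time.
$patterns = @(
    '*.locky', '*.zepto', '*.cerber', '*.cryptolocker', '*.encrypted', '*.crypt',
    'HELP_DECRYPT.*', 'DECRYPT_INSTRUCTION.*', '_HELP_instructions.*'
)

# Create or update the file group so re-running the script picks up new patterns.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
}

# On a hit, write a Warning event naming the user and file. FSRM expands the
# [Source Io Owner], [Source File Path] and [Server] macros at run time.
$logAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'Ransomware file screen hit: user [Source Io Owner] wrote [Source File Path] ' +
    'on [Server]. Disable that account and isolate its workstation.'
)

# Active screen: the write is refused, not merely reported. Screens on a folder
# apply to everything beneath it.
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $logAction
} else {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $logAction | Out-Null
}

# Verify the screen is in place and active.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

Two caveats apply.  A file screen only sees names, so a variant that encrypts files in place and keeps the original extension passes straight through it; the screen is a tripwire and an early alert, not a substitute for the execution controls on the workstations.  Second, the event it writes is only useful if something is watching the Application log on the file server; wire it to whatever alerting the organization already has so a hit can be acted on within minutes, while the encryption is still running.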

For organizations, a significant mitigation strategy not to be overlooked is employee awareness training.  This training tells employees what to look for and how to operate their machines securely, which helps organizations protect against multiple threats (Burns, Roberts, Posey, Bennett, & Courtney, 2015).  Organizations employ people with widely varying levels of skill and knowledge, and it should not be assumed that because someone uses a computer for work, they know how to do so securely.  Though the use of proper technical security controls is vital to protect organizational data, properly training the workforce holds value in assisting with the prevention of threats.

While there are many other methods of protecting against ransomware attacks, such as application whitelisting, hash-based rules, and folder redirection with versioning, managing these options is often counterintuitive and can result in over-restricting user access, reducing productivity.

Concerns

Despite the many high-profile threats against organizations, such as the malware infections against Target and Home Depot (Weiss & Miller, 2015) that resulted in enormous breaches of cardholder information, the majority of threats have limited direct impact on organizational operations.  Even with the Target and Home Depot breaches, the organizations were able to continue operations during the investigations.  Conversely, in the event of a ransomware attack, operations cease until either a backup of the affected data is restored or the ransom is paid.  Organizations without a viable backup have little choice but to pay the ransom or accept the loss of the data, and paying does not guarantee that a working decryption key will be delivered.  As such, this author considers current versions of ransomware to be the highest level of threat to organizations.

 

References

Abuzaid, A. M., Saudi, M. M., Taib, B. M., & Abdullah, Z. H. (2015). Designing a new model for Trojan horse detection using sequential minimal optimization. In Advanced Computer and Communication Engineering Technology (pp. 739-746). Springer International Publishing.

Bachrach, D. G., & Rzeszut, E. J. (2014). Don’t trust anyone over… anything. In 10 Don’ts on Your Digital Devices (pp. 107-120). Apress.

Bangs, G. (2014). New ransomware and cyber extortion schemes hold businesses hostage. Risk Management, 61(8), 30.

Beuhring, A., & Salous, K. (2014). Beyond blacklisting: Cyberdefense in the era of advanced persistent threats. IEEE Security & Privacy, 12(5), 90-93.

Burns, A. J., Roberts, T. L., Posey, C., Bennett, R. J., & Courtney, J. F. (2015, January). Assessing the role of security education, training, and awareness on insiders’ security-related behavior: An expectancy theory approach. In 2015 48th Hawaii International Conference on System Sciences (HICSS) (pp. 3930-3940). IEEE.

Everett, C. (2016). Ransomware: to pay or not to pay? Computer Fraud & Security, 2016(4), 8-12.

Gazet, A. (2010). Comparative analysis of various ransomware virii. Journal in Computer Virology, 6(1), 77-90.

Kirda, E. (2015). Cutting the Gordian knot: A look under the hood of ransomware attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment: 12th International Conference, DIMVA 2015, Milan, Italy, July 9-10, 2015, Proceedings (Vol. 9148, p. 3). Springer.

Leukfeldt, E. R., Kleemans, E. R., & Stol, W. P. (2016). Cybercriminal networks, social ties and online forums: Social ties versus digital ties within phishing and malware networks. British Journal of Criminology, azw009.

Ortner, D. (2015). Cybercrime and punishment: The Russian mafia and Russian responsibility to exercise due diligence to prevent trans-boundary cybercrime. Brigham Young University Law Review.

Poonia, A. S., & Singh, S. (2014, November). Malware detection by token counting. In 2014 International Conference on Contemporary Computing and Informatics (IC3I) (pp. 1285-1288). IEEE.

Tariq, M. A., Brynielsson, J., & Artman, H. (2014, August). The security awareness paradox: A case study. In 2014 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM) (pp. 704-711). IEEE.

Tuttle, H. (2016). Ransomware attacks pose growing threat. Risk Management, 63(4), 4.

Vasiliadis, G., Polychronakis, M., & Ioannidis, S. (2015). GPU-assisted malware. International Journal of Information Security, 14(3), 289-297.

Wong, S. (2016). Pay up or your medical records will be toast. New Scientist, 229(3062), 26.


Robert Rife

Robert Rife is Chief Engineer at Velocity Micro. A twenty-five year I.T. veteran with deep experience in process optimization, computer manufacturing, and physical/electronic security, Robert understands the financial ramifications of technical decisions and is able to readily translate business needs into technology solutions. Since originally joining Velocity Micro in 2006, he has held multiple positions ranging from desktop support to production and on to advanced engineering. Robert holds many degrees, including an MBA specializing in IT Management, a Master of Science in Information Security Assurance, and a Master of Education in Curriculum Design. He is currently in his third year of a Doctor of Science program focusing on Information Security. He also holds over 50 industry certifications and was awarded an Information Security Professional and Management certificate from the Committee on National Security Systems.
