Ransomware: A New Business Reality
Prepare or be prepared to risk it all
Healthcare, Legal, and Financial Services are going to be severely challenged this year. And for many years to come. Why? How much value do you believe your practice or firms data is worth? What is the worth especially to you or your organizations minute to minute operations? Near priceless? Well if you are in one of these sectors and do nothing significant to prepare yourself against a ransomware attack then it could wipe you out professionally and personally. Why? Because ransomware is a type of application that infects your systems, including phones and other Internet Of Things type devices and encrypts your data preventing access. In order to regain access (possibly) you will follow the instructions that manifest themselves with the end result being payment via bitcoin to parties unknown. If you fail to pay? Your data will remain encrypted and the decryption key destroyed after a few days rendering your data lost forever.
I know, its a pretty bleak paragraph that you just read. It was supposed to be because I wanted it to make you think. The aforementioned industries are being heavily targeted with ransomware by attackers at an alarming rate. 2016 is the year ransomware will wreak havoc on America’s critical infrastructure community. New attacks will become common while unattended vulnerabilities that were silently exploited in 2015 will enable invisible adversaries to capitalize upon positions that they have previously laid claim. “To Pay or Not to Pay”, will be the question fueling heated debate in boardrooms across the Nation and abroad. Ransomware is less about technological sophistication and more about exploitation of the human element.
Security firms like Kaspersky, Covenant Security Solutions, Forcepoint, GRA Quantum, Trend Micro and Securonix predict a dominant resurgence of ransomware attacks in 2016. Already, healthcare organizations, who were previously off-limits targets among ransomware, have been brutally and relentlessly targeted with inbound attacks intent on leveraging patient lives against the organization’s checkbook. This shift may be largely backed by the more sophisticated Advanced Persistent Group Threat attack group who are entering the scene because ransomware attacks are under-combated and highly profitable. According to Brian Contos, ICIT Fellow and VP & Chief Security Strategist at Securonix, attackers are pivoting to ransomware because “[It] is a volume business. It’s simple, relatively anonymous and fast. Some people will pay, some will not pay, so what. With a wide enough set of targets there is enough upside for these types of attacks to generate a steady revenue stream.” UI further not that revenue will increase because organizations like hospitals, clinics, legal firms, financial houses, etc who not only face heavy government fines for data compliance but also could be ruined by such an attack. Especially in health care sector if patient health were to be adversely effected. Ransomware has been around since 1989 but its popularity decreased in favor of other malware because the number of internet enabled victim devices was not exceptionally beneficial to the adversary’s profit margin. Now, with prevalence of mobile devices and the looming shadow of the internet of things, the potential threat landscape available to ransomware groups is too tantalizing a target to ignore. Danyetta Fleming Magana, ICIT Fellow and President and Founder of Covenant Security Solutions elaborates that “The world is a living and breathing digital planet, and over the past decade is has accelerated into a gorgeous global information field. The internet remains the single most common vehicle for billions of communications and business transactions on a daily basis. As new technology becomes available, more and more people and businesses will be connected to the internet in a variety of ways, making most of them prime candidates for a cyberattack.” Society now relies on constant access to the vast stores of data gathered from constant communication of people, devices, and sensors. Information security specialists and the technical controls that they implement must become adaptable, responsive, and resilient to combat emerging threats.
Ransomware cyber-criminals occupy a unique niche in the attack surface. Unlike hackers who attempt to exfiltrate or manipulate data where it is stored, processed, or in transmission, ransomware criminals only attempt to prevent access to the data. Aside from Advanced Persistent Threat type groups, hackers, in general, worry about what they can steal. Ransomware criminals concern themselves with what they can disrupt. As harsh as it sounds, businesses can easily continue operations after a data breach. Customers and end users tend to be the long-term victims. The same cannot be said for an active ransomware attack. Business operations grind to a halt until the system is restored or replaced. Moreover, unlike traditional malware, ransomware criminals can achieve some profit from targeting any system: mobile devices, personal computers, industrial control systems, refrigerators, portable hard drives, etc. The majority of these devices are not secured in the slightest against a ransomware threat. One reason that ransomware is so effective is that the cybersecurity field is not entirely prepared for its resurgence. Attacks are more successful when effective countermeasures are not in place. Information security systems exist to detect and mitigate threats, to prevent data modification, to question unusual behavior, etc. After it is on a system, ransomware bypasses many of these controls because it effectively acts as a security application. It denies access to data or encrypts the data. The only difference is that the owner of the system does not own the control. That is not to say that ransomware goes unchecked. Many security applications detect ransomware based on its activity or the signature of the variant. Security firms are consistently developing and releasing anti-ransomware applications and decryption tools in response to the threat. However, solutions do not always exist because some encryption is too difficult to break without the decryption key. For variants of ransomware that rely on types of strong asymmetric encryption that remain relatively unbreakable without the decryption key, victim response is sharply limited to pay the ransom or lose the data. No security vendor or law enforcement authority can help victims recover from these attacks.
As with any cyber-crime, law enforcement’s response to ransomware is limited by their constraints (training, personnel, budget, etc.). Larger agencies, such as the FBI and DHS have the resources and technical expertise to respond to cyber-attacks in a responsible and rational manner. Smaller law enforcement organizations, such as local or state police forces, might lack the resources necessary to respond appropriately. Consequently, on a few occasions, police forces have been targeted and paid the ransom demand to free their systems and resume critical operations. Now, law organizations would only have paid the ransom after exhausting all other options. However, the decisions invoke a feeling that law enforcement bodies may not be the singular solution to the threat. Which makes one think “If they can’t protect themselves adequately we shouldn’t expect them to solve all our problems for us.” Executives at Forcepoint contends that, “The FBI, one of the leading law enforcement agencies tasked with pursuing cybercrimes, has stated that they will assist victims with traditional hacks. In cases of ransomware; however, they are working out the best response approach for victims of these types of attacks.” In point of fact, in October 2015, Joseph Bonavolonta, the Boston-based head of the FBI's CYBER and Counterintelligence Program, said, "To be honest, we often advise people just to pay the ransom." In response to pressure from Senator Ron Wyden, the FBI clarified that its position was only to pay the ransom if mitigation steps failed and the only other option was to lose the files. More or less, victims’ response amounts to reporting the incident to the FBI and hope that the attacker is eventually caught. The victim will never recover their ransom (if they paid). Despite increased ransom demands, the response for businesses is not exceptionally better. According to Symantec, “Information security researchers, however, suggest that some cybercriminal extortionists have found $10,000 to be the sweet spot between what organizations are willing to pay and what law enforcements are reluctant to investigate.” Again, this response may be justified in that the FBI and DHS also must handle significantly larger incidents. As the internet has no borders, in many cases these agencies do not even have the authority or capability to respond even if the attacker was a known entity.
Protection? If you wanted to secure the valuables in a room, you could adopt one of two basic approaches. You could lock the valuables in container (a safe, a chest, etc.) so that only those with the key could access them or you could lock the door so that no one could access the room. Analogously, there are two types of ransomware, crypto ransomware and locker ransomware. Crypto ransomware encrypts personal data and files so that the victim cannot access those particular resources unless they pay the ransom. Locker ransomware prevents the victim from using the system at all by locking components or all of the system. Generally, ransomware is profitable because it leveraged society’s digital lifestyle against itself. Ransomware locks the devices and data that some value more than their real world interactions. Ransomware depends on the majority of users reacting out of ignorance, fear, or frustration. The most internet dependent nations, United States, Japan, United Kingdom, Italy, Germany, and Russia, are also the most targeted by ransomware. The average ransom for either ransomware is around $300, as of 2015. One might notice that $300 might be significant for an individual; however, the average includes attacks on commercial businesses. In some cases, users might be charged less. In any case, $300 is less than half the price of a new laptop or mobile device; which is critical to the nature of the attack. Adversaries must keep the ransom proportional to the value of the infected host and the ability of the victim to pay. Cybercriminals choose which type of ransomware to deploy based on their skill set, the specifications of the target system, and their prediction of how each type might affect the target victim. In the former analogy, you might have decided that the best approach was to secure the valuables in a safe and then to lock the door. Luckily, a hybrid ransomware has not yet been popularized; however, with more sophisticated adversaries entering the arena, the development of more sophisticated or hybrid ransomware is only a matter of time.
Ransomware As A Service?? When malware attacks succeed, less technical criminals (script kiddies) try to capitalize on the threat landscape. Sophisticated attackers can gain notoriety and additional revenue by outsourcing their malware to these script kiddies. These opportunities are also attractive to botnet operators who do not know how to exploit their zombies. Ransomware is starting to follow the trend of other malware, in the form of ransomware as a service, through which script kiddies can use the ransomware developed by experienced criminals to exploit victims. The applications are designed to be deployed by practically anyone. The script kiddie downloads the client for free or a nominal fee, sets the ransom and payment deadline, and then attempts to trick victims to infect their own systems through phishing emails or watering-hole sites. If the victim pays the ransom, then the original creator receives a fee (5-20%) and the script kiddie receives the rest. The Reveton ransomware may have been the progenitor of the ransomware as a service model. In 2012, the Reveton authors paid sites to spread the malware. The first free tool was the Tox ransomware, which allowed users to keep 95% of the ransom. The tool, created by a teen hacker by the same name, infected over 1500 systems and demanded a ransom of $50-200. Fearing law enforcement attention, Tox sold his service, the source code, the web domain, a database of infected systems, and the decryption keys, to an unnamed buyer for $5000. RaaS may not always be profitable. In interviews with Business Insider and Motherboard, attacker Jeiphoos admitted that his November 2015 Encyptor RaaS, had made no money, despite infecting around 300 devices. Brian Krebs comments that "Many [RaaS authors] will try but few will profit reliably (and much at that) for any period of time," he continues that those that succeed will be the ones that offer good “customer service” to script kiddies and victims alike. In theory, it is a mutually beneficial relationship between the actual attacker and the script kiddie because both parties generate a profit with minimal additional effort. The script kiddies can utilize a tool that they could not have created and the threat author can focus their time on developing new variants. However, in practice, the threat author can suffer if the script kiddie does not decrypt the systems of victims who pay the ransom because news will spread and less victims will pay in the future. If the malware becomes too ubiquitous, then security researchers will develop a decryption tool faster and the ransomware will be rendered prematurely obsolete
Selective targeting the healthcare sector was not a traditional vector for ransomware attacks. One theory is that attackers did not target systems that jeopardized lives. Recently, that mentality has changed for at least the group operating the Locky ransomware. Around February 5, 2016, systems belonging to the Hollywood Presbyterian Hospital Medical Center was infected with the Locky ransomware. After ten days, the administration paid attackers 40 Bitcoins ($17,000) to release the systems. Later that week, five computers belonging to the Los Angeles County health department were infected with a ransomware variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly, two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian Medical Center. Both are restoring their systems from backup systems. The banking and finance sector is the frequent target of botnet schemes such as the Dyre, Dridex, and Ramnit botnets. Ransomware often spreads through established bonnets. Further, the Locky ransomware is believed to have been developed or deployed by the Dridex group. Consequently, financial institutions are likely the next major sector to be targeted by ransomware, if their systems have not been infected already. Law Enforcement and Federal Agencies are often targeted with malware attacks in response to their efforts to investigate and apprehend cyber criminals. While large organizations such as the FBI, DHS, and other federal agencies have resources which increase their resiliency, smaller organizations, such as numerous police stations and state/local government offices, have been the victims of ransomware attacks in recent years. Typically, such as the February 2016 ransomware attacks against the police of the city of Durham North Carolina, the authorities ignore this advice, ignore the demand, and revert their system to a recent backup. This decision can have consequences. In late January 2016, 300 systems belonging to the Lincolnshire County Council were infected with ransomware and had to be taken offline in response. The systems are returning to operation in March 2016. Similarly, on March 4, 2016, 6000 files belonging to the North Dorset District Council had been encrypted by ransomware. The infection had been limited by security systems in place and the council has declined to pay the Bitcoin ransom. Still, in other instances, the authorities have paid the ransom in order to resume critical operations. On February 25, 2016 the systems belonging to the Melrose Police Department of Massachusetts were infected with ransomware from a malicious email that was sent to the entire department. The malware encrypted a software tool called TriTech, which police officers use for computer aided dispatch and as a record management system during patrol. The program also enables law enforcement officers to log incident reports. The department paid the Bitcoin ransom on February 27, 2016.
How much money can these criminals make? According to Kaspersky, creating a phishing page and setting up a mass spam email costs about $150. A trendy crypto ransomware sells for about $2000 on dark net forums. Locker ransomware probably costs less. This means that an attacker only needs to ransom eight everyday users (at the average $300) to generate a profit. Symantec estimated that in 2009, 2.9 percent of the victims paid the ransom. In 2014, researchers estimated that about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average of $500). Despite this seemingly low response rate, the FBI reported that from the 992 related complaints, Cryptowall reportedly netted over $18 million from victims between 2014-2015. Who knows how many infections were not reported? The lesson is that ransomware, while less sophisticated than other cyber criminals, is still significantly profitable, even when only a miniscule number of user fall for its scheme.
This is still bleak you are thinking and yes it is but you can protect your organization as best as possible. Organizations should protect their network as if it was a castle under siege. The goal is not necessarily to prevent an attack. Rather, network defense is about slowing the adversary and detecting their presence in time to react to the intrusion. At the very least, an organization should have as many fundamental systems as possible. No single product should be relied upon because there is no single product that provides comprehensive security. White-list firewalls permit only trusted traffic. Explicitly denying all traffic from Tor and I2P can prevent some variants of ransomware from contacting its C2 infrastructure. Intrusion detection and intrusion prevention systems warn the information security team of threats that get past the firewall. Anti-virus, anti-malware, and anti-ransomware applications protect the network with systematic scans. User Behavioral Analytic (UBA) systems monitor baseline user behavior and notify the information security team of suspicious activity on the network. An endpoint solution incorporates signature based, heuristic based, behavioral based, and reputational based protections into one product. Change management systems prevent unwanted modification or loss of data. When possible, data should at least be encrypted while at rest and in transit. Segmenting and subnetting the network restricts the access of successful attackers. User accounts should follow a least privileged model. Finally, especially with ransomware attacks, it is paramount to have backup and redundancy systems to ensure data confidentiality, integrity, and availability as well as business continuity.
Despite even the best information security program, exceptional operational security, and adherence to the most stringent of mitigation procedures, attacks will occur and some will succeed. Responding to ransomware is situational. When mitigation fails, it is important for organizations and individuals to consider all of the possible responses to a ransomware demand. Disengage from communicating with the attacker until the situation is thoroughly assessed and a course of action decided. Since attackers often give victims a time limit, organized response is essential to ensuring rational decision making. The proper response will depend on the risk appetite of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements.
The simple and turnkey application of ransomware enables script kiddies the ability to now play in the hacker big leagues. The number of ransomware attack variations is limited only by the imagination and motivation of the attackers. A vigilant cybersecurity centric corporate culture that cultivates an environment of awareness is the most effective means to minimize the attack surface populated by the human element. The enlistment of an information security focused company can craft a corporate infosec management policy becoming the first step in a companywide security strategy. The policy should, at a minimum cover: an immediate companywide vulnerability analysis, a crisis management strategy that takes into consideration all know threats, continuous device and application patching, auditing of third party vendors and agreements, organizational penetration testing and security centric technological upgrades. Together, these actions can profoundly minimize a company’s attack surface.
