Ransomware Evolution and Prevention
Ransomware is the threat everyone talks about today. Some think of it as a new weapon of cyber-criminals, an APT development, or a simple virus that gets onto our computer when we visit suspicious sites on the internet or the deep web. But is ransomware really a virus? Where did it first appear? Is it used only by APTs? We could ask as many questions as we can imagine. The purpose of this blog post is to give an overview of the threat. No one has all the answers, but here I'll share some of what is known about it.
Ransomware - a brief history
Ransomware is not new. The first documented attack occurred in 1989 with the PC Cyborg Trojan, widely known as the AIDS Trojan, in a year when AIDS and HIV dominated discussion at the international AIDS conference [1]. Its creator was a US anthropologist named Joseph L. Popp, who mailed numerous 5¼-inch diskettes to people on the World Health Organization conference mailing list.
In 1989 internet use was not widespread, so the infection mechanism differed from today's ransomware: the malicious media was delivered by post to victims who were tricked into running it, a social-engineering precursor of today's phishing. The purpose, however, was the same: to deny users access to their own information until they paid.
The AIDS Trojan installed itself when the user inserted the diskette and ran the program on it. After 90 reboots it hid the directories and encrypted the file names, then displayed a note demanding 189 USD, framed as a software license fee, to be sent to a post office box in Panama.
We mention the AIDS Trojan only for history and context. Back in the present, internet connections reach almost every country and community, and those connections are also used by hacktivist groups, APTs, script kiddies, and cyber-criminals, all of whom take advantage of this type of software.
Here are other important ransomware families and attacks from more recent years:
- Reveton (2012)
- CryptoLocker (2013)
- Troldesh (2015)
- WannaCry, Bad Rabbit, NotPetya (2017)
- Ryuk, GandCrab (2018-2019)
- MegaCortex, Snake/EKANS (2020)
Over the years ransomware has evolved from the single-stage model of the AIDS Trojan (encrypt and demand money) to what is now called multi-stage ransomware: encrypt the data, steal information, communicate with command-and-control servers, destroy information, damage IT/OT infrastructure, and then demand payment not only to recover the data but also in exchange for not leaking what was stolen or not destroying the infrastructure.
Characteristics of Ransomware
Encryption can be used to protect information or to attack it. On the good side, companies use it to encrypt drives so that data is not lost or leaked if a drive goes missing; keep in mind that this is encryption with your authorization. On the bad side, ransomware encrypts your files and demands money in exchange for a chance to recover them.
So the criminals trick users in any way they can so that the users themselves install and run the software. Software used this way for bad purposes is categorized as malware, and the reader can now categorize ransomware as a type of malware.
Ransomware is a post-exploitation payload. When an organization has been hit by ransomware, it was first compromised by some other technique, such as a spear-phishing campaign, a known vulnerability, a zero-day exploit, or a misconfiguration; the encryption comes after the attacker already has access.
On this blog we will analyze, for education, a piece of ransomware published on GitHub as the Hidden Tear Project, by Goliate [3]. Its infographic breaks the program into the following components:
- Variables: the list of file extensions the program targets; any file with one of these extensions found on the victim's machine is encrypted.
- Functions: the routine that builds the encryption key, including which characters it may draw from and how long the key is.
- Extension to change in files: the new extension the program appends to each encrypted file. The appended extension matters twice: it helps identify the ransomware family, and a decryption tool must strip exactly the same extension in its code, otherwise it will never restore the files.
- Command center: the server the ransomware reports to, sending the encryption key and which data on the machine has been encrypted.
- Ransom note: the text left for the victim stating the conditions for recovering the encrypted information.
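The following is an added example, not code from the original post or from the Hidden Tear project: a small triage script that applies the two points above from the defender's side. Given a file listing exported from an affected host, it finds the extension the ransomware appended, counts the affected files, looks for ransom note files, matches both against a table of family signatures, and shows the name-restoration step a decryptor must get right. The listing is constructed for this post, and the family table (Hidden Tear's `.locked` / `READ_IT.txt`, WannaCry's `.WNCRY` / `@Please_Read_Me@.txt`) is an assumption for illustration that you should verify against your own samples.

```python
"""Triage a file listing for ransomware-style extension changes and ransom notes.

Constructed example: the listing below is made up for this post, not taken
from a real incident, and the family table is an assumption for illustration.
"""
from collections import Counter
import ntpath

# Ordinary document extensions; an unknown suffix stacked on one of these is
# the pattern ransomware leaves behind (budget.xlsx -> budget.xlsx.locked).
KNOWN_DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}

# Assumed family signatures (appended extension + ransom note file name).
# Check these against your own samples before relying on them.
FAMILIES = {
    "hidden_tear": {"appended_ext": ".locked", "note_names": {"READ_IT.txt"}},
    "wannacry": {"appended_ext": ".WNCRY", "note_names": {"@Please_Read_Me@.txt"}},
}

# Constructed listing, as a responder might export it from an affected host.
SAMPLE_LISTING = [
    r"C:\Users\ana\Documents\budget.xlsx.locked",
    r"C:\Users\ana\Documents\report.docx.locked",
    r"C:\Users\ana\Pictures\holiday.jpg.locked",
    r"C:\Users\ana\Desktop\READ_IT.txt",
    r"C:\Users\ana\Desktop\notes.txt",
    r"C:\Users\ana\Documents\old.pdf",
    r"C:\Program Files\app\app.exe",
]


def suffixes(filename):
    """'budget.xlsx.locked' -> ['.xlsx', '.locked']; 'app.exe' -> ['.exe']."""
    parts = filename.split(".")
    return ["." + p for p in parts[1:]]


def find_appended_extensions(listing, min_files=2):
    """Count final suffixes that sit on top of a normal document extension.
    Returns {appended_ext: file_count} for suffixes seen on >= min_files files."""
    counts = Counter()
    for path in listing:
        sfx = suffixes(ntpath.basename(path))
        if len(sfx) >= 2 and sfx[-2].lower() in KNOWN_DOC_EXTS:
            counts[sfx[-1]] += 1
    return {ext: n for ext, n in counts.items() if n >= min_files}


def find_ransom_notes(listing):
    """Paths whose file name matches a known ransom note name."""
    known = {n.lower() for sig in FAMILIES.values() for n in sig["note_names"]}
    return sorted(p for p in listing if ntpath.basename(p).lower() in known)


def identify_family(appended_ext, note_paths):
    """Match extension and note against the table; a full match beats a partial one."""
    notes = {ntpath.basename(p).lower() for p in note_paths}
    partial = None
    for name, sig in FAMILIES.items():
        ext_ok = sig["appended_ext"].lower() == appended_ext.lower()
        note_ok = bool(notes & {n.lower() for n in sig["note_names"]})
        if ext_ok and note_ok:
            return name, "extension and ransom note"
        if (ext_ok or note_ok) and partial is None:
            partial = (name, "extension only" if ext_ok else "ransom note only")
    return partial or (None, "no match")


def restore_name(path, appended_ext):
    """What a decryptor must do after decrypting a file: strip exactly the
    extension the ransomware appended. A decryptor built with a different
    suffix fails this check, which is why the tool has to carry the same
    extension in its code."""
    if not path.lower().endswith(appended_ext.lower()):
        raise ValueError(f"{path!r} does not end with {appended_ext!r}")
    return path[: -len(appended_ext)]


def triage(listing):
    """Summarize an affected host's listing: extension, family, affected files."""
    candidates = find_appended_extensions(listing)
    notes = find_ransom_notes(listing)
    if not candidates:
        return {"appended_ext": None, "family": None, "evidence": "no appended extension",
                "encrypted": [], "restored": [], "notes": notes}
    ext = max(candidates, key=candidates.get)  # the most common appended suffix
    encrypted = [p for p in listing if p.lower().endswith(ext.lower())]
    family, evidence = identify_family(ext, notes)
    return {"appended_ext": ext, "family": family, "evidence": evidence,
            "encrypted": encrypted,
            "restored": [restore_name(p, ext) for p in encrypted],
            "notes": notes}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On the constructed listing the script reports `.locked` on three files, one `READ_IT.txt` note, and a full match on the assumed Hidden Tear signature; a listing with only `.WNCRY` files and no note would still name WannaCry, but with "extension only" as the evidence, which is the level of confidence a responder should carry forward.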
Of course, this educational ransomware is easy to identify and easy to break. The reader can find many write-ups of its use on the internet, and should also understand that simply using this type of program is prosecuted in many countries. Check your risk and be responsible.
Unlike the Hidden Tear author, many cyber-criminals today do not design their own ransomware. Instead they buy it on the deep web, where, depending on many factors, they can find simple single-stage ransomware from about 200 USD up to expert multi-stage ransomware for thousands of dollars. This makes it easy for script kiddies, disgruntled employees, or criminals to obtain ransomware and attack nations, organizations, people, infrastructure, information, and so on.
Boards of directors, executives, CISOs, technicians, InfoSec professionals, ethical hackers, and related professions carry a great responsibility to defend information and infrastructure from this type of malware and to take preventive and corrective measures so as not to be impacted.
Good practices such as developing organizational policies, least privilege for users, continuous training and awareness, keeping antivirus, firewalls, and IDS up to date, segmenting networks, running a vulnerability management program, and maintaining tested backups and recovery plans are some of the best recommendations for reducing the impact of ransomware.
Why has Ransomware grown?
The last part of our analysis touches on why ransomware has grown so much in the last few years. The reason is far from global conspiracy theories, APTs, or hacktivist groups: ransomware is a profitable, though illegal, business.
If we review The State of Ransomware 2020 report by Sophos [2] (recommended for executives and decision-makers in organizations), you will see statistics that describe the ransomware business.
For example, part 2 shows the impact on the organizations surveyed in 2020 that had been hit by ransomware: the attackers succeeded in encrypting the organization's data in 73% of cases. This is a staggering number. The same report states that 94% of the organizations got their data back, but only 56% recovered it from their own backups; the rest recovered it by other means, among them paying the ransom (in some cases through a cyber-insurance policy), and a minority did not recover it at all.
In summary, during 2019 a ransomware incident in which the ransom was paid cost the impacted company on average US $1,448,458 to rectify, and that figure comes only from the data provided by the surveyed companies. Many organizations pay the ransom and never make the attack public.
Part 4 of the report describes the techniques attackers used most:
- Malicious links / phishing
- Remote attacks on servers
- Malicious attachments in emails
- Vendors or suppliers of the organization
- USB / physical attacks
The Sophos report analyzes and summarizes the answers of 5,000 IT managers in 26 countries.
Ransomware is a type of malware. To avoid being impacted, keep preventive measures in mind, from antivirus and firewalls to backups and least privilege. Any attacker could use ransomware, whatever their level of expertise, motivation, or geography, because this is a business with great revenue potential: illegal, but organized, and operators sell or rent their ransomware to whoever pays, which makes it one of the most dangerous attacks. Recently we have seen news of attacks on PEMEX and Honda, and we can expect more. Ransomware can impact IT and OT environments and is categorized as single-stage or multi-stage. The future of ransomware is uncertain. The only certainty is that ransomware has become a popular and powerful threat, and every one of us has a big responsibility to defend against it. Anyone could be a victim.
Be careful, take measures, stay on guard, and don't fall for the attackers' tricks.
- [1] Edgar, Stacey L., Morality and Machines, ISBN 0-7637-1767-3, State University of New York, 2003, p. 125.
- [2] Sophos, The State of Ransomware 2020.
- [3] Hidden Tear Project [online] https