If ransomware defense and recovery isn’t on your infosec shortlist, it’s time to put it there. According to McAfee Labs, in Q1 of 2015, organizations experienced a 165% rise in ransomware, with much of its growth attributed to the fact that it is hard to detect.[1]
However, Northeastern University’s latest ransomware research paper, Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, offers a different perspective. Between 2006 and 2014, this research team analyzed 1,359 ransomware samples and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”[2]
In the end, like all challenges, education is key. Defense is not possible without understanding. In this guide, we’ll help you better understand the role that bitcoin plays in ransomware, various types of ransomware, specific variants, and cover a few mitigation methods.
Bitcoin is a digital currency that lets you buy goods and services anonymously. You can send bitcoins digitally using a mobile phone app or computer. It’s as easy as swiping a credit card.
Bitcoins are stored in a digital wallet, which resides in the cloud or on a user’s computer. It’s similar to a bank account, but bitcoins aren’t insured by the FDIC. Also, bitcoins aren’t tied to any country or subject to regulation, and there are no credit card fees.
Each bitcoin transaction is recorded in a public log. The names of buyers and sellers are anonymous – only their wallet IDs are revealed. This lets buyers and sellers do business without the transaction being easily traced back to them. As a result, bitcoin has become a popular form of payment for cybercriminals. To evade identification, many bitcoin addresses used by cybercriminals have no more than 6 transactions.[3]
To make a bitcoin payment, victims are often instructed to download anonymous browsers, such as Tor2web or Torproject, in order to visit a URL hosted on anonymous servers. Tor (The Onion Router) makes it difficult to trace the location of the server or the identity of its operators.
In October, at a Cybersecurity Summit, Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program, said, “The ransomware is that good… To be honest, we often advise people just to pay the ransom.”
He explained, “The success of the ransomware ends up benefitting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word. You do get your access back.”
And if you pay, the FBI stated that most ransomware payments are typically between $200 and $10,000.[4] But there have been instances where the payment has been much higher. In 2014, the City of Detroit’s files were encrypted and the attackers demanded a ransom of 2,000 bitcoins, worth about $800,000.[5] Besides the ransom, there can be additional costs such as mitigation, loss of productivity, legal fees, etc.
There might be times when you’re faced with other considerations. In November 2014, the Tennessee Dickson County Sheriff’s Office paid $622.00 in bitcoin to hackers who encrypted the department’s criminal case files, making them inaccessible to investigators.[6] Detective Jeff McCliss said, “It really came down to a choice between losing all of that data – and being unable to provide the vital services that that data would’ve assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data.” The department was lucky; it got back access to its files.[7]
Some security experts disagree with Mr. Bonavolonta’s remarks and urge you not to pay the ransom because there’s no guarantee that you’ll get your files back. Paying perpetuates an ongoing problem and makes you a target for more malware.
The Department of Homeland Security also advises victims not to negotiate with the hackers.
Conflicting advice has prompted a debate about whether the FBI is encouraging behavior that will lead to more hacking.
In a November Wall Street Journal interview, FBI spokeswoman Kristen Setera declined to say if FBI officials recommend paying a ransom to hackers, as Mr. Bonavolonta stated.[8]
When deciding whether or not to pay, first go online to check whether a decryption tool exists. If you’re able to find the keys, there’s no reason to pay! Sometimes, when the police and security experts investigate cybercriminal activity, they are able to obtain decryption keys from malicious servers and share them online, as happened with CoinVault, TeslaCrypt, and the popular CryptoLocker.
By the way, according to a survey conducted by the Interdisciplinary Research Centre in Cyber Security at the University of Kent in February 2014, more than 40 percent of CryptoLocker victims agreed to pay.[9] Before the FBI and Justice Department disrupted the CryptoLocker operation, cybercriminals extorted over $30 million in the first 100 days.[10]
Another reason not to pay is if the ransomware author is a bad programmer. Power Worm, a defective ransomware product, ended up destroying the victim’s data. Don’t pay the ransom if it won’t help you recover your files!
In short, there are no simple answers. Perhaps another way that might help you decide is to understand the type of ransomware you’re dealing with.
Let’s get started. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, researchers identified three major types: encryption, deletion, and locking.
CryptoLocker and CryptoWall have a reputation for being strong encryption ransomware. Encryption is the process of applying an algorithm (a cipher) to data so that it is unintelligible to anyone who does not hold the key. To decrypt the data, you need that key. There are two types of key: symmetric and public.
Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), and Data Encryption Standard (DES) are examples of symmetric-key algorithms. With symmetric encryption, the same key is used for both encryption and decryption. It’s only effective when the symmetric key is kept secret by the two parties involved.
Public Keys (Asymmetrical Key)
Rivest, Shamir, and Adleman use two different keys in their famous RSA algorithm: a public key that everyone has access to, and a private key that is controlled by the person you wish to communicate with.
Strength of an Encryption
To understand the strength of the encryption, you have to look at both the type of encryption being used – whether symmetric or public/asymmetric – and the key length.
Two important facts: the longer the key, the stronger the encryption, and key length is measured in bits.
Breaking an Encryption
For a symmetric algorithm, you’ll need a couple of hours of computer time for something like a 20-bit key, or years for a 128-bit key (2^128 = 340282366920938463463374607431768211456 possible 128-bit keys).
For a public key algorithm, a key length of 32 bits would only require 2^32 combinations. Even a 512-bit key can be easily broken (within a few months), but 2,048-bit is far harder.
Comparing public and symmetric keys can be confusing. Here’s a rough benchmark: a 350-bit RSA key is roughly considered equivalent in strength to 40-bit RC4 and 512-bit AES.
The wonky reasons for these differences in key-breaking speeds have to do with the fact that in RSA, breaking the key means factoring a large number rather than trying every possible key—don’t ask!
The first ransomware variants used a symmetric-key algorithm and eventually upgraded to public keys. Today, more advanced ransomware uses a combination of symmetric and public.
Most cybercriminals probably wouldn’t use a public key to encrypt a large file system, because it is much slower than symmetric-key encryption. And taking too long to encrypt files could thwart the ransomware operation before the encryption process is fully completed.
So a better idea, from the attacker’s point of view, is to use a symmetric cipher to quickly encrypt the file data, and an asymmetric cipher to encrypt only the symmetric key. In CryptoLocker, for example, AES (symmetric) was used for file encryption, and RSA (public) for AES key encryption.
Another blend you might see in the near future is elliptic curve cryptography (ECC) and RSA. ECC is described as the next generation of public key cryptography, in which you can create faster, smaller, and more efficient cryptographic keys. Some researchers say that ECC can yield a level of security with a 164-bit key that other systems require a 1,024-bit key to achieve.[11]
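To make the symmetric/asymmetric split concrete, here is an added Go example (not code from this guide, from Varonis, or from any ransomware family) of the envelope pattern CryptoLocker is described as using: RSA-OAEP refuses a 4 KB buffer outright, a fresh AES-256-GCM key encrypts the data, and only that 32-byte key is wrapped with RSA. The key sizes, the constructed sample buffer and every function name are this example’s own choices. From the defender’s side it also shows why a seized or leaked private key is what turns into a public decryptor: without it, the wrapped key cannot be recovered.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// envelope is what the hybrid scheme leaves behind per file: the data under a
// per-file AES-256-GCM key, the GCM nonce, and that AES key wrapped with RSA-OAEP
// under the attacker's public key. The private key never reaches the victim.
type envelope struct {
	wrappedKey []byte // AES key encrypted with the RSA public key
	nonce      []byte // GCM nonce for this file
	ciphertext []byte // AES-GCM output, authentication tag included
}

// demoKey generates the 2048-bit RSA key pair used by this example.
func demoKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// rsaDirectFits reports whether RSA-OAEP alone can carry the payload. OAEP with
// SHA-256 and a 2048-bit key holds at most 190 bytes, so a file-sized buffer
// comes back false with rsa.ErrMessageTooLong.
func rsaDirectFits(pub *rsa.PublicKey, data []byte) (bool, error) {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	if errors.Is(err, rsa.ErrMessageTooLong) {
		return false, err
	}
	return err == nil, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// hybridEncrypt encrypts data under a fresh random AES-256 key in GCM mode and
// wraps only that 32-byte key with RSA-OAEP.
func hybridEncrypt(pub *rsa.PublicKey, data []byte) (*envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &envelope{wrappedKey: wrapped, nonce: nonce, ciphertext: gcm.Seal(nil, nonce, data, nil)}, nil
}

// hybridDecrypt reverses hybridEncrypt. It needs the RSA private key to unwrap
// the AES key, which is why a seized or leaked private key becomes a decryptor.
func hybridDecrypt(priv *rsa.PrivateKey, env *envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.nonce, env.ciphertext, nil)
}

func main() {
	priv := demoKey()
	data := bytes.Repeat([]byte("quarterly figures "), 228) // constructed 4 KB "document"
	fits, err := rsaDirectFits(&priv.PublicKey, data)
	fmt.Printf("RSA-OAEP alone carries the 4 KB buffer: %v (%v)\n", fits, err)
	env, err := hybridEncrypt(&priv.PublicKey, data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped AES key: %d bytes, ciphertext: %d bytes\n", len(env.wrappedKey), len(env.ciphertext))
	back, err := hybridDecrypt(priv, env)
	fmt.Println("round trip with the right private key:", err == nil && bytes.Equal(back, data))
	_, err = hybridDecrypt(demoKey(), env)
	fmt.Println("decrypt with a different private key:", err)
}
```

The wrapped key is exactly one RSA block (256 bytes for a 2048-bit modulus) regardless of how much data was encrypted, which is the size and speed argument of the paragraph above in one number.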
In this variant, the attackers threaten you by saying that if you attempt to decrypt anything yourself, it would only result in “irrevocable loss of your data.”[12] Or if you don’t pay, the files get deleted. Popular examples of deletion ransomware include Gpcode and FileCoder.
Typically when we delete something, we wipe it off the disk. But in analyzing all the samples, the researchers learned that lots of data remained on disk, because attackers were lazy and often chose the easiest path. However, they’re also very clever: the researchers found that while the NTFS Master File Table indicated that files were deleted, the files were actually still on disk, so recovery is potentially possible.
With locking, attackers create a new login screen or HTML page that makes it appear as though a law enforcement agency has taken over the computer. They display a warning about supposed violations of laws, such as those on copyrighted material or child pornography. Or they might disable other components, typically keyboard shortcuts. Examples include Winlock and Urausy. It’s a nuisance, but the data is usually still there.
The goal of cybercriminals isn’t to create the best or most beautiful software, but to get funds as fast as possible, from anyone who is willing to pay. Because ransomware has been so lucrative, the hackers are getting even more creative in their marketing. Lately, we’ve been seeing ransomware-as-a-service, such as Ransom32, where hackers sell their malware to other cybercriminals. Their 30-second pitch is, “Join us! Together, we can make more money!”
Most people don’t realize they’ve been infected until the malware displays a ransom note telling them that their files have been encrypted. If you discover that your computer has been infected, shut it down or disconnect it from the network.
If you’ve decided against paying the ransom, scan your computer with an anti-virus or anti-malware program and let it remove everything. You can potentially use PowerShell or other tools to identify encrypted files, but with a new ransomware variant popping up every week, there isn’t a one-size-fits-all identification and decryption tool. What most experts recommend is to restore from a backup.
If you’ve decided to pay the ransom: first, we empathize and understand what a pain it must have been. Don’t forget to scan your computer with an anti-virus or anti-malware program and let it remove everything. Also review the mitigation methods below!
Monitor File System Activity
After looking at 1,359 ransomware samples, the Northeastern University researchers learned that it is possible to stop a large number of ransomware attacks, even those using deletion and encryption capabilities.
Significant changes occur in the file system (for example, a large number of deletions in the log) when the system is under attack. By closely monitoring the file system logs and configuring your monitoring solution to trigger an alert when this behavior is observed, you can detect the mass creation, encryption, or deletion of files.
Try User Behavior Analytics
User Behavior Analytics (UBA) has become an essential ransomware prevention measure.
Defending the inside from legitimate users is just not part of the equation for perimeter-based security, and hackers are easily able to go around the perimeter and get inside. They enter through legitimate public ports (email, web, login) and then operate as users.
Once in, cybercriminals have become clever at implementing a ransomware attack that isn’t spotted by anti-virus software.
In fact, to an IT admin who is just monitoring their system activity, the attackers appear as just another user.
And that’s why you need UBA!
UBA really excels at handling the unknown. In the background, the UBA engine can baseline each user’s normal activity, and then spot variances and report them in real time – in whatever form they reveal themselves. For instance, an IT admin can configure a rule to, say, spot thousands of “file modify” actions in a short time window.
Think of UBA as File System Monitoring 2.0.
Cybercriminals may not encrypt every file at once, and may start with recently accessed files. Create decoys by planting fake files and folders, and monitor them regularly.
This is also a good method for organizations that don’t have an automated solution to monitor file access activity. It does mean you might be forced to enable native file system auditing, which unfortunately taxes the monitored systems. Instead, prioritize sensitive areas and set up a file share honeypot.
A file share honeypot is an accessible file share that contains files that look normal or valuable, but in reality are fake. As no legitimate user activity should be associated with a honeypot file share, any activity observed should be scrutinized carefully. If you’re stuck with manual methods, you’ll need to enable native auditing to record access activity, and create a script to alert you when events are written to the security event log (e.g. using
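Putting the two detection ideas above into one script: the “many file modify actions in a short window” rule from the UBA section and the decoy share rule from this one. This is an added Go example, not the guide’s or Varonis’ code. It parses a constructed one-line-per-event audit format (a stand-in for Windows Security log events; the field names, the `jsmith` and `rsvc` accounts, the `\\fs01` shares and the decoy path `\\fs01\hr_archive\` are all invented for the example), counts write-type operations per user in a sliding one-minute window, and separately flags any access under the decoy share.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// fileEvent is one file-access audit record. The one-line text format parsed
// below is constructed for this example; a real Windows Security event (e.g.
// 4663) carries the same fields inside its XML body.
type fileEvent struct {
	At     time.Time
	User   string
	Action string // read, create, modify, delete, rename
	Path   string
}

// parseEvent reads "<RFC3339 time> user=<name> action=<verb> path=<path>"
// (paths containing spaces are not supported by this simple format).
func parseEvent(line string) (fileEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return fileEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return fileEvent{}, err
	}
	vals := map[string]string{}
	for _, kv := range fields[1:] {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			vals[parts[0]] = parts[1]
		}
	}
	return fileEvent{At: at, User: vals["user"], Action: vals["action"], Path: vals["path"]}, nil
}

// burstAlerts is the "many file modify actions in a short window" rule: per
// user, slide a window over the write-type events (reads are ignored so backup
// jobs and searches do not trip it) and report the peak count once it reaches
// threshold.
func burstAlerts(events []fileEvent, threshold int, window time.Duration) map[string]int {
	byUser := map[string][]time.Time{}
	for _, ev := range events {
		switch ev.Action {
		case "create", "modify", "delete", "rename":
			byUser[ev.User] = append(byUser[ev.User], ev.At)
		}
	}
	alerts := map[string]int{}
	for user, ts := range byUser {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for start, end := 0, 0; end < len(ts); end++ {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n >= threshold && n > alerts[user] {
				alerts[user] = n
			}
		}
	}
	return alerts
}

// honeypotAlerts returns every event under the decoy share; nothing legitimate
// should touch it, so a single hit is an alert.
func honeypotAlerts(events []fileEvent, decoy string) []fileEvent {
	var hits []fileEvent
	for _, ev := range events {
		if strings.HasPrefix(strings.ToLower(ev.Path), strings.ToLower(decoy)) {
			hits = append(hits, ev)
		}
	}
	return hits
}

// sampleLog is constructed data: a normal user, then an account that rewrites
// or deletes 50 files in 20 seconds and also deletes a file in the decoy share.
func sampleLog() []string {
	base := time.Date(2016, 4, 14, 9, 12, 0, 0, time.UTC)
	lines := []string{
		base.Format(time.RFC3339) + ` user=jsmith action=read path=\\fs01\finance\q1.xlsx`,
		base.Add(5*time.Minute).Format(time.RFC3339) + ` user=jsmith action=modify path=\\fs01\finance\q1.xlsx`,
		base.Add(30*time.Minute+10*time.Second).Format(time.RFC3339) + ` user=rsvc action=delete path=\\fs01\hr_archive\salaries_2015.xlsx`,
	}
	for i := 0; i < 50; i++ {
		ts := base.Add(30*time.Minute + time.Duration(i)*400*time.Millisecond).Format(time.RFC3339)
		lines = append(lines, fmt.Sprintf(`%s user=rsvc action=%s path=\\fs01\finance\doc%02d.docx`, ts, []string{"modify", "delete"}[i%2], i))
	}
	return lines
}

func main() {
	var events []fileEvent
	for _, l := range sampleLog() {
		ev, err := parseEvent(l)
		if err != nil {
			panic(err)
		}
		events = append(events, ev)
	}
	fmt.Println("burst alerts (user -> peak writes per minute):", burstAlerts(events, 20, time.Minute))
	fmt.Println("decoy share hits:", honeypotAlerts(events, `\\fs01\hr_archive\`))
}
```

In production the input would be the Security event log with object-access auditing enabled on the share, and the threshold of 20 writes per minute is only a starting point to tune against each environment’s baseline; the decoy rule needs no tuning, since any hit at all is suspect.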
Least Privilege Model
Another approach is to control access to data and work towards achieving a least privilege model. Your goal is to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups such as “Everyone,” “Authenticated Users,” and “Domain Users” when used on data containers (like folders and SharePoint sites) can expose entire hierarchies to all users in a company. In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares”—where both file system and sharing permissions are accessible via a global access group.
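To find open shares the way this paragraph describes, here is an added Go example (not the guide’s or Varonis’ code) that reads icacls output and lists every ACE granted to Everyone, Authenticated Users or Domain Users, noting whether it is inherited and whether it grants write access. The sample output is constructed in the layout icacls prints; the CORP domain, the share paths and the group names are invented for the example, and the parser assumes paths without spaces.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleIcacls is constructed output in the layout icacls prints: each path
// followed by its first ACE, further ACEs indented beneath it, and a summary
// line at the end. The CORP domain, paths and groups are invented.
const sampleIcacls = `C:\Shares\Finance NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Administrators:(OI)(CI)(F)

C:\Shares\Public CORP\Domain Users:(OI)(CI)(F)
                 Everyone:(OI)(CI)(M)
                 BUILTIN\Administrators:(OI)(CI)(F)

C:\Shares\Public\Templates Everyone:(I)(OI)(CI)(M)
                           CORP\Domain Users:(I)(OI)(CI)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(F)

C:\Shares\HR NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
             CORP\HR:(OI)(CI)(M)

Successfully processed 4 files; Failed processing 0 files
`

// ace is one access control entry; Perms keeps the icacls tokens verbatim,
// e.g. "(I)(OI)(CI)(M)".
type ace struct{ Path, Identity, Perms string }

// The global access groups named in the text.
var globalGroups = []string{"Everyone", "Authenticated Users", "Domain Users"}

// aceRE matches "[path ]identity:(tok)(tok)...". The optional path must be a
// drive or UNC path without spaces; continuation lines carry no path.
var aceRE = regexp.MustCompile(`^([A-Za-z]:\\\S*|\\\\\S+)?\s*([^:]+?):((?:\([A-Za-z,]+\))+)$`)

// writeRE: simple rights F/M/W/GA/GW plus specific rights that change or delete data.
var writeRE = regexp.MustCompile(`\b(F|M|W|GA|GW|WD|AD|WA|WEA|WDAC|DC|DE)\b`)

// parseIcacls turns icacls output into ACEs, carrying each path forward to the
// indented continuation lines that belong to it.
func parseIcacls(output string) []ace {
	var aces []ace
	current := ""
	for _, line := range strings.Split(output, "\n") {
		m := aceRE.FindStringSubmatch(strings.TrimRight(line, "\r"))
		if m == nil {
			continue // blank line or the trailing summary line
		}
		if m[1] != "" {
			current = m[1]
		}
		aces = append(aces, ace{Path: current, Identity: m[2], Perms: m[3]})
	}
	return aces
}

// isGlobalGroup compares the account name after any DOMAIN\ prefix.
func isGlobalGroup(identity string) bool {
	name := identity[strings.LastIndex(identity, `\`)+1:]
	for _, g := range globalGroups {
		if strings.EqualFold(name, g) {
			return true
		}
	}
	return false
}

// grantsWrite is true for allow ACEs carrying any write-type right.
func grantsWrite(perms string) bool {
	return !strings.Contains(perms, "(DENY)") && writeRE.MatchString(perms)
}

// exposure is a global-group ACE to remove. Inherited entries are listed too,
// but the fix belongs on the parent folder where the ACE is actually set.
type exposure struct {
	Path, Identity      string
	Inherited, Writable bool
}

func findExposures(aces []ace) []exposure {
	var out []exposure
	for _, a := range aces {
		if isGlobalGroup(a.Identity) {
			out = append(out, exposure{a.Path, a.Identity,
				strings.Contains(a.Perms, "(I)"), grantsWrite(a.Perms)})
		}
	}
	return out
}

func main() {
	for _, e := range findExposures(parseIcacls(sampleIcacls)) {
		fmt.Printf("%-28s %-36s writable=%-5v inherited=%v\n", e.Path, e.Identity, e.Writable, e.Inherited)
	}
}
```

On a real file server the input would be the captured output of `icacls <share root> /T`; the non-inherited, writable entries are the ones to remove first, and each inherited entry points back up the tree to the folder where the global group was granted.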
And lastly, a few reminders:
Click here to see how Varonis solutions can help you prevent ransomware!
Here are a few ransomware variants you should be aware of (guide first published: December 17, 2015, last updated: April 14, 2016):
CryptoLocker – released at the beginning of September 2013; targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.[13]
CryptoWall – released at the end of April 2014; targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.[19]
OphionLocker – emerged in December 2014.[23]
CTB Locker (Curve-Tor-Bitcoin Locker) – also known as Critroni or Onion. Released in the middle of July 2014; targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.[25]
VaultCrypt – released around February 2015. The notable features of this ransomware are its use of Windows batch files and the open source GnuPG privacy software to power a very effective file encryption technique.[26]
TeslaCrypt – targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. TeslaCrypt was first released around the end of February 2015.[29]
Alphacrypt – looks like TeslaCrypt, behaves like CryptoWall.[30]
LowLevel04 – first spotted in October 2015
Chimera – a new ransomware variant that appeared in November. In addition to encrypting files and demanding a ransom to release the decryption key, this new malware model involves publishing those files on the Internet if the ransom remains unpaid.[36] However, according to the Anti Botnet Advisory Center, there is no indication to date that anyone’s details have been made public.[37]
Torrentlocker – released around the end of August 2014; targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.[40]
By the way, it does not attack your computer if you live in one of these countries: Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazakhstan, Moldova, Turkmenistan, Tajikistan, Russia, Uzbekistan, Ukraine. Coincidence?[47]
After your files get encrypted, you’ll get three files notifying you that your own files have been encrypted: a TXT, an HTML, and a VBS. These files convert the ransom text into an audio message. Yes, like a bad movie, it speaks to you in a monotone, robotic-like voice, “Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!”
Like Ransom32, you get a “proof of life” where they decrypt one file for free. Before you pay the ransom, the attacker proves to victims that the files can be decrypted once the ransom is paid.