Forcepoint Security Labs: Ransomware and Other Malware Threats Are Aimed at Manipulating Or Imitating User Behaviour, Through Whatever Source of Technology They Can

Are You Prepared for Ransomware?

One of the most frustrating threat innovations of the last decade has been ‘ransomware’ malware. Initially considered just a consumer threat, both government and commercial enterprise networks can now be listed among its victims. This report examines the technical and business threats that ransomware continues to pose to organizations, threats which IT security teams must be prepared to address and overcome.

Definition

Ransomware refers to malware that demands a payment for ‘a service.’ Typically, that service is the safe return of data or of user access to a device. A visible notification informs the user that access to their data or device is restricted and is accompanied by a payment demand. Upon payment, the ransomware grants the user access to their data or system. Ransomware’s simple proposition of a payment in exchange for returning control and access to the victim appeals to the targeted individual’s or organization’s desire to “get back to normal as soon as possible.” A ransomware program may also be called a cryptovirus, cryptotrojan or cryptoworm. While data-wiping malware and, indeed, crypto-malware are not new (with a history going back 20 years), crypto-ransomware has become highly disruptive in recent years.

Types of Ransomware

There are 3 primary types of ransomware:

1. Scareware: a demand for payment is made based on the threat of a future action, using intimidation tactics. The user’s files and system access are not affected.
2. Lockers: the promise of regaining access to the user’s screen or system is met with a demand for payment of a fee.
3. Crypto-ransomware: having encrypted the user’s files, crypto-ransomware offers to sell the victim the decryption key for a fee. Crypto-ransomware can affect local files and those hosted on network shares. Encrypted files that cannot be retrieved result in a “data destruction” incident.

What Has Driven the Rise in Ransomware?

Ransomware works as a revenue generator for cybercriminals only when their victims pay the ransom. An increasing realization among businesses of the importance of their data has encouraged more individuals and organizations to pay the ransom demand. The monetization aspect of ransomware is now workable due to the Bitcoin payment system, the preferred crypto-currency of ransomware authors. Funds processed using crypto-currencies are easy to transfer and hard to track, which works in the cybercriminals’ favour and against that of law enforcement.

Cybercriminals are clearly profiting from their lucrative illegal activity. Experts have estimated that the total amount paid to ransomware authors could be as much as $325 million (USD) for some variants of ransomware. As that income stream continues to grow, so will the frequency of ransomware attacks.

Ransomware is a truly global phenomenon, affecting users from Australia to Sweden. However, for maximum impact, the lures are adjusted to the local language of their targets, or the ransomware purposely avoids affecting users in particular geographies. Furthermore, ransomware notices have been observed to be tailored to the user’s own language to smooth the payment process.

And the number of ransomware authors is growing. The availability of Ransomware-as-a-Service, and before that ransomware kits, has lowered the barriers to entry for motivated cybercriminals.

Delivery Methods

Crypto-ransomware spreads through email attachments (Microsoft Office documents are particularly popular), infected programs, drive-by infections on compromised websites and even direct network connections that exploit operating system vulnerabilities. Social engineering techniques are often used by ransomware authors to encourage end-users to run, download or click on malicious content. In addition, some ransomware is starting to use automated techniques to jump from machine to machine without any user interaction at all. Once the ransomware gets onto a machine, it usually searches for particular file types and starts encrypting files as soon as possible.

Guidance from Forcepoint Security Labs: Ransomware and other malware threats are aimed at manipulating or imitating user behaviour, through whatever source of technology they can. Implement multi-layered security technologies to defend against attacks across the relevant attack vectors - in this case, web, email and network. Next generation firewalls (NGFWs) placed at the internal and external edges of your network can protect against automated propagation. Deploy monitoring and reporting tools, including cloud-based Advanced Malware Detection services, to detect and defeat incoming threats across multiple paths into an organization.

The Role of Social Engineering

The human point of interaction between people, critical data and intellectual property—where technology is most enabling and security is most vulnerable—can undermine even the most comprehensively-designed cybersecurity systems in a single malicious or unintentional act. Ransomware takes advantage of this point of interaction, utilizing social engineering as a key component of its tactics, techniques and procedures (TTPs). Put simply, it is convincing an end-user to perform an action in a highly interactive way. This social engineering is performed during the initial lure phase of the threat lifecycle (a malicious email or compromised website) as well as during the payment demand phase (scaring the user into paying, or giving them an incentive to do so, such as promising the safe return of their now encrypted files).

Guidance from Forcepoint Security Labs: implement a continuous user education program. Alert your employees to the dangers of ransomware and have them report incidents into a tested and well-established security incident process.

To Pay or Not to Pay?

It’s in the interest of cybercriminals to make payment easy and affordable. In order to maintain their revenue stream, ransomware authors have typically kept ransom fees low (a handful of Bitcoins). The price per coin in Bitcoin (a digital payment system) varies, but ransomware fees are typically calculated to be less than $1,000 USD per demand. However, targeted ransomware has also been known to demand payment of tens of thousands of US dollars from some organizations. Regrettably but understandably, some businesses are paying those demands.

Giving in to ransomware demands may achieve short-term relief from a data destruction and business disruption incident, but it may well set the stage for more attacks globally. Alternatively, victims could choose not to pay the ransom and accept the damage (or recover from it), which is better from an ecosystem perspective. Better still, if victims could defend their data and systems, and therefore avoid paying the ransom without consequence, ransomware attacks would quickly fade away. The decision to pay, or not, must take into account a balanced view, as we explain below.

Guidance from Forcepoint Security Labs: the United States Federal Bureau of Investigation (FBI) initially suggested that ransomware victims should not pay the ransom demand. Guidance was later adjusted, suggesting that ransom payment is an option. We agree that making a payment is always an option, but it doesn’t guarantee the successful return of encrypted files, nor does it guarantee that the ransomware author will not return. Factors such as the availability of the command and control servers on which the decryption key is hosted, the absence of mistakes in the decryption routine and the cybercriminals’ honesty all influence the successful retrieval of locked files.

WE RECOMMEND THE FOLLOWING ACTIONS:

1. Establish a tried, trusted and tested (preferably offline) data backup process across your organization. This may allow retrieval of your files without payment.
2. Educate your users not to open unexpected or unfamiliar attachments in email messages or click on unknown hyperlinks. Provide end users with a ransomware incident reporting process.
3. Determine whether there are weaknesses in your infrastructure or processes that can be exploited by ransomware tactics, and seek to close those gaps. For instance, ensure that you keep up with operating system updates and patches across the IT and security infrastructure.
4. Consider whether a ransom payment to retrieve data would be better spent on investment in more effective security measures to prevent similar incidents in the future (such as user education and sandboxing for URLs and files).

EXAMPLES

Screenshot of WannaCry’s ransom demand:

Screenshot of Locky’s ransom demand:

Ransomware Variants Analysed by Forcepoint Security Labs

The development of ransomware families is relentless, with enhancements or new families discovered in the wild on a continuous basis. A small selection of the many ransomware families analysed by Forcepoint Security Labs includes:

Cerber - previously distributed via exploit kits and malicious email attachments, Cerber was spread via Windows Script Files (WSFs) inside double-zipped attachments in the first half of 2016.

CryptoLocker - considered the “original” ransomware variant that spawned many others, CryptoLocker first appeared in 2013. The efforts of law enforcement shut down the campaign one year later.

CryptoWall - our 2015 study found that the healthcare sector is 4.5 times more likely to be affected by CryptoWall than other industries. The latest version of CryptoWall randomises filenames and encrypts most documents found on the machine.

CTB-Locker – this variant stands out as not needing to connect
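The Cerber delivery method described above (a Windows Script File hidden inside a double-zipped email attachment) is one that a mail gateway can screen for before any user is asked to make a decision. The following is an added illustration, not code from the Forcepoint report: it walks an attachment's zip archive, recurses into nested zips up to a fixed depth, and returns the paths of members whose extension is on a block list of script and executable types. The extension list, the size and depth limits, and the sample attachment are all constructed for this example and should be tuned to local policy.

```python
import io
import os
import zipfile

# Constructed policy for this example: script/executable types that have no
# business arriving inside a zipped email attachment.
RISKY_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
                    ".exe", ".scr", ".bat", ".cmd", ".ps1"}
MAX_DEPTH = 3                 # stop recursing into zip-in-zip-in-zip chains
MAX_MEMBER_BYTES = 50 << 20   # do not inflate members above 50 MB (zip-bomb guard)
ZIP_MAGIC = b"PK\x03\x04"


def find_risky_members(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return paths like 'outer.zip/inner.zip/file.wsf' for every member whose
    extension is in RISKY_EXTENSIONS, recursing into nested zip archives.
    Non-zip input yields an empty list; excessive nesting is itself reported."""
    if depth > MAX_DEPTH:
        return [prefix + "<nesting depth exceeded>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []

    hits = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        ext = os.path.splitext(info.filename.lower())[1]
        if ext in RISKY_EXTENSIONS:
            hits.append(path)
            continue
        if info.file_size > MAX_MEMBER_BYTES:
            hits.append(path + " <oversized member, not inspected>")
            continue
        member = archive.read(info)
        # Recurse on extension or on the zip magic, so a renamed inner archive
        # (e.g. 'invoice.dat' that is really a zip) is still inspected.
        if ext == ".zip" or member.startswith(ZIP_MAGIC):
            hits.extend(find_risky_members(member, depth + 1, path + "/"))
    return hits


def build_sample_attachment() -> bytes:
    """Constructed sample mirroring the double-zip pattern: an outer zip holding
    an inner zip that contains a .wsf. The .wsf body is an inert placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_2016.wsf",
                   '<job><script language="JScript">/* placeholder */</script></job>')
        z.writestr("readme.txt", "constructed benign file")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("cover_letter.pdf", b"%PDF-1.4 constructed placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_risky_members(build_sample_attachment()):
        print("blocked:", hit)   # blocked: invoice.zip/invoice_2016.wsf
```

A gateway rule built on this would quarantine the message rather than rely on the recipient noticing that a "PDF" attachment is really a zip containing another zip. Checking the zip magic bytes, not just the extension, is what catches a renamed inner archive.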
