Ransomware: How Much You Knew and What You Need to Know!

Ransomware: How Much You Knew and What You Need to Know!
Ransomware is a type of malware that infects by locking or by encrypting users hard drives unless ransom fee is paid. It holds victim information by asymmetric encryption. Asymmetric encryption (public-private key) is cryptography that use a pair of key to encrypt and decrypt a file.
 
These both keys is uniquely generated by the attacker for the victim. Private Key is used to decrypt the locks or file but that key is stored in attacker server. This private key available to the victim only after the ransom amount paid to the attacker. Without private key, it becomes a big challenge to decrypt the files that are being held to ransom.
 

Types of  Ransomware

There are two main forms of Ransomware in circulation today:
 
Locker Ransomware (computer locker):   Locker Ransomware is used to deny access to computing resources and it typically affects by locking the computer’s or device’s user interface and then asking the user to pay a fee in order to restore access to it. Locked computers will often be left with limited capabilities, such as only allowing the user to interact with the Ransomware and pay. This means access to the mouse might be disabled and the keyboard functionality might be limited to numeric keys, allowing the victim to only type numbers to indicate the payment code
 
 
Crypto Ransomware  (data locker): Prevents access to files or data. Crypto Ransomware doesn’t  necessarily have to use encryption to stop users from accessing their data. This type of ransomware is designed to find and encrypt valuable data stored on the computer, making the data useless unless the user obtains the decryption key. As people’s lives become increasingly digital, they are storing more important data on their personal computers and devices.  Many users are not aware of the need to create backups to guard against hard disk failures or the loss or theft of the computer, let alone a possible crypto ransomware attack. This could be because users don’t have the awareness or don’t realize the value of the data until it is lost. Setting up an effective backup process requires some work and discipline, so it’s not an attractive proposition for the average user.
 

How Ransomware Works?

There are many ways an attacker can start an attack with the different goal being to plant the Ransomware in the victim’s machine.The most common method to attack the victim’s machine is phishing email where the user is tricked into clicking on a malicious link which may connect to download some Ransomware malware codes but the email looks legitimate.
 
 
Phishing Email
The attacker tries by sending a phishing mail to the top level of the management and prompting a user to access links or attachment. 
 
 
There are multiple ways attacker tries to contact with a user given below:
  • Scam email campaigns that contain malicious links or attachments(War diving attack or target attack)
  • Attackers exploiting a vulnerable software.
  • Some unwanted ads redirecting to malicious websites.
  • Legitimate websites that have malicious code injected in their web pages.
  • In mobile, attacker sending a message with malicious links to the targeted user(by clicking links which apply ransomware in mobile).
DOWNLOAD and DROPPER 
User unpacks the attachment or links accessed. A public key is downloaded through command and control server via TOR to execute the Ransomware attack by encrypting the machine.
 
Communication with command and control server
  • After unpacking the malware or installation of Ransomware it communicates to the command and control server to get the private key.
  • Nowadays. attackers play a tricky role of C&C server already taken down by law enforcement. Instead of using static C&C server, attackers have started to use a dynamic domain algorithm technique to escape from being detected.
  • The latest modified crypto locker generates a list of 1000 domains (approximately) and tries to connect with C&C server till successful connection has been made. This way computer is compromised under the control of numerous C&C servers. 
  • In this final phase, the attacker encrypts the whole hard drives and files. He might give the private key only after some amount of bitcoin is paid. However, it is not recommended.

Public Key and Private Key
  • Attacker takes down the control of C&C servers. All interconnected compromised computers share the public key to all the affected machines. 
  • The older version of crypt locker would just encrypt the files on a local machine. 
  • New Version tries to encrypt backup first. They especially scan on remotely share files in date format (e.g.  SRS1234.bak) and encrypt all the data of these folders then it encrypts specific file types only. 
  • During encryption process, the incident response team have a chance to interrupt their process. So the attacker tries to take the important files and they are encrypted first. Usually, the attacker encrypts the data by sorting date (Recently accessed file). 
  • Finally, Attacker will notify with some dialog box to pay for ransom. Once you pay to attackers, they will verify and private key may be delivered. In some attacks, it will automatically decrypt the data once you pay. However, there is risk involved while making the payment and there is no surety that we will get the private key once the payment is made.

Impact

Ransomware not only targets home users; businesses can also become infected with Ransomware, leading to negative consequences, including
  • Temporary or permanent loss of sensitive or proprietary information.
  • Disruption to regular operations.
  • Financial losses incurred to restore systems and files.
  • Potential harm to an organization’s reputation.

Prevention Techniques

  • Backup and Recovery:  Perform the regular backup periodically based on the customer requirement, If any backup failure that will lead to loss of data. Store one copy in the cloud, and resorting to services like Dropbox, and the other on offline physical media, such as a portable HDD. 
     
  • Personalize Email Settings: Ransomware variants are mostly spread through known subject line (Eye catching emails) which contains a malicious attachment. It’s recommended to configure your webmail server to block the file extensions like .exe, .bat, .scr.    
     
  • Network Share Access Control:  To stop the ransomware’s spread, review use of network shares to ensure that write access is limited to the smallest number of users and systems on the role-based access control. 
     
  • Email and Executable Controls: Ransomware often begins with an email message carrying a Windows executable. Network security devices, such as a next-generation firewall, can identify these files when they are transiting the network and should block or quarantine them. Unknown Malware Prevention: Signature-based detection systems have proven unreliable for detecting new malware. 
     
  • Apply latest patches in current operating system and application:  Patch your operating system & your application regularly. Recommend to have the test environment before deploying the patches in the production to avoid the business impact. Having the latest operating system and application versions and patches will reduce the attack surface to a minimum.
     
  • Antivirus and Endpoint Control:  Update your Antivirus Signature on regular basis and ensure the latest signature has been updating your end point devices. Also, install endpoint application which has behavioral based analysis to ensure new variant of Ransomware is quarantined/blocked.  
     
  • Make yourself “weaker” when working: Don’t give yourself more login power than you need. If you allow yourself administrator rights during normal usage, consider restricting this. Surfing the web, opening applications and documents, and generally doing a lot of work while logged in with administrative rights is very dangerous. If you get hit with malware while you have fewer rights, you will reduce your risk because malware will also execute with fewer rights, which will reduce the threat’s attack surface.
     
  • Don’t turn on macros unless you know what’s happening: In general, do not enable macros in documents received via email. Notice that Microsoft Office turns off the auto execution of macros for Office documents by default. Office macros are a popular way for Ransomware to infect your machine, so if a document “asks” you to enable macros, don’t do it.
     
  • Allow only whitelisted items in the organization: Use an “application control” method that offers centrally administered whitelisting to block unauthorized executable on servers, corporate desktops, and fixed-function devices, thus dramatically reducing the attack surface for most Ransomware. 
     
  • Awareness: malicious hyperlinks can be received via social networks or instant messengers, and the senders are likely to be people you trust, including your friends or colleagues. For this attack to be deployed, cybercriminals compromise their accounts and submit bad links to as many people as possible. Please ensure you understand the phishing elements (certificate, Logo, Trademark, Padlock etc.)  and think twice before you click any link.

Detecting Techniques

  • Security Information & Event Management - SIEM:  SIEM  helps to identify the new and existing threats in the network and system level. Also, it is highly recommended adopting good SOC tools at the organization level to improve detective techniques. The objective of having the SOC framework (Prevent, Identify, Detect, protect, respond & recovery) is to track the Suspicious Behavior from user and devices level through near & real-time monitoring.
     
  • Use sandboxing for suspicious processes: To Analyze the suspicious emails reported by users and confirm whether the email is phishing /legitimate. Example: Online sandbox tools such as Virus Total, Url Query etc.. helps in identifying the URL’s  pattern and the flow of traffic
     
  • Use Whitelisting instead of blacklisting: Whitelist contains people, sites or networks you allow access to your computer. The opposite of whitelists is blacklisted. Blacklist or deny access to services you don't want such as sites that might try to add spyware to your computer. In a business environment, it’s recommended to use the whitelisting methodology to allow all the trusted URLs and blocking all the remaining internet traffic [External to Internal and Internal to External] in the organization. 
     
  • Analysis of behavior and seeing new indicators: Most of the endpoint antivirus or HIPS/HIDS are signature based. Hackers create malware that can easily bypass these devices so when they launch attacks, they will ensure that the antivirus solution is not having the required signature. Hence it is highly recommended to perform the behavioral based analysis if any system / Network devices are trying to connect blacklisted IP’s (such as internal to external or external to Internal) or any new hidden process running in the system trying to access the critical information of the users.
     
  • Vulnerability Scanning & Penetration Test: Running a series of Vulnerability Scanning and Penetration Testing helps in detecting the vulnerabilities and loopholes present in the system which can be fixed. Thus finding and fixing these vulnerabilities will prevent the hackers from creating a backdoor and accessing the critical information of the users.

If you found system infected with ransomware. Now, what to do?

Remove any infected machine from the network since there is a possibility for the malware to spread to other machines. 
 
If the machine is encrypted, it is recommended to wipe machine completely
  • Check the backup and restore if available.
  • Check your Antivirus Signature on regular basis and ensure the latest signature has been updating your end point devices.
  • Check with the respective security team to block the Malicious URLs, domain and IP address.
  • Check with the Email security team to block the malicious sender id through whom the user received malicious email. 
  • In case, the files that have been encrypted by Ransomware, attackers may tell to pay ransom in the form on Bitcoins, but there is no guarantee the files can be recovered even if paid. 

Conclusion

As awareness of these tricks increases, the attackers and their malware are likely to evolve and use more sophisticated techniques to evade detection and prevent removal. We have to focus on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world.  Also, the user awareness is one of the key areas which we have to concentrate to avoid human error while downloading such malware in a business area. 

Authored By - Raja Kannan and Santhana Bharathi
TCS Cyber Security Practice

 

Rate this article: 
0
No votes yet
Article category: 
Keywords: