The evolution of ransomware: How a nuisance turned into a business menace
As ransomware rapidly evolves, defenders look for help keeping up
Promo To many Internet users it must look as if ransomware arrived out of the blue. Pioneers such as Cryzip started circulating at very low levels in the UK as early as 2006 and yet it wasn’t until 2013 that this type of malware suddenly spiked with the appearance of its first big global superstar, CryptoLocker.
CryptoLocker, and its follow-up rival CryptoWall, were an object lesson in what made ransomware potent. Delivered as simple email attachments and eschewing fancy evasion techniques, the malware wasted no time finding and encrypting its victim’s data. The social engineering was brilliant - did the user want their data back badly enough to pay a Bitcoin ransom?
At first, the targets were consumers, but the genius of ransomware was that anyone could be a victim, including SMEs and even departments in larger organisations. Unfortunately, a lot of security companies were caught as unaware as their customers, stuck in a reactive model of security that made assumptions about how malware was evolving.
For ransomware makers, it’s been too easy. Profits have soared, reaching a total ransom figure of $1 billion in 2016 according to FBI estimates. Even though defences have improved and awareness has risen, ransomware shows no signs of slowing down as the public body count of small businesses, hospitals, libraries, police departments, hotels, and uncounted lone consumers continues to grow.
Take time to understand the enemy
If it sounds as if the world is falling off a cliff, James Lyne, head of security research for security company Sophos, is keen to demystify the dread of ransomware. After analysing numerous samples of ransomware in his day job, he comes bearing an urgent message of hope: ransomware can be stopped as long as defenders take the time to understand the enemy.
“Everyone is a potential target. It doesn’t matter whether you are a large enterprise, an SME or a consumer – everyone is being affected by this,” explains Lyne. This universality has turned out to be a clever innovation for the criminals who no longer need to think about who they are attacking so much as how much victims value their data.
Technically, the payload is the bit of the malware that finds and encrypts the victim’s data. But another way to understand the payload is to see it as the psychological ratchet in which the price is increased to match the pain and inconvenience the extortion gang thinks it is inflicting.
In extortion, then, the payload is as much the mental state it engenders in victims as lines of code. The social engineering is to make paying the ransom look like the easiest way out.
Lyne mentions having conversations with businesses which have pondered whether it might not simply be easier to hold funds back to pay off ransomware attackers as if it were another transaction. Bad idea, argues Lyne.
“There is the obvious moral and ethical question of whether you want to be paying money to a cybercriminal. But if you show yourself as someone who will pay, you are all the more likely to be targeted again,” he warns.
He recalls the case of a company that paid to stop an attacker releasing personal information stolen from a website by exploiting an SQL flaw. Although not involving ransomware, the strategy typified the direction extortion crimes are heading.
“They did a deal and the attacker came straight back, found another flaw, and repeated the attack with higher prices. Remember you are dealing with criminals and can’t expect honour among thieves.” Lyne also cites the growing unreliability of the payment mechanisms used by cyber criminals, either because police have shut them down or the criminals have had to abandon them to avoid detection.
“There might not be any way to pay and that ransomware has inadvertently become permanent lockware. It isn’t safe to say ‘I will be able to pay to get my data back’. There are instances where you won’t be able to do that.”
The idea that victims could be attacked twice or more in succession using the same tactic seems counter-intuitive until you grasp that the trick of all social engineering is to impose a degree of control in the minds of its victims. When criminals write the rules of the game, it is the captive who must adjust their understanding of reality. So where should companies and individuals look for salvation?
Ransomware: The first defensive layer
Before even mentioning anti-ransomware technologies, Lyne reels off a list of simple protections that should form the first defensive layer. These range from obvious suggestions such as comprehensive backup routines and more rapid software patching (“patch early, patch often”) to more careful network segmentation (keeping servers and workstations apart), and limiting overly-permissive user rights to network drives. Some admins block executables in attachments but forget to do the same for document macros, he says.
The best tweaks are often the simplest and cheapest: install Microsoft Office viewers so that recipients can see what documents look like before opening them, and always enable file extensions so that recipients have visual information on an attachment. Microsoft has made specific, more granular controls available for macros, which are one of the prime ways ransomware gangs get their malware deployed within well-constructed Office documents.
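One way to put the attachment advice above into practice, as an added example that is not from the article or from Sophos: a gateway-side triage that blocks executables (including double-extension names such as invoice.pdf.exe, which Windows would display without the real suffix when extensions are hidden) and quarantines Office documents that carry a VBA project instead of trusting their file extension. The extension lists and the quarantine policy for legacy OLE formats are assumptions, and make_ooxml builds a constructed stand-in for a real document.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Blocked outright: executables and script hosts, whatever the message says they are (assumed list).
EXEC_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
# Macro-enabled Office formats. The plain ".docx"/".xlsx" suffixes can still carry VBA,
# so for every zip-based Office file the container is inspected rather than trusted.
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OFFICE_ZIP_EXT = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx"} | MACRO_EXT
# Legacy OLE formats need a separate parser to find VBA; quarantining them is an assumed policy.
LEGACY_EXT = {".doc", ".xls", ".ppt", ".dot", ".xlt"}

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container embeds a VBA project part (e.g. word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(PurePosixPath(n).name.lower() == "vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    ext = suffixes[-1] if suffixes else ""
    # Only the real last suffix decides: "invoice.pdf.exe" is an executable, however it is shown.
    if ext in EXEC_EXT:
        return "block"
    if ext in LEGACY_EXT:
        return "quarantine"
    if ext in OFFICE_ZIP_EXT and (ext in MACRO_EXT or has_vba_project(data)):
        return "quarantine"
    return "allow"

def make_ooxml(with_vba: bool) -> bytes:
    """Constructed stand-in for an Office document: a zip holding only the parts that matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")   # OLE magic only, not real VBA
    return buf.getvalue()
```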
But dedicated anti-ransomware protections also have their place even if working out which one is often not straightforward. Some traditional anti-virus vendors were caught out by ransomware’s sudden rise from obscurity, which caused blocking rates to drop.
Customers started asking themselves whether their expensive licenses were worth the annual retainers. Although protection has improved a lot in the last three years, confusion still reigns. With numerous fancy technologies hyped up to stop ransomware, which ones are worth investing in?
“It is hard to see through the mass of marketing and conflicting advice. Figuring out which technology is effective isn’t that easy,” accepts Lyne. “The first thing I’d do is ask my security vendor what they do in this area.”
For business customers, Sophos’s response to tricky threats such as ransomware is Intercept X, a modular endpoint security product launched in late 2016 that integrates multiple protections and boosts the ransomware protection already available in its existing endpoint products.
Intercept X includes exploit prevention (watching for the techniques that indicate ransomware such as opening lots of files), the detection of zero-day attacks and the sort of forensic analysis that can strip a malware event back to its source.
If ransomware manages to execute and start encrypting files, Intercept X’s CryptoGuard protection immediately engages its remediation. “It keeps state of what has happened to files and has the ability to roll back, enabling you to undo any damage,” Lyne says.
This underlines the way tackling ransomware has become as much about response as simple detection and blocking. Having an automated system on hand to help with this is a major advantage.
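The detect-and-roll-back idea described in the two paragraphs above, as an added illustration that is not CryptoGuard's code and makes no claim about how Sophos implements it: a hypothetical FileGuard hook journals a copy of each existing file before it is written, counts existing files being overwritten with high-entropy (ciphertext-like) content, and once a burst threshold is reached the journal is used to undo the damage. The thresholds and the simulate() scenario are constructed for the example.

```python
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below 7, ciphertext approaches 8."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class FileGuard:
    def __init__(self, root: Path, burst_threshold: int = 3, entropy_threshold: float = 7.0):
        self.root, self.burst, self.entropy = Path(root), burst_threshold, entropy_threshold
        self.journal = Path(tempfile.mkdtemp(prefix="journal-"))
        self.suspicious = []                      # existing files rewritten as ciphertext

    def write(self, rel: str, data: bytes) -> bool:
        """Interposed write hook. Returns True once the burst threshold is reached."""
        target = self.root / rel
        if target.exists():                       # keep the pre-write state
            backup = self.journal / rel
            backup.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(target, backup)
            if shannon_entropy(data) > self.entropy:
                self.suspicious.append(rel)
        target.write_bytes(data)
        return len(self.suspicious) >= self.burst

    def rollback(self) -> list:
        """Restore every journaled file to its pre-write copy; returns the paths restored."""
        backups = [b for b in sorted(self.journal.rglob("*")) if b.is_file()]
        for b in backups:
            shutil.copy2(b, self.root / b.relative_to(self.journal))
        return [str(b.relative_to(self.journal)) for b in backups]

def simulate() -> dict:
    """Constructed scenario: four documents, one benign save, then an encryption burst."""
    root = Path(tempfile.mkdtemp(prefix="docs-"))
    plaintext = b"Q3 figures: revenue up 4%\n" * 40
    for i in range(4):
        (root / f"doc{i}.txt").write_bytes(plaintext)
    guard = FileGuard(root)
    benign = guard.write("doc0.txt", plaintext + b"(edited)\n")   # normal save: not suspicious
    ciphertext = bytes(range(256)) * 16                            # uniform bytes, entropy 8.0
    tripped_at = next((i for i in range(4) if guard.write(f"doc{i}.txt", ciphertext)), None)
    restored = guard.rollback()                                    # offender stopped: undo damage
    return {"benign": benign, "tripped_at": tripped_at, "restored": restored,
            "files": {f"doc{i}.txt": (root / f"doc{i}.txt").read_bytes() for i in range(4)}}
```

In the scenario the guard trips on the third encrypted file and the first three documents come back from the journal, while the fourth was never reached.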
And the future? With the recent growth of targeted ransomware, ransomware-as-a-service, and the mass encryption of poorly-secured MongoDB databases, it doesn’t seem over-anxious to worry about where ransomware might be heading.
“We haven’t launched into the world of super-targeted ransomware yet. But we are dancing on the edge of it,” concedes Lyne, who remains surprisingly optimistic. Defenders simply need to overcome their fear and adapt.
“The majority of campaigns that we see are still opportunistic,” says Lyne, who downplays the issue of sophistication. For sure, ransomware is improving but what will make the difference in the end is how rapidly defenders adapt to stop it.
Technology will only take defenders so far - in the end it is the mental battle that will sort those who will resist ransomware from those who will succumb.