The many faces of ransomware
Ransomware has grabbed mainstream media attention recently but it’s nothing new – in fact, its origins can be traced back to floppy disk times. Part of ransomware’s new found notoriety is certainly due to the criminals’ latest target of choice, the healthcare industry, which is considered sacrosanct to most. And ransomware’s very nature lends itself to news-worthy headlines.
Unlike other types of malware which rely on stealth to infiltrate systems or quietly siphon off data, ransomware boldly declares its presence and intent, often with a clever name to go with it.
The biggest factor, however, is the sheer explosion in the amount and variety of ransomware. According to Symantec’s 2016 ISTR report, only about 16 families of ransomware were discovered in total between 2005 and 2014. In contrast, 27 new ransomware families emerged in 2015, with another 15 discovered in Q1 of this year alone, including the now infamous Locky. The trend prompted the FBI to issue an official warning, predicting a surge in ransomware incidents and damage this year.
Ransomware has spread to all different devices. Essentially anyone with a computer or smartphone these days is a potential extortion victim. The latest variant of FLocker can even lock down smart TVs (there are no known attacks to date.) Still, desktops and laptops remain the most common ransomware targets and are the focus of this article.
Ransomware everywhere
Ransomware’s mounting popularity parallels the increased availability of source code and target data through networks such as TOR, along with digital currencies like bitcoin that let criminals attack and collect while remaining anonymous.
Hospitals make a particularly attractive target as they require access to current information within patient records to provide care, so they will pay a ransom rather than risk delays that could endanger lives. Within the past few months, Hollywood Presbyterian in L.A., Methodist Hospital in Henderson, Kentucky, and the 10-hospital MedStar Health chain in the Maryland/Washington, D.C.-area have all been hit. The visibility of ransomware combined with the fact that the messages and payment demands appear similar to the victim obscures the fact that, from a cyber security perspective, ransomware is not the issue. It is simply the payload; and the delivery vectors vary widely.
Throughout 2014 and 2015, TeslaCrypt, CryptoWall and their variants dominated the ransomware scene. They delivered primarily through Exploit kits or drive-by web attacks that utilized vulnerabilities in browsers or third party plugins such as Flash. However, Locky, which first appeared in February 2016, reverted to old school social engineering tactics. It used phishing emails with an attached Word document containing a macro that downloaded the Locky Trojan from a remote server or ZIP archives that contained obfuscated scripts in JavaScript. These days, most ransomware does not limit itself to a single attack method, making them all the harder to prevent.
End-user education on cyber safety can go a surprisingly long way. The recent ransomware attack on the Lansing Board of Water and Light in Michigan, which forced the utility to shut down its accounting system, email service and phone lines, succeeded because a single employee opened an attachment to a phishing email. Something so simple to avoid. But good cyber hygiene loses effectiveness when an email purports to be from someone you know or an exploit kit hides in a banner ad on a legitimate website.
Security solutions have also proven fairly ineffective. Many ransomware victims are running fully-updated antivirus engines alongside anti-exploit and/or HIPS engines. Signature-based solutions compare a file to their database of known malware signatures to determine if it’s malicious. The signature might be a string of bytes in the file or a cryptographic hash. Only ransomware which has a signature developed and is in the database will be identified. Modern attackers know this and create new variants of their ransomware, sometimes on a daily basis. So the solutions are constantly trying to catch up. The use of automatic tools by hackers that create new malware variants (requiring new signatures) on the fly, without the intervention of the hacker, lowers the effectiveness of signature-based methods further.
An alternative is behavioral based detection tools, which operate under the premise that unknown malware variants behave similarly to known threats and this behavior can be detected. Although behavioral detection tools are more effective against new variants, they can still be evaded by various techniques and come with their own set of problems, including false positives and resource intensive updating and monitoring.
Most significantly, both signature-based and behavior-based solutions fail to detect and protect today for one main reason: many of the ransomware variants today are file-less, injecting malicious code into legitimate operating system services like Windows PowerShell or cipher.exe. Without an actual malware file, there is no file to be scanned and detected.
How can organizations protect themselves?
Once an organization is hit with ransomware, options are few. Even the FBI has unofficially advised to simply pay up. But ransomware is the last part, the payload, in an attack kill chain.
The real question is how to stop the initial exploit. One method is to reduce or obfuscate the attack surface itself so that target vulnerabilities cannot be found. For example, Moving Target Defense (MTD) technology uses counter-deception techniques to continuously and persistently change the target surface, concealing vulnerabilities in applications and web browsers and trapping attempts at access. This means the ransomware payload is never delivered.