Ransomware
Ransomware Trends around the Globe
by Obedience Kuguyo

Ransomware as a Service (RaaS)

Ransomware is a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Today, ransomware is used to infect computers and extort money from a victim, and it has become a trend of criminal activity even among low-skilled hackers. The nature of ransomware attacks is starting to change and will continue to evolve: new, resistant strains of ransomware are being developed and sold on the dark market for an affordable price, with options to customize the code to meet certain security-resistance requirements. RaaS is fuelling criminal entities to invest in ransomware code and markets, with most cybercriminals now reverse engineering ransomware strains to develop better and more resistant versions for their cybercrime arsenals. Ransomware now sits in the arsenals of a wide range of attackers, like a keylogger or a network scanner.

Why are more advanced cybercriminals modifying ransomware for their cyber arsenal?

As a cybersecurity expert, I've seen many attacks already where skilled attackers get into a network, get what they need, and leave ransomware behind to further extort money or destroy systems. Part of the reason for this is that it serves as a useful distraction: to show the victim that 'they have been hacked by a certain group' and that 'it wasn't just a virus infection but rather a targeted one.' I have seen most people ignoring their network defence after a single machine has been infected by ransomware; it is common that systems administrators fail to look around their network for other signs of a breach, making it easier for the attacker to escape unnoticed and infect the whole cluster of machines on the same network.
But another reason, and the more common one, is that cybercriminals want to make a ton of money from unsecured systems, and ransomware attacks can give them an instant cash-out which is mostly untraceable when it uses a cryptocurrency system such as Bitcoin or Zcash. In some circumstances, rogue nations practising espionage can also conduct state-sponsored cybercriminal activities and infect target countries with ransomware as cyberwarfare and to find new sources of revenue. These countries make use of contractors within the target country who have very good access into many organizations around the world to spread their ransomware.

The rise of more sophisticated ransomware attacks designed to shame the victims

Press coverage of recent ransomware attacks such as WannaCry and Petya has generated considerable interest from hacker groups in ransomware samples and analysis. The world must expect to see growth in these kinds of attacks, with more copycat attacks coming from different geographical areas as more samples of ransomware are downloaded for reverse engineering and analysis. These attacks will be more directed at profitable systems around the world, especially those such as:
• Self-checkout systems at grocery store chains
• Bank ATMs
• Hotels
• Computerized billboards
• Hosting servers
• Government institutions
• Profitable groups
Basically, any organization that has a kiosk-type system exposed to the public and running on older, insecure versions of Microsoft Windows can be infected. New strains for Linux and macOS are being developed, and sites on the darknet claiming to offer such services are beginning to advertise their malware to interested groups. If these types of systems get infected with ransomware, everyone knows you have been hit, there is a lot of pressure to resolve the problem quickly, and the victim might even pay the ransom in the hope of restoring their infected resources. Cybercriminals have developed ways to infect Internet of Things (IoT) devices with ransomware. They have devised ways to attack the whole cluster of IoT devices connected to the same network using open protocols that face the public internet.

Examples of ransomware using no executable as payload to evade security defences

Ransom32 is a type of ransomware developed entirely in JavaScript, and PowerWare is developed in PowerShell. Neither uses an executable payload that needs manual installation on the physical host, so downloading this ransomware is very easy if JavaScript is enabled in your browser, as the Ransom32 payload will execute through loading the JavaScript. This trend of intelligent ransomware obfuscation techniques will continue to grow because it is easy to evade anti-malware protections and it is also easy to deploy with less suspicion from the victim through web-hijacking and clickjacking. Execution of the payload runs in the background and the victim won't suspect anything.
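As an added defender-side illustration (not code from the original article), the following Python scans constructed process-creation log lines for the script hosts that this kind of ransomware relies on, flagging a script host launched from a browser or Office program, an encoded PowerShell command line, or a script run from a download or temp directory. The log format, the parent-process list and the sample events are assumptions made for this example.

```python
import re

# Script hosts that a normal user workflow rarely launches (the prevention tips on this page suggest removing them).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Parents that should never spawn a script host (assumed list, not from the page).
USER_FACING_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "outlook.exe",
                       "winword.exe", "excel.exe"}
ENCODED_FLAG = re.compile(r"-e(nc|ncodedcommand)?\b", re.IGNORECASE)
USER_DIR_SCRIPT = re.compile(r"\\(downloads|temp|appdata)\\.*\.(js|jse|vbs|wsf|ps1)\b", re.IGNORECASE)
# Constructed log format: timestamp, parent image, child image, quoted command line.
LINE_RE = re.compile(r'^(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmd>.*)"$')

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["parent"], ev["image"] = ev["parent"].lower(), ev["image"].lower()
    return ev

def classify(ev):
    """Reasons this process-creation event looks like script-based ransomware ([] = benign)."""
    reasons = []
    if ev["image"] not in SCRIPT_HOSTS:
        return reasons
    if ev["parent"] in USER_FACING_PARENTS:
        reasons.append(f"script host spawned by {ev['parent']}")
    if ENCODED_FLAG.search(ev["cmd"]):
        reasons.append("encoded PowerShell command line")
    if USER_DIR_SCRIPT.search(ev["cmd"]):
        reasons.append("script run from a user-writable directory")
    return reasons

def scan(lines):
    """Return (timestamp, image, reasons) for every suspicious line."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            reasons = classify(ev)
            if reasons:
                alerts.append((ev["ts"], ev["image"], reasons))
    return alerts

# Constructed sample events: a browser-launched .js dropper that then runs encoded PowerShell.
SAMPLE_LOG = r"""
2017-05-12T10:21:03Z parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\Users\alice\notes.txt"
2017-05-12T10:21:07Z parent=chrome.exe image=wscript.exe cmdline="wscript.exe C:\Users\alice\Downloads\invoice.js"
2017-05-12T10:21:09Z parent=wscript.exe image=powershell.exe cmdline="powershell.exe -NoProfile -WindowStyle Hidden -enc SQBFAFgA"
2017-05-12T10:25:00Z parent=cmd.exe image=powershell.exe cmdline="powershell.exe -File C:\Scripts\backup.ps1"
""".strip().splitlines()
```

Running `scan(SAMPLE_LOG)` reports the wscript.exe and powershell.exe events and leaves the administrator's scheduled backup script alone.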
Such script-based ransomware uses a combination of scripting languages (such as PowerShell and JavaScript) and Microsoft API calls to encrypt the files on a victim's machine. The encryption, the ransom note, and the call out to a command and control server are completed without an executable file. These ransomware families can avoid detection by many traditional security vendors because they take advantage of legitimate processes on the system, so everything they do looks legitimate.

Ransomware attacks via e-mail services

Spam campaigns are losing the fight against consumer webmail providers such as Gmail, Outlook and Mimecast. These services have increased their security defences to identify new ransomware campaigns being sent through their service by employing artificial intelligence (AI) and machine learning algorithms. AI has proved useful in learning the dynamic changes in ransomware and its families. These systems are also able to filter the origins of a sample in certain circumstances, but they can be less effective in learning new kinds of threats emerging in cyberspace. These services also rely on open threat exchanges, and it is only when a threat has been identified that these service providers can come up with a solution to further their security and block these new emerging threats.
As ransomware attackers look to expand their attack surface, the easiest way to do that is to increase the number of people who see their email or to have the ransomware auto-install when the victim opens the email. If the ransomware groups can find weaknesses in the security of these providers, or use some of the millions they have made to buy zero-day exploits to take advantage of weaknesses that may exist, they can increase the number of successful installs and increase their revenue even more. This is what is happening today: the Shadow Brokers leaked the Eternal Blue vulnerability, and cybercriminals have used vulnerabilities associated with the exploit to build ransomware such as WannaCry, which attacked hundreds of thousands of systems across the world.

Ransomware on IoT devices

Ransomware attacks are now targeting almost every computing system, even IoT devices. Since these devices tend to be synched with a local server or a cloud environment, it is too easy to wipe and replace them, so in my opinion there is no compelling reason for a victim to pay the ransom and have their systems restored to normal by cybercriminals. An effective ransomware attack on these systems would be a waste of time and a non-profitable business for a cybercriminal who aspires to profit from Ransomware as a Service, as I don't think ransomware is going to be effective against these targets.
There is a discrepancy between the IoT device itself and the Windows systems that serve as the face of these IoT systems; those will be subject to attack in the same way as other Windows systems. In fact, in some ways they may be more susceptible to ransomware. The control systems of these IoT devices often run specialized software that controls the functions of the devices. This specialized software usually requires a specific version of Windows, one that is often outdated, unpatched or with less support in terms of its core development. IoT devices themselves are mostly built on Linux/UNIX/specialized OSs that handle the day-to-day functions of those systems. They are too obscure to be a reliable target for mass-produced ransomware. There is also a difference in the way the file systems are set up between Linux/UNIX systems and Windows computers, which makes it ineffective to attack Linux IoT devices.

Most people act as local administrator on their home computer, and even a lot of companies allow their users to have local administrative access to their workstations. In practical terms, this means that the user can access every file on the system. When a victim inadvertently installs ransomware, that ransomware also has access to everything on the system and can encrypt it all. Linux/UNIX systems operate differently: the user only has access to his or her own files, not all files on the system. Even if a user does accidentally install ransomware, it will only be able to encrypt the user's files, not all the files on the system. For ransomware to be effective on a Linux/UNIX system the attacker would either need a victim logged in as root or to package a privilege escalation with the ransomware.
Consumer-grade IoT and more complex enterprise systems

There is a distinction to be made between consumer-grade IoT devices, such as home routers and web cameras, and the more complex Supervisory Control and Data Acquisition (SCADA) systems that control things like the water supply, electricity supply, nuclear energy stations or traffic lights. These systems also run on specialized operating systems, but they are not disposable in the way consumer IoT devices are. Russian hackers are allegedly developing ransomware and malware to target SCADA systems for huge profits, and if these sectors are left without appropriate security defence layers, they will soon become more attractive targets.

Law enforcement action on ransomware and cybercriminals
There is a strong need for the security community to collaborate with law enforcement agencies in a big way to permanently shut down the attacking domains behind ransomware and the exploit kits that deliver them. Law enforcement agents should be trained in cybersecurity, and cybersecurity units within the law enforcement agencies should work together with other nations to help stop the spread of ransomware and malware-related activities. Law enforcement agencies should also consider collaborating with security researchers and malware analysts when it comes to dissecting ransomware and offering new protections and cyber response methodologies.

Ransomware Prevention Tips

As of today, ransomware attacks are here to stay. Computer users should adopt a certain set of skills and best practices to prevent ransomware attacks from happening. This can prevent the bricking of their systems and data loss. Ransomware attacks have been on the rise since the beginning of 2015 and 2016, and people should expect to see this type of growth in 2017, with more resistant types of ransomware being developed and targeting more complex systems. If victims continue to pay ransoms and fund the growth and development of these new ransomware families, there will be more complex, hardened and effective ransomware attacks that brick computer systems.
Here are a few best practices to minimize the risk and data loss associated with ransomware attacks:
• Back up confidential/useful data and test the backups regularly to verify them.
• Disable Microsoft Office macros by default, and selectively enable them for those who need macros.
• Keep web browsers, services and plug-ins such as Adobe Flash, the SMB protocol and Microsoft Silverlight updated, and prioritize patching systems with new update releases.
• Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them by putting in place effective access control systems and policies.
• Scan incoming emails for suspicious attachments, including examining all compressed attachments.
• Disable or remove the PowerShell, wscript and cscript executables on all non-administrative workstations to prevent infections.
• Automatically quarantine any email that has an attachment containing a script or a .scr file extension, or that comes from an unknown domain name.
• Do not give all users in the organization local administrative access to their workstations if it is an organization computer system.
• Use threat intelligence to gain visibility into your organization's external threat environment, and monitor for any emerging ransomware threats to your organization with proper/reputable security and reporting tools such as Symantec solutions and Kaspersky.
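The two e-mail rules from the list above (scan attachments, including compressed ones, and quarantine any message carrying a script or .scr attachment or coming from an unknown domain) as an added Python example; it is not code from the original article, and the extension list, the known-domain set and the sample message are constructed for this example.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr
# Extensions counted as "a script or a .scr file" for the quarantine rule (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".scr"}

def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def attachment_names(part):
    """Yield the attachment's own filename and, for a .zip, every member name inside it."""
    name = part.get_filename() or ""
    yield name
    if _ext(name) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                yield from zf.namelist()
        except zipfile.BadZipFile:
            pass  # corrupt or non-zip data: nothing further to inspect

def quarantine_reasons(msg, known_domains):
    """Return why a message should be quarantined (empty list = deliver)."""
    reasons = []
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if domain not in known_domains:
        reasons.append(f"sender domain {domain!r} is not known")
    for part in msg.iter_attachments():
        for name in attachment_names(part):
            if _ext(name) in SCRIPT_EXTS:
                reasons.append(f"attachment {name!r} has a script or .scr extension")
    return reasons

def build_message(sender, attachments):
    # Constructed sample e-mail; attachments is a list of (filename, bytes).
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "finance@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg

def zip_bytes(member, data):
    # Constructed .zip holding one member, e.g. a script hidden inside 'invoice.zip'.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()

# Constructed sample: a zipped .js from a known supplier domain; the archive check still catches it.
SAMPLE = build_message("Accounts <billing@supplier.example>",
                       [("invoice.zip", zip_bytes("invoice.js", b"// inert placeholder"))])
KNOWN_DOMAINS = {"example.com", "supplier.example"}
```

`quarantine_reasons(SAMPLE, KNOWN_DOMAINS)` flags the script inside the archive even though the sender domain is known; a message with only a PDF from a known domain returns an empty list and is delivered.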