How Ransomware is Evolving to Avoid Cybersecurity Defenses
Ransomware is arguably the most devastating malware incident for an organization, and in many cases the organization must restore data from backups. If no backups are available, the organization is often forced to pay the attacker, and paying the ransom doesn't guarantee restoration of your files. Cybersecurity research often finds ways to restore files without paying the ransom, and this causes malware authors to create new methods to bypass defenses. Ransomware authors have created new ways to guarantee payment in the last year. Here's what you should know.
Older WannaCry Strategies
WannaCry, released in 2017, was one of the most devastating ransomware programs to hit global organizations, costing millions in incident response and recovery. It was not the first ransomware application unleashed in the wild, but it was far more effective than its predecessors.
Cybersecurity researchers subsequently studied the malware and now know enough about it to understand how it works and the strategies it uses to avoid detection. Whatever ransomware attacks your infrastructure, the core technique is encryption. What separates a sophisticated attack from a mediocre one is how well the attacker hides the encryption keys and frustrates attempts to decrypt without paying.
Encryption can be symmetric or asymmetric. Symmetric encryption uses the same key to encrypt and decrypt files; asymmetric encryption uses a public/private key pair, so one key encrypts and a different key decrypts. Symmetric encryption is faster and does not require an Internet connection, which makes it the preferred method for ransomware when it encrypts a victim's files. The problem for the attacker is that the symmetric key must never be exposed to the victim, because discovery of the key would render the ransomware ineffective: with the symmetric key in hand, a victim could decrypt their files and avoid paying.
The symmetric key is often embedded in the ransomware itself, and that is what the WannaCry authors did. In WannaCry, the attacker-controlled server's public key was used to encrypt the malware's executable files, so the embedded symmetric key was protected from discovery. Public/private key pairs were generated on the fly, so only the attacker-controlled server could decrypt the executable and, in turn, a targeted victim's files.
Although WannaCry's key-protection strategy worked well at the time, cybersecurity researchers were able to identify the prime numbers used to generate the public/private key pair, and some targeted victims recovered their files without paying the ransom.
Evolution of Ransomware and Malware Author Strategies
WannaCry was a sophisticated attack in its day, but eventually, its strategies were bypassed. This led to malware authors changing the way they created ransomware, and current malware takes additional steps to guarantee payment from targeted victims. Cybersecurity researchers might soon bypass these newer strategies, and then malware authors will eventually find new ways to avoid detection and bypasses.
The first new strategy involves blackmail. Before the ransomware encrypts data, it sends a portion of the targeted victim's data to an attacker-controlled server, usually hidden behind the Tor network to avoid identification. This strategy is especially effective against organizations that hold sensitive consumer data. With that data in hand, the attacker threatens to publicly expose the organization's private data and ruin its reputation. The aim is to blackmail the targeted victim into paying the ransom even when the data can be recovered from backups.
Blackmail was used against a company named Quanta Computer, which is a major vendor for Apple, Inc. Attackers were able to steal Apple's intellectual property stored on Quanta Computer servers. The attackers then demanded $50 million from Quanta Computer, or they would disclose Apple's intellectual property to the public.
Intermittent encryption is another strategy found in newer ransomware, and it was incorporated into a ransomware family named LockFile. With intermittent encryption, the ransomware encrypts every 16 bytes of a file, and the output is stored in a separate file on disk. LockFile does not require an Internet connection, and it needs little interaction with the disk or with an attacker-controlled server, which makes it harder to detect. The purpose of intermittent encryption is to make the malware stealthier and better able to avoid detection by analysis tools.
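The script below is an added illustration, not code from the original article or from any real detection product. It shows why intermittent encryption defeats a whole-file entropy check and how a defender can still flag it by comparing alternating 16-byte stripes. It assumes the pattern of one block encrypted and the next left untouched, and all sample data is constructed.

```python
import math
import random
from collections import Counter

BLOCK = 16  # block size the article gives for LockFile-style intermittent encryption


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stripe_entropies(data: bytes, block: int = BLOCK) -> tuple[float, float]:
    """Split the file into alternating block-sized stripes and measure each one.
    Assumption: every other block is encrypted, so one stripe is ciphertext and
    the other is untouched plaintext."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return shannon_entropy(b"".join(blocks[0::2])), shannon_entropy(b"".join(blocks[1::2]))


def analyze(data: bytes, high: float = 7.5, gap: float = 2.0) -> dict:
    """Whole-file entropy alone misses intermittent encryption, because half of the
    bytes are still plaintext and drag the average down; the stripe gap exposes it."""
    whole = shannon_entropy(data)
    even, odd = stripe_entropies(data)
    if whole >= high:
        label = "fully-encrypted"
    elif max(even, odd) >= high and abs(even - odd) >= gap:
        label = "intermittently-encrypted"
    else:
        label = "plain"
    return {"whole": whole, "even": even, "odd": odd, "label": label}


# Constructed sample document (not taken from any real incident).
PLAINTEXT = (b"Quarterly results: revenue up 12%, costs flat. " * 100)[:4096]


def simulate_intermittent(data: bytes, block: int = BLOCK, seed: int = 1) -> bytes:
    """Test fixture: overwrite every other block with random bytes to stand in for
    ciphertext, so the detector can be exercised without any real encryption."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(block, len(data), 2 * block):
        out[i:i + block] = rng.randbytes(block)
    return bytes(out)


if __name__ == "__main__":
    for name, sample in (("plain", PLAINTEXT), ("intermittent", simulate_intermittent(PLAINTEXT))):
        print(name, analyze(sample))
```

The thresholds are illustrative; a production detector would calibrate them per file type, since compressed formats such as ZIP or JPEG already sit near 8 bits per byte.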
Backups Are Also Vulnerable but Still Necessary
While it is not the newest strategy, searching for and encrypting backups is still an effective tactic for malware authors. Any backup file stored on the network and reachable by the targeted user is vulnerable to ransomware. Ransomware authors program their malware to seek out backup files specifically and encrypt them. When this succeeds, the targeted victim cannot recover from the attack.
Cloud backups are one way to keep backup files out of the ransomware's reach. Administrators should keep several copies of backups, with at least one copy offsite. Cloud backups cover the offsite requirement and are a good defense against ransomware that scans the local network for files.
All backups should be verified for integrity. It's not uncommon for administrators to find that their backup files are corrupted, rendering them unusable. Most enterprise backup software will perform a checksum on files to ensure that the files are not corrupted, but administrators should periodically check backup files for any integrity issues and corruption.
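As an added example (not code from the original article or from any backup product), the following Python script implements the periodic integrity check described above: it records a SHA-256 manifest of a backup set and later reports files that are corrupted, missing, or unexpected. The backup set in `demo()` is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup archives are not loaded into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup set on disk against a manifest stored somewhere the backup
    host cannot modify. 'corrupted' covers bit-rot as well as files overwritten by
    ransomware; 'missing' catches deleted backups before a restore is needed."""
    result: dict[str, list[str]] = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    result["unexpected"] = sorted(on_disk - manifest.keys())
    return result


def demo() -> dict[str, list[str]]:
    """Constructed backup set: three files, then one is damaged, one deleted, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (root / "config.yaml").write_text("retention_days: 30\n")
        (root / "notes.txt").write_text("monthly full backup\n")
        manifest = build_manifest(root)                 # keep this copy off the backup host
        (root / "notes.txt").write_bytes(b"\x00" * 20)  # simulate corruption or overwrite
        (root / "config.yaml").unlink()                 # simulate a deleted backup file
        (root / "db" / "stray.tmp").write_text("x")     # file nobody put in the backup set
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```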
Conclusion
A ransomware attack can cripple a business. For individuals, a loss of sensitive data can be devastating. No cybersecurity software or tools will guarantee that you will never be a victim, but you can take the necessary steps to reduce risk and protect your files. Always have backups in case of a successful attack, but keep them safe and do not allow them to be available to all users.
As cybersecurity researchers continue to crack ransomware and work out how to detect and stop attacks, ransomware authors will keep evolving and changing their coding strategies. This evolution is constant in cybersecurity, and defensive strategies will always need fine-tuning to keep up with the challenges malware authors pose.
Understanding the way ransomware works helps with protection, especially if you're an administrator responsible for maintaining and protecting corporate networks and endpoints. You can also better understand the ways malware authors attack network devices and files and find better cybersecurity tools to stop them.
* * * Stay Safe and Secure Online * * *