Ransomware Exposed
Peter Elliot
SME Cyber Security Advice | Cyber Essentials certification | Cyber Awareness Training | Webinars |
How does it work? Would you pay the ransom?
I must confess to being a bit of a nerd when it comes to cyber security. I spent half my career deep in the weeds of machine code, input-output protocols and the like before moving on to manage people, which is ultimately more challenging! But I remain technically curious about how things work, and I try to understand exactly how breaches occur so that I can best understand how to protect against them. To this end I find myself reading and listening to the technical experts, enjoying the fact that I still understand their language.
There is no shortage of case studies. Over the past weeks the Colonial Pipeline attack in the USA caused quite a stir in the murky world of ransomware professionals (or criminals). A ransom of roughly $5m in Bitcoin was paid to get the gasoline flowing again because, as the East Coast ran dry, the company did not have time to carry out the forensics needed to understand both the extent of the breach and how to recover its data. The gangsters also did their best to crank up the urgency with threats to increase the demand if contact was not made to start negotiations. You can imagine the pressure on the company's leaders in that situation. As it turned out, US law enforcement recovered the majority of the ransom paid. They did this not by altering the Bitcoin ledger, which is as immutable as advertised, but by obtaining the private key to the wallet the coins had been moved to: a public ledger makes payments traceable rather than anonymous. Make of that what you will.
More recently Ireland's national health service, the HSE, was hit by ransomware. It publicly stated that it would not pay and faced an uphill battle to restore its systems. In the meantime patients suffered delays to treatment, with the added threat of exposure of their personal information. Recovery eventually proceeded using a decryption key that was handed over; whether anything changed hands for it, who knows?
What is ransomware?
Essentially it is a program that crawls through your IT system and encrypts your data files using the same cryptography that protects legitimate data. Cryptography is in use, unseen, everywhere to protect our data from snooping and theft; like all useful technology it can be turned to malicious purposes, and the ransomware criminals have capitalised on the opportunity. An encrypted file cannot be read by anyone who does not hold the key that encrypted it. Ransomware typically uses two kinds of key together: each file is scrambled with a fast symmetric key generated on the victim's machine, and that symmetric key is then itself encrypted with the criminals' public key before the plain copy is discarded. The matching private key never leaves the criminals, so nothing left on the victim's machine, not even a copy of the program, can unscramble the files. The private key, or a decryptor built around it, is released only once the ransom is paid, and the whole process of unlocking files upon payment is now automated through RaaS (see below).
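To make the two-key arrangement concrete, here is an added example (my own illustration, not code from any ransomware family or from this page) of the hybrid scheme described above, written in Go with only the standard library. It encrypts an in-memory document with a fresh AES-256-GCM key, wraps that key with an RSA-OAEP public key, and then shows that the document comes back only with the matching private key. The document text, the key sizes and the function names are all assumptions chosen for the example; it touches no files on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Locked is all that remains of a file after the "ransomware" has run:
// the content encrypted under a random per-file AES key, and that key
// wrapped with the criminals' RSA public key. Nothing here can be
// opened without the private key, which never touches the victim.
type Locked struct {
	WrappedKey []byte // the AES key, encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // the file content, encrypted with AES-256-GCM
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lock mimics what is done to each file: fresh symmetric key, authenticated
// encryption of the content, then wrap the key with the public key and wipe
// the plain copy so the victim's machine no longer holds it.
func lock(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the only surviving copy is now inside wrapped
		key[i] = 0
	}
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlock is the "decryptor" sold back to the victim: without the matching
// private key the very first step, unwrapping the file key, fails.
func unlock(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// roundTrip plays both sides: the criminals generate a key pair, only the
// public half is shipped inside the malware, and the private half is what
// the ransom buys. It returns the recovered document.
func roundTrip(doc []byte) ([]byte, error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	locked, err := lock(&attacker.PublicKey, doc)
	if err != nil {
		return nil, err
	}
	return unlock(attacker, locked)
}

// wrongKey shows why the victim cannot help themselves: a file locked with
// one public key cannot be opened with any other private key.
func wrongKey(doc []byte) error {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	locked, err := lock(&attacker.PublicKey, doc)
	if err != nil {
		return err
	}
	_, err = unlock(someoneElse, locked)
	return err // non-nil: "decryption error"
}

func main() {
	doc := []byte("Q3 forecast - CONFIDENTIAL") // constructed sample document
	got, err := roundTrip(doc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("recovered with the right key: %q\n", got)
	fmt.Printf("with a different private key: %v\n", wrongKey(doc))
}
```

The point to take from it is the asymmetry: the machine doing the encrypting only ever needs the public key, so there is nothing on the victim's side for a forensic team to find, and brute-forcing a 2048-bit RSA key or a 256-bit AES key is not an option. Recovery without the criminals' key comes down to backups, or to an implementation mistake in the malware (a reused key, a leaked key) that a decryptor can exploit.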
To give some idea of scale: in the US alone during 2020 there were 2,400 recorded attacks, with over $350m paid in ransoms, an increase of 171% over 2019. 2021 is bound to be significantly higher.
Consequences of a ransomware attack
Not only is your data held to ransom; the threat of publishing it is issued too unless the ransom is paid. Before anything is encrypted, the data is first copied away to the gangsters' servers (this copying is the exfiltration), and the combined encrypt-and-threaten-to-publish approach is known as double extortion. It exploits current data protection law, which further punishes companies that suffer a data breach. Interestingly, in the HSE case the Irish High Court granted an injunction restraining anyone from sharing or publishing the stolen data; it does not bind the criminals, but it does stop media and others within the court's reach from amplifying the leak. It is worth noting at this point that 'publication' means making the data available on the 'dark web', more of which later.
A further consequence of data protection law is that organisations are required to notify the regulator, and in serious cases the affected individuals, when a breach has occurred, which leads to adverse publicity and reputational loss as well as regulatory investigation.
Ransomware as-a-service
Criminals are currently using a combination of technologies called Ransomware as a Service (or RaaS for short). Such services go by names including DarkSide, Babuk and REvil. The idea of RaaS is that it makes the highly technical file discovery and cryptography programs available for anyone to deploy with very little technical knowledge. Such people are known in the business as 'script kiddies', referring to the ability to press buttons and run pre-written programs or scripts, which could be taught to any child. Gangsters therefore no longer need any technical know-how to run a ransomware extortion racket. RaaS organisations bundle up everything required to operate the deployment, including payment services using Bitcoin wallets (traceable on the public ledger, but hard to tie to a person) and negotiation and messaging services with victims, some even with call centres. The whole thing is run from a control panel similar to that seen in many of today's online applications.
RaaS organisations advertise their services on the dark web to ‘affiliates’ who may sign-up to use their deployment services, the RaaS organisation taking its cut (maybe 25%) of the ransoms paid and sending the balance to the affiliate. The affiliates’ role is to identify and gain access to a victim’s IT systems by either buying credentials on the dark web, deploying phishing emails, exploiting vulnerabilities in applications or any of the countless well-publicised methods to hack into systems. Having established a covert foothold in the victim’s IT system, they are ready to deploy the ransomware and this is where the RaaS services kick in. Often, criminals maintain their covert access for long periods (months) while they plan their deployment.
Dark Web
Simply, the dark web consists of websites that cannot be reached with familiar browsers such as Chrome, Safari, Firefox and Edge. They live on the Tor network (Tor is short for The Onion Router) and are normally visited with the Tor Browser. Tor itself is a legitimate privacy tool, but the dark-web forums and marketplaces are an online den of thieves, used by people who have something to hide, usually criminality. They are not a safe place: sites tend to be infested with malware, and I would not recommend using the Tor Browser unless you know what you are doing and are working from an isolated network with a workstation reserved for the purpose. Many cyber security companies monitor the dark web on behalf of their clients, looking for stolen credentials and data before they are used against them. It is a bit like having an informant inside a criminal gang.
The Colonial Pipeline incident
Ripples in the underworld caused by the high profile of this attack have spread through the ransomware community. It has caused a lot of unwanted attention from US law enforcement, to the extent that a couple of dark-web forums where hackers meet and discuss malware have banned ransomware discussions. They had been targeted by DDoS attacks (flooding a website with requests so that ordinary users can't reach it) and didn't like the extra attention they were getting. DarkSide, the platform used for the attack, also stated it was tightening up its vetting of affiliates and potential targets, claiming a singular interest in monetary gain and no interest in geo-politics or in targeting organisations whose disruption would affect people's health and welfare. Witness the rise of the 'ethical criminal'; again, make of that what you will.
There is big money to be made
The RaaS platforms have made it relatively easy to extort significant amounts of money from innocent organisations. While illegal this nevertheless attracts many individuals and gangs interested in significant returns. Every time a ransom is paid, it funds further criminal activity. A recent taskforce made up of global law enforcement institutions has been assembled which is considering a range of measures and has even gone as far as suggesting Bitcoin could be made illegal.
The role of Cyber Insurance
Some cyber insurance policies will cover a ransom payment. This presents something of an ethical dilemma. Whilst a business can buy peace of mind in the knowledge that, if hit by ransomware, the quickest way forward is to pay a ransom covered by an insurance claim, the money will inevitably go directly to fund further crime. It could be argued that this is no different from insuring against theft or other crimes, but I think it is on a different level: global in nature, and the sums involved are much higher. Surely it would be better to spend your money on better protection rather than insurance premiums, particularly for SMEs. It is also worth noting that the cost of cyber insurance is rising rapidly because of the increasing frequency and size of ransomware demands, and insurers are starting to insist on controls such as multi-factor authentication and offline backups before they will write cover at all.
Protection against ransomware
A concept that has come to the fore in the cyber security world is 'Zero Trust'. It starts from the assumption that breaches will happen, so no user, device or network location is trusted by default: every request is verified, each account gets only the access it needs, and there are layers of security behind the front door to contain an intruder who gets through it. It can be compared to the physical security of, say, a bank, where thieves who get through the locked front door are faced with further barriers such as alarms and vaults with time locks. In my humble opinion this is a very wise approach to protection against ransomware, and I would advocate three main layers of protection.
The First Layer
The most common way for hackers (the potential 'affiliates' referred to above) to breach the first layer of security is to compromise the credentials (user ID and password) of someone who already has access to the target organisation's IT system, ideally an administrator. This could be via a phishing email, social engineering, guessing a weak password (a 'brute force' attack) or trying a password the person re-used from another breach. There are other intrusion methods using the many known vulnerabilities of everyday applications and remote-access services, or weaknesses in networks. Using this access the hacker installs 'Trojan' malware that gives them a remote foothold. Your anti-malware program is the first line of defence against this, but it can only detect the footprints of malware it already knows; the hacker may tamper with it, or the Trojan may simply not be recognised. It may then sit undetected for days or even months and is unlikely to trigger a first-layer alert, because what it does typically looks like a legitimate user going about their daily business. Behind it, the intruder covers their tracks by deleting the logs that record the breach, creates extra accounts for themselves, studies financial information to decide how much ransom to demand, searches for documents about cyber insurance and claim limits, identifies the decision-makers, reviews the backup strategy to learn where data is kept, and much more. They are free to roam inside your system, can deploy further malware, send fraudulent emails or exploit further vulnerabilities. This is where the second layer of protection can be effective.
The Second Layer
Often known as ATP or Advanced Threat Protection (the same idea is sold as EDR, endpoint detection and response), these tools learn the normal patterns of activity for each user and machine and look for deviations. A Trojan will typically connect back to its operator's server, often abroad, and the intruder behind it may browse files across multiple departments, well outside that account's normal activity. ATP software recognises such abnormal behaviour, raises alerts and can block the activity or isolate the machine. Depending on how sophisticated the Trojan is, it can be caught and contained by ATP tools.
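Here is an added example of the "learn normal, flag deviations" idea in Go, written for this article rather than taken from any ATP product. It learns, from constructed telemetry, which department shares each account works in and which hosts it talks to, then scores a later window and raises the three alerts an intruder using stolen credentials tends to trigger: a never-seen remote host, browsing across shares the account never used, and a surge in files touched. The user names, paths, hosts (203.0.113.5 is a reserved documentation address standing in for a command-and-control server), the event format and the thresholds are all assumptions for the example; a real product also weighs time of day, process lineage and many more signals.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one line of endpoint telemetry. The format and the sample data
// in scenario() are constructed for this example, not taken from any product.
type Event struct {
	User   string
	Kind   string // "file" (a file was opened) or "net" (an outbound connection)
	Target string // file path for "file", remote host for "net"
}

// Baseline is what the tool learns from a period of normal work: which
// department shares each account uses, which hosts it talks to, and how
// many files it touches per window.
type Baseline struct {
	Shares, Hosts map[string]map[string]bool
	Files         map[string]int
}

// Thresholds are assumptions chosen for the example.
const (
	newShareLimit = 2 // shares never used before, seen in one window
	volumeFactor  = 3 // files touched above this multiple of the baseline
)

// share reduces "/finance/q3/budget.xlsx" to "finance".
func share(p string) string {
	return strings.SplitN(strings.TrimPrefix(p, "/"), "/", 2)[0]
}

func mark(m map[string]map[string]bool, user, key string) {
	if m[user] == nil {
		m[user] = map[string]bool{}
	}
	m[user][key] = true
}

func sortedKeys(m map[string]bool) []string {
	ks := make([]string, 0, len(m))
	for k := range m {
		ks = append(ks, k)
	}
	sort.Strings(ks)
	return ks
}

func learn(normal []Event) Baseline {
	b := Baseline{map[string]map[string]bool{}, map[string]map[string]bool{}, map[string]int{}}
	for _, e := range normal {
		if e.Kind == "file" {
			mark(b.Shares, e.User, share(e.Target))
			b.Files[e.User]++
		} else {
			mark(b.Hosts, e.User, e.Target)
		}
	}
	return b
}

// detect compares one window of activity with the baseline and returns the
// alerts, in a fixed order per user: unknown hosts, share browsing, volume.
func detect(b Baseline, window []Event) []string {
	newHosts, newShares := map[string]map[string]bool{}, map[string]map[string]bool{}
	files, seen := map[string]int{}, map[string]bool{}
	for _, e := range window {
		seen[e.User] = true
		if e.Kind == "file" {
			files[e.User]++
			if s := share(e.Target); !b.Shares[e.User][s] { // nil map reads as "unknown"
				mark(newShares, e.User, s)
			}
		} else if !b.Hosts[e.User][e.Target] {
			mark(newHosts, e.User, e.Target)
		}
	}
	var alerts []string
	for _, u := range sortedKeys(seen) {
		for _, h := range sortedKeys(newHosts[u]) {
			alerts = append(alerts, fmt.Sprintf("%s: connection to never-seen host %s", u, h))
		}
		if n := len(newShares[u]); n >= newShareLimit {
			alerts = append(alerts, fmt.Sprintf("%s: browsed %d shares outside normal pattern %v", u, n, sortedKeys(newShares[u])))
		}
		if files[u] > volumeFactor*b.Files[u] {
			alerts = append(alerts, fmt.Sprintf("%s: %d files touched, baseline %d", u, files[u], b.Files[u]))
		}
	}
	return alerts
}

// scenario: alice in sales and bob in engineering behave normally, then a
// window in which "alice" (really the intruder holding her credentials)
// beacons out and trawls the shares the article describes.
func scenario() []string {
	normal := []Event{
		{"alice", "file", "/sales/pipeline.xlsx"}, {"alice", "file", "/sales/contacts.csv"},
		{"alice", "net", "mail.corp.example"},
		{"bob", "file", "/eng/build.log"}, {"bob", "file", "/eng/design.md"},
		{"bob", "net", "git.corp.example"},
	}
	window := []Event{
		{"alice", "file", "/sales/pipeline.xlsx"}, {"alice", "net", "mail.corp.example"},
		{"alice", "net", "203.0.113.5"}, // TEST-NET address standing in for the C2 server
		{"alice", "file", "/finance/cyber-insurance-policy.pdf"}, {"alice", "file", "/finance/budget-2021.xlsx"},
		{"alice", "file", "/hr/org-chart.pdf"}, {"alice", "file", "/legal/contracts.docx"},
		{"alice", "file", "/it/backup-schedule.docx"}, {"alice", "file", "/it/dr-plan.docx"},
		{"bob", "file", "/eng/build.log"}, {"bob", "net", "git.corp.example"},
	}
	return detect(learn(normal), window)
}

func main() {
	for _, a := range scenario() {
		fmt.Println("ALERT", a)
	}
}
```

Running it produces three alerts, all for alice, and none for bob, which is the behaviour you want from a second-layer tool: the compromised account is singled out even though every individual action (opening a file, making a connection) is something a legitimate user does every day.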
Back to Zero Trust. Assume that the ATP software has not been able to detect or stop the Trojan, and the worst happens: ransomware is deployed, files are encrypted and ransom notes appear on users' screens.
If your company has an incident response or disaster recovery (DR) plan, it is invoked now. IT systems are rapidly shut down or cut off from the network to stop the malware continuing its trail of destruction. Normal business stops and all focus is on what to do next. This is where the third layer of protection becomes all-important: your backups.
The Third Layer
I used to work for a data storage company and could write volumes (excuse the pun) about backups. They first became necessary to restore files corrupted by system failure and human error, which was frequent in the early days of computing. So backups were traditionally file-based and were not designed for restoring entire systems. What machine are you going to use to access your backups if every machine has been compromised? How long will it take to restore your entire system file by file? What about the applications you need? So, to cut a very long story short, these are the attributes you need to look for in your backup application to protect against ransomware:
1. The backup data store needs to be logically and physically separate from your IT system, and the credentials used for day-to-day work must not be able to delete or overwrite it. An always-connected cloud drive or mapped network share will be found by the ransomware as just another part of your file store, and your backup files will be encrypted too.
2. Agent-based backups, where an agent wakes up at designated times, pushes a backup to a separate cloud or server-based store that the workstation cannot otherwise write to, then disconnects, are likely to keep your files safer. Better still is a store whose copies are immutable or append-only for a retention period, so that even an administrator's stolen credentials cannot erase them.
3. Look for file versioning support, where previous versions of files are kept. This helps when newly encrypted files are copied to the backup: the previous unencrypted versions will still be accessible.
4. System-based backups, where a virtual machine (VM) image can be spun up on a new cloud or on-premise server, make your backed-up systems and data immediately accessible rather than waiting for a file-by-file restore.
5. Ransomware detection. These backup applications detect attempts to change large numbers of files at once (for example, readable documents suddenly arriving as incompressible, random-looking data), raise an alert and/or block the run. It has been known for this last line of defence to give the first indication of a ransomware attack, because the gangsters often go for the backups first: as soon as a victim notices encryption taking place, systems are shut down, so it pays them to destroy or encrypt the backups before they touch the live data.
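As an added example covering points 3 and 5 above (my own illustration in Go, not the code of any backup product), here is a tiny versioned backup store. Every ingested copy is appended as a new version and nothing is ever overwritten; a version is flagged when a previously readable file arrives as near-random data (measured by Shannon entropy), a run in which enough files are flagged is reported as an attack, and restore returns the newest version that was not flagged. The file names, the invoice text, the random bytes standing in for ciphertext and the three thresholds are assumptions chosen for the example. One caveat a practitioner should keep in mind: genuinely compressed or encrypted files (zip archives, office documents, encrypted databases) are high-entropy by nature, which is why real products combine this signal with others such as renamed extensions, dropped ransom notes and the rate of change.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"sort"
)

// Version is one retained copy of a file. Versions are only ever appended,
// never overwritten, which is what makes rolling back possible.
type Version struct {
	Data    []byte
	Entropy float64 // Shannon entropy in bits per byte, 0..8
	Flagged bool    // looks like ciphertext replacing a readable file
}

type Store struct {
	versions map[string][]Version
}

func NewStore() *Store { return &Store{versions: map[string][]Version{}} }

// Thresholds are assumptions for the example.
const (
	readableMax   = 6.0 // text-like documents and logs sit well below this
	ciphertextMin = 7.0 // uniformly random bytes approach 8.0
	batchAlertAt  = 3   // flagged files in one run before it is reported as an attack
)

// entropy is the classic Shannon estimate over byte frequencies.
func entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Ingest accepts one backup run. A file whose previous version was readable
// and whose new version is near-random is flagged; if enough files in the
// run are flagged, the run is kept (never discarded) but reported.
func (s *Store) Ingest(batch map[string][]byte) (flagged int, alert bool) {
	paths := make([]string, 0, len(batch))
	for p := range batch {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		v := Version{Data: batch[p], Entropy: entropy(batch[p])}
		if prev := s.versions[p]; len(prev) > 0 {
			last := prev[len(prev)-1]
			if last.Entropy < readableMax && v.Entropy > ciphertextMin {
				v.Flagged = true
				flagged++
			}
		}
		s.versions[p] = append(s.versions[p], v)
	}
	return flagged, flagged >= batchAlertAt
}

// Restore returns the newest version that was not flagged, i.e. the last
// copy taken before the encryption started.
func (s *Store) Restore(path string) ([]byte, bool) {
	vs := s.versions[path]
	for i := len(vs) - 1; i >= 0; i-- {
		if !vs[i].Flagged {
			return vs[i].Data, true
		}
	}
	return nil, false
}

// scenario: a normal run of constructed invoice documents, then a run in
// which the same paths arrive as random bytes standing in for ciphertext.
func scenario() (flagged int, alert bool, restored []byte, ok bool) {
	s := NewStore()
	good := map[string][]byte{}
	for i := 1; i <= 5; i++ {
		p := fmt.Sprintf("/finance/invoice-%d.txt", i)
		good[p] = []byte(fmt.Sprintf("Invoice %d\nCustomer: Example Ltd\nAmount due: 1,250.00\nTerms: 30 days\n", i))
	}
	s.Ingest(good)

	r := rand.New(rand.NewSource(42)) // deterministic stand-in for encrypted content
	bad := map[string][]byte{}
	for p := range good {
		buf := make([]byte, 4096)
		for i := range buf {
			buf[i] = byte(r.Intn(256))
		}
		bad[p] = buf
	}
	flagged, alert = s.Ingest(bad)
	restored, ok = s.Restore("/finance/invoice-3.txt")
	return
}

func main() {
	flagged, alert, restored, ok := scenario()
	fmt.Printf("flagged=%d alert=%v restored=%v\n%s", flagged, alert, ok, restored)
}
```

In the scenario all five files are flagged, the second run is reported, and the restore of invoice-3 returns the clean text from the first run. Note what makes the rollback possible: the store appends rather than replaces, so the encrypted copies can land in the backup without destroying anything, which is exactly the property points 1 and 2 above are asking for.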
Summary
It has been estimated that more than 2,200 successful ransomware attacks have taken place over the last two years, and the numbers continue to increase.
Larger organisations should have all the above layers of defence in place (clearly not all do, as witnessed by the daily reports of successful attacks). To be fair, the volume and complexity of their IT operations make the security task correspondingly complex, which is why they have a dedicated security team in place to manage these multiple defences.
Smaller organisations are also targeted and will need more than one layer of defence, ideally all three which will provide much greater protection against business disruption. It can cost less than you think. The cyber security industry is vast and there are a huge number of tools to choose from. How do you go about selecting the right ones?
I am used to working with SMEs; I know many of the tools on the market and can make the selections for you. Why not chat to me today for a free, no-obligation review of your cyber security protection?
#ransomware #cybersecurity #SME #cyberessentials #hacked