RANSOMWARE – LEARN WHAT THIS EXTREMELY DANGEROUS ATTACK IS

Generally speaking, Ransomware is a type of malicious software (malware) that, once activated, encrypts some or all of the files on the victim's computer and demands a ransom for their decryption. It is an increasingly common and extremely dangerous attack, as evidenced by the emergence of RaaS, or Ransomware as a Service, offerings.

Ransomware – the beginning, or how did it all start?

The history of Ransomware dates back to 1989, when Joseph Popp wrote a program known as "PC Cyborg" or the "AIDS" Trojan. It hid directories and encrypted the names of files on the C: drive. PC Cyborg activated only after the 90th system startup and then demanded a payment of $189 for a "license renewal" to PC Cyborg Corporation, which in return was to supply a program that removed the malicious code. Joseph Popp was declared mentally unfit to stand trial, which allowed him to avoid a conviction; he declared that all profits from his program would be donated to research on a cure for AIDS.

In 1996, Adam L. Young and Moti Yung showed how public key cryptography (read about cryptography and public key infrastructure here) could be used in Ransomware attacks. They pointed out that the PC Cyborg Trojan was ineffective because it used a symmetric algorithm: the decryption key could be recovered from the Trojan's own code. They then designed and implemented an experimental cryptovirus that used RSA and TEA for hybrid encryption. It encrypted the victim's files with a symmetric key, encrypted that key with the attacker's public key and presented the resulting asymmetric ciphertext to the victim, who sent it to the attacker; after payment the attacker decrypted it with the private key and handed back the symmetric decryption key. Because the private key never leaves the attacker, nothing on the infected machine is sufficient to recover the data, which is exactly the flaw they had identified in PC Cyborg.

The next breakthrough came in 2004 with the Gpcode family, which used RSA to encrypt data. Trojans such as TROJ.RANSOM.A, Archiveus, Krotten, Cryzip and MayArchive followed, using RSA with ever longer keys and demanding ever higher ransoms for decrypting the data. Gpcode.AG, detected in June 2006, fit this trend: it encrypted files with a 660-bit RSA public key. In June 2008 a new variant, Gpcode.AK, was found using a 1024-bit RSA key, long enough that factoring it was out of reach for the anti-virus vendors of the day.

The next milestone was the end of 2013, when the CryptoLocker Trojan began to spread on a massive scale and collected ransoms in Bitcoin. In December 2013, ZDNet[.]com analyzed Bitcoin transactions made between October 15 and December 18, 2013 and estimated that CryptoLocker's operators had received about $27 million in ransoms. In the following months CryptoLocker served as a model for further malware: CryptoLocker 2.0 (despite the name, not directly related to the original), CryptoDefense (whose first versions contained a coding error: because they used the built-in Windows cryptographic interfaces, the private key was left in a user-accessible location on the victim's computer) and a Trojan detected in August 2014 that targeted Synology NAS (network-attached storage) devices.

Since 2015 Ransomware has developed further: it began to infect Linux systems and servers, and some strains started to reach their command-and-control servers through Tor hidden services, which makes tracing the criminals' location difficult.

What is Ransomware nowadays?

The above introduction may give the impression that the basics of a Ransomware attack are now clear, but is that really so? To answer, it is worth looking at the current definition of encrypting malware. The name itself combines two English words: ransom and software. This type of malware infects and blocks a computer system by encrypting selected files, both on local drives and on network shares. Its characteristic feature is a window or file displayed on the infected computer with instructions for decrypting the files and unlocking the system, stating that access to the data will be restored after paying the attacker a specified amount, usually in a specified cryptocurrency. In practice, attackers today not only encrypt data but also steal it first, so that they can additionally blackmail the victim with the threat of publishing the stolen data if the ransom is not paid.

Importantly, when the ciphers used by the malware are implemented correctly, the data cannot be decrypted without the decryption key, leaving the victim at the mercy of the attackers. Occasionally an error in the malware code, or the publication of the relevant keys, makes decryption possible, but such situations are rare.

Ransomware attacks most often occur through:

  • known vulnerabilities in publicly exposed services such as VPN gateways, RDP or mail servers; time is of the essence here, as such vulnerabilities are typically exploited within hours or days of being made public,
  • inadequately secured (e.g. weak password) remote access channels to the infrastructure and exposed services such as RDP, VNC, FTP or databases,
  • social engineering and phishing, most often emails encouraging the recipient to download and run an attached file or to open a link.

Types of Ransomware

There are generally three types of Ransomware, which differ in the severity of the threat:

  1. scareware, or intimidating software, which poses as security software or technical support and displays messages, e.g. pop-up windows claiming that the computer is infected with malware whose removal requires a fee; if these are ignored, its main effect is a constant stream of tiresome and annoying messages,
  2. screen lockers, which completely prevent use of the computer: a full-screen message impersonating the Police or another state authority claims that illegal activity was detected on the computer and that it will be unblocked after paying a certain amount, of course to the cybercriminals,
  3. crypto-ransomware, which encrypts (and today usually also steals) files and demands a ransom for their decryption and return; since this type of Ransomware is the most serious, the rest of the article is devoted to it.

How Does Encryption Ransomware Work?

After infecting the computer, i.e. once it is loaded and running on it, such a program scans local and network data stores (disks, shares, databases) for files to encrypt, usually those important to the company or individual, depending on the aim of the attack. Note that ransomware also encrypts backup files if they are reachable from the infected device, so that the victim cannot recover the data and thus avoid paying the ransom. As a rule, the ransomware searches the victim's computer and every network resource the infected computer can reach for:

  • Microsoft Office files such as .xlsx, .docx, .pptx and their older versions .doc, .xls, .ppt,
  • images saved as .jpg, .jpeg, .png, .gif,
  • technical drawings, usually saved as .dwg,
  • database dumps (.sql) and Adobe Illustrator files (.ai),
  • video and audio files such as .mp4, .m4a, .avi.

Most often, however, the code of such encryption programs is written to look for Microsoft Office files first, because in the vast majority of cases important business documents are stored in one of that suite's formats.

It should be emphasized that a Ransomware program can start immediately after infection, or it can lie dormant for a specified time or a specified number of system startups (as PC Cyborg did). This depends on the creator of the malware and the purpose of the attack.

It is worth noting here that, to make decryption without paying impossible, newer Ransomware programs combine symmetric and asymmetric encryption (the so-called hybrid approach) in a chain of keys. A symmetric key (one per file, or one per victim) encrypts the files themselves, because symmetric ciphers are fast. A key pair is then generated on the victim's machine; its public key encrypts the symmetric file keys. The private half of that pair is in turn encrypted with the public key of a pair held on a server controlled by the attackers (that public key is embedded in the malware), the resulting ciphertext is sent to the attackers or left on disk for the victim to send, and the plaintext client private key is destroyed. Only the attackers' private key, which never leaves their server, can decrypt the client private key. After the ransom is paid, the decrypted client private key is handed to the victim and used to reverse the chain: it unwraps the file keys, which decrypt the files.

Are mobile devices vulnerable to Ransomware attacks?

Unfortunately, the answer is yes, and such attacks were used on a large scale as early as 2014, riding the wave of CryptoLocker and related malware families. Ransomware aimed at mobile devices, e.g. phones and smartphones, typically locks the device and displays a message that it has been blocked because of the user's illegal activity and will be unblocked only after paying a fee, i.e. the same model as the screen locker described above. A mobile device is usually infected by installing a malicious application, often from an untrusted source. Fortunately, such a locker can usually be removed by booting the device in safe mode, which prevents third-party applications from starting, and then uninstalling the malicious application, which restores access to the device.

What should you do if you become infected?

Of course, the first idea may be to pay the cybercriminals. However, apart from possible legal consequences, there is no guarantee that after paying we will receive a working decryption key, or that the stolen data will not be published anyway.

Therefore, once an infection occurs, the following steps should be taken:

  1. First, isolate the infected machine by disconnecting it from both wired and wireless networks; turn it off only if it cannot be disconnected. RAM may contain information needed for incident analysis and for later decryption of the data (e.g. key material), and it is lost irretrievably once the machine is powered off. For this reason it is better to put the computer into hibernation, which writes the memory contents to disk, and to make a copy (ideally a full disk image) of the encrypted files, so that they can be recovered once a decryptor, i.e. software capable of decrypting the data, becomes available.
  2. Next, identify the source of the infection and eliminate it. Analyzing logs for unusual activity or network connections helps here. If the source is not eliminated, the attack will simply be repeated.
  3. Then determine the malware family, usually from the ransom note and sample encrypted files, supported by other available data: the email addresses in the note, the extension added to the encrypted files and the cryptocurrency (e.g. Bitcoin) wallet addresses. This roughly identifies the Ransomware family and matters because, if a decryptor exists for it, recovery of the files can be attempted. Two web tools help here: nomoreransom[.]org and the ID Ransomware service at malwarehunterteam[.]com.
  4. Once the malware has been identified, restore the systems, starting with those supporting the most critical activities, using clean, preconfigured system images.
  5. The last step (note: applies to Poland) is equally important: report the incident to the CSIRT NASK team via incydent.cert[.]pl or by email to cert@cert[.]pl. CSIRT NASK recommends attaching at least two encrypted files and the ransom note, and where possible also a sample of the malware, logs from the infected computer and from the security systems covering the time of infection, and the original encrypted files if they have been preserved.

Can you protect yourself against a Ransomware attack?

Of course, the risk of a Ransomware attack can be reduced substantially and its effects contained, provided the rules presented below are followed.

Appropriate backup procedures should be established and reviewed regularly, in particular based on the 3-2-1 rule, i.e.:

  • at least 3 copies of the data are kept,
  • at least 2 of them are stored on different media,
  • at least 1 copy is offline or otherwise isolated (e.g. immutable storage), so that it cannot be encrypted or deleted in a Ransomware attack.

It is equally important to regularly test restoring data from backups, so that the company does not discover at the critical moment, such as a Ransomware attack, that the backups cannot be restored.

Of course, it is extremely important to keep your software up to date, as new versions contain security patches that fix security holes found in previous versions. This recommendation applies to system updates, as well as web services and applications such as browsers, office programs or email.

Another very important principle is network segmentation: logical separation using VLANs (Virtual Local Area Networks) and, where justified, physical separation, with firewall rules controlling traffic between the segments. Segments can follow organizational units (offices, departments, teams), which limits the effects of an infection to one subnet instead of the whole network. Because of the importance of the subject, I will devote at least one future article to network security, its segmentation and the associated principles.

It is also important to review the services exposed to the Internet and the versions of the software behind them, since infections with encrypting malware currently most often start with unsecured or vulnerable services reachable from the Internet. Regular audits of network services show whether exposing a given service is justified at all and allow ongoing control of software versions and security patches. This should be accompanied by a password policy requiring suitably strong passwords, two-factor authentication (2FA) wherever possible, a documented change management process, and a proper process of monitoring and managing vulnerabilities.

The fifth principle is to secure the working environment and eliminate potential sources of infection at both the human and the technical level. Properly training employees to spot phishing and social engineering is essential: they should know how to check whether a message really comes from the trusted sender it claims to, pay attention to the extensions of attached files and verify links before clicking them. On the administrative side, it is important to enforce a policy for electronic communication, for example verifying the sender of messages (SPF, DKIM and DMARC), using anti-spam filters and filtering messages by the extensions of their attachments. In addition, security policies should block code execution in potentially malicious documents, e.g. macros in Microsoft Office documents.

Hardening of systems and workstations, in particular through:

  • using anti-virus (or EDR) software that is regularly updated,
  • introducing appropriately configured ACLs (Access Control Lists) to apply the principle of least privilege: each employee gets the least access to network and system resources that still lets them do their job properly, e.g. a secretary needs access to the correspondence system but not to the personal files of other employees; likewise, if a user does not need to write to a given directory, they should be granted read-only rights, which limits the damage if their account is compromised (a ransomware process can only encrypt what the account that launched it can write to),
  • introducing SRP (Software Restriction Policies), AppLocker or WDAC rules that define the locations from which:
    - software may be run, e.g. the Windows\System and System32 folders, or the Program Files and Program Files (x86) folders,
    - running software is forbidden (these are the locations where attackers most often place malware), e.g. temporary folders, the AppData and LocalAppData folders, and the ProgramData and user profile folders;
    one caveat: some of the allowed folders contain user-writable subdirectories (e.g. C:\Windows\Temp or C:\Windows\Tasks), which must be excluded from the allow rules, otherwise the policy can be bypassed,
  • thorough testing of the rules (AppLocker and WDAC offer an audit-only mode) and their adaptation to the organization's requirements before enforcing them in production,
  • restricting the ability to run PowerShell scripts, e.g. through AppLocker or Constrained Language Mode, and logging PowerShell activity, as PowerShell is increasingly used in Ransomware attacks.

We should also not forget about the principle of active and ongoing monitoring of network events, thanks to which it will be possible to quickly detect an attack and effectively block it. Conducting constant monitoring of network events significantly improves post-intrusion analysis in the event of a successful Ransomware attack.

However, to properly monitor your network you should:

  • configure devices to send logs to a central log server and include those logs in backups; logs on the central server should be kept for at least 14 days, and preferably much longer, since attackers often spend weeks inside a network before they start encrypting,
  • use an IDS (Intrusion Detection System) to inspect network traffic and a SIEM or similar system to continuously analyze the logs collected from individual devices,
  • on Windows systems, enable and correctly configure audit logging, the Sysmon service (which supplements audit logging with details such as process creation and network connections) and Windows Event Forwarding (WEF), which sends selected logs to a Windows Event Collector (WEC) server,
  • on Linux systems, enable and properly configure syslog (e.g. rsyslog) and forward the logs to the central server.

RaaS, or Ransomware as a Service

The world is changing faster and faster, and cybercriminals adapt their offer to the changing demands of the criminal market. Writing an encryptor, constantly improving it so that no decryptor can break it, distributing it and handling the ransom payments is costly, and not every criminal group has the skills to do all of it. This is the background of Ransomware as a Service, abbreviated RaaS: the authors of the malware make it available to affiliates who carry out the attacks, in exchange for a fee or a share of the ransom. The model existed earlier, but it was popularized by GandCrab, an advanced file-encrypting Trojan offered as RaaS from January 2018 until mid-2019, when its operators announced their retirement (reportedly also offering its source code for sale). Today the service simply consists of selling or renting Ransomware (usually by its creator) to anyone interested; customers range from individuals through criminal groups to states. RaaS offers can be found on the Darknet, transactions are settled in cryptocurrencies, prices start from a few dozen dollars, and the upper limit depends on the selected package and the scope of the service.

Almost the End of Ransomware, or Sodinokibi in action

When GandCrab's operators announced their retirement in mid-2019, much of the cybersecurity community saw little threat in what came next. It was widely believed that the era of encryption for ransom was ending: the most widespread ransomware was no longer being developed, and companies had become more resistant, making delivery and infection increasingly difficult. Just when the threat seemed to have been averted, GandCrab's successor, Sodinokibi (also known as REvil), appeared; it is assumed that GandCrab's code was its basis, as the two share a great deal of code. Sodinokibi gave rise to a new malware family and a new attack model, and its development led to one of the most high-profile Ransomware attacks. On December 31, 2019 its operators attacked Travelex, one of the world's largest currency exchange companies. They first stole 5 GB of data and then began encrypting the systems. Initially they demanded $3 million for decryption, but quickly raised the demand to $6 million. This gave rise to a new pricing model: a quick payment buys decryption at a lower price, and every delay raises it. Moreover, and this too was new, the criminals also demanded a ransom for not publishing the stolen data, which included sensitive customer data along with credit card numbers and transaction details. The attack succeeded because Travelex was running an outdated, vulnerable version of the Pulse Secure VPN server software.

The critical vulnerability they exploited, CVE-2019-11510 (read about what CVE is in this article), has a CVSS (Common Vulnerability Scoring System) score of 10.0. It was patched by the vendor in April 2019 and public exploit details followed in August 2019, yet Travelex had still not applied the patch by the end of the year. The bug allowed an unauthenticated remote attacker to read arbitrary files from a Pulse Connect Secure appliance, including cached usernames and passwords in plain text. With these credentials the attackers entered Travelex's internal network. Sodinokibi itself is also known for exploiting a deserialization vulnerability in Oracle WebLogic (CVE-2019-2725, CVSS 9.8) for initial access in other campaigns, and for carrying an exploit for the Win32k elevation-of-privilege vulnerability in Windows (CVE-2018-8453, CVSS 7.8). In the Travelex network the attackers obtained a domain administrator account, moved between systems using VNC and installed PsExec (a Sysinternals tool for running processes on remote systems without installing a client on them) renamed as java.exe. They then disabled the security software on the endpoints and used PsExec to push Sodinokibi to them. According to press reports, the criminals threatened to publish a sample of the stolen data, and then all of it, if the ransom was not paid.
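To connect the monitoring recommendations above (Sysmon events forwarded through WEF) with the technique used here (PsExec renamed to java.exe), the following is an added example that is not part of the original article: a small Go program that parses a constructed extract of Sysmon Event ID 1 (process creation) records and flags renamed PsExec, the PSEXESVC service on the target host, and renamed executables in general. The hosts, users and paths are invented; the Product and OriginalFileName strings for PsExec are those from its version resource, which you should verify against your own copy before relying on them.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Event holds the Sysmon Event ID 1 (process creation) fields used below; names follow the Sysmon schema.
type Event struct {
	EventID          int    `json:"EventID"`
	UtcTime          string `json:"UtcTime"`
	Computer         string `json:"Computer"`
	Image            string `json:"Image"`
	OriginalFileName string `json:"OriginalFileName"`
	Product          string `json:"Product"`
	CommandLine      string `json:"CommandLine"`
	ParentImage      string `json:"ParentImage"`
	User             string `json:"User"`
}

// Alert is one detection hit: the rule that fired and the event that triggered it.
type Alert struct {
	Rule  string
	Event Event
}

// sampleEvents is a constructed extract (one JSON object per line) in the shape a collector emits
// after pulling Sysmon events from a WEC server. Hosts, users and paths are invented; the
// OriginalFileName/Product strings for PsExec are the ones found in its version resource.
const sampleEvents = `
{"EventID":1,"UtcTime":"2024-01-05 22:10:03.120","Computer":"WS07","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","Product":"Microsoft Windows Operating System","CommandLine":"notepad.exe notes.txt","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\jdoe"}
{"EventID":1,"UtcTime":"2024-01-05 22:14:41.008","Computer":"WS07","Image":"C:\\Windows\\Temp\\java.exe","OriginalFileName":"psexec.c","Product":"Sysinternals PsExec","CommandLine":"java.exe \\\\FS01 -accepteula -s -d C:\\Windows\\Temp\\enc.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\svc_backup"}
{"EventID":1,"UtcTime":"2024-01-05 22:14:42.377","Computer":"FS01","Image":"C:\\Windows\\PSEXESVC.exe","OriginalFileName":"psexesvc.exe","Product":"Sysinternals PsExec","CommandLine":"C:\\Windows\\PSEXESVC.exe","ParentImage":"C:\\Windows\\System32\\services.exe","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"UtcTime":"2024-01-05 22:15:10.551","Computer":"WS07","Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe","OriginalFileName":"installer.exe","Product":"","CommandLine":"invoice.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","User":"CORP\\jdoe"}
{"EventID":1,"UtcTime":"2024-01-06 09:02:17.902","Computer":"ADM01","Image":"C:\\Tools\\PsExec.exe","OriginalFileName":"psexec.c","Product":"Sysinternals PsExec","CommandLine":"PsExec.exe \\\\WS07 ipconfig","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\adm_kowalski"}
`

func parseEvents(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event line: %w", err)
		}
		if ev.EventID == 1 {
			events = append(events, ev)
		}
	}
	return events, sc.Err()
}

// baseName lower-cases the file name of a Windows path (Sysmon writes backslashes).
func baseName(winPath string) string {
	return strings.ToLower(path.Base(strings.ReplaceAll(winPath, `\`, "/")))
}

// detect applies the rules in priority order to each process-creation event.
func detect(events []Event) []Alert {
	var alerts []Alert
	for _, ev := range events {
		base := baseName(ev.Image)
		ofn := strings.ToLower(ev.OriginalFileName)
		isPsExec := ofn == "psexec.c" || ofn == "psexec.exe" || ofn == "psexec64.exe" || ev.Product == "Sysinternals PsExec"
		switch {
		case base == "psexesvc.exe" || ofn == "psexesvc.exe":
			// PSEXESVC is the service binary PsExec drops and starts on the target host.
			alerts = append(alerts, Alert{"psexec_service_on_target", ev})
		case isPsExec && base != "psexec.exe" && base != "psexec64.exe":
			// Sysinternals metadata under another file name: PsExec renamed to evade a name-based block.
			alerts = append(alerts, Alert{"renamed_psexec", ev})
		case isPsExec:
			alerts = append(alerts, Alert{"psexec_executed", ev}) // may be legitimate admin use; review
		case strings.HasSuffix(ofn, ".exe") && ofn != base:
			// Generic renamed executable; noisier, so tune with an allow list before alerting on it.
			alerts = append(alerts, Alert{"renamed_executable", ev})
		}
	}
	return alerts
}

func main() {
	events, err := parseEvents(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, a := range detect(events) {
		fmt.Printf("%-26s %s %s user=%s image=%s\n", a.Rule, a.Event.UtcTime, a.Event.Computer, a.Event.User, a.Event.Image)
	}
}
```

Sysmon fills OriginalFileName and Product from the executable's version resource, so renaming the file on disk does not change them; that is what makes this check cheap and reliable for well-known tools. The generic renamed_executable rule is noisy (installers and updaters routinely mismatch), so run it in audit mode and build an allow list before alerting on it, and correlate the psexec_service_on_target hits on the target with the psexec_executed or renamed_psexec hit on the source to reconstruct the lateral movement.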

Known Ransomware Attacks

You can read about historical Ransomware attacks in my article presenting the 10 biggest hacker attacks.

At this point, however, I would like to present five relatively new Ransomware attacks that have had a big impact, mainly in Poland, but also abroad.

  1. Attack on the Air Ambulance Service in February 2022 - for over a week, the Air Ambulance Service units could not use the system for sending information about ongoing interventions, the website, and e-mail. Cybercriminals demanded a ransom of $390,000.
  2. Attack on the Polish Mother's Health Center in Łódź in November 2022 - in this case, the hospital decided to defend itself against the attack and, to minimize its effects, temporarily shut down its IT systems. Until the systems were fully restored, patients had to be served using traditional paper documentation, which seriously disrupted the functioning of the hospital and led to delays in issuing medical documentation and discharging patients.
  3. Attack on the Marshal's Office of the Masovian Voivodeship in December 2022 - as part of this attack, hackers managed to encrypt access to the electronic document management system, which led to the shutdown of the Regional Node's project infrastructure and loss of access to it by 300 local government units and loss of access to personal data administered by the Marshal's Office. In the issued statement, the Office did not confirm the leak of personal data or their disclosure, informing that "there is a high probability that the data processed in the systems covered by the incident are in the possession of third parties (...)".
  4. Attack on the Magdalena Abakanowicz University of Arts in Poznań in January 2023 – after breaking through security, hackers managed to encrypt and steal personal data of university employees and collaborators, including names, addresses, and series and numbers of ID cards. As a result of the attack, the IT infrastructure was unavailable for several days, and the server environment that supported the HR and payroll system, which was at risk of attack, had to be removed and rebuilt, which was fortunately possible thanks to the university having a backup copy of it.
  5. Attack on the Silesian Public Services Card system in February 2023 - this system enables, among other things, payments for parking and for public transport tickets in the Upper Silesian-Zagłębie Metropolis, inhabited by almost two million people. As a result of the attack, the system was blocked for almost two weeks, making the daily lives of the inhabitants of the metropolis difficult. Fortunately, it was possible to restore the system to full functionality thanks to daily backups. It is worth adding that people's personal data were not at risk, because the system did not collect them.

Summary

Ransomware attacks have a long history reaching back to the late 1980s. They first flourished in the 2000s with the Gpcode family and then with CryptoLocker in 2013, and since 2019, with the spread of the RaaS model, they have become one of the biggest cybersecurity threats, as evidenced by KPMG's "Cybersecurity Barometer 2022" report, in which one third of the surveyed companies admitted to having been victims of a Ransomware attack.

Due to the development of services related to the sale of malicious encryption software (RaaS), the threat of these attacks has significantly increased and cybercriminals themselves have become even more sophisticated, blackmailing their victims into disclosing stolen data and significantly increasing the ransom price in the event of delay in payment.

Although Ransomware attacks are extremely dangerous and affect the entire IT estate, from endpoints through servers and network shares to mobile devices, the rules described in this article make them far harder to carry out and far easier to recover from. Properly configured and regularly updated software, knowledge of which services are exposed to the network, tested backups and employees who receive regular cybersecurity training are what allow an organization to resist Ransomware attempts with confidence.

More articles by Michał Mamica