Is your organization prepared for a ransomware attack?
December 28, 2016
In February 2016, the computer network at Hollywood Presbyterian Medical Center (HPMC) was down for more than a week as the Southern California hospital worked to recover from a ransomware attack. Hospital administrators declared an internal emergency as staff struggled to access patient records and computer systems critical for patient care. Some patients had to be transported to other hospitals to maintain their continuity of care. All the while, attackers held the hospital’s computer systems hostage until a ransom of 40 Bitcoins — approximately $17,000 — was paid. Only then could the hospital regain use of its files that had been surreptitiously encrypted by malware.
Since then, at least three more healthcare organizations have reported business disruptions due to ransomware attacks. And there will be others now that cybercrime syndicates have discovered how lucrative this type of attack can be. HPMC may have gotten off easy with a ransom of only 40 Bitcoins. Criminals know that many organizations would pay far more than that in order to restore their systems to working order. According to the Institute of Critical Infrastructure Technology (ICIT), “To pay or not to pay” will be the question fueling heated debate in boardrooms across the U.S. and abroad.
Is your organization prepared for a ransomware attack? Successfully defending your organization against such an attack takes preparation and an understanding of what to look for if an attack begins. This guide shares the expert knowledge that researchers have gathered about how ransomware attacks begin, how they progress through your endpoints and network, and what you can do to prevent them, or at least shut them down, to avoid serious repercussions.
Figure 1: Ransomware
The 5 Phases of a Ransomware Attack
There are distinct phases of a ransomware attack, regardless of whether it’s a mass distribution or a targeted attack. “Understanding what happens at each phase, and knowing the indicators of compromise [IOCs] to look for, increases the likelihood of being able to successfully defend against — or at least mitigate the effects of — an attack,” says Sommers.
Figure 2: The typical timeline of a mass distribution ransomware attack
We’ll make note of where the activity of the phases and the IOCs differ by the type of attack. For instance, one of the distinctions between a mass distribution attack and a targeted attack is how long it takes to fully execute all the steps.
As shown in Figure 2, the timeline of a mass distribution attack is very compressed—often as little as 15 minutes from the exploitation and infection through to the victim receiving the ransom notice. One reason for the shortness of the duration is that the attack is not trying to go beyond the first system it lands on.
In contrast, a targeted attack acts more like an APT; it is looking to inflict as much damage as possible on as wide a footprint as possible. The attackers are trying to affect the entire business rather than an individual user, because they can extort the business and attempt to get a lot more money. Given that targeted attacks are usually operated by a person as opposed to an automated system, the response timeline can be a little less critical than for mass distribution ransomware. Unfortunately this also means the attack can be more difficult to detect.
Phase 1: Exploitation and Infection
In order for an attack to be successful, the malicious ransomware file needs to execute on a computer. This is often done through a phishing email or an exploit kit — a type of malicious toolkit used to exploit security holes in software applications for the purpose of spreading malware. These kits target users running insecure or outdated software applications on their computers.
In the case of the CryptoLocker malware, the Angler exploit kit is a preferred method to gain execution. The vulnerabilities favored by the Angler exploit kit are typically found in Adobe Flash and Internet Explorer.
Phase 2: Delivery and Execution
Following the exploit process, the actual ransomware executable will be delivered to the victim’s system. Upon execution, persistence mechanisms will be put in place. Typically, this process takes a few seconds, depending on network latencies.
Unfortunately the executables are most often delivered via an encrypted channel — instead of SSL, a custom encryption layer is added on top of a regular HTTP connection. Because the malware uses strong encryption, it’s difficult to recover the executable from the wire. “Most often, we see the executable files being placed in either the %APPDATA% or %TEMP% folder beneath the user’s profile,” advises Sommers. “It’s good to know this for detection purposes because your organization can monitor for those events to set up a line of defense.”
Most of the Crypto malware will add persistence mechanisms such that if the afflicted machine is rebooted in the middle of the encryption process, the ransomware can pick up where it left off and continue to encrypt the system until it is completed.
Phase 3: Backup Spoliation
A few seconds after the malware is executed, the ransomware targets the backup files and folders on the system and removes them to prevent restoring from backup. This is unique to ransomware. Other types of crimeware and even APTs don’t bother to delete backup files.
Most of the ransomware variants will go out of their way to try and remove any means that the victim has to recover from the attack without paying the ransom. On Windows systems, in both targeted and mass distribution attacks, we often see the vssadmin tool being used to remove the volume shadow copies from the system. For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system. “The good news is that there are event log entries that are created when this happens, so triggerable events can be detected by a SIEM or a host-based product,” says Sommers.
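The two detection opportunities called out above (an executable launched from the %APPDATA% or %TEMP% folder, and vssadmin removing shadow copies a few seconds later) can be turned into host-based rules. The following is an added example, not code from the original article; the log lines are constructed, pipe-delimited process-creation events in a Sysmon-like shape, and the 120-second correlation window is an assumed tuning value.

```python
import re
from datetime import datetime

# Constructed process-creation events (Sysmon Event ID 1 style) flattened to
# timestamp|EventID|Image|CommandLine. Sample data, not a real log export.
SAMPLE_EVENTS = r"""
2016-12-28T09:12:01|1|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2016-12-28T09:12:07|1|C:\Users\alice\AppData\Roaming\svch0st.exe|"C:\Users\alice\AppData\Roaming\svch0st.exe"
2016-12-28T09:12:09|1|C:\Users\alice\AppData\Local\Temp\a1b2c3.exe|"C:\Users\alice\AppData\Local\Temp\a1b2c3.exe" /s
2016-12-28T09:12:15|1|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-12-28T09:13:00|1|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
""".strip().splitlines()

# %APPDATA% resolves to ...\AppData\Roaming and %TEMP% to ...\AppData\Local\Temp.
USER_PROFILE_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\[^\\]+\.exe$", re.IGNORECASE)
# vssadmin invoked with both "delete" and "shadows" on its command line.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

def parse_event(line):
    ts, event_id, image, cmd = line.split("|", 3)
    return {"ts": ts, "event_id": int(event_id), "image": image, "cmd": cmd}

def detect(lines):
    """Return (timestamp, rule, image, command_line) for every rule hit."""
    findings = []
    for ev in map(parse_event, lines):
        if ev["event_id"] != 1:
            continue
        if USER_PROFILE_EXE.match(ev["image"]):
            findings.append((ev["ts"], "exe_from_appdata_or_temp", ev["image"], ev["cmd"]))
        if SHADOW_DELETE.search(ev["cmd"]):
            findings.append((ev["ts"], "shadow_copy_deletion", ev["image"], ev["cmd"]))
    return findings

def correlate(findings, window_seconds=120):
    """Pair each profile-folder launch with a shadow-copy deletion that follows it inside the window."""
    drops = [f for f in findings if f[1] == "exe_from_appdata_or_temp"]
    pairs = []
    for ts, rule, _, cmd in findings:
        if rule != "shadow_copy_deletion":
            continue
        t_del = datetime.fromisoformat(ts)
        for p_ts, _, p_image, _ in drops:
            delta = (t_del - datetime.fromisoformat(p_ts)).total_seconds()
            if 0 <= delta <= window_seconds:
                pairs.append((p_image, cmd, delta))
    return pairs
```

Either rule alone will fire on legitimate activity (installers run from %TEMP%, administrators listing or pruning shadow copies), so the correlated pair is the alert worth paging on; the single hits belong in a SIEM as supporting evidence.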
Several of the variants, especially in the targeted attacks, will even go so far as to look for folders containing backups and then forcefully remove those files. Even if a program is holding a lock to those files, it will kill the process so it can delete those folders of the backups to make recovery all the more difficult.
Phase 4: File Encryption
Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing the encryption keys that will be used on the local system. Quite often the malware will tag the local system using a unique identifier that will be presented to the user in the instructions at the end. This is also how the C2 server differentiates between the encryption keys used for different victims. Unfortunately most of the variants today use strong encryption such as AES-256, so the victim isn’t going to be able to break the encryption on their own.
Not every type of ransomware needs to contact a C2 server to exchange keys. In the case of the SamSam malware, the software application does all encryption locally without reaching out to the internet at all. This is worth noting, because the communication with a C2 server is an IOC that should be monitored, but the absence of this event does not mean that ransomware is not present.
During the file encryption phase, different ransomware variants handle file naming and encryption differently. For instance, CryptoWall version 3 does not encrypt the file name, whereas CryptoWall version 4 randomizes the file name and extension. Locky will randomize the file names but add a locky extension to the end. Knowing this, your organization can sometimes fingerprint the exact ransomware variant based on the file naming convention that it uses.
Depending on network latencies, the number of documents, and the number of devices connected, the encryption process can take anywhere from a few minutes to a couple of hours. There have been instances where, on a widely distributed network, the ransomware tries to encrypt files across a wide area network. For a single endpoint device, however, the encryption process is usually done in minutes.
Phase 5: User Notification and Cleanup
With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented. Quite often, the victim is given a few days to pay, and after that time the ransom increases.
How the instructions are presented can help you identify which ransomware software has attacked the system. The demand instructions are usually saved onto the hard drive, sometimes in the same folders as the encrypted files. Other times, they are saved to very specific locations on the hard disk. For example, CryptoWall version 3 uses the HELP_DECRYPT file to store the instructions. CryptoWall version 4 changed it to HELP-YOUR-FILES. There are a couple of different instructions and variations on the theme, but you can usually use this guidance to do an internet search and find the exact variant.
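The file-naming conventions from the encryption phase (CryptoWall version 3 keeps names, version 4 randomizes name and extension, Locky randomizes names under a .locky extension) and the note-file names above can be combined into a first-pass fingerprint of a directory listing. This is an added example, not from the original article: the directory listings are constructed, and the "randomized name" test is a crude heuristic of my own rather than anything the text specifies.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Ransom-note base names and naming behaviour per variant, as described in the text.
NOTE_SIGNATURES = {
    "HELP_DECRYPT": "CryptoWall v3",     # note beside the files; original names kept
    "HELP-YOUR-FILES": "CryptoWall v4",  # names and extensions randomized
}
EXTENSION_SIGNATURES = {".locky": "Locky"}  # randomized names plus a fixed extension

# Crude heuristic (an assumption, not from the text): a stem of 8+ alphanumerics
# mixing letters and digits is treated as a randomized file name.
RANDOM_STEM = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8,}$")

# Constructed directory listings, one per scenario; not real infections.
SAMPLE_LISTINGS = {
    "cryptowall_v3": ["Q3_budget.xlsx", "notes.docx", "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML"],
    "cryptowall_v4": ["7k3j9a2m.x1q", "p0q2zz8r.8fb", "m4n5b6v7.2kd", "HELP-YOUR-FILES.TXT"],
    "locky": ["F67091F1D24A922B1A7FC27E19A9D9BC.locky", "0A2C4E6A8C0E2A4C6E8A0C2E4A6C8E0A.locky"],
    "clean": ["Q3_budget.xlsx", "notes.docx", "photo_2016.jpg"],
}

def fingerprint(listing):
    """Classify one directory listing by ransom-note names, then extension, then naming pattern."""
    notes, data_files = [], []
    for name in listing:
        (notes if PureWindowsPath(name).stem.upper() in NOTE_SIGNATURES else data_files).append(name)
    exts = Counter(PureWindowsPath(n).suffix.lower() for n in data_files)
    dominant_ext = exts.most_common(1)[0][0] if exts else ""
    randomized = sum(bool(RANDOM_STEM.match(PureWindowsPath(n).stem)) for n in data_files)
    ratio = randomized / len(data_files) if data_files else 0.0

    if notes:
        variant = NOTE_SIGNATURES[PureWindowsPath(notes[0]).stem.upper()]
    elif dominant_ext in EXTENSION_SIGNATURES:
        variant = EXTENSION_SIGNATURES[dominant_ext]
    elif ratio >= 0.8:
        variant = "unknown (names randomized)"  # search on the note text once it is found
    else:
        variant = None
    return {"variant": variant, "note_files": notes,
            "dominant_extension": dominant_ext, "randomized_name_ratio": ratio}
```

The note file is the strongest signal because its name changes between versions; the extension and randomized-name ratio are there to give the responder something to search on when a variant the table does not know has hit the share.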
Locky takes a different approach in that, not only does it place files on the system, but it also changes the user’s wallpaper to contain the instructions for how to decrypt the files. How’s that for putting the demand in your face?
Finally, like the Mission Impossible recordings that self-destruct, the malware cleans itself off the victimized system so as not to leave behind significant forensic evidence that would help build better defenses against the malware. With the self-removal of the malware code, there should be no lingering malicious files on the systems, and thus no lingering threat, though experts aren’t certain of this. “Even though the ransomware removes itself, we recommend you replace rather than simply clean afflicted computers if possible,” Sommers advises.