What is Ransomware?
A beginner's guide to ransomware
Given the threat it poses to individuals and global enterprises, coupled with the headlines it has driven, it is common for people to ask “what is ransomware?”
At its most simple, ransomware is a type of malware that encrypts files and information on a system and prevents access to the information until a ransom is paid via cryptocurrency to decrypt them. The hallmark of ransomware has been the conspicuous ransom note that appears on victims’ computer screens indicating files have been encrypted. Victims are often given a specified amount of time to pay the ransom prior to their files being destroyed. For example, CryptoWall gave victims three days to pay.
How ransomware works
Another common question is “how does ransomware work?”
Ransomware begins by gaining an initial infection on the system of an individual or employee at work. This is most often via phishing emails or malicious URLs. A user will receive a phishing or malspam email, often with an infected attachment. Attachments have intriguing or urgent names to encourage users to open them, often related to taxes, false invoices, fake package tracking or current events.
Sometimes malicious URLs are used in emails to lure users into clicking in order to deliver web-based attacks with drive-by downloads or malvertising.
Let’s look at how an early version of ransomware, CryptoWall, worked once it gained a presence on an endpoint. With the laptop infected, CryptoWall corrupted explorer.exe, the part of Windows with the start menu, taskbar, desktop, and file manager, and restarts it. It then deletes the shadow copies, installs malware, disables services, and so on. It will establish persistence, so restarting won’t get rid of it.
It then communicates with its command and control server to get the encryption key to lock up files. With the key, all files are encrypted on the local system, as are any files reachable on connected network drives. The only way to regain access to them is with the encryption key obtained by paying the ransom to the group behind CryptoWall.
Ransomware worms its way into the enterprise
In 2016, SamSam gave the world an unpleasant surprise when it unveiled a new fearsome capability in ransomware: built-in lateral movement or self-propagation. Why? Attackers can effectively target entire enterprise networks to encrypt vast amounts of mission-critical data and, in turn, demand larger ransom payments. In the case of SamSam, attackers found their way in via exploitation of a dated JBoss vulnerability. Once inside, SamSam moved laterally by seeking out additional network connected systems in order to encrypt them.
An ugly poster child
WannaCry is what made many of us familiar with ransomware that spreads on its own. The attack leveraged the EternalBlue exploit, developed by the NSA, used to compromise machines, load malware, and propagate to other machines. Specifically, it took advantage of a vulnerability in Microsoft Server Message Block (SMB) used for tasks like file sharing between Windows computers. EternalBlue would then install DoublePulsar to execute malicious code on an infected system.
Microsoft had released patches at the time of the attack. However, many organizations targeted had not patched these older systems past their end-of-life.
Given its ability to spread, it is estimated to have infected more than 200,000 systems globally.
With the world still reeling from WannaCry, NotPetya made an appearance in late June 2017, becoming the most devastating attack the world had seen to date.
NotPetya appeared to be ransomware at first glance, but turned out to be wiper malware designed only to destroy, with irreversible encryption. The attack began by bad actors compromising the Ukrainian tax accounting software called MeDoc. MeDoc had hundreds of thousands of customers, primarily in Europe, who used the software to do business in Ukraine. Like all software, MeDoc pushed out an unknowingly compromised update to customers, who implicitly trusted this vendor update. This was a supply-chain attack, exploiting trust between software vendors and customers, that leveraged a compromised piece of software, MeDoc, as a beachhead on systems. The attack was then launched with an updated version of the Petya ransomware, dubbed NotPetya.
The attack spread laterally using EternalBlue and EternalRomance for unpatched systems or stolen credentials via password harvesting techniques to enable the use of tools like PsExec and WMI to spread to more systems. Total global damages tied to NotPetya, now seen as a geopolitical cyber weapon, have been estimated to be in the $10 billion dollar range.
Live off the land
Ransomware that is capable of spreading on its own has generated considerable attention, however, many recent ransomware attacks seem to be more methodical and attacker-controlled.
These attacks don’t move as quickly as ransomware with lateral movement built-in, but they are just as devastating due to long dwell time for surveilling an environment. US municipalities have reported a wave of attacks in recent years – and many more were likely not reported at all. In most cases, attackers case environments for weeks prior to the ransomware encryption.
These attacks gain a foothold, via phishing or brute-forcing poorly-configured services like Remote Desktop Protocol (RDP), used for remote access to Windows. Once inside, attacks are methodical, attempting peer to peer lateral movement via open ports, for example exploiting RDP or WMI, to ideally reach a domain controller.
Credential harvesting, also present in NotPetya, is also used to move laterally. Tools like Mimikatz facilitate this, allowing for privilege escalation, so attackers have greater levels of permission in the network.
Either way, attackers often reach domain controllers, making them an IT admin in the company they are attacking.
At this point, they “live off the land,” using existing IT admin frameworks like PsExec, used to execute processes on other systems, or PowerShell, used to automate tasks operating system management tasks, to drop malicious files onto systems.
What does Lady Gaga have to do with new ransomware attack techniques?
Her unsuspecting role in double extortion.
Ransomware attacks have become even nastier as some attacks may now add additional extortion. First, attackers will gain a foothold, find sensitive data, and exfiltrate it to their own servers. With sensitive data stolen, attackers then proceed to encrypt systems. Not only are systems locked up, but the sensitive information can be leaked publicly unless victims pay up, amounting to additional pressure for organizations to pay ransoms.
Recently, attackers targeted an entertainment law firm, stealing data related to high-profile clients like Lady Gaga, Bruce Springsteen, and Christina Aguilera. They initially released contracts related to Lady Gaga as proof of their possession of sensitive information.
The group behind the attack threatened to release more celebrity data if the law firm declined to pay the ransom ask, which reached some $42 million.
How to stop ransomware
Most organizations want to understand how to best stop ransomware. It is a tall order seeing that many attacks use newly created malware or live off the land to largely evade detection. There are a few best practices to reduce the risk of major ransomware attacks knocking your organization offline.
Here are some of the leading ways to reduce ransomware risk, according to US-CERT.
- Segment your laptops and networks to ensure the first laptop infected is also the last so attacks can’t move beyond the initial system.
- Patch all systems regularly to avoid vulnerable applications and OSs from being targeted.
- Use effective email and endpoint security tools to stop as many phishing emails from reaching inboxes or malicious activity associated with ransomware from reaching endpoint and encrypting files.
- Train users to open email attachments carefully and be wary of email attachments from unknown senders.
- Back up systems often and store backups separately to be able to restore to previous states if need be, with backups that cannot be accessed from a network.