Ransomware Unleashed: A High-Level Overview

by Leonidas Plagakis

Ransomware has arguably marked our era as one of the most prevalent and destructive cyber security threats, targeting numerous organisations in a variety of industry sectors. Over the past few years it has met with tremendous success and has been proven a very profitable business for malware authors, since it is estimated that businesses have spent millions on paying the requested ransom for file recovery. It is indicative that ransomware’s revenue was estimated to have reached a minimum of $1 billion in 2018 and a record of $2 billion in 2017, according to research.

Evolution of ransomware

Ransomware is by no means a novel attack and the concept has been around for well over two decades. In fact, the earliest appearance of ransomware in the wild was reported back in 1989, when a biologist developed the “AIDS trojan”, a malware that hid directories and encrypted file names, followed by a ransom payment request. Since then, the core idea, i.e. limiting users’ access to their systems by locking/encrypting files unless a ransom is paid, has not changed much. However, ransomware developers (as with any other malware category) have deployed various techniques throughout the years in order to adapt to the constantly changing technology landscape, to bypass advanced security controls and to evade detection. Part of the evolution of ransomware is the adoption of the ransomware-as-a-service (RaaS) model, an approach used more and more in other sectors of the IT industry (e.g. IaaS, SaaS), and which is highly used by malware authors nowadays, as a means of gaining quick money without much effort. This model also benefits the attackers that rent/buy the service as they are no more needed to develop their own malicious code. Noteworthy examples of some of the most significant ransomware reported over the last decade include Cryptolocker, Wannacry, NotPetya, Cryptowall and SamSam – some of them still active in the wild. Some of this year’s biggest names in the ransomware landscape are Megacortex, RobinHood and Troldesh with a high number of infected machines being reported globally.

Impact on business

The industries targeted by ransomware vary highly, but there has been observed a general trend. Industries and large organisations where data availability is of critical importance and where operation without accessing data is extremely difficult and inefficient, are frequently objectives of ransomware attacks. That dependency on data availability gives the attackers the opportunity for more profitability, as these organisations are more likely to pay in order to restore data immediately and limit the damage caused by the attack. Healthcare and business are among the industries affected the most according to studies so far.

Regular operations disruption is probably the most immediate impact that ransomware attacks have on an organisation. Since, the systems are locked and data is not available, organisations are not able to perform any activities until data is restored. This normally leads to loss of profit and economic harm in organisations where uptime is of major importance. The cost from the efforts performed to recover data (paying the ransom or restoring backup) comes to add up to the downtime financial damage, resulting in a total cost which is a lot higher than most would expect. Furthermore, organisations’ reputational damage is always a potential consequence of any kind of cyber-attack, and ransomware attacks could not be an exception. The way organisations choose to handle these kind of situations plays a critical role in limiting the (unavoidable) damage and gaining back some of their customers’ trust.

Another important fact that the majority of victims usually do not even take into consideration is that when paying the ransom, there is a possibility for their data not to be fully recovered, as it has been observed that ransomware’s recovery rate is close to 95-96%, on average. It is at the ransomware author’s own discretion to trick their victims and hand them an invalid decryption key after they have paid the ransom. However, this would be bad for the ransomware’s reputation (yes, ransomware devs care about reputation too!) and would potentially cost a lot of “clients”, since victims would be discouraged to pay the ransom if they knew that the payment would not lead in their system being restored successfully. So, as uncommon as it may be for the attackers to hand over a wrong decryption key, it may still happen and result in loss of valuable information.

To pay or not to pay?

Possibly the most discussed topic around ransomware. There is no doubt of how important it is not to keep funding ransomware campaigns by paying the ransom. Let’s start our analysis by first mentioning the advantage(s) of paying the ransom: quick recovery of victim’s data and systems, which results in limiting the downtime of the victim organisation and, subsequently, in less cost. Disadvantages? Cyber criminals are encouraged to continue their attacks, victims automatically make themselves candidates for a new attack and money extortion as they have been proven “cooperative”. Also, decrypting files does not mean the malware infection itself has been removed.

From the above comparison, it is made clear that paying the ransom is not the optimal solution. One reliable alternative would be to apply one of security researchers’ published decrypting tools. Publishing these tools requires first exhaustively analysing the malware, a process that could take some time depending on the complexity of the malware. Therefore, this solution might not be preferred by organisations that are highly dependent on having their systems and data available the soonest possible.

As a result of the ever-increasing number of compromised systems, there has been observed a significant rise in companies that advertise themselves as having their own methods of recovering from a ransomware attack. So far, a number of these companies have been reported for deceiving their clients and taking advantage of their need for fast data recovery. These firms usually claim that they can decrypt/unlock victims’ systems by applying their technology, while, in fact, they just contact the attackers directly, acquire the decryption key themselves and sell their services in prices higher than the actual ransom. This kind of business is heavily based on the fact that infected victims prefer not to pay the attackers, even if that means that they will have to spend more money on one of the data recovery promising companies, for the same purpose. While, the victims’ way of thinking is rational and benign, in reality they are unknowingly encouraging ransomware developers, as the ransom is still getting paid – in this case by the “data recovery company”.

Defending against ransomware

Wouldn’t it be preferable, though, if organisations could avoid reaching the point where they have to answer the “pay or not pay” dilemma? In other words, organisations should be properly equipped to deal with this kind of attack even, if data has been encrypted. Essentially, security measures should be deployed and an efficient business continuity plan (response and recovery) should be already in place.

From a proactive perspective, a security measure that should always be at the forefront of an organisation’s defence is security awareness of its users. Being able to mitigate the vulnerability of the human element is always tricky and requires extra attention, as social engineering attacks and drive-by downloads are the main techniques ransomware use to distribute to potential victims.

Figure 1. Potential time to respond per ransomware stage (Source: Exabeam)

By far, the most significant step towards efficiently mitigating the consequences of a ransomware attack is backup. Regular backups of critical files will help towards recovering locked data without having to pay the ransom. However, naive backup practices are easily dealt with by modern ransomware, as ransomware’s complexity has been continuously evolving and new features are being added by malware authors. A relatively new technique performed by ransomware targeting backup data copies is called ransomware attack loop. Ransomware does not start encryption immediately; it rather stays dormant for a period and, as a result, the malware itself is backed up too, along with the system’s data. In this way, ransomware has infected both primary storage and backup copies. When the ransomware’s encryption stage detonates, after the specified idle time, the encryption will be applied to the backup copies too, basically rendering them useless. This is just one of many ways cyber criminals have found to deal with data recovery through backups. Hence organisations should pay extra attention when designing and implementing their backup procedures.

The ideal solution would be to employ security controls that detect ransomware before it even starts encrypting data. Signature-based detection systems would suffice a few years ago, but malware developers nowadays have many ways to bypass these kinds of systems. A more “exotic” and reliable approach to this problem would be to use behavioural analysis. User and entity behaviour analytics (UEBA) tools can detect malicious activities by continuously monitoring file system and registry for abnormal behaviour. In general, ransomware makes several changes in the file system and registry level before the encryption step, mostly housekeeping and persistence related. Furthermore, ransomware performs mapping and enumeration of the victim’s local and network accessible systems (commonly including cloud repositories), right before the encryption. So, file activity logs, registry logs, endpoint security logs and basically every log related to users and entities of the victim’s environment could prove enlightening and helpful towards detecting anomalous behaviour before it is too late and avoiding the destructive consequences of a complete ransomware attack.

To conclude, the number of ransomware attacks has increased radically over the past few years affecting a wide variety of industries and causing manifold negative consequences. Hence, defending against ransomware should be taken more seriously by organisations as more and more are highly dependent on the availability of their data. There are solutions towards successfully mitigating this threat, each approaching the problem in a different way. Implementing a robust backup procedure is probably the most reliable way for successful system and data recovery. Furthermore, organisations could mitigate a ransomware attack at its early stages, before the encryption stage has started, by deploying tools that analyse the behaviour of the environment’s entities and users in order to detect anomalies that might indicate malicious activities. Lastly, a security aware environment is a decisive step towards dealing with ransomware (and all cyber security threats in general), as human attack vectors are usually the main method of propagation when it comes to ransomware.

By Leonidas Plagakis