Ransomware explained – how digital extortion turns data into a silent hostage

Ransomware has risen to the top of the malware pile. We look at how this has happened

Ransomware seems to be everywhere right now. If you're a home user or SME employee on the receiving end of an attack it must feel like a pretty lonely moment when the extortion message appears on the screen of an infected PC demanding a payment of somewhere between $300 and $1,000 in Bitcoins.

The ransomware will have taken control of the computer and encrypted all or most of its files after an employee clicked on an email attachment, usually a PDF or what looks like one. This computer was most likely patched and running up-to-date antivirus but this made no difference. The ransomware still got through.

Infection and C2

It sounds like a simple attack and on the surface it is. An unsuspecting end user does something they normally do every day, clicking on an attachment, and lives to deeply regret it. Unseen, the ransomware is not only encrypting local files it can find but reaching out to attached storage drives and networks shares to encrypt those as well. All of this happens quickly before the user realises what has happened.

Typically, the ransomware also contacts a command and control (C2) server as this is happening, as a prelude to downloading more software and phoning home.

After that, retrieving encrypted files is a matter of paying the ransom (in untraceable Bitcoins) and hoping the criminals deliver the key or resorting to backups, assuming they've not been scrambled too.

Advanced ransomware

More recently, the MO of ransomware has evolved beyond this basic attack profile to target larger organisations. Here, simply attacking PCs one at a time is no longer sufficient incentive to pay a ransom, and the criminals have developed new ransomware families that can spread within an organisation to encrypt multiple PCs. This can even happen by hosting ransomware on a compromised application server rather than by sending attachments, as was the case with something called Samas/SamSam.

As defences have evolved, more advanced ransomware is increasingly engineered to operate in a standalone or stealth capacity, for example hiding its activity by not contacting a C2 or even working entirely from memory without the need to save files to disk.

There are now numerous families of ransomware - more are expected to appear in 2016 than in all previous years put together - and a wide range of innovations. Computerworld recently compiled a list of some of the worst recent examples, and the level of innovation aimed at evading improved defences is startling.

How successful is ransomware?

In terms of infection, very, although few victims in the business world ever talk about this fact and data on the number paying ransoms requires drawing inferences. Most of what we know comes from US and Canadian companies that disclose attacks to meet state-specific data protection regulations. Recent ransomware attacks have included several US healthcare providers and hospitals that have admitted paying ransoms as well as the University of Calgary which was forced to pay a $20,000 (Canadian) ransom to regain data from 100 computers.

Disturbingly, a recent survey by Citrix suggested that many UK firms are now quietly stockpiling Bitcoins to cope with a ransomware attack. This was especially pronounced in medium-to-large firms.

Why do organisations choose to pay ransoms?

As far as organisations are concerned, it is not because they don't have backups but because the time and cost of reinstating data, including on servers, is simply far greater than the cost of the ransom. The ransomware authors know this and set their demands below this cost. It could also be the case that firms fear that merely ransoming encrypted data could soon merge with data breaches in which criminals threaten to reveal 'hostage' data.

Ransomware explained - how digital extortion turns data into a silent hostage - can ransomware be stopped?

As with most forms of malware, there doesn't seem to be any fool-proof defence although the Windows PC is clearly a major vulnerability - other platforms are far less likely to be attacked for a variety of reasons. All the same, security vendors have belatedly engineered their technology to cope with ransomware using a number of techniques.

The simplest method is to improve detection and blocking at client level, in the manner of an endpoint security product. Many now claim to do this. The second approach is to build detection directly into network infrastructure, for example advanced firewalls. The third method is to build some kind of correlation engine into a specialised appliance that feeds into a reporting console or SIEM. Most organisations will consider all three at the same time.

Correlation detection

Security startup Vectra Networks offered Computerworld UK an example of how the correlation of multiple anomalies can be used to spot ransomware which we describe purely for illustration of the principle. The following attack sequence from the common and aggressive Locky ransomware was recorded recently inside an unnamed US healthcare provider.

01: After Locky infected a single PC via an unspecified phishing attack, the network detection layer triggered the first anomaly on noticing a connection to an unusual domain.
16: The infected PC started scanning the network on port 445, used for file sharing and printers. The malware is looking for secondary targets.
11:53: The ransomware starts polling a non-existent IP address range after starting to encrypt a file share. Vectra's detection engine pinpoints the infected PC and the affected share.
12:30: The PC is confirmed to have been pulled from the network and re-imaged.

Total time between infection starting and first remediation: 52 minutes.

"The detection of the malware doing its stuff was detected through three different machine learning algorithms. We have deliberately focused on new machine learning strategies," Vectra's Gunter Ollmann told Computerworld UK.

A key capability of Locky was its ability to deactivate local antivirus, which in this case it had most likely achieved, as it was not detected. Once inside a network, what mattered was the speed of response and the ability to piece together the fragments of anomalous behaviour into a larger picture so that admins weren't overloaded with false positives, says Ollmann.

"It does take a while for network assets to be encrypted. You'll find it may be 10GB per half day that can be encrypted."
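To make the correlation principle above concrete, here is a small added example (not Vectra's engine and not code from the article) of how a correlation rule can stack the weak signals from the Locky timeline - a connection to an unusual domain, port-445 scanning, polling of unallocated address space and a burst of writes to a file share - into one per-host score, so that no single anomaly alerts on its own. The log format, hostnames, domain allowlist, the unallocated 10.0.99.0/24 range, the thresholds and the weights are all assumptions constructed for the example.

```python
"""Correlating weak network anomalies into a single ransomware alert.

Added illustration; the log lines, hostnames, allowlist, thresholds and
weights below are constructed for the example and are not from the article.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# --- Constructed environment knowledge (assumptions for the example) ---
KNOWN_DOMAINS = {"intranet.example", "mail.example", "update.vendor.example"}
DARK_SPACE = ipaddress.ip_network("10.0.99.0/24")   # assumed to be allocated to nobody
SCAN_MIN_HOSTS = 5                   # distinct internal hosts on 445 inside the window
WINDOW_SEC = 120                     # sliding window for scan and write-burst counting
WRITE_BURST_BYTES = 20 * 1024 * 1024 # bytes written to one share inside the window
ALERT_SCORE = 3                      # no single weight reaches this, so one anomaly never alerts
WEIGHTS = {"unusual_domain": 1, "port445_scan": 1,
           "dark_space_poll": 2, "share_write_burst": 2}

# Constructed records in the form "<HH:MM> <host> <event> key=value ..."
SAMPLE_LOG = r"""
09:02 pc-finance-07 dns lookup=intranet.example
09:03 pc-finance-07 dns lookup=qx7tz-update.example
09:03 pc-finance-07 conn dst=203.0.113.77:443
09:05 pc-hr-02 dns lookup=cdn-assets.example
09:10 pc-hr-02 conn dst=10.0.5.20:445
09:10 pc-hr-02 smb_write share=\\fs01\hr bytes=1048576
09:18 pc-finance-07 conn dst=10.0.5.1:445
09:18 pc-finance-07 conn dst=10.0.5.2:445
09:18 pc-finance-07 conn dst=10.0.5.3:445
09:19 pc-finance-07 conn dst=10.0.5.4:445
09:19 pc-finance-07 conn dst=10.0.5.5:445
09:19 pc-finance-07 conn dst=10.0.5.6:445
09:52 pc-finance-07 smb_write share=\\fs01\finance bytes=15728640
09:53 pc-finance-07 smb_write share=\\fs01\finance bytes=15728640
09:55 pc-finance-07 conn dst=10.0.99.1:445
09:55 pc-finance-07 conn dst=10.0.99.2:445
"""

LINE_RE = re.compile(r"^(\d\d:\d\d) (\S+) (\S+) (.*)$")


def correlate(log_text):
    """Return {host: [(time, anomaly_type), ...]}, each anomaly type noted once per host."""
    anomalies = defaultdict(list)
    seen = defaultdict(set)           # anomaly types already noted for a host
    scan_hits = defaultdict(list)     # host -> [(time, dst_ip)] for port-445 connections
    share_bytes = defaultdict(list)   # (host, share) -> [(time, bytes)]

    def note(host, t, kind):
        if kind not in seen[host]:
            seen[host].add(kind)
            anomalies[host].append((t, kind))

    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M")
        host, event, detail = m.group(2), m.group(3), m.group(4)
        kv = dict(p.split("=", 1) for p in detail.split())
        if event == "dns":
            # Signal 1: lookup of a domain nobody in the estate normally uses.
            if kv["lookup"] not in KNOWN_DOMAINS:
                note(host, t, "unusual_domain")
        elif event == "conn":
            ip_str, port = kv["dst"].rsplit(":", 1)
            ip = ipaddress.ip_address(ip_str)
            # Signal 3: traffic into address space with no real hosts behind it.
            if ip in DARK_SPACE:
                note(host, t, "dark_space_poll")
            # Signal 2: many distinct internal SMB targets in a short window.
            if port == "445" and ip.is_private:
                scan_hits[host].append((t, ip))
                recent = {dst for ts, dst in scan_hits[host]
                          if (t - ts).total_seconds() <= WINDOW_SEC}
                if len(recent) >= SCAN_MIN_HOSTS:
                    note(host, t, "port445_scan")
        elif event == "smb_write":
            # Signal 4: a burst of writes to one share, as mass encryption produces.
            key = (host, kv["share"])
            share_bytes[key].append((t, int(kv["bytes"])))
            total = sum(b for ts, b in share_bytes[key]
                        if (t - ts).total_seconds() <= WINDOW_SEC)
            if total >= WRITE_BURST_BYTES:
                note(host, t, "share_write_burst")
    return dict(anomalies)


def alert_hosts(anomalies):
    """Return {host: (first_alert_time, score, kinds_so_far)} for hosts whose
    accumulated anomaly score reaches ALERT_SCORE, in time order."""
    alerts = {}
    for host, events in anomalies.items():
        score, kinds = 0, []
        for t, kind in sorted(events):
            score += WEIGHTS[kind]
            kinds.append(kind)
            if score >= ALERT_SCORE:
                alerts[host] = (t.strftime("%H:%M"), score, kinds)
                break
    return alerts


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for host, (when, score, kinds) in alert_hosts(found).items():
        print(f"{when} ALERT {host} score={score} signals={kinds}")
```

In the constructed log, pc-hr-02 trips only the allowlist check and stays below the alert threshold, while pc-finance-07 accumulates the unusual-domain lookup, the port-445 sweep and the share write burst and is flagged at 09:53, before its dark-space polling is even seen. The point of the weights is the one Ollmann makes: each signal alone would generate noise, but an admin only hears about the host on which several of them coincide.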

Ransomware explained - what's next?

All sorts of possibilities have popped into the minds of researchers, chief among them the idea of a large-scale ransom attack on a corporate in which attackers spend weeks or months penetrating a network in the manner of data breach attackers. Using stolen credentials, they map out not only valuable data stores (databases, code repositories, shares) but gain a detailed view of the backup routines and services. Worm-like ransomware would be used to spread the infection around a network before the detonation date.

"Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3,200 workstations are compromised; half the organization's digital assets, and the vast majority of the company's data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation," hypothesized Talos.

"The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like."

Such an attack could be launched for money, probably in the millions, but also conceivably for ideological reasons. In the latter case, a company might be asked to make a public statement.

It sounds far-fetched but only the most optimistic don't think it will come to pass at some point. The history of malware works this way: what can be imagined usually happens eventually. The weaker and less protected networks will be the first to succumb but as we now know that could in theory be almost anyone.

By John E Dunn