By Antonio Challita, Director of Product Management at cybersight
Ransomware is an increasingly growing cybersecurity threat. This variation of malware allows an attacker to take control of devices, such as personal computers or servers and encrypt the user or system data on these devices. The attacker then demands a ransom payment to return the owner’s data to its original state.
It is common for the attackers to encrypt the data using the same trusted algorithms, such as AES-256 and RSA-2048, that are used by the security industry to perform tasks that include browsing secure websites, online banking, and secure communication. These algorithms make reversing the encryption operation nearly impossible without having the private decryption key that only the attacker holds.
Ransomware authors also use scare tactics to amplify the impact of the attack. Tactics include commandeering the device to display sinister images and showing countdown timers, pressuring victims into paying the ransom quickly. Timers typically range from 24 to 72 hours and threaten to delete the victim’s data or increase the ransom amount when the time expires.
Along with the countdown timers, attackers provide victims with instructions on how to retrieve crypto-currency, which is needed to make the ransom payment and get their files back. The predominant method of payment for ransomware to date has been Bitcoin because hackers can receive payments anonymously, but additional cryptocurrencies are starting to make their way into ransomware attacks.
Ransomware is both highly attractive for hackers and highly disruptive for businesses. The recent spike in ransomware comes as no surprise. Market conditions, coupled with a major security leak from the National Security Agency (NSA) that took place in 2017, formed the perfect storm for ransomware.
According to the 2018 Verizon Data Breach Investigations Report (DBIR), attackers were financially motivated in 76 percent of breaches that occurred in the past year. Financial gains have steadily been the primary motive of attackers for several years running. The Verizon DBIR goes on to show that a spike in ransomware took place in 2017. Nearly 40 percent of malware incidents were found to contain ransomware inside them. Cybercriminals view ransomware as an easier way to make money, especially when compared to other forms of cybercrime such as credit card theft, identity theft or medical record theft. They do not have to deal with intermediary buyers on the black market for stolen data, instead, they collect payments directly from the victims. Victims are motivated to get their data back and are more likely to pay when faced with a ransomware attack because the data is personal and in some cases irreplaceable.
Cryptocurrencies: the first market condition
Over the past few years, the first market condition has steadily come to fruition: digital currencies – also referred to as cryptocurrencies – have gained traction around the world. Led by Bitcoin, cryptocurrencies have crossed the chasm and entered mainstream conversations.
From a cybercriminal’s perspective, Bitcoin offers two major benefits: pseudo-anonymity that makes it harder for law enforcement to trace, and the convenience of collecting payments without having to go through a central banking authority. This makes Bitcoin an attractive mechanism to handle ransomware payments. Bitcoin is not the exclusive cryptocurrency used when conducting ransomware attacks – as cryptocurrencies become more widespread, cybercriminals have demanded other forms, including DASH and Monero.
Ransomware-as-a-service: the second market condition
On the dark web, a new criminal-friendly market condition emerged in 2017: Ransomware-as-a-Service (raas). Raas has been lauded as the next great cyber threat. It opened the door for people who are not tech-savvy to get in on the action, enabling ransomware to spread further.
In the raas model, ransomware authors provide distributors pre-built ransomware campaign kits that include the ransomware payload, phishing email templates and a large email list of potential victims. Some raas campaigns even provide the option to set the amount of ransom to demand. Once victims are infected and make the payment to the distributor, the revenues collected are shared between the ransomware authors and the distributors.
Eternalblue: the seismic security leak
On April 14, 2017, a hacker group called Shadow Brokers leaked an exploit created by the National Security Agency (NSA) called eternalblue. Eternalblue exploits a vulnerability in the Windows Server Message Block (SMB) and enables the attacker to execute arbitrary code on the targeted device.
Less than one month later, on May 12, 2017, eternalblue was used to launch one of the biggest cybersecurity attacks in history. The infamous wannacry attack shut down hospitals, telecommunications companies, and transportation organizations; in the end, it infected over 250,000 devices around the world.
One of the reasons wannacry spread so widely was its worm functionality. This enabled wannacry to scan and spread to other machines in the same Local Area Network (LAN) over Server Message Block (SMB) protocol. SMB is a client-server communication protocol that allows sharing of network resources, such as files, printers, and serial port, over port 445. All that wannacry needed to be was a single machine in the LAN to get infected, and then the entire company was at risk, due to its ability to spread over SMB.
A month later, on June 27, 2017, eternalblue struck again, in the form of the notpetya ransomware. Notpetya would go on to be labeled as the most disruptive and destructive cyber attack of 2017. It caused businesses to lose data and severely disrupted their operations. One of the largest known hits was the shipping giant fedex; they reported losing $300M of revenues on their quarterly earnings report due to notpetya.
Many organizations scrambled to react to both wannacry and notpetya. The unfortunate reality is that there was little they could do because many companies, particularly larger ones, run machines with older versions of operating systems; these devices are vulnerable to the eternalblue attack specifically, and to ransomware attacks in general. Furthermore, for many larger organizations, keeping devices updated and patched is a daunting task in and of itself. However, the only true way to stay safe from ransomware attacks is prevention – the reaction has shown to be costly and only intermittently effective.
About the Author
Antonio Challita has been immersed in cybersecurity since the mid-2000s and serves as the Director of Product Management at cyber sight, the creators of the award-winning ransomstopper solution. Prior to joining cyber sight, Antonio served as a Product Manager at Qualcomm for chipset and mobile security, where he led security solutions for protecting Ultra-HD videos from Hollywood studios. Previously, Antonio was a Senior Software Engineer and Senior Technical Marketing Specialist at Motorola for mobile cybersecurity solutions. He holds a Masters of Science in Information Networking from Carnegie Mellon University and an undergraduate degree in Computer & Communications Engineering from the American University of Beirut.