Smoke - with plenty of fire

When a ransomware attack takes place, losses can be measured in millions of dollars and thousands of hours of remediation work. Yet relatively simple measures can prevent most of these from happening.

Ransomware accounted for 30% of the incidents that Check Point handled in Q1 2019 - but these were by far the most impactful ones. "Each case we handled caused significant disruption to customers, from financial losses to business shutdowns that typically lasted anywhere from five to ten days, to weeks of clean-up, which included full system rebuilds and brand recovery work," reports Dan Wiley, global head, Check Point Incident Response Team. In several cases, losses were measured in millions of dollars and thousands of hours of remediation work.

"A key trend we saw in this period was the amount of intelligence-gathering that attackers had done on their victims. This included studying Securities and Exchange Commission filings for the target company's financial position and using this to scale their ransom demands. While my response team does not negotiate with threat actors, in one case we handled the customer's insurance company interfaced with the threat actor to try to negotiate a payment. In the negotiations, the threat actor told the insurance company that they knew exactly how much cash on hand the customer had and refused to accept a lower payment."

Ryuk ransomware was responsible for the majority of the cases Check Point handled. "In most of these, Ryuk was never delivered directly, but a cast of other malware was used to serve up the final Ryuk infection," says Wiley. "We typically see infections using Emotet and Trickbot before the deployment of Ryuk: these pre-infections usually start a week or two before Ryuk is delivered, so IT teams should watch out for signs of these stealthy agents. We recommend running a full compromise assessment any time that there have been signs of intrusion.

"Unfortunately for network admins, we typically see ransomware attacks occurring during the weekend or holidays when resources are most limited. So, if patching, upgrades and other IT activities weren't enough, prepare yourself for a major disruption if you don't have controls in place to protect against ransomware. If you don't prepare, expect your weekends and public holidays to be disrupted."

Check Point also sees EternalBlue vulnerabilities still being actively exploited within customers' environments. "These were exploited by WannaCry and NotPetya, and patches have been available for over two years," he continues. "We cannot stress enough that rigorous patching is effective in stopping many of the attacks we regularly deal with. While my team does occasionally deal with some very advanced new threats, these are massively outnumbered by common-or-garden email compromise, ransomware attacks and well-worn old exploits. Relatively simple preventive measures can prevent the vast majority of these attacks from happening - or at worst, contain them, so they have minimal impact on the business."

MULTIPLE ATTACK MODES
There are several different ways that ransomware can infect your computer, Akshay Bhargava, senior vice president of products at Malwarebytes, points out. "One of the most common methods today is through malicious spam, or malspam, which is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

"Malspam uses social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate, whether that's by seeming to be from a trusted institution or a friend. Cybercriminals use social engineering in other types of ransomware attacks, such as posing as the FBI, in order to scare users into paying them a sum of money to unlock their files."

"Another popular infection method, which reached its peak in 2016, is malvertising, or malicious advertising, which uses online advertising to distribute malware, with little to no user interaction required," Bhargava adds. "While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalogue details about victim computers and their locations, and then select the malware best suited to deliver. Often, that malware is ransomware."

TRIPLE HIT
There are three main types of ransomware, ranging in severity from mildly off-putting to Cuban Missile Crisis dangerous, Bhargava states, which he outlines below:

Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you'll likely continue to be bombarded with pop-ups, but your files are essentially safe.

Screen lockers. Upgrade to terror alert orange for these guys. When lock-screen ransomware gets on your computer, it means you're frozen out of your PC entirely. Upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal, saying illegal activity has been detected on your computer and you must pay a fine.

However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of piracy, child pornography or other cybercrimes, they would go through the appropriate legal channels.

Encrypting ransomware. This is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment, in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because, once cybercriminals get a hold of your files, no security software or system restore can return them to you. "Unless you pay the ransom," Bhargava advises, "for the most part they're gone. And, even if you do pay up, there's no guarantee the cybercriminals will give you those files back."

UNHAPPY BIRTHDAY
Hard to credit, but ransomware turns 30 this year. The first-ever ransomware was distributed in 1989 at an international AIDS conference, earning it the title 'AIDS Trojan', and, in the last three decades, it has become one of the most pervasive cybersecurity threats across the globe. "Ransomware attacks have targeted every sector, affecting organisations from the very large to the smallest," points out Azeem Aleem, VP Consulting, NTT Security. "Cities and government agencies in particular are vulnerable and have become prime targets, although research indicates that when the victims are government entities, the attack is more of a target of opportunity than a highly targeted attack."

Why do some victims stump up the cash, though? "Given that ransomware attacks can take down systems, cause major disruption and rack up serious costs, perhaps it's no surprise that some organisations would rather pay a ransom than suffer the consequences of not paying up."

According to NTT Security's 2019 Risk:Value report, a survey of non-IT respondents across 20 countries, a third admitted they would rather pay a ransom to a hacker than invest in cybersecurity, because they considered it the cheaper option. "What's more worrying is the 36% who would rather pay a ransom than get a fine for non-compliance, which indicates, first, a fear about the consequences of non-compliance, but also a lack of confidence in the ability of some organisations to deal with important regulatory issues and lack of development of an effective incident response plan," continues Aleem. "With Ransomware-as-a-Service (RaaS) picking up steam, the barrier to entry for becoming a ransomware attacker has never been lower, so we can expect to see more headlines about companies under attack."

He cites one of the more high-profile examples in recent months, involving Norsk Hydro, which refused to negotiate with hackers and lost a reported $52 million.

"Hit with a ransomware demand, the company not only declined to pay, but has also become an example of how to deal with cybercriminals. Ethically, the firm made the right decision, but has suffered huge financial damage as a result." For others, the temptation to pay up and move on is simply too strong. A Florida city council recently paid off attackers to the tune of $600,000 using 65 bitcoins - often the preferred method of payment.

"Payment of a ransom does not guarantee that a cybercriminal will co-operate, of course, and it could encourage further criminal behaviour," adds Aleem. "Then there is the question of insurance to cover the cost of recovery and remediation, and also whether a company's insurance would be affected if it paid a ransomware demand. No organisation should ever have to ask whether a ransom demand or investing in cybersecurity is the cheaper option. They should already be investing in cybersecurity - patch management, incident response planning, backup solutions, and training and testing end users - in order to be ready for such an attack."

MOVING TARGET
How bad is ransomware right now? Some commentators suggest that, by the end of 2019, a business will be hit with ransomware every 14 seconds. "However, businesses cannot solve problems they do not recognise, so the first step in tackling ransomware is greater awareness," says Thorsten Kurpjuhn, European security market development manager at Zyxel. "Ransomware is a moving target, with threats and points of entry changing regularly, so it's important to develop an understanding of the subject and keep up to date. This applies not only to management, but to all staff: email attachments, links, insecure websites, downloads and malicious ads are all vectors through which ransomware enters systems, so everybody in the organisation must know how to handle them."

Also, operating systems and all software must be kept regularly patched and updated, and all data regularly backed up. "The 3-2-1 rule is helpful - have at least three copies of data, stored in at least two locations, of which at least one should be offline. It is also a good idea to keep an eye on account privileges; malware tends to operate at the level of the user who launched it, so limiting account privileges cuts the risk of ransomware spreading." One weakness frequently exploited by cybercriminals is Remote Desktop Protocol (RDP). "Left unsecured, RDP can easily become the cybercriminal's point of entry," warns Kurpjuhn. "However, while RDP is a popular entry point for ransomware, it is not the only one. Most malware attacks, via RDP or any other means, are brute force attacks, so the usual precautions [safe passwords, use of multi-factor authentication, restricting the use of untrusted devices, minimising user levels, particularly for accounts connecting to the internet etc] are more important than ever, for RDP users and non-users alike."
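The brute-force pattern Kurpjuhn describes leaves a trail in the Windows Security log well before any ransomware is deployed, and it is the kind of signal a small IT team can watch for over a weekend. The script below is an added example written for this article, not code from the article or from any of the vendors quoted: it runs a sliding-window detector over constructed event records and flags a source address that fails repeatedly and then succeeds, which is the signature of a guessed or stolen RDP credential rather than a user mistyping a password. The event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the addresses, accounts, timestamps, threshold and window are invented and should be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625   # Windows Security: an account failed to log on
EVENT_SUCCESS_LOGON = 4624  # Windows Security: an account was successfully logged on
LOGON_TYPE_RDP = 10         # RemoteInteractive: interactive logon over Terminal Services/RDP

# Constructed sample events (invented for this example, not from a real log).
# Fields mirror the ones an analyst would pull from the Windows Security log.
SAMPLE_EVENTS = [
    # A burst of failures from one internet address against a privileged account...
    {"time": "2019-06-08T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2019-06-08T02:00:14", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2019-06-08T02:00:29", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2019-06-08T02:00:45", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2019-06-08T02:01:02", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2019-06-08T02:01:20", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    # ...followed by a success from the same address: the point at which an intruder is inside.
    {"time": "2019-06-08T02:03:30", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    # A user mistyping a password twice in an hour, then getting in: benign.
    {"time": "2019-06-08T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.23"},
    {"time": "2019-06-08T09:02:10", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.23"},
    {"time": "2019-06-08T09:02:40", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.23"},
    # A failed network (non-RDP) logon, which this detector deliberately ignores.
    {"time": "2019-06-08T09:10:00", "event_id": 4625, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.0.50"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of an event record."""
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced at least `threshold` failed RDP
    logons inside any `window`, noting whether a successful RDP logon from the same
    source followed the start of the burst (likely compromise rather than noise)."""
    rdp = sorted((e for e in events if e["logon_type"] == LOGON_TYPE_RDP), key=_ts)
    failures = defaultdict(list)
    for e in rdp:
        if e["event_id"] == EVENT_FAILED_LOGON:
            failures[e["src_ip"]].append(e)

    alerts = []
    for src_ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the failures between start and end fit in `window`.
            while _ts(fails[end]) - _ts(fails[start]) > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = _ts(fails[start])
                targeted = sorted({f["user"] for f in fails[start:end + 1]})
                success_after = any(
                    e["event_id"] == EVENT_SUCCESS_LOGON
                    and e["src_ip"] == src_ip
                    and _ts(e) >= burst_start
                    for e in rdp
                )
                alerts.append({
                    "src_ip": src_ip,
                    "first_failure": fails[start]["time"],
                    "failures_in_window": end - start + 1,
                    "targeted_users": targeted,
                    "success_after_burst": success_after,
                })
                break  # one alert per source; the responder pulls the full history from there
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data only 203.0.113.5 trips the detector, with `success_after_burst` set, which is the case that warrants the compromise assessment Wiley recommends rather than just an account lockout. A real deployment would feed the function from the exported Security log (or a SIEM query) and exclude the brute-force problem at the source by putting RDP behind a VPN or gateway with multi-factor authentication, as Kurpjuhn advises.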

In an attempt to stay safe, many people are migrating data to the cloud, he adds. "It is, after all, a great repository for part of any data backup. But malware attacks the cloud, too. Syncing local files [especially shared files] from an afflicted machine to the cloud may allow the ransomware to spread. Furthermore, cybercriminals are attacking cloud services directly. In 2017, Microsoft acknowledged a huge increase in attacks on its cloud-based provision. That's why it is as important to scan and secure cloud-based systems and services as it is to secure local networks and machines."

Organisations can install security provision on cloud servers and cloud storage but often, particularly at SMB level, they may have outsourced these services. "In which case," Kurpjuhn advises, "the organisation must make sure it is working with a partner that provides a suitable level of protection, asking them to provide details of the systems used, detection rate, the speed at which the tools deployed detect ransomware and their file loss rate. If the provider cannot answer these questions satisfactorily, it may be time to look elsewhere."

ATTACKS MORE CUNNING
Back in the early days of ransomware, cybercriminals would often cast out a wide net, hoping to catch at least one user with valuable data on their computer. Eventually, the wide net was reduced to focus on specific companies, with attackers trawling through online records to harvest corporate email addresses. The new targeted approach meant that the infiltration attempts became more cunning, often disguised as emails from customers, colleagues, and tax services.

"A recent example of this is the financially-motivated DanaBot Trojan that has matured into a very profitable modular crimeware project," says Kelvin Murray, senior threat research analyst, Webroot. "It continues to evolve its geo targets as more affiliates get added and has branched out to test ransom functionality. This change in tactics aligns with other shifts observed, in which criminals are performing more reconnaissance to profile a victim's worth, before executing ransomware from a domain controller. Threat actors are effectively reducing the quantity of attacks in favour of quality when they choose to profile their victim's worth."

THREATS LONG IGNORED
Remote Desktop Protocol, or RDP, is a popular Microsoft system used mainly by admins to connect remotely to servers and other endpoints. "When it is enabled with poor set-ups and poor password policies, cybercriminals can easily hack it," he states. "RDP breaches are nothing new, but sadly the business world [and particularly the small business sector] has been ignoring the threat for years. Recently, government agencies in the US and UK have issued warnings about this completely preventable attack. RDP breaches have been the largest source of ransomware calls to our support teams in the last two years. They are totally devastating to those that are hit, so ransoms are often paid."

The likelihood of a target paying a ransom (and how much that ransom is likely to be) is subject to several factors, Murray adds, including the importance of the encrypted data, the costs associated with downtime and whether the target is a business or a private citizen - businesses are more likely to pay larger amounts. "Since the probability of success varies, based on the target's circumstances, it's important to note that there are ways of narrowing target selection using exploit kits or email campaigns, but they are more scattershot than other, more targeted, attacks.

"When we talk about selecting targets, you might be inclined to assume that there is a human involved. But, wherever practical, the attack will be coded to free up manpower. Malware routinely will decide not to run, if it is in a virtualised environment or if there are analysis tools installed on machines. RDP breaches are easier than ever, due to automated processes scouring the internet for targets to exploit."

What can businesses do? Here are Murray's suggestions:

• Secure your RDP by making sure Windows OS is up to date
• Use a proper password policy. This ties in with RDP ransomware threats and especially applies to admins
• Update everything!
• Back up everything. Think about whether a backup is physically connected to your environment (such as USB storage). If so, it can easily be encrypted by malicious actors. Make sure to air gap backups or back up to the cloud
• If you feel you have been the victim of a breach, it's possible there are decryption tools available; however, this is only the case in some instances
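Kurpjuhn's 3-2-1 rule and Murray's point about backups that sit physically connected to the environment are the same requirement seen from two sides: a copy that ransomware can reach from the network is not a recovery option. The following Python example is added here and is not from the article or from either vendor. It models a backup inventory, reports which 3-2-1 requirements are unmet, and lists the copies that would still be intact after an event that encrypts everything reachable from the production network. The inventories are constructed, and counting the live primary data as one of the three copies is an assumption about how the rule is usually applied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str     # site the copy lives at, e.g. "hq", "offsite-vault", "cloud-eu"
    connected: bool   # True if reachable from the production network at all times
                      # (attached USB disk, mapped share, always-on sync agent)


def check_321(copies, min_copies=3, min_locations=2, min_offline=1):
    """Return the 3-2-1 requirements an inventory fails; an empty list means compliant.
    Assumption: the live primary data counts as one of the three copies."""
    problems = []
    if len(copies) < min_copies:
        problems.append(f"only {len(copies)} copies, need at least {min_copies}")
    locations = {c.location for c in copies}
    if len(locations) < min_locations:
        problems.append(f"only {len(locations)} location(s), need at least {min_locations}")
    offline = [c for c in copies if not c.connected]
    if len(offline) < min_offline:
        problems.append("no offline copy: every copy is reachable from the network")
    return problems


def survives_network_compromise(copies):
    """Names of the copies that remain intact if ransomware encrypts everything it can
    reach from the production network. Only disconnected copies qualify: an attached
    USB disk or a synced cloud folder is encrypted (or overwritten by sync) with the rest."""
    return [c.name for c in copies if not c.connected]


# Constructed inventories, invented for this example.
SMB_USB_ONLY = [
    BackupCopy("primary-file-server", "hq", connected=True),
    BackupCopy("usb-disk-on-server", "hq", connected=True),
]
CLOUD_SYNC = [
    BackupCopy("primary-file-server", "hq", connected=True),
    BackupCopy("nas-nightly", "hq", connected=True),
    BackupCopy("cloud-sync-folder", "cloud-eu", connected=True),
]
COMPLIANT = [
    BackupCopy("primary-file-server", "hq", connected=True),
    BackupCopy("nas-nightly", "hq", connected=True),
    BackupCopy("weekly-tape", "offsite-vault", connected=False),
]


if __name__ == "__main__":
    for label, inventory in [("SMB_USB_ONLY", SMB_USB_ONLY),
                             ("CLOUD_SYNC", CLOUD_SYNC),
                             ("COMPLIANT", COMPLIANT)]:
        print(label, check_321(inventory) or "compliant",
              "| survives network compromise:", survives_network_compromise(inventory))
```

The `CLOUD_SYNC` inventory is the trap Kurpjuhn warns about: three copies in two locations, yet nothing survives, because the cloud folder mirrors the encrypted files from the afflicted machine. The cloud only counts as the offline copy when it is a versioned or immutable backup target rather than a live sync, so model it with `connected=False` only in that case.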

The future ransomware landscape is impossible to accurately predict, he concludes. "However, looking at how much ransomware has evolved since its birth thirty years ago, it's evident that the possible impact is not on the decline.

"Attackers will continue to use malware to exploit businesses and hold them to ransom. As cybersecurity protocols adapt to the rise in ransomware, hackers will carry on looking for ways to enhance it."