Donald E. Hester

Mar 10, 20178 min read

Notes on Ransomware

Ransomware

“Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site.” Source FBI

Many of my notes have been taken from the RSA Conference in February 2017 and the sites listed at the end of this article.

Statistics

Dec 11, 1989 was the first Ransomware called AIDs
In 6 months of 2015 US Federal Government had been hit 300 times.
Time to discovery – almost immediately
Time to recovery – as fast as you can get bitcoin or recover from backups. Ransomware takes most victims a week to months to recover.
According to DHS, municipalities are at greater risk because they are easier targets, have larger budgets, have more to lose, and more likely to pay.
42% to 70% paid (Wide range is because different sources have different statistics)
93% of organizations that were hit by ransomware had antivirus
31% have been victims multiple time (recent news indicates this may increase)
25% did not get their data back even after they paid
25% did not report the attack
20% paid over $40,000
25% paid $25k – $40k
Demand range for small businesses or individuals seems to range from $500 to $2000
3x increase in one-quarter in 2015
Crime pays:
Estimated to be a $500 million market for cyber-criminals, and estimated to increase to $17 billion by 2021.
DOJ estimates $240 million in ransoms were paid in 2015.
DOJ estimates $1 billion in ransoms were paid in 2016.
Some hackers didn’t even encrypt the data just renamed extension
There were 10 different families of ransomware a few years ago now there are over 400 families as of the first quarter 2017.

Costs

Who is willing to pay more for your data than you?

Hollywood Presbyterian hospital was down for 3 days

San Francisco Muni lost revenue

Typical things to consider as cost to ransomware.

Ransom – most fees have been reasonable.
Consulting costs
Lost revenue 63% report loss and 48% report downtime
Incident response
Forensics – you need to prevent future attacks
Insurance? They typically are the group that wins in situations like this. For example in 2010 insurance against sea pirates (like Somali pirates) paid out $448 million in ransoms but brought in $1.85 billion in insurance premiums. The other problem is will they pay? Most cyber insurance carriers have stipulations similar to PCI. In other words, if you don’t have controls in place they don’t pay.

Consider the cost of the ransom versus the cost of prevention and assessment

Prevention and Mitigation

Back-ups are critical but not sufficient. Criminals have targeted online backups for encryption as well. Holding all data and backup hostage from organizations increases the likelihood that they will pay. Increasing the probability of payment by the victims in a goal of the criminals. Offline backups, true air gap.
Risk Assessment
Patch management
Configuration management
Vulnerability scanning
Whitelisting applications
Anti-malware is critical but not enough. One statistic was that 93% of those companies hit by ransomware had anti-virus installed.
Network isolation and segmentation
Insurance – the real winners
Have a bitcoin account established
Block IPs
Monitor activity on systems
Network segmentation
DLP or audit logs can help to determine how it happened
Reach out to FBI or police so they can track and assist if possible. If nothing else, they will have better statistics and possibly discover new hacker behavior.

Incident Response

Crisis management – contact the customer, explain what has happened and what they need to do.
Incident Response Plan - does it ransomware?
There are tools available to decrypt some of the ransomware. See https://www.nomoreransom.org/

Vector

What are the typical ways in which the ransomware gets into networks and systems? The modes discussed in the sessions are from actual events and are highly likely vectors.

Flash
Java
Browser
Email – one example was a wave file that looked like it came from the phone system
GoldenEye ransomware targets human resources departments because they're used to opening emails and attachments from unknown sources.
Unpatched systems
Internet facing servers

Hit local machine and network shares

Social engineering - users are still the weakest link, can’t patch ignorance and stupidity

Target

Office file extensions and picture extensions
Some do not copy the ransomware code to the hard drive. Instead, it only loads it to ram.
Cloud service sync will just sync problem to the cloud files. Some cloud services are now looking for indications of ransomware.

Typical Marks

There have been some typical marks that have been targets of cyber-criminals.

Medical

Transportation
Local Government
Education
IoT
Hotels (key card access)
Individuals have also been targeted, some with compromising photos, pay to get the photos to go away.
Organizations that lean to the left political spectrum

The Ransom

To pay or not to pay, that is the question. A risk-based question.

Paying the ransom is no guarantee that they will help you recover your data. One statistic is 25% do not give you the key once you pay. However, some cyber-criminals do have customer service to assist you in getting bitcoins and helping you decrypt your data after you have paid. After all, they want to get paid, and if word gets out that they don’t give you the keys after you pay, people are less likely to pay.

“The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.”

Paying the ransom feeds the beast and perpetuates the problem. Criminals will keep going where they can make money and if people are willing to pay the hackers will keep targeting them. An easy pay day for hackers. Don’t be an easy mark.

Options

Pay or don’t pay

If you pay, you will either get your data back or not.
If you don’t pay, you can try to recover and possibly recover your data.
You can try tools or backups.
New option criminals are offering is if you get two of your friends infected and they pay, you can get your decryption for free. This, of course, is not an ethical option but one that some people are willing to take. This becomes a force multiplier for cyber-criminals and grows their “business.”
Some of cyber-criminals will negotiate on time, money, or for proof the files can be recovered.
Report the incident to authorities. The FBI requests victims report incidents.

The Criminals

Financial incentives are typically the motivation of the hackers. Most cyber-criminals want to make money, true there are a few that just want to watch the world burn. However, most ransoms have been motivated by money.

Know your enemy. Most cyber-criminals treat this as a business. To the point they have customer service to assist victims.

Hackers have a reputation, and if they have a reputation for not giving your files back after you pay, word will get around, and people won’t pay.

They often target systems and data with high availability requirements, the more critical the more the organization will be willing to pay to have access to data back. The more likely the victim will pay. Criminals know this and can target organizations that have high availability and ones that have money to pay.

They don’t try to price organizations out of the market. Organizations without money are less likely to pay large ransoms. They know this and either have lower ransom fees or don’t target them.

Very similar to Somali pirate criminal organizations. Organized crime including back offices, security, investors, etc…

Cyber-criminals spend money on R&D to better perfect the process.

They also sell ransomware starter kit for anyone who wants to get in on the action, some for as little as 1 bitcoin.

Cyber-criminal organizations fight against each other as well. One hacker group hacked another group and released the keys to their ransomware. So there is competition between rival hacking cyber-crime organizations.

Recently some hackers have changed from encrypting data to threatening to release compromising information, photos, emails, or documents unless they are paid. Specifically, they have targeted liberal groups.

Predictions

It is not generally known if they get in and exfiltrate data and then encrypt the data and ask for ransom. The previous criminal behavior has been to get in and lock files out as soon as possible. It seems as if criminal had moved to this model to make money by holding data ransom rather than attempting to exfiltrate data and sell the records on the black-market. Criminals find making money faster by holding data ransom rather than having to sell data. It seems to that it is getting harder and harder to steal data and then sell data. This could be because of a saturation of records for sale on the black market, the increased security around credit card transactions, and the falling price for records.

Won’t stop, because the cyber-criminals are making money.

Governments are trying to investigate bitcoin transfers to look for patterns and hunt down the hackers.

Many software vendors are starting to address the issue.

We should start to see more sophisticated attacks.

We may see more targeted attacks and possibly a shotgun approach as well. Obviously, the hackers prefer big paydays with as little effort on their part as possible. A shotgun approach of just getting as many people infected as possible to make money by more smaller transactions. This is just like the financial market. You have companies that target the larger sales and those that thrive on the volume of smaller sales. This will be no different. The black market has the same forces the financial markets do.

We may see attacks on cars computers (IVI).

We will also see an increase in doxware. “With doxware, hackers hold computers hostage until the victim pays the ransom, similar to ransomware. But doxware takes the attack further by compromising the privacy of conversations, photos, and sensitive files, and threatening to release them publicly unless the ransom is paid. Because of the threatened release, it's harder to avoid paying the ransom, making the attack more profitable for hackers.”