When you used to hear the word “ransom,” you probably figured that someone was kidnapped or taken hostage where their return was contingent upon a payment or action. In many cases, meeting the demand of the hostage takers didn’t necessarily lead to the victim’s release.
Today, cybercrime appears to be much easier and lower risk than physical intrusion or armed robbery, and thus “ransomware” has worked its way into our everyday jargon, as criminals hold data or services hostage through the use of targeted malware.
Ransomware locks up data so it can only be decrypted with an encryption key, which is promised to the victim upon receiving the ransom payment – often paid in cryptocurrency such as Bitcoin.
Recent High-Profile Ransomware Attacks
WannaCry exploited a vulnerability in Microsoft Windows operating systems in the Server Message Block (SMB) protocol. It is believed that this was an outgrowth of the NSA’s activity to warehouse exploits to discovered vulnerabilities. Code developed for this exploit was termed “Eternal Blue” and was stolen by a hacker group called Shadow Brokers. Many vulnerabilities discovered by the government are not publicly released, but rather saved for future offensive operations.
Although WannaCry attacks began in earnest on May 17, 2017, Microsoft had announced a patch on March 14, 2017 through Security Bulletin MS17-010 and labeled it ‘Critical.’ Patched systems were protected, but many systems remain unpatched – particularly Windows XP – for which support had been discontinued but later provided for this vulnerability. WannaCry is estimated to have infected more than 300,000 systems across 150 countries in a matter of days.
It was later discovered that WannaCry was unable to determine which victims had paid the ransom, due to a code flaw which may have been intentional. Today, millions of Internet-connected XP systems remain in operation (netMarketShare estimates nearly 6 percent of desktops run Windows XP), most notably Britain’s National Health Service. I would surmise that a very high number of Windows XP systems remain unpatched today.
SamSam ransomware hit the City of Atlanta in March 2018. It infiltrates by exploiting vulnerabilities or guessing weak passwords in a target's public-facing systems (read more about weak passwords in my June SD&I column at www.securityinfowatch.com/12413836). SamSam has reportedly targeted protocols including Microsoft IIS (Internet Information Services), FTP (File Transfer Protocol) and RDP (Remote Desktop Protocol). Other victims include Hancock Health and Allscripts.
Ransomware by the Numbers
Verizon, in its 2018 Data Breach Investigations Report, reports a number of interesting findings:
- Email continues to be the most common social attack vector (96%) and malware vector (92.4%).
- Bad websites account for 6.3 percent of the malware vectors.
- 49 percent of non-POS malware was installed via malicious email.
- Within the 1,379 incidents where a specific malware functionality was recorded, ransomware (56%) is still the top variety of malware found.
- Ransomware accounts for 85 percent of all malware found in healthcare systems.
- On average, 4 percent of people in any given phishing campaign will click an infected link; however, just 17 percent of phishing campaigns were reported.
- Java Script, Visual Basic Script, Microsoft Office, and PDF files are the most common bad actors, often leading to the eventual installation of a Windows executable file.
Targeted: The Healthcare Market
At this year’s Cyber:Secured Forum in Denver, I had the pleasure of meeting Randall Frietzsche, CISO of Denver Health. I asked him about ransomware, given that his industry is a proven prime target, with life-or-death consequences.
“Unfortunately, the normal state in our industry does not reflect an all-inclusive approach to this problem,” he admitted. “At Denver Health, we have a very comprehensive and layered approach to the ransomware risk, coupled with an active employee education program and back-up strategy.”
Frietzsche agreed that past ransomware attacks prove that certain procedures should be a given, including continuous patch management, enforced use of strong passwords, multi-factor authentication, and disabling unused ports and services.
Further, “Defense in Depth” should address the following exposures along the data path:
- Perimeter: Scan inbound emails for threats using URL checks, experiential content data, and spam profiles.
- On the network: Use behavioral analytics to identify anomalous or unusual behaviors, analyze for malformed IP packets, and look for incomplete handshakes.
- End-points: Consider disabling user ability to be a local administrator, as this capability enables a hacker to not only gain local control but to escalate their way into the broader network. Use outbound URL filtering to terminate connections to known bad sites.
- End-users: Train, test, and then train some more.
Finally, prepare for the event by having an active backup and recovery strategy in place. This can range from off-site tape backups to continuous online synchronized backups with anomaly detection that can monitor file change activity.
In this regard, I also spoke with Disaster Recovery as a Service (DRaaS) provider Infrascale at the Cyber:Secured Forum and learned that its tool monitors activity for large-scale file changes, which may indicate the occurrence of mass encryption.
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and the CONSULT Technical Security Symposium. Email him at [email protected], or contact him through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter: @RayCoulombe.