Like bandits lurking in the shadows of the internet, cyber criminals are holding us to ransom. Are we equipped to pay the price, or take a gamble on the forfeit for non-compliance? Taking the latest Cerber Ransomware threat as an example, Charl van der Walt, Chief Security Strategy Officer at SecureData, explores how cybercriminals are turning their hands to new techniques to get their mitts on our data – and now money – and how the industry needs to wake up to the issue by fighting the drivers behind the crime, not just the attacks themselves
The first recorded ‘hack’ took place in 1903, when a mischievous magician sent insulting Morse code messages through a projector during a public demo of secure wireless telegraphy technology. 114 years on and the security landscape is very different. While malware, spam and phishing continue to persist and pester, 2017 is the year of ransomware, with attacks such as TeslaCrypt, WannaCry and NotPetya infecting computers and networks the world over. Cyber criminals have even held the makers of Game of Thrones, HBO, to ransom by leaking emails, scripts and whole episodes in return for a hefty fee.
Ransomware as serious crime
While the latter example might be a little more light-hearted, ransomware is no joke. It’s a serious business, with serious consequences. While cyber security has certainly moved on, with new threats emerging every day, these new attacks are rooted in old vulnerabilities and exploits that have been adapted and monetised. The drivers behind cyber crime itself are intensifying, which makes ransomware and other 21st century cyber threats much more difficult foes to fight. Rather than address each and every instance of ransomware, it’s important to look at how cyber criminals are monetising exploits and, perhaps more importantly, why, to effectively stem the tide of attack.
Getting to grips with Cerber
Let’s take the recent Cerber Ransomware as an example. Cerber is an older strain of malware-cum-ransomware. In 2016, it infected 150,000 Windows users. The malware was delivered via exploit kit and, according to a security blog, is estimated to generate $2.3 million a year. If your computer is infected, it encrypts your data files, which are then held to ransom until you pay the price.
Just this month, security company Cybereason claimed to have found a vaccine for Cerber Ransomware – undocumented behaviour of existing strains of Cerber ransomware was discovered through the company’s free anti-ransomware tool. Following the discovery, industry experts questioned whether this specific technique could be used as a vaccine to other ransomware malware. This is where ransomware becomes tricky.
The method explained by Cybereason to try and prevent the malware from encrypting files (i.e. generating a bogus image file with anti-ransomware software) should not be seen as a kill shot for blocking all ransomware. Malware authors are constantly figuring out new ways to better obfuscate, evade and protect the integrity of their malware. There are hundreds of different ransomware strains in the wild, and not all of them function in the same way. The Cerber authors, in this instance, figured out that their malware was being blocked or stopped once the encryption process started. The newest strain that Cybereason has analysed has built-in functionality to prevent anti-ransomware software or tools to halt the process of the malware itself.
The malware will check directories first before allowing the ransomware to encrypt files. In this instance, if it picks up an anti-ransomware (bogus) file, the ransomware will halt operations and the directory will not be encrypted. This is good for the poor victim, as they can place these bogus files in various directories and prevent Cerber from encrypting those directories. However, it’s not a fix for all ransomware variants.
The generalisation of the concept as a strategy for engaging with attackers does bear consideration. Kelly Shortridge captured this idea very succinctly in her recent Black Hat talk entitled “Big Game Theory Hunting.” The principle is that we leverage the fact that we understand the local environment better than attackers, to increase the uncertainty and therefore the cost for an attacker. Cybereason’s suggestion of placing bogus image files is one example of this.
A recently announced Windows 10 feature called “Controlled folder access” promises to further limit the impact of ransomware attacks by restricting write access in key folders to specific applications on a whitelist. This is a promising move toward an even more generalised defence against ransomware. However, there is no all-round technical fix to prevent ransomware from infecting organisations. This particular vaccine might work with Cerber ransomware strains, but might not work with Locky ransomware strains. As such, it’s not advisable to bank solely on the method proposed to prevent ransomware attacks in organisations.
Prevention is better than a cyber cure
As with any physical disease, prevention is always better than a cure. Trying to prevent ransomware from spreading in an organisation’s network, or even being hit in the first place, should be the primary core disciplines that organisations concentrate on. Preventing one link in the whole ransomware infection chain could possibly halt the ransomware in its tracks. There are a variety of well-known mitigations that businesses can and should have in place to drastically limit the effect of a ransomware hit. These include, but are not limited to:
- Patch management: some ransomware can take advantage of unpatched vulnerabilities or bugs in software or operating systems. Software vendors constantly release new versions that fix vulnerabilities either detected by the vendor itself or reported by the community
- Anti-virus: AV doesn’t always pick up the newest strains of malware, so organisations shouldn’t put all their faith in this software to prevent attacks. Instead, it should be used as an additional mitigation technique
- Filtering, detection and endpoint protection: Ransomware samples are constantly picked up by anti-virus products. The more they are circulated, the easier it becomes to detect the sample. Blocking ransomware sample hashes, as well as originating IPs or domains could also greatly reduce the risk of being affected by a ransomware attack. Having at least another layer of security in place like a firewall, SIEM or IPS/IDS that has been configured properly could reduce the risk of being hit
- Egress Filtering: Too many business fail to monitor and control outbound connections from their networks. This is rooted in a fundamental misconception regarding the role of perimeter firewalls, which today primarily need to contain the impact when a desktop is compromised, rather than to block inbound attempts to connect to internal resources.
- Robust backups: Businesses should have a well-defined backup policy in place. Creating backups is one way to protect files from a ransomware attack in cases where all other mitigations fail. The backups should be stored on a machine that is not connected to the local network (air-gapped) to mitigate worming techniques that target backups as well.
A cyber threat to stand the test of time
Ransomware isn’t going anywhere quickly. While there are security tools to help prevent, defend and triage post-attack, the underlying motivations behind this specific type of attack complicate how effective these techniques alone can be. Working with vendors and the wider security industry, businesses need to collaborate on first understanding the wider ransomware ecosystem, who the key players are, and why they are using this specific attack to achieve their aims.
This means fighting the ransomware war on two fronts – at an individual level, by sharing information and protecting from attack on the front lines, and at a societal level, working together as a community to break down the very ecosystem in which cybercriminals thrive. Then, and only then, will we stop talking about ransomware.