Is the evolution of Ransomware an unstoppable force ?

Mark Cutting Analysis, Patching, Planning, Ransomware, Risk, Security, Training 6 Comments

In today’s evolving technology space, the exposure to cyber threat is an everyday occurrence, and unfortunately, the chances of running into one of the many threats at some point has increased from a possibility to a certainty. Ranging from crude and simplistic in their approach to powerful and advanced in their design and payload potential, these threats pose a significant security risk to organisations and individuals alike. Even the most basic phishing, whaling, or social media attack can be successful if presented at the right time to the right user. Whilst the most basic threats can easily be avoided, or quickly remediated in the event of inadvertently clicking a link, there are those that land silently on a system and execute arbitrary code that can deny access to files, and in some cases, an entire system. The malicious software arrives in many forms, and is mostly the result of a drive-by download, or legitimate software taken from a compromised site.

This not-so-new breed of threats is known collectively as ransomware. In general, this threat comes in three fairly distinct modes of deployment, and unless you pay the criminals who planted this software on your machine and encrypted your files, the likelihood of gaining access is virtually zero (in most cases).

In this article, we will look at the humble beginnings of what became the weapon of choice for today’s cyber criminal, and how it morphed into the destructive time bomb that it is today.

Threat origins, types, and variants

Ransomware first appeared in Russia around 2005, and was initially limited to that region. The financial potential of this threat vector quickly attracted the attention of cyber criminals. As a result, the threat gained momentum and began spreading, infecting systems across Europe and North America. In 2012, a popular French confectionery company unwittingly became the “Watering Hole” for this new threat, and with a significant user base in France and Japan, every visit to the website meant that the threat was successfully deployed to thousands of computers spread over a much larger geographical radius.

The threat has three focus areas as such. The first is to identify and encrypt the target files on the infected machine so they are rendered inaccessible. Early incarnations of ransomware targeted specific file types such as DOC, .XLS, .JPG, .ZIP, .PDF, and other commonly used file extensions. The targeted file types were zipped into an archive before overwriting the original files multiple times (mostly with padded zero values to render any file recovery options inoperable), leaving only the password protected archive files in their place. The ransomware also created a text file that effectively became the ransom note – typically informing users that their files could be recovered for a fee of around $420.

threat1

The second ensures the target’s attention by denying access to the entire machine using a modal overlay mechanism that prevents access to anything underneath. The same mechanism is then leveraged to extort money from the target in exchange for releasing the lock on their system.

Locker

The locker threat typically poses as a law enforcement agency and uses extensive social media techniques in order to extract payment. The malware locks the system completely, denying access to the end user. The extraction campaign uses shock tactics in order to extort revenue

systemlock

Crypto

The Crypto threat identifies key files and resources in typical locations and begins the process of systematically encrypting the target files using RSA. Once this process has been completed, the malware produces a pop-up notification informing the user that their files have been encrypted, and a ransom must be paid in order to restore access.

RSA-ransomware

Both of these malware threats are classified as extortion.

Reveton

The Reveton threat variant is an excellent example that uses impersonation techniques to imitate law enforcement agencies, and uses familiar locker techniques to prevent access. Commonly known as “Police Ransomware”, these types of threat display a notification page masquerading as the target’s local law enforcement agency, informing them that they have been discovered participating in illegal activity online.

In order to create a plausible facade, and appear as though the chosen local enforcement agency is applicable to the user’s region, the Reveton threat collects geographical information from the target after it has been successfully installed. Using this technique, a user based in the USA would receive a notification from the FBI while those based in France (for example) would be presented with a notice from the Gendamerie Nationale.

The Reveton threat leverages a newer payment method compared to earlier versions. As soon as a target is infected with the threat, users are requested to pay through a secure channel that offers anonymity to the attacker, and leaves virtually no financial trail of breadcrumbs that could lead back to the perpetrator, ultimately revealing their identity. The most common currency for ransomware threats today is BitCoin.

reveton

Quickly realising the potential of the crypto and locker threat vectors, cyber criminals began combining them as a mechanism to guarantee payment. There had been reports that some of the earlier locker threat based ransomware attacks had been successfully bypassed, disabled, and in some cases, completely eradicated. Out of the ashes in 2013 rose the new combined threat of CryptoLocker. This variant went to the next level in order to ensure it’s effectiveness. Not only did it take control of the entire system as it’s predecessor locker did, but also encrypted key files using the same mechanism as crypto. This meant that if the infected user did manage to remove the locker component of the malware, the encryption of the individual files remained.

CryptoLocker

The mechanism for extracting payment was essentially the same. Oddly, CryptoLocker’s ransom note indicates RSA-2048 as the encryption variant used, but further investigation reveals AES + RSA encryption is in fact being used. This means that a private and public key combination are required in order for decryption to be successful, whereas if the encryption really was AES, it would have used a symmetric key – ultimately meaning the key that locked the files could also be used to decrypt them.

RSA is an asymmetric based key cryptography, meaning it requires two keys. One key is used to encrypt the data (known as the Public Key), with the other used to decrypt it (known as the Private Key). The Private Key would need to be purchased (hence the ransom fee) in order to complete the decryption process. AES uses a symmetric key system – the same key to encrypt and decrypt data. If RSA had not been used, the key to decrypt the data would essentially already be on the system. It’s also important to remember that RSA isn’t really suited for encrypting large amounts of data owing to speed constraints caused by the asymmetric keys, whereas AES is much faster due to the symmetric key. From the cyber criminal perspective, it makes much more sense to encrypt as much data as possible in order to form a ransom request before the user realises what is happening.

What made CryptoLocker different in this case is that the files themselves were encrypted using an AES key, although the AES key was then encrypted with an RSA public key embedded in the malware threat – essentially, a private key was needed to decrypt it.

In 2014, the individual behind CryptoLocker was brought to justice

cryptolocker_fbi

However, despite this, CryptoLocker remains an active threat. Primarily relying on spam email to deliver the threat, it’s execution on a remote system can still be very costly. The current list of known spam emails that harbour this threat are shown below

cryptolocker_emails

The most recent ransomware threats to emerge are WannaCry, and Petya. In actual fact, Petya isn’t new – possibly why this particular attack is also known as “NotPetya”, yet has a similar payload.

WannaCry

wannacry

The first “iteration” of WannaCry was halted when a “kill switch” was found in the original source code by a security researcher. This was enough to stem the flow of the attack against the NHS – however, within hours, a second variant was released with this “kill switch” removed. This strain went on to infect major manufacturing plants in the UK and France, and has also had a major impact to financial institutions across the world. The main focus of this malware infection is money. The first variant relied on an unpatched and undisclosed security flaw within the Microsoft Operating Systems we all use on a daily basis (leaked by the Shadow Brokers via the NSA), whilst the second arrives in the usual form of malicious links and attachments.

Microsoft even released security patches for Operating Systems that are no longer mainstream, such as Windows 2003 and Windows XP in order to counter this threat. There are an estimated 1.3m systems globally that remain exposed in terms of vulnerability against this threat – 200,000 across 150 countries reported so far.

Countries

Petya

The Petya threat overwrites the computer’s Master Boot Record (MBR), which is typically found on the first few sectors of the hard disk. The boot record contains information as to where the installed operating system’s boot loader can be found, which usually leads to the machine being able to start. If the MBR is overwritten maliciously, or completely destroyed, the operating system of the infected machine will no longer start. Petya is also typically delivered through spam emails, but seems to be targeted at business, and the emails directed at Human Resources departments. The email itself typically contains a link to a self extracting archive located on DropBox. If this archive is downloaded and executed, the Petya threat is installed and becomes active.

Petya overwrites the Master Boot Record of the system, and triggers a reboot using a critical error notification known as a “Blue Screen of Death” (or BSoD). Post reboot, the system will launch a fake Windows Check Disk operation, which in most cases is normal after an unexpected shutdown. During this process, the Petya encrypts the Master File Table (MFT), which is the special file that identifies all partitions, files, sizes, and name mapping to an NTFS based system. Petya does not encrypt the entire contents of the disk itself – this process would take an inordinate amount of time to complete on target machines that contained a lot of data (photos etc.). Instead, the now encrypted MFT can no longer be read by the operating system, which in itself would render all files in accessible. It could be possible to recover some of the data using specialist software or forensic techniques if hit by this threat, although you would need to take fragmentation and data spanned across multiple disk sectors into consideration. This would add to the recovery time, and also prove very expensive.

petya

After the MFT encryption process is completed, the replacement Petya MBR will display the ransom message like the one above – usually accompanied by a skull drawn in ASCII characters. The message instructs the treat target to access the cyber criminals’ designated site on the TOR network (note the “.onion” URLs), provides them with a unique code identifying their computer, and prompts them to pay the ransom – usually around $430 USD, or 0.99 BTC (Bitcoins). Once the ransom is paid, the decryption key is provided (well, sometimes..). Petya initially targeted systems in Germany, but as other threat campaigns have shown, this can spread to other regions very quickly. For those hit with Petya, there is some hope. An individual using the twitter name of “LeoStone” announced that he (or she) had found a way to decrypt the threat. As a result, thiswebsite appeared.

Should you pay ?

Now that you know what Locker, Crypto, Reveton, CryptoLocker, WannaCry, and Petya are, and the real threat they all present, should you pay the ransom if you get hit ? My immediate answer is NO. You need to be mindful that this is nothing more than extortion and theft, and if you pay to unlock access to your computer or files once, then you WILL be targeted again. Remember “your personal decryption code” that identifies your system (Petya)? Well, there is a very high chance that this code is added to a sucker’s list somewhere – and those lists are sold onto other cyber criminals via the DarkNet (TOR), who use this as intelligence to target those who have paid before, and will likely pay again. For everyone who pays, this is another incentive for cyber criminals to continue with extortion campaigns.

Below are some simple steps you can take to provide the best level of protection

  • Maintain regular backups for all files and data that you consider to be important. Regular backups are a critical element to rapid data recovery without having to pay a ransom to get your data back. Consider storing the backup data independently and offline – this can also limit the damage that this threat poses.
  • Purchase and install an Anti-Virus product (more applicable to Windows, but can also apply for Linux and MAC), and ensure that this is kept up to date in terms of new threats. New attack vectors emerge on a daily (sometimes hourly) basis, so ensure that your product has access to these updates, and deploys them when available and required.
  • Only open email attachments from those sources that you trust. Note, that email addresses are easily harvested and an attacker may be masquerading as someone in your address book to increase the chance of success. TorrentLocker (another threat variant) is known to harvest at least 2.6m email addresses, which further increases it’s reach and chances of infection elsewhere.
  • Never open attachments unless you can be absolutely sure of their origin.
  • Never attach an unknown USB device to your computer – this action alone can trigger the threat and commence the encryption process without you being aware.
  • CryptoWall (yes, another threat variant) can encrypt files in network shares. Ensure that all remotely connected systems under your control, or those that hold data belonging to you have adequate protection

As you can see from the above, there are many ransomware threats in circulation, but they all have the same common goal. Money. Your money – you know, that what you earned and they didn’t…?

Would you pay ?

About the Author
Mark Cutting

Mark Cutting

Facebook Twitter Google+

Mark Cutting is the founder of Phenomlab.com and Inocul8r.net. He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

6
Leave a Reply

avatar
3 Comment threads
3 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
5 Comment authors
Jessica BillAntonio SandraMark CuttingAntonio SandraMandy Robinson Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Mandy Robinson
Guest
Mandy Robinson

I hate when stuff like this happens, but nope I am not going to pay them. My husband can fix this type of stuff, so I let him have it.

Antonio Sandra
Guest
Antonio Sandra

Nice article anyway. Now i understand the basics of Locker, Crypto, Reveton, CryptoLocker, WannaCry, and Petya and their real threat. You talked about bitcoin being affected by ransomware. Why is it so? Is it that bitcoin is not secured? or the fact that they are injected or not well encrypted? Please, clear this.

Jessica Bill
Guest
Jessica Bill

Ransomware is an unstoppable force that will be so hard to eradicate. Why? the internet is full of attackers. Who knows the reason behind bitcoin segwit issue? Is it an attack? a malware? who knows? My point is ransomware cannot be stopped!