Before you go all torches and pitchforks on me, hear me out.
I hated writing this article. Truly. My industry is, at its core, a service industry. Overwhelmingly I meet people who go into IT service, support and cybersecurity that have a real desire to help others.
All too often, we get calls from clients, customers, friends and family panicking because they cannot open a critical document or are in tears that their most treasured memories have been taken away from them and they now have to pay some criminal somewhere to get them back.
Nothing angers, and terrifies, a person more than being separated from something that is integral to who they are. If I had it my way my job wouldn’t even exist because the world would finally be rid of the people that would do this to another human being for profit. It’s tantamount to cyber-terrorism on a very personal level. If I never saw another virus infection of any kind, I would be beyond thrilled.
So, why would I title this article as such? It’s simple, really. Ransomware makes my job easier by enumerating the many flaws in computer security. It is done so effectively that those I am fortunate enough to help with these issues quickly understand why the conventional wisdom regarding data protection is flawed.
We are witnessing a Viking funeral of sorts in the IT industry and sadly, the boat is taking way too long to burn down. Who or what is on the boat, you ask? Every software-based anti-virus scanner people install on their computers. Time and again these virus scanners (basically insert your favorite anti-virus software company here) are so ineffective that article after article has been written about how horrible these scanners really are.
However, this article is not about anti-virus scanners, though they contribute to the problem by giving people a false sense of security. This article is about Crypto Ransomware, how it can easily evade a virus scanner, and the most effective methods to prevent its infection or spread.
As a primer to this article, I highly suggest you read Victoria Shaw’s excellent article on ransomware to understand what it is, as well as some of the basic techniques any user can do to help protect themselves from it.
My article is more geared towards toward business, enterprise and education, and covers Crypto Ransomware (just “ransomware” from now on) delivery systems. So strap yourselves in, people. We’re going full out nerd technical on this one.
Ransomware can be delivered in a few different ways, though the most common infections come from hijacked websites and email. These files often bypass virus scanners because the actual coding of the infection is encrypted itself, so the scanners cannot open them up to look at the code.
There is a plethora of FUD (Fully UnDetectable) tools and delivery systems available on the Dark Web for sale that a malware developer can purchase to wrap their code in. A recent example is a FUD known as Cryptex Reborn, which was being very widely used to protect malware from scanners. Available for $90, it is one of the easiest ways to pass files through a security system.
Last year, two malware developers were arrested for selling the software and running a website that was a resource for malware developers. It is not technically illegal to own FUD tools. I actually own a few so I can keep up with the latest threats out there. I also use them as delivery systems to ethically hack my clients to test their defenses. What is illegal is using FUD tools to hold people’s data hostage for money.
Now that the ransomware is wrapped in encryption and can bypass software-based virus scanners, it’s time to go to work. The ransomware, typically downloaded via a user clicking a bad link or opening up an infected email, will decrypt and unpack the files into the computer for installation. This is the trickiest part of the infection for malware developers to handle.
At this point, there is malicious code in the computer, however, it’s not yet performed a function call to begin its installation. An up-to-date virus scanner may scan these currently dormant files, detect malicious code and kill the files. It is for this reason that the developers of ransomware are constantly changing the coding in their files, sometimes multiple times a day.
For example, the Angler exploit kit evaded detection for quite some time until it had infected about 90,000 websites worldwide. This is the inherent flaw in anti-virus scanners. Their parent company needs to identify the threat, then analyze the threat to understand what exactly it does, then write an inoculation for the code. After that, they make this inoculation available for its virus scanners, then your computer has to download it and update it. This can take a good deal of time and most people don’t update their scanners immediately.
Often it can take days, at which time the ransomware code has changed a hundred times and the anti-virus scanner company has fallen behind since it’s still going through a variant from 50 code changes ago. It is for this reason alone that I never ever recommend a virus scanner as a primary line of defense for anything and the only reason why I love ransomware. The flaw is so obvious it hurts, but I digress.
So, we have our unencrypted, recently changed ransomware code files that cannot be detected from the out-of-date anti-virus scanner. The ransomware now installs itself and immediately phones home via the internet to retrieve an RSA encryption key as well as the images for the ransom note. This connection is usually to an IP address or addresses that have been hijacked by the developers.
In some cases, such as the Locky ransomware strain, it will also use a Domain Generation Algorithm (DGA) to ensure that even if the IPs originally listed in the code are compromised by law enforcement, it will phone home to a new location. DGA generates domain names that match the developer’s DGA creation on his or her end, thus ensuring the ransomware can phone home until both ends are compromised.
The infection now has an RSA encryption key and unfettered access to the computer, so it goes to work. Depending on which ransomware has been installed, the infection will attack, encrypt or spread in different ways. For example, CryptoLocker has a built-in whitelist, so it’s looking for specific files such as Office documents, PDFs, pictures, videos and other personal file types, as well as any mapped drives it can find.
CryptoWall will infect everything CryptoLocker does, plus it will also change file names and also sideload other malware to try and steal the user’s passwords and Bitcoin wallets. And on and on. Until recently, most strains of ransomware stayed away from backup sets and images.
Ransomware developers realized this mistake on their part and have now changed the code so even backups are at risk of being encrypted and locked out. Even newer versions are now looking for UNC paths. This means any computer or server on a network that is broadcasting any kind of folder for sharing even if the infected computer is not connected to it directly can potentially be encrypted and infected.
These last two have essentially replaced the digital white whale in most IT support personnel’s nightmares. Basically, the infection can spread to computers and servers that many non-cybersecurity-centric IT technicians have traditionally considered “safe.”
At this point, the computer is infected and the user has no access to their personal documents or server shares. The ransomware will then display an image saying that they’ve been infected and to get the data back they will need to pay a ransom.
Most ransomware payments are made in Bitcoin or another cryptocurrency because this currency is essentially untraceable once transferred to the developer and can be converted to their local currency if need be. There is always a timer on these kinds of infections because the developers have to use rotating encryption keys and codes in an effort to avoid being caught by the international law enforcement who hunt these people 24/7.
If the user has no backups and want their stuff back, payment must be made. However, there may be some good news on this front for some. If they’re infected with an older ransomware variant the decryption protocols may be online for them to use! A recent example is that the developer of TeslaCrypt, a newer ransomware targeting gamers, “retired” and released his public decryption keys online so infected people could unlock their computers for free. Sometimes checking online will reveal a white hat hacker who has found a way to crack the encryption algorithms and has released a tool to help.
So, how do we defend an infection that can bypass virus scanners, encrypt backups and change its code daily to evade security? The easy answer is: don’t download it! The long answer is…a bit longer. The best approach is a layered security approach and it all starts with the first and best line of defense: firewalls.
Firewalls are the most critical piece in the cybersecurity arsenal and also in threat mitigation. Not all firewalls are built the same. The better firewalls have integrated Unified Threat Management (UTM) with an anti-viral inoculation cycle known as Zero Day.
In a Zero Day firewall, an unknown threat to one of the firewalls will trigger it to stop the suspect traffic and forward it to the firewall maker’s virus sandboxing cloud service. This sandboxing will let the suspect traffic do its thing, usually letting the infection download, install and run itself.
This way the firewall company can analyze its characteristics and develop an inoculation, plus create variants of the code based on behavior so new code changes may also be covered, and then push this out to every firewall that is subscribed to this service worldwide.
To be considered a Zero Day firewall, this entire turnaround time should take no more than 24 hours from detection to anti-viral inoculation. Not all Zero Day firewalls are built the same or as effective at filtering out bad traffic. There are definitely leaders in this field who have more aggressive detections and without naming names (you can check the citation link here if you’re interested) one firewall company even has a turnaround time for Zero Day in as little as 5 minutes.
These firewalls stop and kill the infections at the edge of the network so between the effectiveness of the turnaround time and stopping the infections at the front door, this makes the firewall incredibly critical and vastly superior to a local computer-based virus scanner, which can’t update as fast and will only detect the infection once it’s in the system.
The best firewalls will have everything listed above and also have options like Application Whitelisting, which only allows the approved traffic of specific applications. Traffic is still scanned for threats, just in case a good application is compromised, and allowed through to the users.
Following the firewall is a good DNS-based web filter. Basically, many infections can be avoided if the user simply cannot go to the website that has the infection in it. There are many DNS web filters available, and Zero Day firewalls will also do this kind of filtering as well. If web-based is needed, the biggest player in this space is OpenDNS, now owned by Cisco. Anyone can use their product for free, though businesses will want the analytics their licensed software will bring.
A cloud-based spam filter for email is also a must since email is still a major delivery system for ransomware. Cloud-based spam filters are able to turn around Zero Day inoculations better than on-premises spam filters, unless the spam filtering is part of a good Zero Day firewall. It also has the added benefit of improving internet bandwidth performance in that the only email a company will see come into their on-premises email server is legitimate email. Let the cloud take all the bad traffic that is spam and give the internet connection a rest!
With all of these safeguards in place, we can vastly mitigate an infection that will cost time, money, reputation and even heartbreak. The final major aspect needed for security is the human element. Educating users on good web surfing habits, replicating backups to off-site locations not directly accessible by the network, and creating network policies that are unobtrusive, but keep employees in line with the company’s needs go a very long way to making choices that will help keep everyone safe.
One of the best things I can hear from a client, and I may have written this before, is “We haven’t had any problems in a long time. Why on earth do we even need all this equipment and all of these policies?” It always puts a smile on my face when I lead that horse to the virtual water on this one.
So, yes…I love ransomware and now you know why. It really is helping us make the world a safer place in its own disastrous way.
Check out this Ransomware Infographic:
Post Author : Nick Espinosa, CIO & Chief Security Fanatic, BSSi2 LLC
This post was initially posted here & has been reproduced with permission.