By Denan Erasmus, channel manager Palo Alto Networks & Firemon at Westcon-Comstor Southern Africa
Picture this: You receive an email from a person or organisation that you trust. In it, there is a link they ask you to click and you do it. Suddenly, a message pops up on your screen demanding money or you will lose everything on your device. This is the stuff most users’ nightmares are made of, and it’s called ransomware.
Whether you fear ransomware because you don’t completely understand it, or because you realise exactly how powerful it really is, knowing what it is, how it works and how to prevent – or recover from – a ransomware attack is vital. You have to understand the ransomware beast, if you are going to have a hope of taming it, and by taming it I mean learning how to handle it.
What it is and where it started
A recent research paper from Unit 42, the Palo Alto Networks threat intelligence team entitled “Ransomware: Unlocking the Criminal Business Model” unravels ransomware in a way that perfectly summarises why you should be wary of it, but also understand that with the right protection and recovery processes in place, paying a ransom will be a last resort.
So what is it really? Ransomware is malware that cybercriminals use in a specific model like spear phishing, to generate profit and hold digital assets hostage through encryption technologies, or other methods. In a few years it has gone from being a niche attack to becoming a widespread threat and one of the greatest cyber-threats facing businesses and organisations around the world.
Ransomware and the cybercriminals behind it aren’t picky about their victims, which according to Unit 42, makes this one of few cybercriminal business models where the same type of attack could affect “a Fortune 500 company, a local restaurant down the street, and your grandmother”.
Though ransomware has itself existed for decades, starting way back in 1989 with Dr. Joseph Popp and his AIDS Trojan, it was only in the last three years that cybercriminals managed to perfect the key components of these attacks. What this has led to is an explosion of new malware families that have increased the technique’s effectiveness and lured new malicious actors into launching these lucrative schemes.
There are massive financial implications when it comes to ransomware, with several high-profile infections having already lead to millions of dollars in ransom being paid to attackers. According to Unit 42, ransomware attacks have up until now primarily affected Windows-based systems but have begun to target other devices, like the Mac OS X operating system.
Bitcoin, a type of cryptocurrency, has been leveraged as a payment mechanism in successful ransomware attacks and as Bitcoin has no central authority against which law enforcement can take action, it will continue to fuel ransomware’s success.
How it works
To complete a successful ransomware attack, Unit 42 says that a cybercriminal must be able to:
- Take control of a system of device. It could be a single device, computer or system capable of running software. Most ransomware attacks start with social engineering that tricks users into opening a malicious attachment or clicking on a malicious link. This opens the door for attackers to install malware onto a system and take control.
- Prevent the owner from accessing it. This can be achieved through encryption, lockout screens or simple scare tactics.
- Alert the owner that the device is being held ransom, as well as indicate the payment amount and method. While this may seem obvious, it often happens that the victim and the attacker speak different languages, live in different parts of the world and have vastly different technical capabilities.
- Accept payment from the victim. If the cyber-attacker cannot get paid or more importantly get paid without getting caught by law enforcement, then the first three steps were a waste.
- Return full access to the owner of the device after payment has been received. While accepting payments and refusing to return access to devices can yield multiple payments, this will be short lived and destroy the effectiveness of the scheme. No person in their right mind will pay a ransom if they don’t believe their data or assets will be returned.
Preparation, prevention and response
The first thing Unit 42 recommends you do in preparation of possible ransomware attacks is backup all data, so that it can be easily recovered following a successful ransomware attack. Next, re-assess network share access control and ensure that it’s limited to the smallest number of users and systems possible.
Preventing ransomware from achieving success involves the beefing up of security. That includes network- and endpoint-based security because where one may leave holes, the other closes them. Ransomware often comes in the form of an email containing a Windows executable and these types of files can be identified and blocked by a next-generation firewall.
Unknown malware-detection will require signature-based detection systems. While network-based security devices are sometimes blind to attacks, endpoint-based controls can stop the execution of malicious files before they start. And lastly, trust your common sense, if something looks suspicious don’t click on it until you’ve gotten the go-ahead from IT or a professional.
The first step in responding to a ransomware attack is understanding the threat. Unit 42 reports that there have been cases where security vendors have managed to decrypt files without paying the ransom. It is also possible to identify some ransomware using clues like a ransom note left on your system using malware analysis or intelligence systems. Your last resort to dealing with a ransomware attack of any kind should be paying the ransom.
The future of ransomware
One thing is certain about the future of ransomware; it’s not going anywhere and in fact is only set to grow. You can expect to see more platforms and higher ransoms, especially following the high-profile ransomware attacks against hospitals this year that have resulted in the paying of a total ransom sum of well over $10 000.
Another treat the future of ransomware holds is targeted ransomware attacks. This type of attack, which has already seen success utilising SamSa malware, assists cybercriminals in getting inside a network, identifying high-value files, databases, and backup systems and then encrypting the data all at once.
I hope for your sake that you never have to experience the ransomware beast, but if you do, I’ll assume that you’ve heeded this warning and will understand how to prevent, protect against and recover from it. You may not be able to completely tame this beast, but you can definitely stand up to fight it.