Stay ahead in cybersecurity with insights from the 2024 Cyberseer SOC Threat Findings Report.
Ransomware has become one of the most widespread and damaging threats that businesses or organisations face.
Since CryptoLocker first appeared in 2013, there has been an ever-increasing number of file-encrypting ransomware variants, commonly delivered as attachments to spam e-mail, downloaded from malicious pages via malvertising, or dropped by exploit kits onto vulnerable systems. The current wave of ransomware shares a common goal: to extort money from victims through intimidation.
The rise of ransomware can be attributed to its undeniable success. Variants such as ‘CryptoLocker’ earned an estimated $3m before it was taken down by authorities [1], and ‘CryptoWall’ has been estimated to have accumulated over $325m in payments [2].
The damage of becoming a ransomware victim without effective safeguards and prevention strategies in place is considerable and, at times, potentially life-threatening, as seen recently when a US-based hospital had its computer systems infected [3].
Like others before it, this infection started with a seemingly routine e-mail that contained a malicious attachment; upon execution, all of the hospital's files, including patient data, were encrypted. In the end, the hospital was required to pay the $17,000 ransom in order to regain access [4].
Ransomware uses asymmetric encryption to hold a victim’s information to ransom. Asymmetric (public-private) encryption generates a pair of keys, one used to encrypt a file and the other to decrypt it. The public-private key pair is generated uniquely by the attacker for each victim, with the private key needed to decrypt the files stored on the attacker’s server.
Variants of the malware will look for files with specific extensions to encrypt, including on network shares, even when those shares are not mapped to a local drive. For example, the Locky variant will look for dozens of file types, such as:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg,
.wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes,
.ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv,
.djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif,
.tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd,
.sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd,
.MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3,
.asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam,
.docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx,
.pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks,
.xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc,
.dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx,
.DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT,
.stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
Any data stored in these files will be encrypted and unusable until the ransom is paid.
Over time, ransomware variants have become more sophisticated; the most notable new techniques include:
Use of cryptocurrencies such as Bitcoin to establish an anonymous method of receiving payments;
Use of the Tor network to hide Command and Control channels and reduce the chance of attacker infrastructure being located;
Polymorphic attacks, whereby the malware server morphs the payload often (in some cases every 15 seconds) to generate unique hashes;
Inclusion of credential and password stealers;
Dropping "autorun.inf" on all attached removable drives, giving the malware worm-like capabilities to spread;
Ransomware-as-a-Service (RaaS), which allows anyone to set up a campaign and earn a percentage of the profits.
Common methods to prevent infection include filtering e-mails that contain malicious attachments or enforcing user permissions. While blocking known attacks prevents a high number of infections, it is not possible to block every variant: attackers are always one step ahead.
Given this limitation, it is essential to employ security solutions that are able first to detect ransomware when it lands and second to provide an effective method of defending against its malicious actions.
An effective way to detect a ransomware threat is through the use of anomaly-based threat detection. Such a system will detect ransomware at three important stages:
By flagging such events and observing these types of behaviours it is possible to identify an infection and restrict the amount of damage it can do.
Integration of a reliable endpoint solution can stop a threat from ever being able to execute.
An important first step is to move away from traditional solutions that rely only on whether a file is known to be good or has previously been flagged as bad. Modern solutions no longer rely solely on this approach to detecting ransomware. In addition to known good and known bad, they use an additional “unknown” category for detecting advanced threats that have never been seen before and that bypass traditional tools.
An endpoint solution that runs as a kernel-level driver can monitor all the input and output of applications as they run. If suspicious behaviour is detected it can be blocked, stopping the malicious activity before it does damage.
Another approach is the use of journaling or rollback features. If a file is unknown, it is allowed only limited processing while monitoring and journaling features are activated:
When a known ransomware variant is downloaded, it is automatically quarantined and prevented from executing. When a variant that has not been seen before is executed, its actions are monitored. If the file is later flagged as bad, it is then possible to reverse its effects and return the encrypted files to their previous state.
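As an added illustration of the monitoring, journaling and rollback idea described above (example code, not Cyberseer's or any vendor's product), the following toy Python monitor journals the pre-write contents of every file an "unknown" process touches, flags the process once it rewrites more target-extension files (a subset of the Locky list) than a threshold within a time window, blocks its further writes, and restores the journaled files. The process ID, thresholds and in-memory file system are constructed for the demo.

```python
import os
from collections import defaultdict, deque

TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".key"}  # Locky subset

class JournalingMonitor:
    """Journal pre-write file contents of an 'unknown' process and flag it when
    it rewrites more than max_writes target-extension files inside window seconds."""
    def __init__(self, max_writes=5, window=10.0):
        self.max_writes = max_writes
        self.window = window
        self.journal = defaultdict(dict)   # pid -> {path: original bytes or None}
        self.recent = defaultdict(deque)   # pid -> timestamps of target-ext writes
        self.flagged = set()

    def on_write(self, pid, path, files, new_data, ts):
        # Simulated write hook; `files` is an in-memory file system (dict).
        if pid in self.flagged:
            return "blocked"                # flagged process gets no further I/O
        if path not in self.journal[pid]:
            self.journal[pid][path] = files.get(path)   # None if the file is new
        files[path] = new_data
        if os.path.splitext(path)[1].lower() in TARGET_EXTS:
            q = self.recent[pid]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()                 # drop writes outside the window
            if len(q) > self.max_writes:
                self.flagged.add(pid)
                return "flagged"
        return "allowed"

    def rollback(self, pid, files):
        # Restore every file the process touched to its journaled state.
        restored = 0
        for path, original in self.journal[pid].items():
            if original is None:
                files.pop(path, None)       # file was created by the process
            else:
                files[path] = original
            restored += 1
        return restored

def simulate():
    # Constructed scenario: pid 1234 rewrites eight .docx files, one per second.
    files = {f"doc{i}.docx": f"content{i}".encode() for i in range(8)}
    mon = JournalingMonitor(max_writes=5, window=10.0)
    results = [mon.on_write(1234, f"doc{i}.docx", files, b"ENC", float(i)) for i in range(8)]
    return results, mon.rollback(1234, files), files
```

In the scenario the sixth rewrite trips the threshold, the last two writes never reach the file system, and rollback returns all six journaled files to their original content.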
Ransomware is growing in popularity because it has the ability to be indiscriminate. Any organisation, regardless of size, is a potential target. This is why attackers are spreading malware by any means possible.
Fortunately, Cyberseer’s approach uses a combination of cutting-edge technologies and human expertise to offer a truly intelligent and flexible defence that all organisations now require.
Cyberseer leads endpoint security / EDR service with Microsoft Defender, by enabling organisations to disrupt advanced attacks, deploy the best prevention strategies and shift the power back to security teams.
It shields businesses from infections on endpoints within your network and stops malware from around the globe the moment it is discovered. A cost-effective, cloud-based management solution running behavioural analysis on the endpoint, with unique journaling and rollback features, provides organisations with effective threat mitigation.
Cyberseer’s threat detection and analysis service bridges the gaps in an organisation's cyber defence system. Read more about our detection service and cyber security solutions.
Sources: [1] BBC [2] PR Newswire [3] The Guardian [4] The Tech Times