Ransomware 101 - Key Ways To Combat Malware - Splunk

WHITE PAPER

Ransomware 101
Key ways to combat ransomware

Ransomware is a growing problem for organizations of every size, with the number of attacks and the money spent to clean up the damage on the rise. Ransomware now regularly steals the headlines, and gone are the days when it was just a minor corporate issue.

So, what exactly is ransomware? It is a type of malware that holds network data “hostage.” Ransomware attacks typically target vulnerabilities on endpoints, preying on organizations that may not be fully up to date in their “security hygiene.” This translates into basic security practices, such as patching, antivirus and logging critical data, which are especially important in today’s world of cybersecurity, where it can be difficult to stay ahead of adversaries. Although security hygiene can be time-consuming and difficult to maintain, it’s these fundamentals that are the most important focus areas for enterprise organizations.

The Landscape – Who Are the Players?

Multiple variants of ransomware continue to appear on the threat landscape. Here is a look at the ransomware landscape from 2017 to 2019.

The Evolution of Ransomware

The sheer volume and variety of ransomware attacks have increased since 2014, with improved encryption capabilities and the growing adoption of cryptocurrency driving cybercriminals. But the origins of ransomware attacks trace back to the 1980s, when malicious actors used floppy disks to install malware on unsuspecting victims.

Since that time, ransomware attacks have only grown in sophistication and ease of delivery, thanks in part to the internet. Europol, the European Union-backed organization that fights major crimes and terrorism, recently declared ransomware the second most dangerous online threat to consumers and organizations. The crime-fighting organization also said ransomware attacks show no signs of slowing down.

Europol’s warning was highlighted in May 2017, when one of the worst ransomware attacks seen to date struck globally. The WannaCry attack disabled corporate computing systems worldwide, becoming what was likely the largest and possibly most damaging Windows-based ransomware attack seen.

Also, threats don’t just go away when a particular attack is out of the news cycle. Legacy ransomware attacks such as Locky and Spora have re-emerged as high-profile threats even after long periods of relatively few mentions.

[Figure: ransomware timeline, 2017 to 2019, listing NotPetya (lock and toss key), SamSam, GandCrab, Ryuk and one further variant whose name is truncated to “ocker” in the source.]

Notable Ransomware

SamSam

SamSam either used vulnerabilities in Remote Desktop Protocol (RDP), Java-based web servers or File Transfer Protocol (FTP) servers, or employed brute-force efforts against weak passwords to obtain an initial foothold and gain access to the victims’ network. Turning an understanding of corporate pricing behaviors to their advantage, the SamSam hackers seemingly perfected their pay model to achieve results, setting ransoms at amounts that many organizations could quickly decide to pay.

GandCrab

Distributed as ransomware-as-a-service (RaaS) by a Russian crime group through a profit-sharing affiliate partner program, GandCrab is considered the most popular multi-million dollar ransomware of 2018. One of the few widely deployed ransomware variants, it dominated the market. Multiple infiltration vectors included exploit kits, stolen credentials, phishing emails and compromised websites. GandCrab also relied heavily on MS Office macros, VBScript and PowerShell to avoid detection.

Ryuk

Ryuk debuted in August 2018 and is specifically and exclusively used in targeted, tailored attacks on big enterprises that can pay a lot to recover their files. Covering its tracks, it deletes all files the dropper used to deploy the malware, making it difficult to determine the exact cause of infection. It is also able to identify and encrypt network drives and resources while deleting Shadow copies on the endpoint. Additionally, it disables the Windows System Restore option, making it impossible to restore encrypted files without a backup.

Filling Out the Ranks

- WannaCry occasionally still infects targets, but remains one of the biggest, if not the biggest, coordinated ransomware attacks.
- LockerGoga arrives via compromised credentials. It modifies the passwords of infected systems’ user accounts and prevents the infected systems from being rebooted.
- RobbinHood arrives via insecure remote desktops or Trojans and encrypts each file with a unique key.
- MegaCortex is purpose-built to target corporate networks. Once attackers penetrate the network, they roll out the ransomware to all servers and workstations using the organization’s own Windows domain controllers.
- MedusaLocker makes sure mapped network drives are accessible, erases Shadow Volume copies, removes backups and disables Windows Automatic Startup Repair. Following encryption, it sleeps before scanning for more files to encrypt. Further, it creates scheduled tasks that relaunch the program every half hour.

Infection Vectors

Although ransomware has been around for some time, creators are getting more sophisticated in how they infect systems, avoid detection and foil decryption efforts.

Email. Email is a popular cyber weapon because it can exploit social engineering, creating a sense of urgency and legitimacy to get the recipient to perform various actions. It’s not surprising that it continues to be the most common vector for attack, with attachments disguised as innocuous files or links to a software download. Once clicked, it leads to the ransomware infection.

Drive-by download. The ransomware infection is caused by visiting a compromised website, usually with an old browser, software plug-in or unpatched third-party application. The infected website runs an exploit kit that looks for unpatched vulnerabilities.

Remote Desktop Protocol (RDP). Internet-exposed RDP sessions are a common means of infecting computers. Ideally, such sessions are used to remotely log in to Windows computers and allow the user to securely control the computer. Unfortunately, hackers have become skilled at brute-force attacking these exposed computers. In compromising RDP, hackers use both brute-force methods and credentials purchased on Dark Web marketplaces.

Free software. Despite the promises, free software comes with a hefty price. The deliverable comes in many forms and preys on the human desire for something free to get past firewall filters. Downloads of files from infected websites and torrent sites include cracked versions of games, music, free software, game mods, adult content and screensavers.

Common Targets

In 2018, enterprises accounted for 81% of ransomware infections as the shift from consumer to business targets accelerated. The chief infiltration vector was email campaigns (Symantec ISTR19). There was also a pivot to targeted attacks and big game hunting, where attackers break in, survey a network, move laterally and delete backups before encryption.

In 2019, cybercriminals increasingly targeted government agencies, municipalities, schools, hospitals and healthcare providers, either directly or through managed service providers (MSPs). Ransomware operators furthered their strong-arm schemes by compromising mission-critical systems, intimidating organizations and demanding hefty payments. Not paying the ransom often means replacing equipment and starting over, leaving leadership faced with difficult business decisions. Targeted organizations often believe that paying the ransom is the most cost-effective way to get their data back. This may be the reality, but it directly funds the development of the next generation of ransomware.

Notable Attacks on U.S. Cities

Location | Date | Ransomware Variant | Ransom Amount | Total Estimated Cost
City of New Bedford, Massachusetts | September 2019 | Ryuk | 5,300,000 USD | Offered 400,000 USD / recovered own files
City of Baltimore | May 2019 | RobbinHood | 100,000 USD | 18,200,000 USD
Lake City, Florida | June 2019 | Ryuk | 460,000 USD | 460,000 USD (insured/negotiated)
Multiple municipalities in Texas | August 2019 | Sodinokibi (REvil) | 2,500,000 USD total | Ransom was not paid / total cost unknown
City of Atlanta | March 2018 | SamSam | 50,000 USD | 17,000,000 USD
Town of Riviera Beach, Florida | May 2019 | Ryuk | 800,000 USD | 625,000 USD (insured/negotiated)

Ransomware as a Business

Ransomware is marketed openly on the Dark Web. More than 230,000 new sites and over 350,000 new malware programs and potentially unwanted applications are produced every day, and this is predicted to only keep growing.

For example, GandCrab was offered as ransomware-as-a-service. Marketed as an affiliate model, the developers provided technology to enterprising criminals (a.k.a. affiliates), and ransoms were split between the affiliate and the GandCrab crew at a 60/40 split, or 70/30 for top affiliates.

Additionally, GandCrab was responsive to security researchers. In their ads on the Dark Web, the developers often included references to reports about the ransomware and how they adapted the malware in response.

Escalations like these in RaaS and open-source malware kits in the first half of 2019 made it easy for criminals with very basic coding skills to grab their preferred variant, customize it and launch attacks.

Advertising is also involved. RaaS developers run ads on the Dark Web and sell their technology as a kit, eliminating many of the risks and hard work of distribution while still allowing them to collect a cut of the proceeds.

Enablers and the Rise of Ransomware Attacks

Cyber insurance

Risk management specialists are concerned that cyber insurance companies are increasing the rate of ransomware attacks in both the private and public sectors. While law enforcement warns that organizations should never pay ransom demands, there is increasing evidence that the system of cyber insurance is exacerbating the problem, enabling criminal activity and emboldening ransomware crime groups. Insurance companies are incentivized to pay the ransom, and are nudging organizations to meet the ransom demands because it is less expensive, faster and easier to pay the ransom than to cover the cost of rebooting an organization from the ground up.

Because hackers are aware of this mindset, they target firms that have cyber insurance and conduct reconnaissance to determine the size of the policy and how likely it is that the organization will pay, setting the ransom slightly below the cost. While insurance firms provide negotiation services and support recovery from a ransomware attack, the bottom line is that firms with cyber insurance are more prone than others to pay the ransom.

Cryptocurrency

Payment methods were limited in the early days of ransomware. The odd hacker could deliver a message to send money via Western Union or to a bank account, but the transfer was traceable once the authorities became involved. Then came Bitcoin.

Bitcoin offers a secure and untraceable method of making and receiving payments. It is more flexible than traditional payment methods, which require specific financial or login details to use. By operating as a decentralized currency, in which people anywhere in the world pay each other without a middleman, oversight or regulation, it provides an acceptable level of anonymity.

While Bitcoin is the best-known cryptocurrency, industry analysts are taking note of Monero, which is being heavily used on Dark Web marketplaces and is becoming a new payment method of choice for ransomware demands because of its privacy features. The potential for cryptocurrency to enable ever bigger cybercrime is hard to assess, but extortion attempts are now skyrocketing.

Ransomware Trends

Ransomware creators are getting more sophisticated in how they infect systems, avoid detection and foil decryption efforts. Ransomware trends include:

Blended campaigns. Nation-state threat actors are blending cryptocurrency mining and ransomware campaigns to generate revenue and/or distract from other threat campaigns.

Big game hunting. Spray-and-pray methods are being replaced by big game hunting, where one big target, such as a hospital or large corporation, gets hit for a big payout. Ransomware is being custom-built for a target to cause the most damage and demand higher ransoms.

Intelligence gathering. Ransomware crime groups gather intelligence on intended victims. In addition to penetrating the network and performing reconnaissance, threat actors study SEC filings for an organization’s financial position and use the information to scale ransom demands.

Increased stealthiness. Strategies to get below the level of detection include:
- Slowing down the encryption process by spreading it out over a longer period of time
- Randomizing the process instead of encrypting in a linear fashion
- Delaying the attack by laying Easter eggs that lie dormant for a period of time before activating
- Using polymorphic code that changes
- Deploying multi-threaded attacks that launch child processes

Increased impact. Strategies to both increase the impact and thwart recovery include:
- Encrypting the hard drive and master boot record
- Attacking shared network drives
- Attacking files stored in Infrastructure-as-a-Service
- Deleting Windows Shadow copies and any files with backup extensions
- Targeting high-value assets like web servers, application servers and collaboration tools

Attacks on managed service providers (MSPs). Managed service providers are a growing target for ransomware attackers. An attack on an MSP has the potential to devastate virtually any business. By exploiting the vulnerable security systems typically seen in resource-constrained service providers that manage multiple businesses and municipalities, attackers can get economies of scale and exert pressure for payment.

Attacks on cloud service providers. Ransomware writers are now targeting cloud service providers with network file encryption attacks as a way to hold hostage the maximum number of customers possible. The fallout from ransomware attacks against cloud service providers is devastating because the business systems of every cloud-hosted customer are encrypted.

Wiperware. Ransomware is being used as a foil to cover up serious incidents such as data breaches. Although the attack looks like regular ransomware, typically delivered through phishing emails, the goal is to distract the organization from other security events happening on the network and delete breadcrumbs of the ancillary attack. The attacker hopes that the organization is so relieved to have recovered from the ransomware that it doesn’t investigate further.

Oldies but goodies. Ransomware continues to exploit older vulnerabilities and those with lower severity scores. Research has found that vulnerabilities as far back as 2010 are still trending. Organizations that use CVSS scores as the exclusive way to prioritize vulnerabilities for patching will likely miss vulnerabilities being used by ransomware. (RiskSense Enterprise Ransomware Spotlight Report, September 2019)

Leaked data. Ransomware attacks have taken an unwelcome turn as ransomware attackers have started to leak the victim’s files as a way to exert additional pressure to pay the ransom. With such an escalated attack, victims now need to be concerned both about recovering their encrypted files and about what would happen if their stolen unencrypted files were leaked to the public.

Impact on Business

Ransomware drains billions from the global economy and shows no signs of slowing down. Beyond the ransom itself, the greatest cost is the financial damage that consists of downtime, lost data, tarnished reputations, system rebuild and recovery costs, and regulatory fines. Sadly, the effects on businesses continue to mount:
- Ransoms in excess of 50,000 to 400,000 USD are no longer uncommon. Depending on the target, ransom demands have reached into the millions.
- Global ransomware damage is predicted to reach 11.5 billion USD by year-end 2019 and 20 billion USD by 2021. (Cybersecurity Ventures Ransomware Damage Report)

Data (and Splunk) Is the Answer to the Problem

Fortunately, while organizations should be wary of ransomware threats, they don’t have to be scared of them. This type of malware can often be prevented. For instance, keeping track of suspicious network traffic with endpoint detection-and-response systems that block a hash and prevent new processes from spawning from nefarious executables, or detecting any domains associated with known ransomware, are two options. Automating security responses according to well-known ransomware variants and behaviors is another route.

Additionally, there are methods that can be developed for specific ransomware variants, especially with the Splunk Security Suite. In the case of SamSam, searches that detect and investigate unusual activities that might relate to the SamSam ransomware can be leveraged, including looking for file writes associated with SamSam, RDP brute-force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.

More specifically, Splunk can look for file modifications across your hosts, as well as for evidence of batch files being written to paths that include "system32." This activity would be consistent with some SamSam attacks and is, in general, suspicious.

This can all be done by ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, a Splunk Universal Forwarder on each endpoint can be used to collect the data.

But what do you do if you’re too late in catching the ransomware attack?

Management and executive boards must consider in what circumstances they would or would not pay a ransom, and then set processes for decision making and launching an investigation. A policy and communications strategy guided by legal and business factors will reduce stress and allow for an informed response.
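As an added illustration of the file-system detections described above (this is example code, not Splunk's own searches or software): the Python below runs two of those checks over constructed Sysmon FileCreate (Event ID 11) records, flagging batch files written under system32 and any process that creates an unusual number of files within a short window. Host names, process images, paths, the ".locked" extension and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 11 (FileCreate) records, shaped like the JSON a
# Universal Forwarder ships; hostnames, images, paths and times are invented.
def _ev(host, image, target, ts):
    return {"EventID": 11, "Computer": host, "Image": image, "TargetFilename": target,
            "UtcTime": ts.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]}

T0 = datetime(2019, 9, 5, 2, 0, 0)
SAMPLE_EVENTS = [
    # The paper's SamSam indicator: a batch file written under system32.
    _ev("ws01", "C:\\Windows\\System32\\cmd.exe",
        "C:\\Windows\\System32\\del.bat", T0),
    # Benign: a batch file in a user's temp folder, not under system32.
    _ev("ws01", "C:\\Windows\\explorer.exe",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.bat",
        T0 + timedelta(seconds=5)),
]
# Normal editing on ws03: five documents over two minutes.
SAMPLE_EVENTS += [_ev("ws03", "C:\\Program Files\\Office\\WINWORD.EXE",
                      f"C:\\Users\\bob\\Documents\\report{i}.docx",
                      T0 + timedelta(seconds=30 * i)) for i in range(5)]
# Encryption-like burst on ws02: one process in a temp folder creates 80 files
# in 20 seconds (".locked" is a constructed extension, not a real variant's).
SAMPLE_EVENTS += [_ev("ws02", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
                      f"C:\\Users\\alice\\Documents\\file{i}.docx.locked",
                      T0 + timedelta(milliseconds=250 * i)) for i in range(80)]

def batch_writes_under_system32(events):
    """Return (host, path) for every .bat file created in a path containing system32."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        path = ev["TargetFilename"].lower()
        if "system32" in path and path.endswith(".bat"):
            hits.append((ev["Computer"], ev["TargetFilename"]))
    return hits

def file_write_bursts(events, threshold=50, window_s=60):
    """Map host -> image for processes creating >= threshold files in a sliding window."""
    times_by_proc = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        times_by_proc[(ev["Computer"], ev["Image"])].append(t)
    flagged = {}
    for (host, image), times in times_by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1  # shrink the window until it spans at most window_s
            if end - start + 1 >= threshold:
                flagged[host] = image
                break
    return flagged
```

In a Splunk deployment the same logic maps onto a search over the Endpoint file-system data model; tune the threshold and window against the baseline file activity on your own hosts before alerting on it.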

Here are additional tips from experts on how to prepare for and defend against ransomware attacks:
- Understand what techniques are being used. Emotet and Trickbot infections can signal the coming of Ryuk, typically starting about one to two weeks before the delivery of the ransomware. Perform a full compromise assessment at any sign of intrusion.
- Recognizing that threat actors are attacking the cloud, ensure you have full visibility over cloud services.
- Keep all software up to date, including operating systems and applications, and keep clear inventories of all digital assets and their locations.
- Identify valuable data and segment the network. Avoid putting all data on one file share accessible by everyone in the organization.
- Perform daily backups, including data on employee devices. Consider online, local and secure offsite locations.
- Perform penetration testing to find and patch vulnerabilities, ensure Remote Desktop Protocol ports can’t be accessed with default credentials, and maintain good security hygiene.
- Train staff on security practices, emphasizing the importance of not opening attachments or links from unknown sources.
- Endpoint security software will block many attempts at infection through email, but securing the endpoint is no longer sufficient. Employ a multi-layered threat defense solution.
- Create an isolation plan to remove infected systems from the network.
- In mitigating an attack, perform research to see if similar malware has been investigated by other IT teams and if it is possible to decrypt the data on your own.

To learn more about how you can prevent or deal with ransomware attacks, read the Splunk blog.

Try the Splunk Online Demo Experience—Endpoint, where you can use sample data to safely practice security investigation techniques. Also try the Online Demo for Splunk Security Essentials to get started addressing different malware use cases and understand how to build a strong security portfolio.

Learn more: www.splunk.com/asksales

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.
