Understanding Ransomware
Posted on by Christian Hendrix
Setting the scene
Sheila from an IT Helpdesk was trying to go home. Traffic was building up, and a 30-minute trip back home would become an hour’s trip shortly. Just as she’s about to shut down, she receives an email appearing to be from a very important customer, with an attachment claiming to be a screenshot of a problem. Always keen to do her bit for the company, Sheila stays a few minutes late to help. She opens all the files in the attachment, looking for a screenshot that wasn’t there. So she replies to the email and leaves for home. Little does she know it, but her PC’s toast.
So what happened?
What Sheila had unwittingly done was unleash ransomware on her system. By the time she’d battled the traffic and reached home, all the files where encrypted with very strong encryption, making them unreadable to her or to anyone else. The next day, she can’t access any of her files, except one “Help” document on her desktop. The “Help” document reveals what’s happened and claims to be able to get them back for her – if she visits a certain website and pays in around £1,000 in Bitcoins. What we have seen here is unfortunately a very common scenario. Sheila’s the victim of a very popular cyber extortion technique called ransomware. Ransomware is a type of malware that encrypts the contents of a user’s hard drive, preventing users from accessing their files or folders on a system until the ransom is paid. It’s rapidly grown to be one of the most widespread and damaging threats the computer users are facing today.
A global threat
Even though most companies today have extensive security mechanisms in place, such as AV, firewalls, IDS, anti-spam filters (etc), the security company Trend Micro has labelled the recent attacks a Global Threat. Ransomware has invaded Europe and Asia with a vengeance. The hackers have been clever in designing different mechanism to infect to their victims. One of the common scenarios is the one mentioned earlier. Another common infection vector is a malformed MS Word document , which when opened will download and execute a payload from the Internet. The most common variants are:
Reveton
CryptoLocker
CryptoLocker.F and Torrent Locker
CryptoWall
Locky
CTB Locker
How does it work?
Ransomware generally uses Public Key (PKI) Cryptography, which uses an asymmetric encryption methodology for its stealth. This is where a pair of keys Public Key and a Private Key are used.
The ransomware connects to a server run and maintained by the hacker, and downloads a public key unique to the victim’s computer.
It then generates a random key via a symmetric encryption methodology for each file (keeping it only in memory) and encrypts the file with AES.
Lastly, the ransomware encrypts this random key with public key downloaded from the hacker’s server, along with each file. Remember the trick here is that PKI relies on two keys: a pair of public keys and a private key. Hence, you would need the private key to be able to get back your files which is on the hacker’s server. This means the hacker is the only possible source of the unique private key needed to unlock the random keys, that in turn will unlock your files.
Could I hack the hackers?
You might think you could try to brute-force the encryption to reclaim your files. Unfortunately, this isn’t as easy as it sounds, even if you had access to supercomputers. The reason that we use encryption like AES for legitimate reasons is that it’s very hard to crack. So what works for us is also working for the cyber criminals. Believe it or not, it would probably be cheaper (and certainly quicker) to pay up. Losing files completely is a definitely a painful blow, and if like most business you have shared folders and networked drives, the problem can be even worse: it’s not unusual for ransomware to encrypt these too! But you can lose data in lots ways. For example, you could drop your laptop in a river (it happens), a thief could run off with your computer (it happens), or you could leave it on a bus (this definitely happens). In many ways, other, more common malware can be more directly damaging: imagine having your online banking details stolen, or having your identify cloned. Identity theft in particular can be a lot harder to recover from – not least because you have to realise that it’s even happened before you can react.
What can I do?
This is one of those times where prevention is infinitely better than the cure. Here are some of the tips that you can employ to protect yourself from being hit by a ransomware. Some of them might seem simple, even obvious, but a little bit of common sense and secure thinking really does go a long way:
Keep a recent backup copy of all your important files
It’s certainly of no use if you keep the backup on the same machine. Always use different forms of storage like a USB Drive or a portable hard disk. As a best practice, encrypt the backed up data to prevent being infected by the same ransomware when you plug it in. Preferably back up data off-site if your organisation is big enough.
Keep the Anti-Virus software always updated
This implies that you have AV installed in the first place, but I think – or at least I hope – that’s a fair assumption to make. Most of the leading AV providers update their systems with the latest malware signatures and push them as updates on a daily basis. Always make sure you’re up-to-date. For larger organisations, this can extend as far as creating and enforcing AV policies.
Keep your Operating Systems updated
Most (realistically: all) of the major operating systems have security holes. That’s just the way life is. But they’re often patched in the form of updates. Malware LOVES spreading through these unpatched holes, so always get your OS updated. Again, for larger business, this will become a security procedure but a technical process.
Stay safe from dubious attachments
This advice has been around since the 90s, but it’s as important now as it was then: think twice before opening an email attachment. Even if the email looks like it’s from your boss, it might not be your boss who is sending it (instead it might be some pretending to be your boss). Never open any attachments unless you are sure of you expecting something from someone. This ‘email hygiene’ is very basic but very effective.
Train your staff
Something as simple as informing your staff of a few basic infosecurity dos and don’ts can be the difference between you having a business and becomming a crime statistic. Ideally, this should be given by a seasoned security professional and refreshed regularly.
Don’t give user accounts admin privileges
More privileges mean more destruction. This cannot be put in simpler terms. Avoid giving administrator privileges to your system if you are to share with someone else. Make sure that each user gets only the required access and privileges to carry out their day-to-day tasks.
Ransomware is very present and has been victimising people on a large scale. It is a very challenging threat for both users and antimalware companies, boasting impressive capabilities and an unprecedented success rate in extorting money from its victims. Cyber extortion has gained significant notoriety, with ransomware leading from the front. I hope that by following some of the simple tips outlined in this blog, you can stay safe and better protect yourself from ransomware infections. After all, if you don’t have a backup you have two choices: pay up, or start from scratch.
Christian Hendrix
