With a countless number of reported ransomware attacks every month, it seems like the cybersecurity industry is losing its battle with cyber-criminals. Verizon reported that ransomware attacks increased 13% in 2022, a larger increase than the prior five years combined.¹ Human error is the primary reason for ransomware effectiveness, making it even more difficult for businesses to defend against it when their own employees unknowingly fall for common tricks from cyber-criminals. Whether you are a CISO responsible for the cybersecurity of a large enterprise or a small business owner protecting valuable digital assets, this guide will help you understand ransomware at a high level and protect your business from the detrimental impact of a ransomware attack.
What is Ransomware and Why Does It Matter?
Ransomware is a particularly dangerous form of malware due to its ability to strongarm businesses into paying a ransom or otherwise risk losing their data entirely. After a user runs a malicious executable or script on their local machine, ransomware scans network resources and the local storage device for critical productivity files and encrypts them with a cryptographically secure cipher. Usually, ransomware has a very long list of file extensions it encrypts, but here are a few examples:
- Microsoft Office files: .xlsx, .docx, .pptx, and older versions (e.g., .xls, and .doc)
- Images: .gif, .jpg, .png, .svg
- Data: .sql, .db, .mdb
- Video: .mp4, .avi, .wmv, .mov
- Archives: .zip, .rar, .tar
- Email: .eml, .msg, .pst
- Virtual machines: .vmx, .vdi
- Developer source code: .php, .cpp, .java
- Encryption keys: .key, .pfx, .pem
Files are encrypted and stored on the local network, but newer ransomware transfers data to the perpetrator for additional extortion. Should the company decide not to pay, cyber-criminals threaten to publish the stolen data publicly until the ransom is paid. The additional extortion strategy attempts to persuade businesses into paying the ransom even when they have recovery options by damaging their reputation and making sensitive data publicly available.
Ransomware uses cryptographically secure encryption ciphers that cannot be reversed, so decryption cannot be brute forced. In other words, you need the encryption key to decrypt and recover data. On rare occasions, coding errors allow researchers to stop ransomware, but in most cases companies are forced to start disaster recovery or pay the ransom in a desperate attempt to get their files back.²
In addition to standard ransomware, evolution of ransomware has motivated authors to develop Ransomware-as-a-Service (RaaS). With RaaS, people unable to create their own malware can rent the service from cyber-criminals. Payments are made directly to ransomware authors, and buyers use the central service to launch ransomware campaigns of their own and collect payments. RaaS removes technical know-how from the equation and allows anyone to be a “hacker.” The introduction of RaaS makes the threat of ransomware even more dangerous.
After falling victim to ransomware, corporate databases are no longer available, servers are no longer operational causing network crashes, users cannot access critical productivity files, and some companies with no backups are put out of business. Responding and cleaning up after ransomware costs millions in incident response, investigations, containment, productivity loss, revenue loss, brand damage, and litigation. IBM reports that the average cost of a ransomware attack is $4.54 million.³
Anatomy of a Ransomware Attack
The inner workings of ransomware varies based on source code and author goals, but the anatomy of an attack can be summarized in general phases common to most ransomware. Knowing the anatomy of a ransomware attack will help you build strategies to stop it.
The following phases highlight the general strategies behind most ransomware, but know that ransomware authors continue to adapt their code to bypass common cybersecurity defenses and make changes to avoid detection. CryptoLocker was one of the first well-known ransomware threats, and it has been the blueprint for many of today’s variants and new malware creations.⁴ The following phases cover the basic anatomy of a ransomware attack similar to the CryptoLocker attack.
Phase 1: Determine an Attack Vector
Email is the primary attack vector for ransomware criminals. An incredible 86% of ransomware attacks start with a malicious email.⁵ Delivery of the malware could be via an embedded link in email messages, a Microsoft Office document with malicious macros, or an attachment that either runs a malicious executable or uses scripts (e.g., PowerShell or Visual Basic scripts) to download ransomware files. Even with security awareness training, human errors are extremely effective for ransomware attacks, as emails use a spoofed known sender address. In addition to spoofing sender addresses, messages often convey a sense of urgency causing recipients to forget their security training and rush to resolve the issue without pausing to stop and think.
Phase 2: Initial File Download and Installation
After delivery, the user must initiate and activate the ransomware. Scripts and macros will connect to an attacker-controlled server, download the ransomware, and install it on the local machine. A well-crafted script will automatically run the executable, and ransomware files will be distributed on the local network and workstation. This phase is fast so that users are unaware of what is happening and don’t realize that they have been tricked. If ransomware can run as a system process or administrator of the network, it could have more reach to alter server files or deliver executables on privileged network resources. Some ransomware attempts to spread to other machines in a worm-like fashion so that it takes much more effort to contain and eradicate it during incident response.
Phase 3: Encryption of Files
After ransomware activation, encryption of files begins. It is this phase where ransomware performs various strategies to avoid detection and uses methods to stop businesses from recovering data without paying the ransom. Additional extortion was mentioned earlier, but ransomware also takes necessary steps to avoid leaving victims open to recovery using discovery of encryption keys.
In older ransomware, authors hardcoded the symmetric encryption key into the software, which is terribly inefficient. When the malware was reverse engineered, the symmetric key would be discovered and used to then decrypt files for every victim. As we said earlier, ransomware authors adapt their methods to bypass any cybersecurity defenses, so authors developed a way to protect the symmetric key using additional asymmetric encryption.
Asymmetric encryption uses a public key to encrypt data, and a private key to allow only the intended recipient to decrypt data and read it. In a ransomware attack, asymmetric encryption (usually RSA) is used to encrypt data, and the attacker holds the private key to decrypt it. It is this private key that victims need to decrypt the symmetric key to then decrypt data.
Symmetric encryption is necessary for speed, so most ransomware uses the symmetric algorithm AES-256. Asymmetric encryption would take hours to encrypt all business files, but AES-256 and other symmetric encryption algorithms will encrypt files in seconds. However, symmetric encryption uses one key to encrypt and decrypt data, so it must be hidden from discovery on the local machine but made available after the victim pays the ransom. Attackers need asymmetric encryption – usually RSA – to encrypt the symmetric key and hide it from discovery.
The typical strategy for ransomware is to first generate an asymmetric public and private key pair from the attacker-controlled server. The private key is held by the attacker, and the public key is available on the victim machine. The public key for encryption of the symmetric key is then embedded into the malware. When a user triggers the ransomware payload, a symmetric key is generated on the local machine, used to encrypt data, and then deleted from memory but stored on the local machine. The attacker’s public key generated earlier is used to encrypt the symmetric key file, so it cannot be read by anyone except the attacker with his private key. After the victim pays the ransom, the ransomware connects to the attacker-controlled server, and the private key is used to decrypt the symmetric key file so that business files can be decrypted.
Note: Not every ransomware author provides a private key for decryption after payment, and bugs in code can interfere with decryption or encryption of the symmetric key, leaving victim files unrecoverable without backups. Security researchers advise not to pay the ransom, but some companies have no other option.
Proactively Protecting Data from Ransomware
Without a way to decrypt files, the only way to recover from ransomware is with a good disaster recovery plan, mainly using backups. Even with backups, recovery could take days, which is damaging to any business. The better approach is to proactively defend against ransomware and develop recovery plans in the event of a compromise. Here are several preventative steps you can take:
Conduct employee cybersecurity awareness training. The first phase of a ransomware attack is finding methods to trick employees into running malicious software or scripts on their workstations. Although training should not be your only defense, it’s a first line of defense when employees know not to open suspicious files, run macros from email attachments, or click links where they are asked to download files.
Adopt the “least privilege” principle data access model. Although administrator privileges are not always needed in a ransomware attack, most malware will attempt to gain local administrator privileges on the workstation. Credential theft is common in ransomware delivery, allowing attackers to obtain account permission in the business environment. Using the least privilege principle, attackers have limited access to data based on the credentials they stole and used for the compromise. Restricting access to data adds a layer of security if account permissions are a component in the ransomware attack.
Deploy multi-factor authentication (MFA) for your local network. If an employee or contractor falls victim to a phishing attack, stolen credentials would be useless without the secondary authentication factor when MFA is integrated. Users should still change their passwords after being phished, but MFA is a good failover after credential theft.
Test backups regularly. Many organizations create backups of all critical files, and then consider themselves protected. Various bugs and network issues can affect the integrity of backups, which leads to data corruption of numerous backup files. Corrupted backups are useless to your organization, and they can greatly hinder your recovery efforts. Occasionally restore data from backups to ensure that they are undamaged and backup schedules are working properly.
Back up data using the 3-2-1 rule. Another common mistake is backing up data in one location, and then losing access to it when ransomware cuts off access to the backup system. Even worse, some ransomware scans the network for backup files and encrypts them too. The 3-2-1 rule says that you should have three copies of your backups, two stored on separate media, and one copy should be located off-site. Most companies use cloud storage for at least one copy, which covers the off-site rule and often can’t be reached by ransomware scans.
Perform disaster recovery exercises. Recovering from ransomware is stressful for everyone involved. A number of issues can arise, from network resources crashing to users losing access to critical productivity tools. Administrators should practice disaster recovery plans by simulating a network outage or data loss. They should then recover data at a secondary location in the same way that they would recover production data. In many cases, businesses need consultants to guide them through the simulation process and help them make changes to current recovery plans to make them more efficient and effective.
Install email and content filters. Since email is the primary attack vector, it is a high-risk system. Email filters use artificial intelligence to scan text and attachments and quarantine suspicious messages. By stopping malicious messages from reaching inboxes, administrators cut out much of the human error involved in ransomware and email-based attacks. Web content filters use DNS-based blocking to stop user browsers from opening malicious domains, blocking users from downloading potential malware.
Ensure that SMBv1 is not being used. Although Server Message Block version 1 (SMBv1) is outdated and upgraded in newer versions of the Windows operating system, some small businesses still use older Windows XP. SMB is used to share files and printers on a Windows environment, and it has several vulnerabilities that can be leveraged with ransomware. It allows ransomware to propagate similarly to a worm, and it is the primary vulnerability used in the infamous WannaCry attack.⁶ Microsoft has a PowerShell command to let you identify systems using SMBv1, and any system using it should be patched immediately.⁷
Patch software when security updates are available. Having a patch management strategy reduces risk for a large number of threats. Developers release patches prior to vulnerabilities being published to the public when researchers find them. Any vulnerabilities found in the wild or being exploited are also patched. Regularly check for updates on all installed software, hardware, firmware, and operating systems and install security patches as soon as possible.
Scan the environment for vulnerabilities. Vulnerability scanning can be automated using sophisticated tools. These tools will scan every network resource – including custom tools developed in-house – for any vulnerabilities. Many of today’s threats start with a simple scan of your systems, and scanning for vulnerabilities at a regular cadence can proactively identify them so that administrators can patch software before it can be exploited by ransomware.
Perform a risk assessment. Most businesses don’t know where to begin to identify risks and vulnerabilities. Experienced consultants like those here at Access Point can help you assess risk, identify windows of cybersecurity opportunities, and help build a strategy to protect your business assets. In addition to identifying risks, it is just as important to know how to remediate vulnerabilities and build systems to protect from threats. Our consultants will help you identify and manage your risks so that you can proactively avoid ransomware and other impending threats.
What to Do If You Experience a Compromise
If you think you’ve been compromised, the first step is to cut network connectivity for all workstations and servers suspected of being compromised. This step will limit spread of the malware, but it will not entirely eliminate it.
You need to contain the threat and eradicate it from the environment. Scan your backups to identify if they too have been compromised, and if not, they can be used to recover data only after the malware has been eradicated from the environment. Brainstorming with administrators and cybersecurity consultants can improve incident response so that the vulnerability can be identified and remediated. Remediation of the vulnerability is an important step to avoid becoming a victim again. Most cyber-criminals attempt the same exploits after they identify a vulnerable environment.
Cybersecurity experts discourage businesses from paying the ransom, and recovery from backups might not be enough to fully remove ransomware. Experts suggest contacting law enforcement and consultants to help investigate and determine if recovery is possible, particularly if backups are not available.
If you have cyber liability insurance, contact your agent to find out what to do next for coverage. Businesses under compliance regulations must contact affected individuals. Check your local laws to determine how long you have to send notifications to other affected individuals and businesses in your network.
Responding to an incident is much smoother when you have the right team and a well-rehearsed disaster recovery plan in place. It is imperative that you contain the ransomware as quickly as possible, find the vulnerability exploited to remediate it, and eradicate it from the environment. During this process, you must restore files from backups as soon as possible and keep evidence for law enforcement and investigations. For most businesses, this requires experienced analysts to guide you through the process and help build a disaster recovery plan to make the entire process more efficient.
Meet with a subject matter expert today and discuss how you can protect your data from ransomware.
Sources
¹ https://www.verizon.com/about/news/ransomware-threat-rises-verizon-2022-data-breach-investigations-report
² https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack
³ https://www.ibm.com/reports/data-breach
⁴ https://en.wikipedia.org/wiki/CryptoLocker
⁵ https://www.verizon.com/business/resources/reports/dbir/2022/results-and-analysis-intro-to-patterns/
⁶ https://www.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf
⁷ https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server
