TR-57 - Ransomware - Effects and precautions

Introduction

Ransomware, in this context specifically Cryptoransomware, is a term for a malware type that blocks access to data on resources of the victim unless a ransom is paid. Cryptoransomware is not a new phenomena. The first Cryptoransomware was released in 1989 (‘AIDS Trojan’), however the technique to make the data inaccessible was different to today’s cryptographic approaches. In addition, no anonymous payment system was available at that time. To deal with this, money was requested to be sent to a postbox in Panama. Carrying out such attacks for profit wasn’t lucrative due to the associated risks.

In 2013, with the upraising of anonymous payment methods like Blockchain based Bitcoin, Cryptoransomware became a lucrative and somehow safe model for attackers to demand money from victims.

CIRCL released in 2015 a technical document to warn and give proactive and incident response tips for Cryptoransomware attacks in https://www.circl.lu/pub/tr-41/

Since then we at CIRCL see a steady threat of new Cryptoransomware strains, which are often distributed in waves, using new social or technical elements to trick users into running the malicious code.

How does a ransomware attack work technically?

To carry out successfully a cryptoransomware attack, in a first step the attacker has to generate a cryptographic public and private key pair.

Cryptoransomware, once executed on the target system, enumerates all accessible drives (local, including attached USB flash drive and remote locations like connected network shares) and starts immediately with the encryption process of all the files of interest it has write-access to, using the previously generated public key. This is a very effective method to prevent a victim from accessing his data ever again without knowing the correct decryption key. Assuming the implementation of the encryption process is done correctly (yes, sometimes also malware authors produce bugs in their code or don’t understand all elements correctly), there is no other way than using the private key generated by the attacker to decrypt the files.

Obviously, the attacker demands the payment of a certain amount of money in exchange for the cryptographic key. Usually, once the money is received, the victim receives a decryption tool containing the key to decrypt all files back. There is, of course, no guarantee that the attacker delivers the key or decryption tool after payment.

How is ransomware being distributed?

We know different ways of distributing this kind of malware. The attack is most of the time carried out in an opportunistic approach. Bulk mail containing the malware or a downloader to the malware is sent via spam lists to the victims. The content of the mail usually a more or less well-written social theme to persuade the victim to click and execute the malware. This kind of mail has probably seen by almost every email user in Luxembourg, regardless if private or professional. Some of those email themes are well-designed social engineering attacks and it can be difficult to distinguish between malicious or benign, even for computer literate people.

Other attacks are much more targeted. We’ve seen attackers breaking in through Remote Access facilities (e.g. VNC, Microsoft Remote Desktop, Teamviewer) and deploying the malware themselves.

Sometimes a computer is already infected with other malware such as Dridex. Such malware has the capability to install additional software components. If the attacker doesn’t see any other way to monetise the information on a victim’s computer, he has the possibility to take the data as hostage and demand a ransom.

How many ransomware attacks have been detected in Luxembourg in recent years?

A quick search through our system revealed that we dealt with around 200 documented cases throughout the last 6 years. Needless to mention that this is only the view we have about people and organisations seeking help with us and who belong to our constituency. Apart from that, it can be estimated that there is a certain amount of unreported cases.

What has been the impact of those attacks (financial cost, lost time, stolen data, etc)?

If people, privately or professionally are affected by a successful cryptoransomware attack, they face serious problems. While the usual private person is afraid of losing all their family pictures collected of the last decade, companies might have lost access to their customer information, intellectual property or ways to control their manufacturing machines. The impact can be devastating, we have seen companies being at the edge to close their business.

Financial loss doesn’t start with the potential payment of a ransom. It starts at the moment data is no longer accessible. The IT department has to identify the computer(s) running the malware, identify the way of distribution, identify and fix security problems and vulnerabilities, and inform the other users of potential similar emails in the inbox. A team will then check the availability (and consistency) of a recent backup and ideally be able to restore these backups. Under certain circumstances, for instance if discovered that large parts of the network are compromised since a long time, the entire infrastructure has to be re-built from scratch before restoring backups of data.

These are time-consuming tasks, while the company at the same time is perhaps not able to operate. The financial loss can be huge, despite the fact that an opportunistic attacker only demands usually small amounts of money (in a corporate context, less than 1000 EUR is not much - however for private people it can be a lot).

In more targeted cases, we saw significant ransom demands of 500.000 EUR and 1.500.000 EUR.

Ransomware attacks are usually not mixed with exfiltration techniques. The ‘beauty’ of a ransomware attack is that the attacker is completely unconnected to the victim. All actions on the victim’s machines are performed in an isolated stand-alone process. Also the payment is relatively anonymous. The danger to get caught is low. By nature, exfiltrating data means connecting to a server of the attacker and sending huge amount of data there. This brings more risk to the ransomware attacker, which he wants to avoid.

What can be done to be prepared to Cryptoransomware attacks?

Certainly, the layers of security mechanisms should be preventing the company or individual computer from executing malware in general or even let them reach the computers. There are countless approaches to establish a good perimeter and endpoint security, it would go beyond of the scope of this article. But even with a great setup things can go bad and a malware could be executed at a machine, encrypting large parts of the data. The focus in this context should be what can be done to recover from such an encryption attack?

Only an offline backup system can guarantee the recovery from such an incident. It must be incremental, in working condition, backups must be complete and recent, and backups must be tested frequently. The backup system must be built as an offline backup system. This is because if the data is accessible by attackers, they will either encrypt the files too or destroy the data otherwise.

An additional approach is a write-append data storage, where data cannot be overwritten. Changes are only appended to the data storage. A proof-of-concept implementation can be found at the website of CIRCL https://www.circl.lu/pub/tr-55/

How well prepared are Luxembourg organizations (private, public and non-profit) for ransomware attacks?

A generalisation is not possible here. Many private people don’t have backups at all or no offline-backups. They would lose everything accessible on their computer in case of a successful attack. In professional environments we have seen good and bad preparedness, regardless of the size of the company/structure. It should be advised to review regularly the state of the backup system, configuration, and strategy as well as perform a regular test.

Are there certain sectors that are doing a particularly “good” or “bad” job? What could be improved?

A generalisation is not possible. What always helps is to be connected to a community about Threat and IOC sharing like MISP (https://www.misp-project.org and https://www.circl.lu/misp/) to know about recent malicious activities and to be able to prepare for them.

How seriously should Luxembourg organizations take the threat of a ransomware attack? Has the topic been sensationalized in the media? What are the real risks?

We couldn’t see any sensationalisation. The threat is real and a serious risk, the outages are high, the time-to-recover can be large and the ransom payments substantial. Assessing what is at stake, this risk is to be considered massive.

What is your advice for Luxembourg organizations before a possible ransomware attack (to be prepared)? What actions should they take during a ransomware attack?

Technically recommendations are listed in the document at https://www.circl.lu/pub/tr-41

Preparedness to a computer incident starts with the setup of a local incident response team and building local capabilities. To support companies to be prepared for such attack or in case of an incident, CIRCL can be reached via info@circl.lu or +352 247 88 444.

Information about this document ——————————-

A reporter from Delano was recently interested in retrieving background information about Ransomware and their effects on the economy of Luxembourg. For transparency reasons, we publish our original input as this document.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version - 19 Dec 2019