The Definitive Guide To Ransomware

By Praveen Yeleswarapu
July 7, 2021

What is Ransomware and why do you need to protect your data from it?

Ransomware, true to its name, is a formidable cyber weapon, often deployed against organizations in the hope of a large payoff. It is a particularly devious form of malware that is concealed and disguised as something else, usually an innocuous document. When an unsuspecting individual opens the file, they execute the malware, which goes on to encrypt the organization’s data with an encryption key held by the attacker, effectively locking up the data.

Other, more aggressive variants exploit weaknesses in an organization’s security and may not need to trick anyone into opening a file. Either way, once Ransomware has ensnared the system, the owners lose access to their own data.

The hijacked files can include documents, videos, pictures, even whole databases. Ransomware can even lock up source code.

The perpetrators then demand that the data owners pay a ransom in exchange for the decryption key and restored access. The victims are given instructions on exactly how to deliver the payment. Bitcoin is often the currency of choice for Ransomware criminals.

Ransomware can cost companies dearly, as most see no option but to pay up. The average Ransomware payout has touched nearly $234,000 per attack. The year 2020 saw a huge increase of 435% in Ransomware, on top of hundreds of millions of cyberattacks against organizations of every size.

What defines Ransomware’s targets?

Ransomware finds it easier to target environments whose user bases share a lot of files, and strategic establishments and financial organizations are frequently at the receiving end. That said, victims span every vertical. In the majority of cases, the target lacks well-defined incident visibility and management capabilities, owing to a shortage of trained cybersecurity staff and of resources to combat such attacks.

Ransomware attackers fall into two main categories. “Commodity” attackers target computers indiscriminately, relying on sheer volume to land ransom payouts; these are facilitated by Ransomware as a Service (RaaS) platforms. The other category targets highly vulnerable institutions or market segments.

Most Notable Ransomware

Ransomware was first encountered in 1989 and has only burgeoned since. An established cybercrime ecosystem now offers Ransomware as a service, and source code and building blocks for Ransomware are sold on the cyber black market. As a result, both the volume and the variety of Ransomware keep expanding.

Below are some notable names in Ransomware:

REvil

In July 2021, over the Fourth of July weekend, the world became aware of the Kaseya breach, also known as the REvil cyber attack. It impacted global supply chains, brought down a Swedish department store, and showed that in just five years ransomware has become organized crime, today carried out using tools that are otherwise legitimate. REvil highlights the need for stronger cybersecurity tools that can detect and respond to a threat in real time, neutralizing it well before it becomes an issue.

To read more about the REvil attack, and ways to prevent such an attack in the future, please give this article a read.

Apocalypse

Discovered around mid-2016, Apocalypse has since been dealt with. It is notable, however, because it used a custom-designed encryption algorithm rather than a standard one. On a system infected by Apocalypse, the files receive the extension ‘.encrypted’, and for each encrypted file a corresponding payment note is generated with a similar filename.

CryptoWall

Since surfacing in 2014, CryptoWall has reached its fourth version. It encrypts files with a combination of RSA and AES, leveraging the CryptoAPI built into Microsoft Windows operating systems.

Petya

Petya Ransomware has an identity of its own. It halts the normal Windows boot process by overwriting the bootstrap code in the master boot record, and, unlike other Ransomware, it encrypts the master file table rather than the victim’s individual files. As a result, the computer stops booting and the screen shows the ransom note.

WannaCry

In May 2017, the world woke up to WannaCry, a malware attack spreading across devices running Microsoft Windows. WannaCry, apart from being the most notorious crypto ransomware attack up until then, also highlighted the damage that outdated systems and uninstalled updates invite. Experts believe that the attack could have largely been prevented had the affected users updated their software in a timely manner.

Decrypting Ransomware: Standard/required steps

To decrypt files locked by a custom-designed encryption algorithm, the decryption algorithm itself is needed in addition to the decryption key.

For a 1-level encryption scheme, only the decryption key is needed. For a 2-level scheme, either the first-level or the second-level key is needed to decrypt the files. Similarly, for a 3-level scheme, at least one of the 3 keys is needed to recover the other two levels and finally decrypt the victim’s personal files.

Vulnerabilities in Ransomware

Vulnerabilities in certain kinds of Ransomware make them easier to crack. For instance, Ransomware that deploys a standard encryption algorithm incorrectly can be cracked. In other cases, custom-designed algorithms are crackable because their code is not as strong as that of standard encryption algorithms; yet others simply lack cryptographic strength. Vulnerabilities in the attackers’ servers may also make it possible for victims to retrieve their decryption keys.

In my experience, decryption is almost always a failure, and the organization has nothing left but to pay the attacker, restore operations, and manage the reputational damage.

Rapid Ransomware: Explanation and analysis

In 2019, a new ransomware variant, known as Rapid Ransomware, surfaced. Like previous variants, Rapid Ransomware scans the system for data files and encrypts them, appending the “.rapid” extension to each encrypted file’s name.

Once it has finished encrypting the system, it opens "recovery.txt" ransom notes in Notepad. These notes tell the victim to send an email to "frenkmoddy@tuta.io" to receive further instructions on restoring files and on payment.

This post is an overview of the analysis made by BluSapphire.

ANALYZED SAMPLE:

MD5: 46f5092fcedc2fee4bfbd572dd2a8f6f

BEHAVIORAL ANALYSIS:

Upon execution, the sample deletes the existing shadow copies on the infected machine, making recovery from them almost impossible.

It uses the Windows utility "bcdedit.exe" to disable Windows automatic repair mode, and executes "taskkill.exe" commands to kill any running database processes.

The malware places a file named "info.exe" in the folder "%APPDATA%/Roaming/" and configures itself to auto-run on every login by adding a registry entry under the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\".

With the ability to run on every logon, the malware appears capable of checking for newly created files and encrypting them.
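The behaviours above (shadow-copy deletion, bcdedit tampering, taskkill against database engines, a Run-key entry pointing into the Roaming profile) can be turned into detection rules. The following is an added example, not BluSapphire’s tooling or code from the original post; the pipe-delimited event format, the shadow-copy utilities (vssadmin/wmic), the bcdedit switches and the database process names are assumptions, since the post names only bcdedit.exe, taskkill.exe, info.exe and the Run key.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule detail")

# Constructed sample telemetry (not real logs), one "EventType|Field1|Field2" per line.
# ProcessCreate: Field1 = image path, Field2 = command line. RegistrySet: Field1 = value path, Field2 = data.
SAMPLE_EVENTS = """
ProcessCreate|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
ProcessCreate|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
ProcessCreate|C:\\Windows\\System32\\taskkill.exe|taskkill.exe /f /im sqlservr.exe
ProcessCreate|C:\\Windows\\System32\\taskkill.exe|taskkill.exe /f /im notepad.exe
RegistrySet|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|C:\\Users\\alice\\AppData\\Roaming\\info.exe
RegistrySet|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe
"""

# Assumed list of database engines a "kill database processes" step would target.
DB_PROCESSES = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "postgres.exe", "mongod.exe"}

def check_event(event_type, field1, field2):
    """Map one event to a Finding if it matches a rule, else return None."""
    if event_type == "ProcessCreate":
        image, cmd = field1.rsplit("\\", 1)[-1].lower(), field2.lower()
        if image in ("vssadmin.exe", "wmic.exe") and "shadow" in cmd and "delete" in cmd:
            return Finding("shadow_copy_deletion", field2)
        if image == "bcdedit.exe" and ("recoveryenabled no" in cmd or "ignoreallfailures" in cmd):
            return Finding("boot_recovery_disabled", field2)
        if image == "taskkill.exe":
            m = re.search(r"/im\s+(\S+)", cmd)
            if m and m.group(1) in DB_PROCESSES:
                return Finding("database_process_killed", field2)
    elif event_type == "RegistrySet":
        # Run-key autostart whose target lives in the user-writable Roaming profile.
        if "\\currentversion\\run\\" in field1.lower() and "\\appdata\\roaming\\" in field2.lower():
            return Finding("run_key_persistence_from_appdata", field1 + " -> " + field2)
    return None

def analyze(events_text):
    """Parse the pipe-delimited events and collect every rule hit."""
    findings = []
    for line in events_text.strip().splitlines():
        parts = line.split("|", 2)
        if len(parts) == 3 and (hit := check_event(*parts)):
            findings.append(hit)
    return findings

def is_ransomware_like(findings, min_rules=2):
    """Alert only when distinct techniques co-occur, so a lone admin bcdedit command or a legitimate Run entry does not page anyone."""
    return len({f.rule for f in findings}) >= min_rules
```

Run over the sample, `analyze` returns four findings (the notepad taskkill and the OneDrive Run entry are ignored) and `is_ransomware_like` reports a match.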

How to protect your organization from Ransomware attacks

  • Thwarting Ransomware takes multiple layers of cybersecurity policies and measures across the organization. Behavior-driven detection via EDR and EPP functionality is a must. Antivirus tools are great for cutting down on noise, but not for advanced attacks. Other measures include mandatory passwords, selective authorization for every app, and an infrastructure built on highly secure VPNs, Wi-Fi, and routers.
  • It is important to build a robust incident response process, rehearse it periodically with mock exercises, measure how the cycle performs, and address the gaps found. It is critical that the security and IT teams do not operate in silos, especially when responding to an attack.
  • The focus should be on faster detection with accurate data insights, with prevention second, since it is very hard to predict adversary moves. Business users should receive regular training and be kept informed of potential cyber risks.
  • Damage control is difficult once the attack has taken place and the files have been encrypted. Organizations must therefore go on the defensive early, keeping their operating systems updated with the latest patches. Standard antivirus programs are often unable to catch encryption malware because its creators constantly rewrite and tweak it.

The fact remains that when push comes to shove, companies do pay the ransom to get their files back. However, data stolen during a ransomware attack has often found its way onto the dark web even after the ransom was paid.

In a strange twist, Ransomware attackers even offer ‘discounts’ on the ransom amount if it is paid quickly. Then again, there is no guarantee that they will hold up their end of the deal and hand over the decryption key once the money has changed hands.

It is possible to remove the malware by rebooting Windows in safe mode and installing and running antimalware software, but it is not mathematically possible to decrypt the encrypted files without the decryption key. This is a Catch-22: by removing the embedded malware, you lose the option of recovering your encrypted files by paying the ransom. This approach is therefore viable only if you have a separate and complete backup of all your data.

Cybersecurity alertness and awareness, along with good practices, must be cultivated in every member of an organization. One such practice is backing up personal files regularly to avoid the loss of valuable data. Employees must understand that they are never to download random software, let alone grant it administrative privileges.

A simple example is the permissions we grant to third-party applications to sign into and modify data on our Google accounts. Every time a third-party app is breached, every account linked to that app is affected. When this seemingly straightforward advice is not followed on employee networks and systems, the result can be a massive ransomware attack.

If an organization falls victim to a ransomware attack, the immediate steps include response and remediation using the most advanced tools available today. If you have concerns around ransomware, please reach out to us using the chat feature on your screen, and we are happy to assist.