[BreachExchange] The Why and How of Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 7 18:56:17 EST 2016


http://www.infosecurity-magazine.com/opinions/the-why-and-how-of-ransomware/

Ransomware is undeniably becoming one of the biggest threats facing
businesses today. The last year or so has seen an incredible rise in the
number of ransomware attacks; some reports have claimed that 40% of
businesses have been hit in the last 12 months, encrypting files and data
until a ransom is paid.

Fears over the rise and potential impact of ransomware have even caused
Europol, the European Union law enforcement agency, to label it the
“leading cybercrime threat in Europe” and to point out that it is
increasingly targeting sectors that will pay a higher ransom, rather than
individuals who will only pay a smaller fee to unlock their files.

What’s more, companies certainly are paying out to regain access to their
files. The FBI announced that in the first three months of 2016 $209
million was paid to cyber-criminals; at that rate it’s possible that 2016
as a whole will see over $1 billion paid out in ransomware attacks.

We are also seeing a trend emerge in terms of the types of organizations
that are being targeted – public-facing organizations where data is the
lifeblood: councils, hospitals, schools, for example.

So why now? What’s behind the rise of ransomware as a cyber-attack tool?
Well, the short answer is it works. The figures above show that it’s an
effective way of extracting financial gains from victims. Blocking access
to vital data or files can cripple an organization and render it useless,
so it’s not surprising that some pay up as soon as possible so they can get
back to work. Can you imagine the potential damage if a hospital, for
example, couldn’t access patient data?

So that leads to the next question – why is it so effective? There are a
couple of things about ransomware that separate it from other pieces of
malware we’ve seen. The first is that it’s polymorphic. This means it can
change tiny little details about itself frequently, so that antivirus
programs no longer pick it up; it appears as a brand new piece of malware
each time it undergoes a little change.

The second is that all it needs to start encrypting user files is standard
user privileges: the kind of privileges that the vast majority of workers
in an organization will have. That means its barrier to entry, as it were,
is very low.

So now we know a little more about why ransomware is becoming the attack
vector of choice for cyber-criminals, let’s look at how it spreads across a
business. What we’ve discovered so far is that generally ransomware arrives
via a targeted phishing email. Once the attachment is opened the ransomware
makes contact with its C&C server to generate and retrieve an encryption
key. From there the ransomware begins its scan of the infected machine,
looking for files. It then builds its inventory.

As well as building an inventory of files, it also scans for other machines
on the network and, if it can, it grabs credentials. It then connects to
those machines and infects them. Once this process is complete, the
ransomware encrypts files and announces its arrival to unsuspecting users.
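The infection chain above ends with a burst of file encryption, and that burst is what a file-level detector can key on. The following is an added example, not code from the article or from any vendor: a heuristic over constructed file-system telemetry (the event schema, process ids, paths and sample content are all invented here) that flags a process which, within a short window, writes high-entropy content to many distinct files and renames them. Encrypted output is close to uniformly random, so its Shannon entropy approaches 8 bits per byte, while ordinary documents sit well below that.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileEvent:
    """One file-system event as a host agent might record it (constructed schema)."""
    ts: float          # seconds since monitoring started
    pid: int           # process that performed the operation
    op: str            # "write" or "rename"
    path: str
    data: bytes = b""  # content written (only meaningful for "write")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events: List[FileEvent], window: float = 10.0,
                           min_files: int = 20, min_entropy: float = 7.0) -> Dict[int, dict]:
    """Flag any pid that, within `window` seconds, wrote high-entropy content to at least
    `min_files` distinct files and renamed at least half that many. Returns pid -> evidence."""
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_pid[e.pid].append(e)
    alerts: Dict[int, dict] = {}
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so it never spans more than `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            high = {e.path for e in win
                    if e.op == "write" and shannon_entropy(e.data) >= min_entropy}
            renamed = {e.path for e in win if e.op == "rename"}
            if len(high) >= min_files and len(renamed) >= min_files // 2:
                alerts[pid] = {"high_entropy_files": len(high), "renamed": len(renamed),
                               "first_ts": win[0].ts, "last_ts": win[-1].ts}
                break
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry: pid 4100 behaves like a word processor, pid 5200 like an encryptor."""
    events: List[FileEvent] = []
    doc_text = b"Quarterly report draft, section 3: revenue by region.\n" * 40
    for k in range(30):
        events.append(FileEvent(k * 1.0, 4100, "write",
                                f"C:/Users/alice/Documents/notes{k}.txt", doc_text))
    # Stand-in for ciphertext: every byte value equally frequent, entropy exactly 8.0.
    ciphertext = bytes(range(256)) * 16
    for k in range(25):
        path = f"C:/Users/alice/Documents/report{k}.docx"
        events.append(FileEvent(k * 0.1, 5200, "write", path, ciphertext))
        events.append(FileEvent(k * 0.1 + 0.05, 5200, "rename", path))
    return events


def run_demo() -> Dict[int, dict]:
    """Run the detector over the constructed sample; only pid 5200 should be flagged."""
    return detect_mass_encryption(build_sample_events())


if __name__ == "__main__":
    for pid, evidence in run_demo().items():
        print(f"ALERT pid={pid}: {evidence}")
```

The thresholds (20 files, 10 seconds, 7 bits per byte) are starting points, not tuned values; backup agents and archivers also write high-entropy data quickly, so in practice the verdict is combined with the process identity controls described later in the article rather than used alone.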

However, it doesn’t have to get this far. The key is where the defense
lies. It’s difficult to stop ransomware at the perimeter, and while it’s
easier at the point of the server callout, that can sometimes be too late
to stop the damage. So that leaves the file level, and that has proven to
be most effective in our lab tests, where we have so far examined 157,000
ransomware samples.

Using application control at the file level means whitelisting good, known
and trusted applications and blacklisting anything that’s unknown, not
trusted or known to be bad. In the middle you have greylisting, where
applications you’re not sure about can run in restricted mode – with
limited access to files and data, no internet access and no access to
network shares or servers.

Taking this approach and combining it with tighter control over user
privileges is the best way of combating ransomware. In our tests
application greylisting and using least privilege proved to be 100%
effective in stopping ransomware from encrypting files, rendering it
useless.
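To make the whitelist/greylist/blacklist split and the restricted mode concrete, here is an added example that is not the article's code and not any product's policy engine. It classifies an executable by hash and code-signing publisher, then decides individual actions: a greylisted process may only read and write inside its own sandbox root, gets no internet, no network shares and no privilege elevation (the least-privilege half of the combination). The hashes, paths, publisher name and sandbox location are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Verdict(Enum):
    ALLOW = "whitelist"        # known, trusted: runs normally
    RESTRICTED = "greylist"    # unknown: runs in restricted mode
    DENY = "blacklist"         # known bad or explicitly untrusted: does not run


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str
    publisher: Optional[str]   # code-signing subject, None if unsigned


class ApplicationControlPolicy:
    """Classify an executable by hash and publisher (hypothetical policy, not any product's)."""

    def __init__(self, trusted_hashes: Set[str], trusted_publishers: Set[str], bad_hashes: Set[str]):
        self.trusted_hashes = trusted_hashes
        self.trusted_publishers = trusted_publishers
        self.bad_hashes = bad_hashes

    def classify(self, exe: Executable) -> Verdict:
        if exe.sha256 in self.bad_hashes:              # blacklist wins over everything
            return Verdict.DENY
        if exe.sha256 in self.trusted_hashes or (
                exe.publisher and exe.publisher in self.trusted_publishers):
            return Verdict.ALLOW
        return Verdict.RESTRICTED                       # unknown -> greylist


# Restricted mode: a greylisted process may touch files only under its own sandbox root,
# gets no internet and no network shares, and cannot raise its privileges.
SANDBOX_ROOT = "C:/Users/alice/AppData/Local/Greylist/"   # constructed location


def authorize(verdict: Verdict, action: str) -> bool:
    """Decide whether a process with `verdict` may perform `action`.
    Actions: 'file:read:<path>', 'file:write:<path>', 'net:internet', 'net:share:<unc>', 'priv:elevate'."""
    if verdict is Verdict.DENY:
        return False                # never started in the first place
    if verdict is Verdict.ALLOW:
        return True
    parts = action.split(":", 2)
    if parts[0] == "file" and len(parts) == 3:
        return parts[2].startswith(SANDBOX_ROOT)
    return False                    # net:*, priv:*, and anything unrecognised


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed executables: the byte strings are placeholders standing in for real binaries.
KNOWN_GOOD = Executable("C:/Program Files/Office/winword.exe",
                        sha256_hex(b"constructed word processor"), "Example Office Vendor")
UNKNOWN = Executable("C:/Users/alice/Downloads/invoice_viewer.exe",
                     sha256_hex(b"constructed unknown binary"), None)
KNOWN_BAD = Executable("C:/Users/alice/AppData/Local/Temp/update.exe",
                       sha256_hex(b"constructed flagged binary"), None)


def build_demo_policy() -> ApplicationControlPolicy:
    return ApplicationControlPolicy(
        trusted_hashes={KNOWN_GOOD.sha256},
        trusted_publishers={"Example Office Vendor"},
        bad_hashes={KNOWN_BAD.sha256},
    )


if __name__ == "__main__":
    policy = build_demo_policy()
    for exe in (KNOWN_GOOD, UNKNOWN, KNOWN_BAD):
        verdict = policy.classify(exe)
        can_write_docs = authorize(verdict, "file:write:C:/Users/alice/Documents/report.docx")
        print(f"{exe.path}: {verdict.value}; write to Documents -> {can_write_docs}")
```

The point of the design is that the unknown executable launched from a mail attachment is never refused outright, which keeps false positives tolerable for users, but it cannot reach the documents folder, the file server or the internet, so even if it is ransomware it has nothing to encrypt and no way to fetch a key.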