[BreachExchange] The Growing Ransomware Threat and Trends

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 13 18:57:14 EDT 2018


http://www.securityinfowatch.com/article/12401246/the-growing-ransomware-threat-and-trends

Reports of one ransomware attack after another continue to fill the news,
including recent attacks on healthcare providers, suppliers, and even
governments. In just a few years ransomware has grown from an obscure type
of security incident into a major threat to the operations of many
organizations.

It is important for all organizations to look at the contributing factors
and motivations behind the increase in ransomware, and then use those
observations to explore ways to help slow the trend, and identify methods
to reduce the adverse impacts.

The motivation is money

The individuals behind ransomware attacks appear to be motivated by money.
Ransomware is pure extortion, whereby the attacker takes control of a
victim’s valuable asset (e.g., data), encrypts it, and holds it hostage
until a ransom is paid. If organizations don’t pay within a specific amount
of time (generally a few days), the extortionist claims he/she will delete
the encryption key which renders the data useless and prevents future
decryption.

Some organizations that make a business decision to pay the ransom will
receive the decryption key, while others will get demands for more money,
and some won't receive any response at all. With the exception of last
summer's NotPetya attack, which was characterized as a cyberwar attack by
one nation against another's economic infrastructure and left victims with
no workable way to recover their data, ransomware attacks typically contain
instructions on how to pay a ransom to recover the data.

The reasons behind the rise in ransomware are complex, but three
contributing factors stand out. First, only a few years ago hackers
primarily stole data and then monetized that sensitive data themselves.
For example, stolen credit card numbers could be used to create counterfeit
cards, then those cards could be used to purchase goods. As the credit card
companies improved fraud protection, the half-life of stolen cards kept
getting shorter and shorter, so their street value dropped. The credit card
issuers also tightened up controls so that fraudulent use must be
geographically close to where the stolen cards are located, or else it
triggers extra scrutiny. This made international use of stolen credit card
numbers risky, so international hackers started losing interest. While
breaches of retailer credit card systems still happen, there are other ways
to monetize hacks.

Second, complex hacks that involve stealing data and monetizing it
increase the risk of being caught. In healthcare, for example, we used to
see massive data breaches involving millions of patient records. While some
of the largest breaches appear to have been orchestrated by nation-states,
others were used for identity theft and fraudulent billing. Insurance
companies and the government have successfully leveraged ‘big data’ to
identify providers who profit from these activities. Consequently,
criminals find it harder to avoid being caught.

Finally, one can speculate that the emergence of cryptocurrencies has only
compounded the problem. The perceived anonymity of the payment channel
(e.g., the ransom) has paved the way for individual hackers, organized
criminals, and nation-states to extract money from their victims with no
bank in the loop. Cryptocurrencies are also used by nation-states looking to
evade tighter sanctions, as the flow of cryptocurrency is widely thought to
be untraceable. In practice Bitcoin is pseudonymous rather than anonymous:
every transaction is recorded on a public ledger, and ransom payments have
been traced through exchanges, but the attacker still collects payment
without the controls that apply to wire transfers and card networks.

How fast does ransomware strike?

There are several observations to derive from recent ransomware attacks.
The first is that once the malware has gained a foothold on an 'index
machine,' it reaches all vulnerable devices very rapidly. The infection
spreads exponentially and can only be stopped by isolating the uninfected
vulnerable devices from the network. In recent attacks, two organizations
with several thousand endpoints each were compromised in under one hour.
The first organization did not have a robust reporting and alerting system,
so the infection did not stop until every vulnerable device was
compromised. The second organization had a security information and event
management (SIEM) tool and an anti-virus console which alerted the IT staff
and allowed them time to isolate part of the network. Both organizations
detected the event, but because the attack exploited a zero-day
vulnerability, these tools were unable to automatically stop the spread.
Eventually, most of the vulnerable devices in multiple geographic areas
were compromised. The rapid response of isolating all network segments
saved a few devices, but not enough to continue operations.
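The alert that gave the second organization its head start is rate based: a
single workstation rewriting hundreds of user files with a new extension in a
few seconds looks nothing like normal activity. The following script is an
added example, not code from the article, that runs that detection logic over
constructed file-system audit events. The hostnames, paths, the set of
suspicious extensions, and the threshold of five suspect writes within ten
seconds are all assumptions for illustration; in a real SIEM they would be
tuned to the environment and fed from the endpoint audit source.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed for illustration: extensions that encrypting malware commonly appends.
# A real deployment maintains this set from threat intelligence and local tuning.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
THRESHOLD = 5                    # suspect writes per host ...
WINDOW = timedelta(seconds=10)   # ... within this sliding window

# Constructed sample audit log (hosts and paths are invented), one event per
# line in the form "<ISO timestamp> <host> <action> <path>".
SAMPLE_LOG = """\
2018-03-13T14:00:00 ws-017 WRITE C:\\Users\\amy\\Documents\\q1.xlsx.locked
2018-03-13T14:00:00 ws-017 DELETE C:\\Users\\amy\\Documents\\q1.xlsx
2018-03-13T14:00:01 ws-017 WRITE C:\\Users\\amy\\Documents\\q2.xlsx.locked
2018-03-13T14:00:01 ws-042 WRITE C:\\Users\\bob\\Desktop\\notes.txt
2018-03-13T14:00:02 ws-017 WRITE C:\\Users\\amy\\Documents\\budget.docx.locked
2018-03-13T14:00:02 ws-017 WRITE C:\\Users\\amy\\Pictures\\img1.jpg.locked
2018-03-13T14:00:03 ws-017 WRITE C:\\Users\\amy\\Pictures\\img2.jpg.locked
2018-03-13T14:00:03 ws-017 WRITE C:\\Users\\amy\\Pictures\\img3.jpg.locked
2018-03-13T14:00:30 ws-042 WRITE C:\\Users\\bob\\Desktop\\vault.crypt
2018-03-13T14:05:00 ws-042 WRITE C:\\Users\\bob\\Desktop\\vault2.crypt
2018-03-13T14:06:10 fs-01 WRITE \\\\fs-01\\share\\hr\\payroll.xlsx.encrypted
2018-03-13T14:06:10 fs-01 WRITE \\\\fs-01\\share\\hr\\benefits.xlsx.encrypted
2018-03-13T14:06:11 fs-01 WRITE \\\\fs-01\\share\\hr\\org.pptx.encrypted
2018-03-13T14:06:11 fs-01 WRITE \\\\fs-01\\share\\hr\\README_DECRYPT.txt
2018-03-13T14:06:12 fs-01 WRITE \\\\fs-01\\share\\hr\\contracts.pdf.encrypted
2018-03-13T14:06:12 fs-01 WRITE \\\\fs-01\\share\\hr\\audit.docx.encrypted
"""


def parse_event(line):
    """Split one audit line into (timestamp, host, action, path)."""
    ts_str, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts_str), host, action, path


def is_suspect_write(action, path):
    """True for a file write whose extension is in the suspect set."""
    return action == "WRITE" and ntpath.splitext(path)[1].lower() in SUSPECT_EXTENSIONS


def detect_mass_encryption(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {host: first alert time} for every host whose suspect writes
    reached `threshold` inside some `window`-long interval.

    Events are processed in log order, so each host's alert time is the
    earliest moment a responder could have acted on it."""
    recent = defaultdict(deque)   # host -> suspect-write timestamps still in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = parse_event(line)
        if not is_suspect_write(action, path):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop events that have aged out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


def isolation_order(alerts):
    """Hosts to isolate, earliest alert first."""
    return [host for host, _ in sorted(alerts.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    found = detect_mass_encryption(SAMPLE_LOG)
    for host in isolation_order(found):
        print(f"{found[host].isoformat()} isolate {host}")
```

In the constructed data ws-017 trips the alert three seconds after its first
encrypted write and the file server fs-01 two seconds after its first, while
ws-042, which writes two suspect files minutes apart, stays quiet. The point
of the sliding window is exactly that distinction: a burst, not the extension
alone, is the signal, and the responder's decision is whether to isolate
segments as soon as the first host alerts rather than after the spread.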

I’ve been infected with ransomware, so what should I do?

First, remember that law enforcement officials encourage organizations not
to pay the ransom because it only fuels the criminal elements and leads to
more attacks. Regardless of whether a victim pays, the decryption keys only
allow organizations to decrypt their data; those keys will not remove the
malware that delivered the encryption payload in the first place. Removing
the malware is a huge effort that can take even midsize organizations weeks
to accomplish because every infected device must first be identified, then
reimaged. Removing the malware is also very expensive: for example, it cost
one organization 60 percent of its annual IT budget to recover from the
ransomware attack. Another reason for the long recovery time is that normal
operations cannot resume until the vulnerabilities that allowed the systems
to be attacked in the first place have been mitigated, and a decryption key
does nothing to fix them. Left untouched, they leave a high probability of
reinfection, especially if the ransom is paid.

Organizations that need to recover from ransomware should expect to be down
for weeks, regardless of whether the ransom is paid. This outage means that
all business operations that depend on IT systems will need to operate in
their 'downtime' mode. Other organizations have, for example, experienced a
total loss of their timekeeping systems, which impacted their ability to
calculate and issue paychecks. Automated supply chain management systems had
to temporarily revert to paper and fax machines, which impacted supply
levels because of the additional time it took to keep inventories of
critical supplies. The move to paper records, especially in hospitals,
significantly slows the process of documenting work and submitting claims
to insurance companies for payment. This resulted in one hospital falling
$60 million behind in cash flow in less than one month. Once systems are
back online, the data captured on paper during the outage must be re-entered
so that the inventory and payment processing systems can restart.

How can I reduce the probability of a successful attack?

The attack vectors used by the ransomware controllers vary, but the primary
path is thought to be through emails containing links to malicious
websites. Some emails are broadcast to a large mailing list, while other
attackers use spear-phishing to target specific individuals who are thought
to hold administrator accounts. Regardless of the vector, the first line of
defense is to limit the number of individuals who have administrator
privileges and the ability to execute untrusted or unauthorized code. The
second line of defense is to mandate that all administrators have two
separate user accounts: a 'routine' account for general day-to-day work and
a separate account with administrator privileges that is used only for
functions requiring elevated privileges. The account with administrator
privileges should not have email access, especially if that email address
is published or can be easily guessed. It also helps to educate IT staff
about the importance of not publicizing their roles on social media, as
this reduces the information available to an attacker planning a spear
phishing attack. Any time an administrator account is accessed remotely, a
multifactor authentication solution should be used.

On the technical front, next-generation firewalls that perform deep packet
inspection can identify connections to domains known to host malicious
software and block the download until other measures can be deployed. This
requires a lot of trust in the tools, something that in turn requires
extensive documentation and testing.

Valuable Lessons

Studying the history of ransomware will help organizations better prepare
for an attack. The most valuable lesson is that as long as humans are in
the decision loop, ransomware will win the race to infect nearly all
vulnerable machines that it can find. This knowledge increases the
importance of having a robust incident response process where those
individuals monitoring systems can alert senior decision makers with
authority to shut down an organization’s entire network on a moment’s
notice. It is also important that staff have access to the technical tools
that allow them to isolate networks once the decision to execute the
incident response plan is given.

Second, as the event unfolds, the incident response team needs to be
augmented with all key stakeholders whose processes are impacted, including
non-technical executives. Incidents may impact the ability to deliver
services as well as to create invoices for past work. Internal operations
such as timekeeping and payroll may need to run manually using downtime
procedures. There also need to be non-automated procedures for ordering
supplies from the vendors and suppliers that normally provide materials.

Finally, a strong incident response process needs to be developed and
exercised regularly in order to proactively prepare for an attack. The
response speed is paramount when responding to a ransomware attack so
exercises should be planned with minimal people knowing the agenda and
timing ahead of the exercise.

Ultimately, it is about planning for the worst case, and hoping for the
best.