[BreachExchange] Past and Present Tactics of Ransomware Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 12 13:58:13 EST 2018


Ransomware has been getting a lot of press lately, and understandably so.
In recent months, there has been a tidal wave of ransomware attacks
targeting numerous well-known organizations, and the threat is expected to
continue to wreak havoc across the world in the future.

The aim of a ransomware attack is to infect users’ systems, and deny them
access to their most valuable assets. Typically, this is accomplished by
encrypting the most important documents on the target machine and making
them unreadable and inaccessible.

The Evolution of Ransomware
Initially, ransomware attackers used the same key for encryption and
decryption. Reverse engineers were able to develop decryption tools for
each variant, so encrypted files were easily restored in a relatively short
period of time. Ransomware authors quickly learned from their mistakes so
most ransomware variants now use asymmetric-key cryptography, where data is
encrypted with one key but decryption requires a different key that is not
so readily available to the victim.

Alternatively, the data is encrypted using a symmetric key, but then that
key is encrypted using an asymmetric key. Either way, it’s now much more
difficult to restore files without paying for the decryption key.

This is one of the key reasons why ransomware has recently become such a
success for cyber-criminals. There is no easy way for victims to get their
data back and there are no standard one-size-fits-all decryption keys.
Additionally, in cases where criminals are still using symmetric keys and
security analysts are able to figure out the decryption key and release it,
the attacker can quickly release an updated version that uses a different
decryption key.

Commonly Used Attack Vectors
Choosing the ransomware delivery mechanism is mostly a question of money.
Spreading spam is cheaper than writing new malware exploits or leasing
encryption keys, but there is greater uncertainty as to the effectiveness
and ultimate success of the attack. Today, the infection vectors most
commonly used by ransomware actors are email attachments, links in emails,
compromised websites, and malvertising.

Email attachments and links – The attacker sends an email to victims,
trying to trick them into opening a document attached to the email or
clicking on a link embedded in the content of the email.

Malvertising – Threat actors use web advertisements (banner ads delivered
via legitimate ad services) to spread malicious code and ransomware. The ad
services try to block any malicious ads, but the criminals are very good at
evading detection.

Compromised websites – Cyber-criminals are able to compromise legitimate
websites by embedding malicious code. When a user visits a compromised
website, it redirects them to a landing page that installs the ransomware
payload. Alternatively, criminals develop spoof websites that look nearly
identical to the legitimate one and are reached via a URL that is nearly
indistinguishable from the original. When a victim mistakenly visits these
sites, they too will install the ransomware.

Mitigating ransomware attacks on compromised websites
While mitigating email-based and malvertising attacks also warrants careful
attention and its own techniques, the focus of this article is on mitigating
ransomware attacks that use compromised websites.

When an attack is using a website that security products have already
identified as having been compromised or hosting malicious behavior, it can
be blocked by looking at the domain or IP used in the link embedded in the
email or the URL visited by a user. In practice, however, simple
blacklisting approaches suffer from the relatively short lifespan of these
drive-by landing pages.

To cope with this problem of blacklisting short-lived content, security
solutions must find the attack “on the wire”. This means that the system
either proactively probes for the content of a website, or it waits until a
real user is tricked into following the link to the exploit site and finds
the attack in the live traffic.

A particularly effective method of detection is finding suspicious
modifications of web page content, such as the use of inline frames with
hidden attributes or obfuscated JavaScript. When such an anomaly is found
in a page in transit, a security product can block the user from accessing
any additional content from this site. This prevents exploit kit code from
reaching and exploiting the user’s browser.
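As an added illustration of the in-transit inspection described above (example code written for this post, not part of the article or of any vendor's product), the scanner below parses a page with Python's standard-library HTML parser and flags the two anomalies the article names: inline frames with hidden attributes (zero dimensions, `display:none`, `visibility:hidden`, or a bare `hidden` attribute) and script blocks that show signs of obfuscation. The indicator set (an `eval` fed by `unescape`/`String.fromCharCode`/`atob`, or a long run of `%xx` or `\x..` escapes) and the threshold of 20 escapes are assumptions chosen for the example; the two sample pages and the `landing.invalid` host are constructed, not real sites.

```python
"""Flag hidden iframes and obfuscated script blocks in a page in transit.

Added example. Indicator set, thresholds and sample pages are assumptions
made for this illustration, not taken from the article or any product.
"""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ESCAPE_SEQ = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}")
# Decoder calls that, combined with eval(), are an assumed obfuscation signal.
DECODE_CALLS = ("unescape(", "String.fromCharCode(", "atob(")
MIN_ESCAPES = 20  # assumed threshold for "long run of escaped characters"


def _is_hidden_iframe(attrs):
    """True if the iframe is made invisible by attribute, style or size."""
    a = {name.lower(): (value or "") for name, value in attrs}
    if "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
        return True
    dims = (a.get("width", "").strip().rstrip("px"),
            a.get("height", "").strip().rstrip("px"))
    return any(d in ("0", "1") for d in dims)


class _PageScanner(HTMLParser):
    """Collects hidden iframe sources and the text of every script block."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and _is_hidden_iframe(attrs):
            self.hidden_iframes.append(dict(attrs).get("src", ""))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def script_indicators(js):
    """Return the obfuscation indicators found in one script block."""
    found = []
    if "eval(" in js and any(call in js for call in DECODE_CALLS):
        found.append("eval-of-decoded-string")
    escapes = len(ESCAPE_SEQ.findall(js))
    if escapes >= MIN_ESCAPES:
        found.append(f"{escapes}-escape-sequences")
    return found


def inspect_page(html):
    """Return hidden iframe sources and script indicators for a page."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    indicators = []
    for js in scanner.scripts:
        indicators.extend(script_indicators(js))
    return {"hidden_iframes": scanner.hidden_iframes,
            "script_indicators": indicators}


def is_suspicious(html):
    """Block decision: any hidden iframe or obfuscation indicator."""
    findings = inspect_page(html)
    return bool(findings["hidden_iframes"] or findings["script_indicators"])


# Constructed sample pages (not real sites). The "injected" page carries a
# zero-size iframe and an eval(unescape(...)) loader built from hex escapes.
CLEAN_PAGE = """<html><body><h1>Quarterly report</h1>
<iframe src="https://videos.example/embed/42" width="640" height="360"></iframe>
<script>document.getElementById('x').innerText = 'hello';</script>
</body></html>"""

_HEX_BODY = "".join("%%%02x" % b for b in
                    b'document.write("<iframe src=//landing.invalid/>")')
INJECTED_PAGE = f"""<html><body><h1>Quarterly report</h1>
<iframe src="http://landing.invalid/gate.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>eval(unescape('{_HEX_BODY}'))</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, inspect_page(page), "block" if is_suspicious(page) else "allow")
```

In a real deployment the decision would be made on the response stream before the remaining content is released to the browser, which is exactly the "block any additional content from this site" step the article describes; the heuristics here are deliberately simple, and a production filter would also deal with encodings, split scripts and markup that the parser cannot see.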

However, not all attacks make use of exploit kits: often, victims are
simply tricked into downloading and running the ransomware payload. Thus,
security technologies need to intercept these downloads and evaluate if the
file is safe to be opened by a user – typically by running the program
inside a sandbox.
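The article says a sandbox is used to decide whether a downloaded file is safe, but does not say what the sandbox looks for. As an added example (written for this post, not the article's or any sandbox product's logic), the code below turns a recorded sequence of file-system events from a sandbox run into a verdict using three indicators that are assumptions of this example: user documents overwritten with high-entropy data (a sign of encryption), documents renamed to a foreign extension, and the same file name created in several directories (the pattern of a dropped note). The event format, the entropy and file-count thresholds, the `.locked` extension and both sample runs are constructed.

```python
"""Derive a sandbox verdict from recorded file activity.

Added example. The event format, indicators, thresholds and sample runs
are assumptions constructed for this illustration.
"""
import math
import os
from collections import Counter

HIGH_ENTROPY = 7.0            # bits per byte; assumed "looks encrypted" line
MASS_ENCRYPTION_THRESHOLD = 5  # assumed number of affected documents
USER_DOC_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_file_activity(events):
    """Summarise events of the form
       ("write", path, payload) / ("rename", old, new) / ("create", path, payload)
    and return indicator counts plus a verdict."""
    encrypted_writes = set()   # user documents overwritten with high-entropy data
    renamed_away = set()       # user documents renamed to a non-document extension
    note_dirs = {}             # file name -> directories it was created in
    for event in events:
        op = event[0]
        if op == "write":
            path, payload = event[1], event[2]
            if (os.path.splitext(path)[1].lower() in USER_DOC_EXT
                    and shannon_entropy(payload) >= HIGH_ENTROPY):
                encrypted_writes.add(path)
        elif op == "rename":
            old, new = event[1], event[2]
            old_ext = os.path.splitext(old)[1].lower()
            new_ext = os.path.splitext(new)[1].lower()
            if old_ext in USER_DOC_EXT and new_ext not in USER_DOC_EXT:
                renamed_away.add(old)
        elif op == "create":
            path = event[1]
            note_dirs.setdefault(os.path.basename(path), set()).add(
                os.path.dirname(path))
    replicated_notes = sorted(n for n, d in note_dirs.items() if len(d) >= 3)
    affected = encrypted_writes | renamed_away
    ransomware_like = (len(affected) >= MASS_ENCRYPTION_THRESHOLD
                       or (affected and replicated_notes))
    return {
        "files_overwritten_high_entropy": len(encrypted_writes),
        "files_renamed_to_foreign_extension": len(renamed_away),
        "replicated_notes": replicated_notes,
        "verdict": "ransomware-like" if ransomware_like
                   else "no ransomware indicators",
    }


# Constructed sample runs (not captured from real software).
BENIGN_RUN = [
    ("write", "/home/user/Documents/notes.txt", b"Meeting notes for Friday\n" * 20),
    ("rename", "/home/user/Documents/notes.txt.tmp", "/home/user/Documents/notes.txt"),
]

# Stand-in for ciphertext: every byte value equally often, so exactly 8 bits/byte.
CIPHERTEXT_STANDIN = bytes(range(256)) * 4
DOCS = [f"/home/user/Documents/report{i}.docx" for i in range(6)]
RANSOMWARE_RUN = (
    [("write", p, CIPHERTEXT_STANDIN) for p in DOCS]
    + [("rename", p, p + ".locked") for p in DOCS]
    + [("create", d + "/README_RESTORE.txt", b"(constructed note text)")
       for d in ("/home/user/Documents", "/home/user/Pictures",
                 "/home/user/Desktop")]
)

if __name__ == "__main__":
    print("benign:", analyse_file_activity(BENIGN_RUN))
    print("ransomware:", analyse_file_activity(RANSOMWARE_RUN))
```

Entropy alone is not a verdict (compressed archives and images are also high-entropy), which is why the decision combines it with the number of distinct documents touched and with the renaming and note-dropping patterns; a real sandbox would also weigh process, registry and network activity that this example does not model.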

Ransomware is one of the most dangerous attack vectors around today and it
is generating a healthy return for cyber-criminals across the world. It is
also critical that the security industry takes aggressive steps to
understand advancements in ransomware as only then can the threat be
properly held at bay.