By Staff Writer at LMG Security   /   Jun 13th, 2016

Ransomware: ePirates of the 21st Century

Ransomware notice via: Wikimedia Commons

On February 5, 2016 Hollywood Presbyterian Medical Center detected a breach in its network. Although electronic protected health information (ePHI) was not stolen, the attackers encrypted the medical records system and held it hostage. The medical center reluctantly paid a ransom of 40 bitcoins, about $17,000, to reacquire access to its software twelve days later.

In March 2015, New Jersey school district Swedesboro-Woolwich also found that its network was locked and a 500 bitcoin ransom, about $124,000 at the time due to fluctuation of bitcoin’s value, was required to unlock the system. The school district did not pay the ransom and was able to restore its network from a previous system backup.

The city of Detroit, a Tennessee sheriff’s office, schools, churches, and hospitals, and more commonly, private businesses and personal computers have all been victims of ransomware attacks. Even Android devices, iPhones, and iCloud accounts have been the targets of ransomware.

What is ransomware?

Ransomware is a type of malware that restricts access to data on the infected device by encrypting files. Attackers then demand a ransom – often in bitcoin – to provide the decryption key and restore access. The ransom demand usually increases as time passes. This type of malware has been around for many years, and previously attacked mainly Windows machines because Windows is widely used and varies little between versions. Now, ransomware targets a variety of operating systems and software, and both individuals and organizations.

Ransomware comes in a variety of flavors. Some ransomware uses encryption within encryption to lock files. In this scenario, files on the infected device are first encrypted with, for example, 256-bit AES. The per-file AES keys are then themselves encrypted with a different kind of encryption, such as 2048-bit RSA. The attackers keep the RSA private key, which unlocks the AES keys, which in turn decrypt the files. In most cases the AES keys are erased from the device’s volatile memory, and the RSA-encrypted copies that remain, even if found, can’t be brute-forced. As ransomware attacks increase, many vendors and security professionals have released free tools that can successfully decrypt some types of ransomware, such as Kaspersky’s Ransomware Decryptors, Cisco’s TeslaCrypt decryption tool, and many more as listed by Tripwire.

Ransomware has increasingly become the tool of choice for cyber criminals. According to a recent article in Business Insider, ransoms on average range from $300 to $500 per device, depending on the software or system held hostage. In 2014, iPhones and iCloud users in Australia and the U.S. were expected to each pay $100 to unlock their devices. Estimates as to the total cost being extorted from victims worldwide have been reported from $5 million per year to $30 million in 100 days. With payouts like that, it is reasonable to assume that ransomware will only increase in popularity as well as accessibility among cyber attackers.

How easy is it for attackers to deploy?

Unfortunately, ransomware is very easy to deploy, and there are even Ransomware as a Service (RaaS) providers that make it easier to implement and maintain. Amateur cyber attackers can purchase RaaS that will teach:

  • How to install your bitcoin payment server
  • How to configure your bitcoin payment server to best meet your needs
  • How to choose your victims
  • How to set your ransom based on the current market

With RaaS, the steps and technical help are all laid out for anyone to use to exploit systems. Technical support is just a phone call, email, or chat away. Underground RaaS advertising campaigns have increasingly appeared in the past year and have piqued the interest of cyber attackers with limited technical skills.

For the criminally minded, ransomware kits are also available for free for anyone to download and deploy. The developers of one of these kits, Tox, take a 20% cut of any successful ransomware campaigns that its users run. The kits require minimal technical skills to use and can be deployed in as little as three simple steps.

How easy is it to defeat?

Performing regular backups is the most crucial step to successfully recover from a ransomware attack. Back up important files regularly, and restrict access to the backup files (read only, with modification and deletion locked) so that a clean copy is available to restore from. It is also highly recommended that you create two backup copies and store them in two different places: one in the cloud, and the second recorded to a physical device that is separated from your network, such as an external hard drive.

In November 2015, Kaspersky Lab published 10 Tips to Protect Your Files from Ransomware, including:

  1. Back up important files regularly.
  2. Check your backup files to make sure they are not damaged and could be restored.
  3. Be wary of phishing emails.
  4. Trust no one – even friends on social media or online gaming partners.
  5. Enable the ‘show file extensions’ option in the Windows settings. Ransomware frequently arrives in a file that is named with a double extension such as “.PDF.EXE”. Also, filter emails with .exe attachments or deny email sent with files that have two file extensions.
  6. Regularly update operating systems, browsers, antivirus, and other programs.
  7. Use a robust antivirus program.
  8. If ransomware is discovered, disconnect the computer from the Internet immediately. There is a chance that the ransomware did not have time to erase the encryption key from the computer.
  9. Don’t pay the ransom. Each payment fuels the unlawful business and there are many cases where the decryption key has never arrived or failed.
  10. Try to find out the name of the malware. If it is an older version it may be relatively easy to restore the files.
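Tip 5’s rule in working form, as an added example that is not from the article or from Kaspersky: a small Python attachment-name filter that blocks executables hidden behind a document extension (the “.PDF.EXE” pattern), and optionally rejects every double extension as the tip suggests. The extension lists and the archive allowlist are assumptions made for the example.

```python
# Added example: an attachment-name filter for tip 5 (not from the article).
# The extension sets below are assumptions, not taken from the article.
from dataclasses import dataclass

# Extensions Windows will execute directly; assumed list.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "wsf", "hta"}
# Legitimate two-part extensions (archives); assumed allowlist for the strict rule.
BENIGN_DOUBLE = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


@dataclass
class Verdict:
    filename: str
    blocked: bool
    reason: str


def extensions_of(filename: str) -> list:
    """Return the lowercase extensions of a name, e.g. 'Invoice.PDF.EXE' -> ['pdf', 'exe']."""
    base = filename.strip().replace("\\", "/").rsplit("/", 1)[-1]  # drop any path
    parts = base.strip(" .").lower().split(".")
    return [p for p in parts[1:] if p]  # parts[0] is the name itself, not an extension


def check_attachment(filename: str, strict_double: bool = True) -> Verdict:
    """Apply the tip-5 rules: block executables, and (if strict) any double extension."""
    exts = extensions_of(filename)
    if not exts:
        return Verdict(filename, False, "no extension")
    if exts[-1] in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1:  # '.PDF.EXE': the last extension is the one Windows honours
            return Verdict(filename, True, f"executable disguised as .{exts[-2]}")
        return Verdict(filename, True, "executable attachment")
    if strict_double and len(exts) > 1 and tuple(exts[-2:]) not in BENIGN_DOUBLE:
        return Verdict(filename, True, "double extension")
    return Verdict(filename, False, "allowed")


def blocked_names(filenames, strict_double: bool = True) -> list:
    """Filter a list of attachment names and return those that would be rejected."""
    return [f for f in filenames if check_attachment(f, strict_double).blocked]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["Invoice.PDF.EXE", "photo.jpg", "setup.exe", "backup.tar.gz", "notes.doc.txt"]
    for name in sample:
        v = check_attachment(name)
        print(f"{name:16} {'BLOCK' if v.blocked else 'allow':5} {v.reason}")
```

With `strict_double=False` the filter keeps only the executable checks, which is the less disruptive rule for mail flows that legitimately carry names like `report.v2.docx`.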

Regularly performed backups helped the New Jersey school district restore its encrypted files, and its servers were rebuilt to remove any trace of the ransomware. Ransomware is a good reminder to be proactive in securing our systems, to monitor our backups and test restoration, and to train employees to be cautious about the links they click and the files they download. As always, send any questions or comments to [email protected].
