InfoSecurity Europe: Ransomware, Evolved
Ransomware was a common theme at InfoSecurity Europe this year. Mikko Hyppönen, Chief Research Officer at F-Secure based in Finland and InfoSecurity Europe Hall of Fame Alumnus, gave the keynote address, Profiling the Connected Cybercriminal. His talk covered what’s changed and what’s stayed the same when it comes to ransomware threats and how they spread.
What’s Old is New Again
Essentially, old problems come back to bite us - the kind of problems we thought we had already solved. One example is the AIDS Trojan discovered in 1989. It is considered an early example of ransomware, a class of malware that now targets hospitals, governments and enterprises alike.
The software ranked you based on your risk of contracting HIV. If it was installed without paying the license fee, it would overwrite your master boot record, encrypt your data and display a ransom demand instructing you to send payment to a P.O. Box in Panama.
Similarly, Petya, a type of ransomware found in May 2016, infects your system, reboots it, runs what looks like a disk check, and encrypts your files. Both the old and the new ransomware encrypt the master boot record and file indexes, then demand a ransom; the difference is that the new one asks for payment by bitcoin transfer.
How Does Ransomware Spread?
Old macro viruses like ILOVEYOU and Melissa from 1995 would spread and infect computers via Microsoft Office documents, such as Word files.
What would happen is, an attacker would send an email with a Word document attached. If the document was opened and macros were enabled, the virus would run and propagate by sending itself to the first 50 contacts in your Outlook Address Book. Very wormy.
Why would anyone enable macros? Sometimes the documents would contain scrambled text and a button asking the user to enable macros in order to read the message. System administrators can defend against these viruses by disabling macros.
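As an added example (not from the talk or the original post), the PowerShell audit below reads the Office registry values that decide whether a mailed Word, Excel or PowerPoint document may run its macros, and reports whether each application is locked down. It assumes Office 2016/2019/365 (registry version "16.0"); the key paths, value names and meanings are the documented Office settings, but the output column names are my own.

```powershell
# Audit per-user Office macro settings (added example, assumes Office version 16.0).
# Group Policy writes under Software\Policies and takes precedence over the user key.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Documented meanings of the VBAWarnings DWORD.
$VbaMeaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (user can click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification (recommended)'
}

function Get-MacroSetting {
    param([string]$App, [string]$Name)
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security",  # GPO-managed
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"            # user-configured
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [int]$v }
    }
    return $null   # value not set anywhere; Office falls back to its default
}

function Get-MacroPolicyReport {
    foreach ($app in $Apps) {
        $vba   = Get-MacroSetting -App $app -Name 'VBAWarnings'
        $block = Get-MacroSetting -App $app -Name 'blockcontentexecutionfrominternet'
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba
            Meaning             = if ($null -eq $vba) { 'Not set (default 2: disable with notification)' } else { $VbaMeaning[$vba] }
            BlockInternetMacros = ($block -eq 1)          # blocks macros in files marked as downloaded / mailed
            LockedDown          = ($vba -in 3, 4) -or ($block -eq 1)
        }
    }
}

Get-MacroPolicyReport | Format-Table -AutoSize
```

Any row with LockedDown = False still lets a user click through the "enable macros" lure described above; setting VBAWarnings to 4 (or blockcontentexecutionfrominternet to 1) through Group Policy closes that path for mailed documents.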
Studying Modern Ransomware
Mikko mentioned that all of the many different ransomware types come from ransomware gangs that compete against each other. In his research, he’s tracking over 100 different groups.
Each group is looking for a return on investment and for new customers to infect in order to make a profit. In April, the first ransomware Trojan to target Macs appeared. This Mac ransomware scans your network looking for Time Machine servers; that is, it tries to locate and encrypt your backups.
While Mac users represent a smaller percentage of users overall, there is no competing ransomware in that market, which makes it a profitable one. Because Bitcoin is a cryptocurrency with a public ledger, anyone can download that ledger and see the anonymized ransomware transactions, which show that online criminals are making hundreds of millions of dollars, according to Mikko.
Continuing Evolution of Ransomware
Another speaker, Martin Lee, the tech lead of security research at Cisco Talos, gave a tech talk on The Continuing Evolution of Ransomware, covering new features that have made ransomware more advanced.
The Locky ransomware is the first of its kind to go after servers. Another type, Cryptowall, is a variant of cloud-based encryption malware. When the malware infects your endpoint, it connects to a command and control server, requests a public key, receives and verifies that public key, and then encrypts your files with it. The private key only ever exists on the cloud server, never on the device itself, meaning you cannot recover it by reverse engineering the malware.
Ransomware can also spread via malicious advertising. When you visit a website, you get served ads, but you also get Google tracking, images from third-party servers, clickbait, etc. Attackers may simply buy ad space legitimately and use it to serve exploit pack landing pages that try to compromise and infect your device.
Protecting Against Ransomware
According to Martin, protecting against ransomware is possible by keeping proper backups and by updating devices to ensure they are fully patched, including for vulnerabilities that are at least five years old.
Updating devices can stop an attacker from exploiting a vulnerability in your operating system, browser, plugin, etc. in order to install malware on your device and spread it throughout your networks.
With an endpoint remediation tool, you can detect outdated devices and block them from accessing your applications until they update to the latest version of Windows, Flash, Chrome, etc. This automates more of the administration to help out busy admins, and removes the threat posed by unmanaged, outdated devices.
Using a monitoring tool to detect activity early on can help you block the attacker's connection to command and control servers, so even if malware is present it will not obtain the key it needs to activate. Additionally, having a backup and incident response plan in place for data recovery can be a life-saver.