How Does Ransomware Work?: Beating the Cyber Criminals

Threats come and go, but one thing remains the same: the ability of cyber criminals to adapt to circumstances. A brief decline of interest in ransomware as criminals focused their attention on cryptojacking during the previous year appears to have come to an end and ransomware attacks are once again escalating. Here, Patrice Puichaud explains what ransomware is, how it spreads, how prevalent it is and what today’s organisations can do to protect themselves against it.

As the name implies, ransomware is a kind of malware that demands some form of payment from the victim in order to recover control of their computer and/or data. Within that broad definition there are a few twists and turns that are worth noting.

First, there are variants with regards to exactly what the victim is being held to ransom for. Typically, the attacker encrypts personal files on the victim’s computer in such a way that they cannot be opened unless the victim has a decryption key. Access to the decryption key is what the attacker wants the victim to pay for.

Encryption ransomware has been seen on the mobile platform, too, with SimpleLocker reportedly infecting over 150,000 Android devices.

In other cases, depending on the target, the attacker may threaten to publicise or leak sensitive information found on the victim’s device, giving rise to the names “leakware” and “doxware” for this kind of attack. That could be personally compromising photos or e-mails, but more likely in the case of targeted attacks against businesses it may be data the company wouldn’t want to be made public. That could be anything from client data to a movie script.

In a leakware attack seen recently, criminals targeted developers and threatened to make the hijacked code public or “otherwise use” the developer’s Intellectual Property if the victim didn’t pay the ransom.

Denial of Service attacks

Other forms of ransomware such as the infamous WinLock malware from all the way back in 2010 are a form of Denial of Service attack, only in this case the service being denied is access to the victim’s own device. Such “blocking” attacks have found a new outlet on the iOS and Android mobile platforms. On Apple devices, for example, the technique deliberately tries to leverage compromised iCloud credentials in order to lock users out of their devices unless they pay a ransom.

In the more common case where the ransomware has encrypted a user’s files, what happens next is some form of demand accompanied by a threat. Usually, but not always, the demand comes in the form of a ransom note that appears on the screen. This tells the victim what has happened, how much they have to pay and how they can pay it.

Ransom notes themselves can range from simple text files with multiple spelling and grammar errors through to graphical layouts with icons designed to ease and encourage the steps necessary for payment.

In a recent case of targeted ransomware, rather than asking for a fixed amount, the criminals chose to vary the ransom demand depending on the attacker’s assessment of the victim’s financial worth.

How does ransomware spread?

You might well be wondering just where all of these ransomware attacks are coming from and how they’re able to access victims’ machines.

Ransomware isn’t especially complicated to code. The encryption functions exist natively on both Windows and Unix-based machines like macOS and Linux. Some attackers choose to package their own encryption framework to avoid detection by AV software, but there are plenty of open source projects from which attackers can choose.

What’s more, with the appearance of Ransomware-as-a-Service offerings such as Cerber RaaS and Shifr RaaS, attackers can simply buy off-the-shelf malware to distribute to victims. Reports indicate that portals for accessing these kinds of services are even breaking out of exclusive Dark Net forums on to open websites that any would-be hacker can access.

Once an attacker has a ransomware project in hand, they only need to decide how to distribute it. As is the case with other forms of malware, typical infection vectors rely on socially engineering victims into downloading an infected file either from a website or via a phishing e-mail. Often, an MS Office attachment or a malicious PDF file is used which, upon being opened, executes hidden code that, in turn, downloads the malware payload.

In other cases, the ransomware could be the payload delivered by a script on a maliciously-crafted website or downloaded by a fake software installer.

Behind the scenes

It’s particularly important to note that, once the victim has opened the malicious file and given authorisation, everything else happens invisibly behind the scenes. The unsuspecting victim may not know for some minutes, for several hours or even for a matter of days that their machine has been infected, depending on when the malware is coded to trigger the encryption and announce its presence.

In the first-ever recorded case of ransomware, the program wasn’t set to activate until the victim’s machine had been booted 90 times. Creating a delay between infection and encryption is intended to help cover the attacker’s tracks and make it harder for security researchers to find the infection vector. Criminals are usually in it for the long haul, and they don’t mind waiting for the payday if it helps ensure greater returns.

However, not all ransomware requires user interaction. The SamSam ransomware that was prevalent in 2016 targeted weak passwords on connected devices once it gained a foothold on an initial device. In a recent case, a zero-day vulnerability in the popular Oracle WebLogic Server allowed attackers to send ransomware directly to computers and execute the payload without any user interaction at all.

Is ransomware on the rise?

Is ransomware on the rise? Yes, it is. Throughout 2018, most threat intelligence reports were seeing a marked drop-off in ransomware attacks as criminals made a move to cryptojacking. Both web-based and malware-based cryptominers had offered criminals a digital gold mine with virtually no risk. Unluckily for them, with the demise of CoinHive, cryptojacking has been crippled to the point of unprofitability. At least for the time being, anyway.

Cue a corresponding uptick in ransomware, with LockerGoga, Troldesh, Golang Shifr and Sad ransomware all making an impact in recent months, hitting infrastructure companies like Norsk Hydro, developers and ordinary end users alike.

Even in the latter half of last year while cryptojacking was in full swing, ransomware never really went away. New variants of Ryuk and KeyPass came to light, the latter coming with features such as manual parameter settings, suggesting that the ransomware could be dropped and tailored to a specific victim by a remote hacker.

Defend against ransomware

As we’ve seen, reports of ransomware’s untimely demise were overly exaggerated. That means users and enterprises need to be on their guard to avoid being infected to start with and to have a response plan if they are.

Back-ups are a good first line of defence, so long as you back up regularly and rotate back-ups so that at least one recent back-up is offline at all times. Be sure not to rely on Windows’ built-in Volume Shadow Copies, as deleting these is one of the first things most ransomware does.
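The two points above lend themselves to a simple check on the defender’s side: spotting the shadow-copy deletion the article describes, and verifying that the back-up rotation actually leaves a recent copy offline. The following Python is an added example written for this page; it is not code from the article or from SentinelOne. It assumes Sysmon-style process-creation events with the fields shown, and the command-line patterns it matches (vssadmin, wmic, bcdedit, wbadmin) are well-known shadow-copy and recovery-tampering commands chosen here as illustration, not a list taken from the text. The sample events and back-up inventory are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style). Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2019-05-02T09:14:03", "host": "ws-17",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ts": "2019-05-02T09:14:04", "host": "ws-17",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ts": "2019-05-02T09:14:05", "host": "ws-17",
     "cmdline": "bcdedit /set {default} recoveryenabled No",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ts": "2019-05-02T10:02:11", "host": "srv-bk",
     "cmdline": "vssadmin list shadows",          # benign: listing, not deleting
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2019-05-02T10:05:40", "host": "ws-17",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" report.docx',
     "parent": r"C:\Windows\explorer.exe"},
]

# Command-line patterns that remove or disable Windows recovery data.
# Hypothetical rule names; the patterns are assumptions for this example.
SHADOW_COPY_TAMPERING = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin_delete_shadows"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic_shadowcopy_delete"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I), "bcdedit_recovery_off"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I), "wbadmin_delete_catalog"),
]


def flag_shadow_copy_tampering(events):
    """Return one (timestamp, host, rule, parent) tuple per event whose command line
    matches a tampering pattern. Each event is reported at most once."""
    hits = []
    for ev in events:
        for pattern, rule in SHADOW_COPY_TAMPERING:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["ts"], ev["host"], rule, ev["parent"]))
                break
    return hits


def hosts_with_burst(events, window_seconds=60):
    """Hosts where two or more tampering commands fire within `window_seconds`,
    the pattern a ransomware pre-encryption stage typically produces."""
    by_host = {}
    for ts, host, _rule, _parent in flag_shadow_copy_tampering(events):
        by_host.setdefault(host, []).append(datetime.fromisoformat(ts))
    return sorted(
        host for host, stamps in by_host.items()
        if len(stamps) >= 2 and (max(stamps) - min(stamps)).total_seconds() <= window_seconds
    )


# Constructed back-up inventory: which copies exist, when taken, and whether
# the medium is disconnected from the network (offline).
NOW = datetime(2019, 5, 2, 12, 0, 0)
MAX_AGE = timedelta(days=7)
SAMPLE_BACKUPS = [
    {"label": "nightly-nas",   "taken": datetime(2019, 5, 2, 1, 0),  "offline": False},
    {"label": "tape-weekly",   "taken": datetime(2019, 4, 28, 2, 0), "offline": True},
    {"label": "tape-archive",  "taken": datetime(2019, 3, 31, 2, 0), "offline": True},
]


def offline_backup_policy_ok(backups, now, max_age):
    """True if at least one back-up is both offline and no older than max_age.
    An online-only back-up does not count, since ransomware that reaches the
    network share can encrypt or delete it along with the live data."""
    return any(b["offline"] and now - b["taken"] <= max_age for b in backups)


if __name__ == "__main__":
    for hit in flag_shadow_copy_tampering(SAMPLE_EVENTS):
        print("tampering:", hit)
    print("hosts with burst:", hosts_with_burst(SAMPLE_EVENTS))
    print("offline back-up policy satisfied:",
          offline_backup_policy_ok(SAMPLE_BACKUPS, NOW, MAX_AGE))
```

The burst check matters more than any single pattern: a lone `vssadmin list shadows` from an administrator’s console is normal, whereas three recovery-tampering commands in two seconds from a process in a user’s Temp directory is the footprint described above. The back-up check encodes the rotation rule literally, so it fails the moment the newest offline copy ages past the threshold, even if online copies are fresh.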

Second, use a security solution that’s ransomware-proof. For enterprises, the best defence against ransomware is to use an automated endpoint solution that can not only block threats on execution, but can also roll back any attacks that do pass through the security net without needing to rely on back-ups.

For end users caught out by ransomware with no way to restore or roll back, you’re left with some unenviable options. If you’re in luck, you may find a public decryptor that will help you to restore your files. If you’re not, your choices are to accept the data loss or risk paying off the criminals.

Of course, no-one wants to reward crime, and there’s no guarantee that the criminals will uphold their end of the deal. In some cases of ransomware, the attackers didn’t even keep a copy of a decryption key and any victims who had paid up would have been both out of pocket and unable to recover their data.

Easy pay-day for cyber criminals

Ransomware offers an easy pay-day for criminals with a low chance of being caught. It also represents one of the most devastating attacks for victims, who can potentially lose everything from personal data to the very infrastructure upon which their business relies.

NotPetya and WannaCry remain the two most devastating attacks we’ve seen so far, but there’s every likelihood that they will be eclipsed by something worse if businesses don’t learn the lessons of automated protection sooner rather than later.

Patrice Puichaud is Senior Director (EMEA and APAC) at SentinelOne

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.