We are now seeing one of the largest global Ransomware attacks in history. Those in the cyber security field knew this was inevitable but the speed and scale has taken many by surprise. You can track infections in real time here. Here I explain what we know to date about the Wanna Decryptor ransomware, also known as WannaCry.
It spreads by infected machines joining a network, rather than the traditional ransomware attack vectors which previously required each machine to be infected separately through malicious attachments. It uses a known Windows exploit called EternalBlue was created by the NSA, and released to the public in April 2017 by a hacking group known as the ShadowBrokers. Microsoft did fix the problem in April but it seems that many system administrators have not updated their systems with the latest Windows patches. What is scary is that organisations like the NHS are running 15-year-old operating systems such as Windows XP which are unsupported for some time now. Microsoft have taken the unprecedented step of releasing fixes for Windows XP on this occasion.
The scary and powerful feature of this malware is its ability to perform network scans over TCP port 445 (Server Message Block/SMB) and compromise other machines. The end result is encryption of files and the demand of a ransom payment in the form of Bitcoin. It also installs a persistent backdoor to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware.
The spread of the attack was brought to a sudden halt when one UK cybersecurity researcher found and inadvertently activated a “kill switch” in the malicious software. In fact this may turn out to be an incorrect conclusion as some believe the malware was simply querying an intentionally unregistered domain which would appear registered in certain sandbox environments in order to determine if cyber security experts were analysing the malware in a sandbox environment – so it could exit thus preventing analysis.
By the way, I really do like Mattias Geniar’s “Ways in which the WannaCry ransomware could have been much worse“. yes, he has a point, if it did infect, encrypt files but remain hidden for weeks, then it would be very bad.
How to Protect yourself
The number one preparation for potential ransomware infection is to employ a proper backup policy. The backups should be serialised, with previous versions of files stored. Of course, these backups should not be stored on network attached drives as ransomware can infect shared and removable media. A good rule of thumb is the 3-2-1 backup strategy which is shorthand for 3 total copies of your data where 2 are local but on different mediums e.g. external hard drives and 1 which is off premises.
Other preparations include deploying firewalls, active attachment scanning and web filtering in addition to IDS’s and anti-malware. Restricting user privilege is important as malware executes with the same privileges as the victim is running with.
Best practice with regards timely patching of systems is crucial so take steps to make sure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied. Organisations with SMB publicly accessible via the internet (ports 139, 445) should block inbound traffic.
You could also block connections to TOR nodes and TOR traffic on the network as known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.
Of course, the most effective way for ransomware to gain a foothold on people’s computers is when people to click on links. This can be done by placing these files online and tricking people into downloading them or more commonly, by sending people ‘phishing emails‘. Phishing emails are simply emails which can look legitimate either containing attachments or links which then lead people to clicking on them and installing the destructive software. The first line of defence to stop these attacks apart from the firewalls, anti-virus software and intrusion detection systems is to simply educate employees about the dangers of clicking on links. Only a fraction however will listen and learn. It generally takes people to make a mistake before they learn. That can be too late however. There is is a new movement where security teams send phishing emails containing fake malware to their employees which when activated simply lead them to a site telling them about their mistake and educating them on the dangers of what they did. Education is crucial.
What else can we do?
As I outline above, the main strategy to ensure ransomware is ineffective is to have a proper staged backup plan in place. Files which are backed up offline can simply be substituted for encrypted files and no ransom need ever be paid.
Other measures however include authenticating in-bound emails. This helps as the majority of infections arise from opening ransomware attachments. Implementing a Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain Message Authentication Reporting and Conformance (DMARC) can help guard against spear phishing and other attacks coming through spoofed email. These work together to validate the IP address and domain of the originating email server but sadly, not enough organisations adopt these standards. It also helps to have active scanning of all email to detect potential threats. Having ad-blocking enabled can also help as ransomware is distributed through malicious advertisements served up to users when they visit sites. Some organisations have implemented separate networks for employees surfing the web.
If I am hit with ransomware, what steps should I take?
There are limited options once an attack is underway due to the rapid file overwriting which is also the main indicator that ransomware is present. Activity-monitoring tools can potentially scan for distinctive patterns that indicate this and take the system or entire network offline to prevent the spread of the virus. Later, disk forensics techniques can be employed to recover unencrypted files.
With the current wormable ransomware, then simply pulling the plug on the network/computers may prevent utter devastation but unfortunately computers are quite quick to execute code. Here is @hackerfantastic, Co-Founder & Director of myhackerhouse demonstrating the speed of infection from 1 PC to another in real time.
Should you pay the ransom?
In an ideal world, we would like no-one to pay a ransom to the criminals. Paying the ransom not only enriches them but also could encourage them to further develop more sophisticated ransomware and target more victims. There is also no guarantee that the payment of a ransom results in the files being unlocked. This has been the case on many occasions (although a German news article claimed that Bitcoin Suisse Ltd, a currency exchange office told them of a client getting their files back.)
Payment of the ransom really comes down to the value of those files lost. If they are deemed worth the ransom then most people will simply end up paying. Quite often the ransom is far cheaper than the actual costs of losing access to those files.
Was ransomware possible before the advent of cryptocurrencies?
The trend for ransomware is showing worrying trends. The Security vendor Malwarebytes used a ‘honeypot’ to attract attackers and they discovered an increase from 17% in 2015 to 259% in 2016. Imagine the future however when our smart home devices are held hostage and owners must pay a fee to have access to their lights and Internet of Things (IoT) appliances. We may also see ransomware appearing on our smart cars, planes, trucks & trains. It might only a matter of time before we see people left helpless, on the side of the road unable to drive their vehicles until they pay a ransom.
Cryptocurrencies like Bitcoin of course have enabled the rise of ransomware. Bitcoin along with the use of the correct ‘mixing’ techniques can also provide almost perfect anonymity which is also important for a great many people. Existing non-block chain currency or payment technologies cannot offer such a solution. We have a reached a pivotal moment in global society where financial transactions can take place without being traceable. We are starting to see virtual currencies forming the modus operandi of trading in illicit goods, such as weapons, drugs, child abuse material, as well as for the payment of services that may be regulated or criminalized in certain countries, like online gambling. The existence of these currencies is ideal for criminals wishing to hide their tracks and we should indeed look at the implications for society when such a powerful anonymous virtual currency exits.
It is fair to say that prior to the arrival of cryptocurrencies, it would be difficult to scale an attack such as ransomware to any degree. Yes, the odd hacker here or there could launch cryptolocker type malware and deliver a message to send money via Western Union (a old favourite of the scammers) or to a bank account but that money transfer was always traceable once the authorities were involved. What we would have most likely seen is a patchy scattering of scammers who became too greedy and thus ended up being tracked down and arrested. Ransomware in fact did predate the integration of Bitcoin. When it first arose in Russia and Eastern Europe around 2005, the victims in Europe and the US were instructed to pay via SMS messages or with pre-paid cards. Yes, ransomware simply does not scale without the anonymity offered up with cryptocurrencies.
Do the scammers make much money?
We are looking at the creation of the first genuine business model for malware. According to the National Crime Agency Cyber Crime Assessment 2016 report, cybercrime accounted for 53 per cent of all crimes in 2015. This percentage is rising steadily each year. We can expect to see cybercrime continue to develop into a highly lucrative and well organised enterprise. Cyber criminals whether state sponsored or not are even beginning to devote funds to research and development. Criminals are increasingly moving online because that is where the money is. We are also seeing terrorist groups beginning to exploit cybercrime to fund their evil aims.
We have seen estimates of how lucrative ransomware is from ‘captured’ command & control servers with some scammers bringing in 1 million+ per year. In addition to locking files, the threat to bring a website to its knees via a ‘distributed denial of service (DDOS) attack’ is also closely related due to cryptocurrencies being the unit of payment.
Again, malware business models were limited previously. Most relied on redirecting infected users to websites loaded with third party ads where the ad generation was the business model. Others relied on selling antivirus solutions to the infection. There was a limited scope for malware authors due to the traceability of payments.
Can malware be decrypted by researchers?
There are variations of ransomware. Some can be quite easy to remove while others impossible. Simple ones are generally the ‘scareware‘ type that proclaim your laptop has been locked by the FBI or a local police force. These can usually be removed with anti-virus programs. Others may encrypt the Master File Table or individual files. The nightmare ones encrypt files with military strength encryption. Unfortunately, if properly implemented, then the maths holds up and they cannot be retrieved (without the private key being released to you – which sometimes happens after paying the ransom).
There are however programs out there which can decrypt ransomware which has not properly implemented the encryption part. Security companies such as McAfee, AVG, and Kaspersky release these for free. Kaspersky’s site at noransom.kaspersky.com for instance, has many tools such as Rakhni, Rannoh, Convault & Widlfire decryptor software which can decrypt files affected by Rakhni, Dharma, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Cryptokluchen, Lortok, Democry, Bitman version 3 and 4, Chimera, Crysis and other forms of ransomware. Ultimately, there is more ransomware out there than decryption utilities so a certain amount of luck is needed for you to be fortunate enough to find a tool which decrypts your strain of ransomware.
An interesting twist on the ransomware story happened last year when a developer whose encryption code was used by a strain of ransomware simply released the decryption keys for the malware. It turns out that the developer intentionally inserted a backdoor into his code when he first developed it to make sure he could check any abuses of his code by scammers. The ‘backdoor access’ allowed him to obtain a list of decryption keys, which are now available to download for anyone affected by the strains of ransomware which used his code. If only it was always going to work out like this…..