Sunday, February 24, 2019

Ransomware - from the AIDS Trojan to Cryptolocker


History of Ransomware

Ransomware attacks started decades ago: the first one, the AIDS Trojan, was released in 1989 and spread on 5 1/4-inch floppy disks. It already had the characteristics of today's ransomware, in that it scrambled data (file names on the C: drive, using symmetric encryption) and demanded a ransom from the victim in exchange for the key to restore them. Security was weak in those days, but the ransomware itself was not robust enough to gain traction: the symmetric key was carried inside the trojan, so the damage could be undone without paying.

After the first one in 1989, no notable ransomware was recorded until the mid-2000s, when attacks began using strong asymmetric encryption such as RSA, which cannot practically be broken without the attacker's private key. The best known of these was the Trojan.Gpcoder family, seen around 2005. Gpcoder was the first "crypto-ransomware", followed by TROJ.RANSOM.A, Archiveus, Krotten, Cryzip and MayArchive.

In 2011 another kind of ransomware appeared, the first of the "locker-ransomware" type: Trojan.Winlock. Instead of encrypting files, it locked the desktop with a fake Windows activation page that only went away once the victim entered an activation code, which they had to obtain by calling a costly international premium-rate number.

Cryptolocker, which appeared in September 2013, was the most threatening crypto-ransomware of its time: it alone infected more than 250,000 systems and generated more than $3 million in ransom before the Gameover Zeus botnet that distributed it was taken down in June 2014 (Operation Tovar).

During 2014 - 2015 the most prominent ransomware families were CryptoWall, Cryakl, Scatter, Mor, CTB-Locker, TorrentLocker, Fury, Lortok, Aura and Shade; the biggest revenue generators were CryptoWall, Cryakl and Scatter, which together accounted for 71% of attacks in that period. According to Kaspersky's research for 2015 - 2016, TeslaCrypt, another crypto-ransomware, on its own accounted for about 50% of attacks in that period.

Influence of Cryptocurrency

Cryptocurrency is an intangible digital currency that exists only on the internet and is backed not by a central authority but by a decentralized system: a public ledger secured by cryptographic protocols. Bitcoin, the first of them, was described in a whitepaper in October 2008 (the network went live in January 2009) and was created to bypass the government-controlled, centralized monetary system.

With the advent of Bitcoin it became much easier for attackers to collect a ransom without exposing themselves. Bitcoin is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, but addresses are not tied to real-world identities, and anyone can generate an address and send or receive payments with it without a bank account or identity check. Tracing a payment back to a person requires linking the address to off-chain data such as an exchange account, which is why ransomware operators favour it. Cryptolocker, in 2013, was the first major crypto-ransomware to demand its ransom in Bitcoin.

Over the years 2014 - 2016 various Cryptolocker-style variants (CryptoWall, TorrentLocker, TeslaCrypt) emerged, increasingly targeting high-value organisations such as hospitals, banks and government bodies. All of them had one thing in common: the ransom was demanded in Bitcoin.

In 2015 the Armada Collective ran one of the largest extortion campaigns ever aimed at the banking industry: a series of attacks on Greek banks, demanding over $7 million in Bitcoin from each bank. This was extortion backed by the threat of sustained DDoS attacks rather than by file encryption, and the banks were able to strengthen their defences and get away without paying a cent.

In early 2016 several hospitals were hit by Cryptolocker-style ransomware, among them Hollywood Presbyterian Medical Center (HPMC) in Los Angeles, Methodist Hospital in Kentucky, Chino Valley Medical Center and Desert Valley Hospital in California, and The Ottawa Hospital in Canada. One of the families involved was Locky. HPMC paid about $17k (40 bitcoins) to regain access to its systems, while the others recovered without paying.

In March 2016 Petya, a novel Cryptolocker-style ransomware, hit many businesses around the world. Unlike the usual variants, which encrypt individual files, it overwrites the master boot record (MBR) with its own bootloader and encrypts the NTFS master file table (MFT), so the machine cannot boot into Windows at all and shows only the ransom note until the ransom is paid. Petya was also among the early families offered as ransomware-as-a-service (RaaS) by its creators, a model Cerber followed.

KeRanger, one of the first ransomware families targeting Apple OS X, appeared in March 2016. It was distributed inside a trojanized installer of the Transmission BitTorrent client, signed with a valid Apple developer certificate, and reached around 6,500 machines but did not cause significant financial damage.

In May 2017 WannaCry, a Cryptolocker-style ransomware, hit hundreds of thousands of machines in more than 150 countries. It was the first ransomware to spread across networks on its own at that scale, worm-style, using the EternalBlue exploit for the SMBv1 vulnerability Microsoft had patched in MS17-010 two months earlier. One of the victims was the state of Victoria in Australia, where 55 speed cameras were taken offline. The damage did not multiply further because British security researcher Marcus Hutchins registered the unregistered domain the malware queried before encrypting, which acted as a "kill switch" and stopped new infections from detonating.

In August 2018 Ryuk appeared, a Cryptolocker-style variant built for targeted attacks on organisations. It enumerates and encrypts network drives and shares as well as the local disk, and it deletes the volume shadow copies on the endpoint (using built-in tools such as vssadmin) and disables the Windows System Restore option, so that recovery without an external, offline backup is impossible. Its first campaigns cost victims around $600k.
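The recovery-tampering behaviour described above (deleting shadow copies, disabling Windows recovery) is carried out with ordinary administrative tools, which makes it easy to detect from process-creation telemetry. The following is an added example, not code from the original post or from any vendor: a small detector run over constructed Sysmon-style process-creation events. The event fields, the benign entries and the rule names are my own assumptions; the commands themselves (vssadmin, wmic, bcdedit, wbadmin, Win32_ShadowCopy.Delete) are the ones commonly seen in ransomware "kill scripts", mapped to MITRE ATT&CK T1490 (Inhibit System Recovery).

```python
import re
from typing import Dict, List

# Constructed process-creation events in the shape of Sysmon Event ID 1 /
# Windows 4688 records (pid, parent image, command line). Not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "parent": "cmd.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 4124, "parent": "cmd.exe",
     "cmd": r'vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB'},
    {"pid": 4130, "parent": "cmd.exe",
     "cmd": r'wmic.exe shadowcopy delete'},
    {"pid": 4133, "parent": "cmd.exe",
     "cmd": r'bcdedit /set {default} recoveryenabled No'},
    {"pid": 4139, "parent": "cmd.exe",
     "cmd": r'bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 4140, "parent": "cmd.exe",
     "cmd": r'wbadmin delete catalog -quiet'},
    {"pid": 4150, "parent": "powershell.exe",
     "cmd": r'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    # Benign administration that must NOT alert.
    {"pid": 5001, "parent": "mmc.exe", "cmd": r'vssadmin list shadows'},
    {"pid": 5002, "parent": "svchost.exe", "cmd": r'wbadmin get versions'},
]

# (rule name, ATT&CK technique, pattern). The optional quote after the image
# name handles quoted full paths such as "C:\...\vssadmin.exe" delete ...
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I)),
    ("vssadmin_resize_shadowstorage", "T1490",
     re.compile(r'vssadmin(\.exe)?"?\s+resize\s+shadowstorage', re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r'wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I)),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r'bcdedit(\.exe)?"?\s+.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b', re.I)),
    ("wbadmin_delete_backups", "T1490",
     re.compile(r'wbadmin(\.exe)?"?\s+delete\s+(catalog|systemstatebackup|backup)\b', re.I)),
    ("powershell_delete_shadowcopy", "T1490",
     re.compile(r'win32_shadowcopy.*\.delete\s*\(', re.I)),
]


def match_rules(cmd: str) -> List[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, _, pat in RULES if pat.search(cmd)]


def scan(events: List[Dict]) -> List[Dict]:
    """Produce one alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            alerts.append({"pid": ev["pid"], "parent": ev["parent"],
                           "rules": hits, "technique": "T1490"})
    return alerts


def is_recovery_inhibition_burst(events: List[Dict], threshold: int = 2) -> bool:
    """A single 'vssadmin delete shadows' can be legitimate maintenance; Ryuk-style
    tooling chains several distinct recovery-inhibition commands in quick succession.
    Treat `threshold` or more distinct rule hits from one host as high confidence."""
    distinct = {r for ev in events for r in match_rules(ev["cmd"])}
    return len(distinct) >= threshold


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print("burst:", is_recovery_inhibition_burst(SAMPLE_EVENTS))
```

In production the same patterns would be expressed as a SIEM or EDR rule over the command-line field; the burst check is what turns a noisy single-command signature into an alert worth paging on.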

How to protect against ransomware attacks

As technology evolves, new variants of crypto-ransomware will keep appearing in the coming years. No single control stops them; at the very least you must keep regular off-site backups of your systems, stored where an infected machine cannot reach and encrypt them.

Below are the measures you can take to protect against these attacks:

1. Implement the 3-2-1 backup rule.

3-2-1 Backup Rule:

The most widely accepted backup best practice is the three-two-one rule. It can be summarized as: if you're backing something up, you should have:
At least three copies,
On two different types of media (formats),
With one of those copies off-site (a Disaster Recovery, or DR, site)

Let’s go through each of those rules. They’re all based on one concept, really: redundancy. Each of those rules is meant to make sure that your data is stored in multiple ways, so that at least one backup will survive.

Three copies means three separate copies in different places. (Different folders on the same hard drive or flash disk do not count.) Why three? In the digital era it is very easy to make copies, and it is better to have too many than too few. Keeping them in different places reduces the risk of a single event destroying several copies at once, and for ransomware that single event is an infected machine encrypting every drive and share it can write to.

Now, why two different formats? This means you must use at least two different methods of storing your data. For example, burning your photos to a DVD from your PC's hard drive counts (hard disk and DVD), whereas copying them to an external disk does not (they are both hard disks). If you do both, you satisfy this rule (and the first one as well). Using different formats reduces the risk that all your backups are damaged by the same cause, because different media have different strengths and weaknesses. Against ransomware, at least one medium should be read-only or disconnected once the backup is written, since a mapped backup drive that is always online is just another volume to encrypt.

Keeping one copy off-site ensures that even if something happens to the place where your data is kept, like a fire or a break-in, at least one copy is safe somewhere else.

Having said that, a backup is only an assumption until it has been restored: test backups regularly by restoring a sample and verifying that what comes back matches what went in.
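As an added example (my own code, not part of the original post), here is one way to do the restore test the rule calls for: record a SHA-256 manifest of the source tree at backup time, keep the manifest with one of the off-site copies, and after a test restore compare the restored tree against it, reporting files that are missing, changed or unexpected. The directory layout, file contents and tampering in the demo scenario are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restore_root: Path) -> Dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restore_root)
    missing: List[str] = sorted(set(manifest) - set(restored))
    extra: List[str] = sorted(set(restored) - set(manifest))
    changed: List[str] = sorted(
        k for k in manifest.keys() & restored.keys() if manifest[k] != restored[k]
    )
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "ok": not (missing or changed),
    }


def demo() -> Dict:
    """Constructed scenario: snapshot a source tree, restore it, then tamper with
    the restored copy the way an encrypting ransomware would, and verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly figures\n")
        (src / "config.ini").write_bytes(b"[db]\nhost=localhost\n")
        manifest = build_manifest(src)

        restore = Path(tmp) / "restore"
        shutil.copytree(src, restore)
        clean = verify_restore(manifest, restore)

        # Simulated damage: one file overwritten with ciphertext, one deleted,
        # and a ransom note dropped into the tree.
        (restore / "config.ini").write_bytes(b"\x9a\x11encrypted-garbage\x00")
        (restore / "docs" / "report.txt").unlink()
        (restore / "README_DECRYPT.txt").write_text("pay up\n")
        tampered = verify_restore(manifest, restore)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The manifest must itself be stored somewhere the production host cannot overwrite, otherwise ransomware that reaches the backup share can re-hash its own ciphertext; the off-site copy of the 3-2-1 rule is the natural place for it.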

2. Implement a regular patch policy:
Most software vendors, including OS vendors, release patches frequently. Security patches are the critical ones and should be applied as soon as possible, because they close known vulnerabilities that attackers exploit at scale: WannaCry spread through an SMB flaw Microsoft had patched two months before the outbreak. Every company should designate a team responsible for patching software.

3. Anti-malware and mail filtering:
Most ransomware attacks (more than 70%) arrive as phishing emails carrying malicious URLs or attachments. Up-to-date anti-malware and a mail filtering system are a must for any company. Regularly training non-technical staff to recognise suspicious websites and emails has also proven effective in reducing the number of successful attacks.

4. Sensible restrictions:
Access should be limited to what the job requires (least privilege: no local administrator rights by default, write access only to the shares a role needs) for employees and contractors who:
- Work with devices that contain company files, records and/or programs
- Use devices attached to company networks that could be made vulnerable
- Are third-party or temporary workers

5. Proper credential tracking:
Every employee, contractor or other person who is given access to systems is a potential entry point for ransomware. Staff turnover, failure to rotate passwords or revoke accounts that are no longer needed, and improper restrictions make an attack through these points even more likely.

