Ransomware

Introduction to Ransomware

Ransomware is a type of malware that attackers use to blackmail victims, either by encrypting their data (crypto-ransomware) or simply by locking the system so that the system and its data become inaccessible. The tactics used to press victims into paying a ransom, usually demanded in cryptocurrency, evolve over time; some attackers also threaten to publish the stolen information if the victim does not pay.

Ransomware uses a complex set of evasion techniques that makes it harder for traditional anti-malware software to detect, let alone for the many businesses that lack the visibility tools, IT professionals or other resources needed to detect and prevent it. Some ransomware variants can spread to and encrypt files stored on local drives, network drives or even cloud storage without the end user's knowledge. If a computer or network is infected with ransomware, there are warning signs that require attention: the device's screen is locked, files appear scrambled or encrypted, anti-malware software has been disabled and, finally, a ransom notice is received.
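
As an added illustration (not part of the original page) of the "scrambled or encrypted files" warning sign above, the following Python triage script flags files whose leading bytes look like ciphertext and file names that resemble ransom notes. The ransom-note names, the list of already-compressed extensions, the 7.5 bits-per-byte threshold and the sample file contents are constructed assumptions, and the demo builds its own temporary directory so it runs offline.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed samples standing in for file contents; no real victim data is used.
PLAINTEXT_SAMPLE = b"Quarterly sales report, region North, Q2 figures attached.\n" * 60
ENCRYPTED_SAMPLE = bytes(range(256)) * 16        # every byte value equally likely, as in ciphertext
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}   # assumed, illustrative names
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"} # high entropy is normal here

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_directory(root: str, threshold: float = 7.5, sample_bytes: int = 4096) -> dict:
    """Walk a tree and report two warning signs: files whose leading bytes look like
    ciphertext, and file names that resemble ransom notes. Compressed formats are skipped."""
    report = {"high_entropy": [], "ransom_notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                report["ransom_notes"].append(path)
                continue
            if os.path.splitext(name)[1].lower() in ALREADY_COMPRESSED:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)      # only the first bytes are needed
            except OSError:
                continue
            if shannon_entropy(head) >= threshold:
                report["high_entropy"].append(path)
    return report

def demo() -> dict:
    """Build a small constructed tree in a temp directory, triage it, return base names."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"budget.xlsx.locked": ENCRYPTED_SAMPLE, "memo.txt": PLAINTEXT_SAMPLE,
                 "README_TO_DECRYPT.txt": b"Your files are encrypted.\n"}
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        report = triage_directory(tmp)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
```

Legitimately compressed or already-encrypted files also show high entropy, so treat a hit as a lead to confirm against backups and file-change timestamps rather than as proof of infection.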

According to a global cyber threat report published by a network security company in 2021, ransomware attack volume in the first six months of that year increased by 151 percent over the same period in 2020, with some 304.7 million attempted attacks logged. Ransomware remains the most prominent threat: attacks keep evolving and apply different extortion methods to extract larger ransom payments.

Recent ransomware attack tactics and trends:

Figure 1: Extortion tactics evolution

1. Double Extortion - Attackers exfiltrate a large quantity of sensitive information from victims before encrypting the data, then threaten to release or sell the stolen information, exerting greater pressure on victims to pay the ransom.
2. Multiple Extortion - Beyond threatening to sell or leak the sensitive data, attackers may also threaten to contact victims' customers and partners about the data breach, to launch a distributed denial-of-service (DDoS) attack on victims' systems, and so on, to pressure the victims into paying the ransom.

Figure 2: Ransomware-as-a-service (RaaS) workflow

3. Ransomware-as-a-service (RaaS) - Ransomware developers create custom exploit code and package it as infrastructure or a service for sale or lease to other attackers, who then launch ransomware attacks and extort organisations.

Impact of Ransomware

Ransomware has an adverse impact on an organisation in a variety of ways.

Figure 3: Impact of Ransomware attack

1. Financial Loss
Business revenue will drop and a substantial loss will be incurred as a result of the incident response and mitigation efforts required:
- The cost of the ransom payment (if paid)
- The labour cost of restoring data and clearing the backlog of production work
- Penalties and related legal expenses imposed by a regulatory authority for a data breach (if any data was exfiltrated or leaked)
- The cost of containing the incident and deploying security measures to fix the problem (e.g. procuring new hardware and anti-malware software, and engaging cyber security professionals or services)
2. Data Loss
Data loss causes widespread impacts, ranging from disruption to permanent business failure:
- Inability to access encrypted data or a locked system
- Exfiltration of sensitive or confidential data (e.g. personally identifiable information and financial data) for illicit purposes, such as selling a company's commercial data to its competitors
3. Business Disruption
The operation of an organisation will be severely affected by the inability to access data and the interruption of system processes:
- Production shortages
- Service outages
- Damage to brand and reputation
Example: In 2021, an oil pipeline company suffered a DarkSide ransomware attack that shut down operations and cut off fuel supplies to millions of people, causing massive economic disruption across the Eastern United States.

Common Ransomware Attack Vectors

Figure 4: Common ransomware attack vectors

1. Phishing
Ransomware is often spread through watering-hole phishing or malware-based pharming from a fraudulent website. Once users are deceived into downloading the malicious programs, ransomware can be installed on their computers and the attack initiated without their knowledge.
Example: In 2020, the Netwalker ransomware group targeted the healthcare sector, tricking staff into installing the malware through COVID-19-themed phishing emails. The attackers also threatened to expose sensitive data stolen from the government network of the Austrian city of Weiz.
2. Exploiting Security Vulnerabilities
Attackers may use exploit kits to attack vulnerabilities in systems (e.g. unpatched security vulnerabilities or hidden backdoor programs) so that they can install ransomware and launch the attack.
Example: In 2020, the WastedLoader exploit kit was identified exploiting two scripting-engine vulnerabilities in unpatched Internet Explorer browsers to deliver ransomware.
3. Supply Chain Attack
Attackers can gain access to the systems of multiple organisations through a trusted third-party vendor. A ransomware attack can be carried out by exploiting vulnerabilities in interconnected supply chain systems to steal sensitive information and to block access to files by encrypting them.
Example: In 2021, a software company was attacked by the REvil hacker group, which injected malicious code into an IT management software update that was automatically pushed out to thousands of organisations.
4. Unauthorised Remote Desktop Protocol (RDP) Access
Attackers can gain remote access to a victim's network through RDP brute forcing or vulnerable RDP software, then install ransomware and launch the attack on the victim's systems.
Example: In 2020, a transportation and logistics company was victimised by Nefilim ransomware, which the attackers distributed through exposed remote desktop services. In the attack, a corporate server was infiltrated and around 2 GB of data was leaked.
5. Compromised Websites
Attackers often initiate drive-by attacks, taking advantage of known vulnerabilities in the software of legitimate websites. When victims visit the infected website, the ransomware is downloaded and executed automatically without the user's knowledge.
Example: In 2021, a life sciences research institute suffered a Ryuk ransomware attack and lost a week's worth of vital research data because of unlicensed software installed by a student. The cracked copy of the software was also bundled with a malicious info-stealer.
6. Infected Removable Media
USB devices and other removable media offer an easy and convenient way to spread ransomware between computers that are not directly connected to each other or to the Internet. Connecting infected external media can lead to ransomware being installed and launched on the local computer and potentially spreading across the network.

Best practices for preventing ransomware attacks

The following practices can be adopted to reduce the risk of potential ransomware attacks:

1. General Recommendations

Figure 5: General recommendations for preventing ransomware attack

- Implement security measures on personal computers (refer to this website for more information);
- Avoid opening suspicious or unexpected attachments and do not follow unsolicited web links in emails (refer to the Phishing resources on this website for more information);
- Disable or restrict all unnecessary services and functions, such as Remote Desktop Protocol (RDP), macros in Microsoft Office applications and unnecessary browser plugins; and
- Install software and mobile apps only from trusted sources, and do not install apps that request suspicious permissions.

2. For Organisations

Figure 6: Recommendations for organisations on preventing ransomware attack

- Adopt additional security measures such as multi-factor authentication and login notifications, where available;
- Apply least-privilege access and re-authentication controls so that every user is granted the minimum level of access, with the ability to assign and elevate privileges where necessary;
- Deny access to unknown devices such as USB drives, and adopt a Zero Trust model so that everything on the network must prove it is trustworthy before being granted access;
- Protect backup data and store it separately (both online and offline) so that it cannot be overwritten by ransomware-encrypted files;
- Conduct security risk assessments and audits regularly in accordance with the organisation's information security policies;
- Establish, maintain and implement plans for incident response, backup operations and disaster recovery for organisational information systems, to ensure the availability of critical information systems and continuity of operations in emergencies; and
- Review system logs regularly to identify abnormal system or network activity that may indicate a cyber attack.
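
An added example, not from the original page, of the log review recommended above applied to the RDP brute-forcing vector described earlier: it replays a constructed Windows Security log sample (event IDs 4625 and 4624, logon type 10) and raises a medium alert when one source exceeds a failure threshold inside a sliding window, then a high alert if that source logs on successfully shortly afterwards. The record layout, threshold and window are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log sample reduced to the fields that matter:
# timestamp, EventID (4625 = failed logon, 4624 = successful logon),
# LogonType (10 = RemoteInteractive, i.e. RDP), source address, account name.
SAMPLE_LOG = """\
2021-06-01T02:00:01Z 4625 10 203.0.113.5 administrator
2021-06-01T02:00:03Z 4625 10 203.0.113.5 admin
2021-06-01T02:00:04Z 4625 10 203.0.113.5 backup
2021-06-01T02:00:06Z 4625 10 203.0.113.5 sysadmin
2021-06-01T02:00:09Z 4625 10 203.0.113.5 administrator
2021-06-01T02:00:15Z 4624 10 203.0.113.5 administrator
2021-06-01T09:12:40Z 4625 10 198.51.100.7 alice
2021-06-01T09:12:58Z 4624 10 198.51.100.7 alice
"""

def parse_line(line: str) -> dict:
    ts, event_id, logon_type, src, account = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event_id": int(event_id),
            "logon_type": int(logon_type), "src": src, "account": account}

def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> list:
    """Flag a source with >= threshold failed RDP logons inside a sliding window,
    and escalate if the same source then logs on successfully (password likely guessed)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = {}                  # src -> time the threshold was crossed
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["logon_type"] != 10:        # only RDP (RemoteInteractive) logons
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged[ev["src"]] = ev["ts"]
                alerts.append({"severity": "medium", "src": ev["src"],
                               "reason": f"{len(q)} failed RDP logons within {window}"})
        elif (ev["event_id"] == 4624 and ev["src"] in flagged
              and ev["ts"] - flagged[ev["src"]] <= window):
            alerts.append({"severity": "high", "src": ev["src"], "account": ev["account"],
                           "reason": "successful RDP logon shortly after a brute-force burst"})
    return alerts
```

The single failure from alice followed by a success is normal user behaviour and produces no alert, which is the point of requiring a burst before flagging.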
Response to ransomware attack

It is inadvisable to pay ransoms, since there is no guarantee that the encrypted data will be recovered, that stolen data will be destroyed as promised, that the infected system will be unlocked or that future attacks will be prevented.

In the event of a ransomware attack, individuals or organisations should consider taking the following actions to respond to and contain the incident effectively:

Figure 7: Response to ransomware attack

Immediate Response

1. Disconnect the infected devices from the network and perform a comprehensive scan of the devices concerned to verify whether malware has been installed.
2. Cut off the power and isolate the computers or devices that share the same network with the infected computer(s) but have not yet been fully encrypted by the ransomware.
3. Check carefully that the backup data is offline and secure.
4. Take note of the incident details (e.g. date, time, affected files/devices, infection source, etc.) for preparing the incident report and requesting assistance from professionals.

Notify and report

1. Report to the appropriate parties (e.g. IT administrators) immediately for investigation and clean-up.
2. Report to law enforcement or regulatory bodies, such as the Hong Kong Police Force and the Office of the Privacy Commissioner for Personal Data, if criminal activities and leakage of personal data are involved. Seek advice from the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) on incident response and recovery where necessary.

Recovery

1. Use a clean computer to download a legitimate decryption tool to decrypt the files (if one is available). Do not download suspicious decryptors from untrusted sources.
2. Recover the data from backup to a clean computing device.