Ransomware: What is it? Is it possible to be prepared?

Overivew

Ransomware is a form of malware that attacks individuals and organizations by blocking access to computing resources and potentially to critical information assets. Specifically, ransomware employs encryption to lock data so that it remains locally unreachable to the victim individual or organization. To regain access, an attacker demands payment within a limited time period. If the ransom is not paid, the data remains permanently locked. Ransomware is a multi-million dollar industry, and the forms of ransomware are rapidly evolving (McAfee, 2015).

To illustrate how ransomware works, the case of Hollywood Presbyterian Medical Center (HPMC) is explored. On February 5, 2016, IT staff identified that hackers locked HPMC out of critical healthcare systems computers (Winton, 2016). Attackers demanded 40 bitcoin or about $17,000 in ransom in exchange for the encryption keys that would unlock their systems. Bitcoin is a form of virtual currency that does not have the funds tracking mechanisms of bank or wire transfers. This incident resulted in the hospital turning away patients and using pen and paper for records management. HPMC paid the ransom, and systems were restored about ten days later on February 15, 2016. HPMC notified legal authorities and is not identifying details of the attack, but a phishing attack is suspected as the cause (Gallagher, 2016).

The Propagation Cycle

Ransomware is malicious computer software that incorporates encryption technology (Gada, 2016). Malware may be written in many programmatic languages, but the language must function on its victim computer with respect to programming language, operating system (OS), and file system compatibility. For example, ransomware written for an Android phone would not be compatible with the Apple OS. Once written, ransomware is deployed to a distribution network. These networks are often known as Command-and-Control centers or botnets that are built for malware distribution (Scott & Spaniel, 2016).

The primary distribution channels for malware are email phishing attacks, advertising malware links, and drive-by download infections (Scott & Spaniel, 2016). In phishing attacks, a user clicks on a hyperlink that connects to a botnet or on an attachment that contains software such as a Trojan which also reaches out to a botnet distribution channel. Either attack vector results in the download of ransomware. Advertising malware links may be served through malvertising sites or legitimate advertising networks such as the New York Times. Clicking on the link results in download. Drive-by-download a malicious direct installation of software. Other channels such as middleware vulnerabilities also exist and may be more likely for use with organizational infestation of malware.

Once the ransomware is on a victim computer, it unpacks and begins to install. Installation may begin with reconnaissance which is scanning a system for file types and location of files. Installation also includes setting up and initiating encryption. Encryption effectively locks the victim out of a system or out of information assets. Ransomware may also take other actions such as shutting down OS services and interrupting a computer boot process so that it has complete control of a system. Once set up, a ransom note is displayed. The note will provide instructions on how to obtain the encryption keys for release. The typical request is for the purchase of bitcoin or other virtual currency.

While the Federal Bureau of Investigation (FBI) officially recommends that ransomware should not be paid. The decision to make payment depends on the risks associated with recovered encrypt data. Some U.S. police departments who have been victimized by ransomware have refused to pay and have paid the consequences of deleted files (Francescani, 2016). Meanwhile, others police departments such as Lincoln County, Maine, have paid due to lack of other options. In most cases, payment results in the distribution of the encryption key to unlock the victim system.

The Actors and Targets

Ransomware is an attractive option for cybercrime syndicates (Scott & Spaniel, 2016). Ransomware is distributed toward individuals and organizations who are considered likely to pay ransom. For a crime syndicate, ransomware is not expensive to rent or distribute and ransomware can be broadly deployed for a cost-effective ransom that victims are likely to pay. Many victims are willing to pay up to $500 for ransom, and Americans are more willing to pay (Arsene & Gheorghe, 2016). The current consumer marketplace creates an environment for potential extortion.

According to McAfee Labs (2015), ransomware propagation increased 165% versus 2014. The proliferation included the development of more sophisticated ransomware variants that were able to infect a broader range of target devices. In 2014, ransomware began targeting Android mobile devices (Arsene & Gheorghe, 2016). By 2016, a ransomware variant named KeRanger appeared in the BitTorrent per-to-peer file sharing network (Finkle, 2016). Apple quickly responded to this news by revoking the security certificate associated with the malware, and companies such as Palo Alto networks continued performing network scans to locate potential copies of KeRanger. While companies such as Apple respond on an incident by incident basis, the actors continue to aggressively develop and distribute new ransomware variants. Having a response plan to address the possibility of a ransomware attack is important given the increased proliferation.

Ransomware Prevention

As ransomware continues to successfully extort money from victims, attackers are likely to become more brazen in use of malware. An example of the financial success is CryptoLocker. It is estimated that ransomware variant CryptoLocker has earned attackers as much as 325 million in 2015 (Wong, 2016). With this type of earning potential, effective prevention begins with end user education and continues with the development of security program measures that accounts for the risk of ransomware.

To date, the primary attack vectors for ransomware have been user initiated events such as email phishing campaigns (Arsene & Gheorghe, 2016). With humans being the primary source of infection, education and awareness should be important avenues to address ransomware risk (Luo & Liao, 2007). Education many take place in the form of formal training programs or in the reinforcement of policies, procedures and access controls. For organizations, interviewing employees to assess risk may facilitate better gap analysis to preemptively address risk associated with user behaviors.

In addition to educating users, there are several precautionary best practice steps that reduce the risk of ransomware infestation. These steps are historically best practice components of information security and are analyzed in IT audits (Keele & Mortier, 2005). These practices should be part of an overall information security management program that is focused on risk reduction (Ferrillo & Veltsos, 2016). First, regular backup of information systems and critical information assets substantially reduces the risks imposed by ransomware. If alternative sources of information assets exist, the decision to pay ransom shifts away from assets becomes a decision about information systems. However, a second best practice requires testing performance of backups. If a ransomware attack should take place, an organization with experience in disaster recovery will be less impacted, and this includes the restoration of backup data and systems (Raywood, 2016). Disaster recovery requires practice to ensure reliable restoration of backups. Third, for critical information systems, a virtualized version of the system or appropriate back-up for easy restoration is critical for business systems. Critical business systems differ from information assets in that system process information for a business. Bringing business systems online may be more critical than immediate restore of information assets. Fourth, maintain systems and antivirus updates. Maintaining the most recent firmware and software updates reduces the risk that a foreign software will be able to properly function (Raywood, 2016). Fifth, develop and maintain a network monitoring solution with emphasis on defense-in-depth services such as denying all but accepted sources within a network. Continuous monitoring solutions such as advance firewall-intrusion detection systems and network monitoring systems can identify suspicious network traffic and activity as well as potentially shut down suspicious network sources.

Incident Handling and Remediation

Preparatory steps reduce risk, but a ransomware attack may occur and incident handling reduces the overall risk of loss and ability to quickly recover (Ferrillo & Veltsos, 2016). The first assessment may be whether to pay ransom or restore data. This step is critical for two reasons. Paying ransom should provide quick access to locked data, and the ability to analyze the affected system. Payment of ransom is also critical since most ransomware imposes a time limit. However, paying ransom could make a victim a likely future target. At this phase, it may also be critical to contact an attorney experienced in ransomware since there may be regulatory obligations to report an attack or the compromise of customer data such as credit card data. For an individual, protocols such as the NIST cybersecurity framework may provide guidance, but the guidance should be adjusted for the particular scenario. After the decision to address ransomware is considered, the next step is remediation. This team should be highly knowledgeable in tools for malware removal (Gada, 2016). If an organization has an incident response team, then this team should be used. If not, then any prior emergency planning and use of backups become important. Even if ransom is paid, there may be risk to loss of data. Once the decisions regarding malware payment and remediation have started, further investigation should continue to understand the possible threat of malware propagation and prevention of future incidents. In some cases, law enforcement or potential future legal action may also require preservation of evidence and regulatory notification. The last step should be a post-mortem to understand future preventions. Additionally, organizations with advanced capabilities may transform their incident response plans into “red teaming” which is advanced and potentially unknown persistent threat analysis (Ferrillo & Veltsos, 2016).

References

Arsene, L., & Gheorghe, A. (2016). Ransomware: A victim’s perspective. Bitdefender. Retrieved from http://www.bitdefender.com/media/materials/white-papers/en/Bitdefender_Ransomware_A_Victim_Perspective.pdf

Ferrillo, P. A., & Veltsos, C. (2016). Next-Level Cybersecurity Incident Response Trends 2016. Corporate Governance Advisor, 24(3), 6-8.

Finkle, J. (2016, March). Mac ransomware caught before large number of computers infected. Retrieved from http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX

Francescani, C. (2016, April). Ransomware hackers hold U.S. police departments hostage. Retrieved from http://www.nbcnews.com/news/us-news/ransomware-hackers-blackmail-u-s-police-departments-n561746

Gada, P. (2016). The Magic Of Being Hacker: Volume 1 – Disinfecting 101 (5th ed.). Group Flexi.

Gallagher, S. (2016, February). Hospital pays $17k for ransomware crypto key. Retrieved from http://arstechnica.com/security/2016/02/hospital-pays-17k-for-ransomware-crypto-key/

Goodin, D. Nov 8, 2012 Mushrooming ransomware now extorts $5 million a year. ARS Technica   http://arstechnica.com/security/2012/11/mushrooming-growth-of-ransomware-extorts-5-million-a-year/

Keele, A., & Mortier, K. (2005). Certified information systems auditor. Indianapolis, IN: Que.

Intel, R. (2015). McAfee Labs Threat Report. McAfee Labs. Retrieved from http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf

Luo, X., & Liao, Q. (2007). Awareness Education as the Key to Ransomware Prevention. Information Systems Security, 16(4), 195-202. doi:10.1080/10658980701576412

McAfee Labs. (2015). 2015 McAfee Labs Threat Report. Retrieved from www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf

Raywood, D. (2016). How to avoid the hazards of ransomware. Computer Weekly, 22-24.

Scott, J., & Spaniel, D. (2016). The ICIT Ransomware Report: 2016 Will Be the Year Ransomware Holds America Hostage. Retrieved from http://icitech.org/the-icit-ransomware-report/

Winton, R. (2016, February). Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Retrieved from http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

Wong, S. (2016). Pay up or your medical records will be toast. New Scientist, 229(3062), 26.