December 22, 2016
On Feb. 5, employees at Hollywood Presbyterian Medical Center in Los Angeles, California, started having network access problems that prevented electronic communications. Over the next few days, they learned that the hospital was the victim of a ransomware attack that encrypted files on multiple computers.
After several days during which staff had to resort to pen and paper for some record keeping, the hospital decided to pay the $17,000 ransom -- the equivalent of 40 bitcoins that the attackers had requested. It was deemed to be the fastest way to restore the affected files and systems.
This was to be the first in a string of ransomware attacks that affected multiple healthcare organizations in the U.S. over the following months, including the Chino Valley Medical Center, the Desert Valley Hospital and Methodist Hospital in Henderson, Kentucky.
It also highlighted a worrying trend: While in the past, ransomware attacks primarily targeted consumers, attackers were now shifting their focus toward businesses.
Over the past two years there has been a dramatic shift in the type of ransomware being used by attackers, said Ed Cabrera, chief cybersecurity officer at antivirus vendor Trend Micro.
In 2014, 80 percent of ransomware attacks used traditional techniques that involved, for example, locking the desktop screen and telling users that they needed to pay fines. However, in 2015, the statistics flipped and 80 percent of attacks involved crypto-ransomware, the malicious programs that encrypt files.
"Another ransomware evolution is the transition from targeting consumers to enterprises," Cabrera said. "Many of the new crypto-ransomware families detected and blocked in 2016 have targeted more enterprises than ever before."
This change in targets is not entirely unexpected. After all, business records are much more valuable than personal documents, companies can afford to pay higher ransoms than consumers and their security posture can vary greatly based on their geographic location, size and industry segment.
"We’ve begun noticing that ransomware has been focusing on small and medium businesses for the past year, as they’re more likely to pay larger ransomware fees than the average user," said Liviu Arsene, a senior e-threat analyst at antivirus firm Bitdefender. "Considering that the Hollywood Presbyterian Medical Hospital paid $17,000 when hit by a single ransomware infection, it stands to reason that cybercriminals would be far more interested in targeting organizations."
A recent IBM survey of 600 business leaders in the U.S. found that one in two had experienced a ransomware attack in the workplace and that in 70 percent of cases their companies paid to get their data back.
Emails distributing ransomware programs made up nearly 40 percent of all spam e-mails sent in 2016, and criminals are on track to make nearly $1 billion this year from this type of malware, IBM X-Force said.
A ransomware attack can be crippling to a company's day-to-day activities, and human resources and financial departments are common targets because it's easy to disguise malware as a resume or an invoice. If the victim happens to be a hospital, public transport service, water utility or some other critical infrastructure provider, ransomware-related downtime can have a serious impact on lives.
In November, hackers compromised and encrypted data from around 900 systems from San Francisco’s Municipal Transportation Agency. The incident did not affect the transit service, but the agency had to open the gates and provide free transport to passengers to minimize customer impact.
When it comes to ransomware, prevention is critical since there are very few options aside from paying cybercriminals once systems are affected. Companies should have a complete response plan in place and simply having a data backup routine is not enough.
Organizations need to regularly verify the integrity of their backups and test that the restoration process works without glitches. Otherwise, they might discover that restoring data through their own process might take too long compared to just paying the ransom.
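A restore drill of the kind described above, as an added example that is not part of the original article: it backs up a constructed set of files with a SHA-256 manifest kept apart from the archive, times a full restore against an assumed recovery-time objective, verifies every restored file against the manifest, and then damages one restored file to show the check catching it.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir; return {relative path: sha256} to store apart from the archive."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in Path(src_dir).rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    return manifest

def verify_restore(restore_dir, manifest):
    """Return the files whose restored copy is missing or does not match the manifest."""
    return [rel for rel, digest in manifest.items()
            if not Path(restore_dir, rel).is_file() or sha256_file(Path(restore_dir, rel)) != digest]

def restore_drill(archive_path, manifest, restore_dir, rto_seconds):
    """Time a full restore and check it against the recovery-time objective (RTO)."""
    start = time.monotonic()
    with tarfile.open(archive_path, "r:gz") as tar:
        # filter="data" (Python 3.12+) refuses path-traversal archive members
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)
    elapsed = time.monotonic() - start
    bad = verify_restore(restore_dir, manifest)
    return {"files": len(manifest), "corrupt_or_missing": bad,
            "seconds": elapsed, "within_rto": not bad and elapsed <= rto_seconds}

def run_demo():
    """Constructed data: back up three files, run the drill, then damage one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        src.mkdir()
        for name in ("invoice.xlsx", "resume.docx", "records.csv"):
            (src / name).write_bytes(name.encode() * 1000)
        archive = Path(tmp, "backup.tgz")
        manifest = make_backup(src, archive)
        restore = Path(tmp, "restore")
        report = restore_drill(archive, manifest, restore, rto_seconds=60)
        (restore / "records.csv").write_bytes(b"\x00" * 16)  # simulate a damaged restore
        return report, verify_restore(restore, manifest)
```

The 60-second RTO is an assumed figure; in practice it is the downtime cost the organization has already decided it can absorb, which is what makes the "restore or pay" comparison possible.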
Ransomware programs have traditionally been distributed through email spam, and many of them still are, but attackers have diversified their infection methods over the past year.
The second most common infection technique is through exploit kits -- web-based attack tools that contain exploits for vulnerabilities in browsers or browser plug-ins like Flash Player, Adobe Reader, Java and Silverlight.
Users get redirected to exploit kits through compromised websites or through malicious ads that attackers manage to sneak onto ad networks. These are known as drive-by download attacks, and unlike phishing emails, users can't be trained to avoid them, because they can be launched from trusted websites and are usually completely silent.
But it's not just workstations that organizations have to worry about. Attackers are also increasingly exploiting vulnerabilities in server software to get ransomware onto corporate networks.
In April, MedStar Health, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area, was infected with a ransomware program dubbed Samsam. Researchers later established that Samsam was installed through a vulnerability in the JBoss application server and found 2,000 servers at schools and other organizations around the world running vulnerable JBoss installations.
According to a report from Symantec, the Samsam campaign was also interesting because the cybercriminals behind it were using techniques and tools typically seen in cyberespionage attacks to perform lateral movement inside corporate networks. Their goal was to identify the most valuable targets and to delete existing backups before deploying the ransomware.
Another case is that of Linux.Encoder, the world’s first ransomware program for Linux, which infected web servers through a vulnerability in the Magento content management system, Arsene said. "Other interesting distribution mechanisms involve the hijacking of FTP credentials for popular open-source projects and then substituting the binaries with tainted copies, like in the case of the Transmission bittorrent client."
"We do expect that with ransomware 'going corporate' we will see more vulnerability based infections within networks," said Barry Shteiman, director of threat research at Exabeam, a security company that uses machine learning to detect ransomware. "In essence, every server that has vulnerabilities that may lead to phishing, defacing or persistent code injection – could lead to ransomware spreading."
Another ransomware distribution method used recently is through stolen remote administration credentials. Earlier this year, one ransomware variant known as Surprise was being installed through hacked Teamviewer credentials and more recently the Crysis ransomware infected systems through RDP (Remote Desktop Protocol) brute-force attacks.
In fact, in ransomware attacks, file encryption is the final step of the infection chain, so there are multiple opportunities to detect and block such attacks before they impact valuable data.
First, there's the original entry point into the network, whether that's an email campaign, a web-based exploit or something else. If the attack is caught by spam filters or endpoint security products at this point, the threat is averted.
The second stage is typically a malicious program called a malware dropper whose goal is to connect back to the attacker's server and download the ransomware program. Detecting and blocking the malware dropper is yet another opportunity to stop a ransomware attack before it causes damage.
Once the ransomware is deployed it will first scan the local computer and network shares for files that it can encrypt and will attempt to disable the Windows Volume Shadow Copy service and delete existing backups.
Finally, before the encryption process is initiated, most ransomware programs will connect to a command-and-control server to obtain an RSA public key. That key is part of a public-private key pair generated by the server and is used to encrypt the data. The private key, which is needed for decryption, never leaves the attackers' server.
Most of the time, if a firewall blocks the malicious program from accessing the command-and-control server and downloading the public key, the data encryption process won't be initiated. However, some recent ransomware variants have the ability to perform offline data encryption using a hardcoded key.
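The stage just before encryption, where the ransomware tries to disable Volume Shadow Copy and delete backups, is one of the detection opportunities the chain above describes. As an added example, not from the original article, this is detection logic run over constructed process-creation events: it flags shadow-copy deletion, backup-catalog deletion and boot-recovery changes, and raises the severity when the parent process is a document handler, which is where a resume or invoice lure would land. The event format, rule names and parent list are assumptions for this example.

```python
# Constructed sample of process-creation events, flattened to
# "parent -> image: command line" (the Sysmon Event ID 1 fields) for this example.
SAMPLE_EVENTS = [
    "winword.exe -> cmd.exe: cmd.exe /c vssadmin delete shadows /all /quiet",
    "explorer.exe -> notepad.exe: notepad.exe C:\\Users\\alice\\notes.txt",
    "svchost.exe -> wbadmin.exe: wbadmin delete catalog -quiet",
    "winword.exe -> cmd.exe: cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "mmc.exe -> vssadmin.exe: vssadmin list shadows",
    "cmd.exe -> wmic.exe: wmic shadowcopy delete",
]

# Each rule: name, the tool that must appear, and the argument tokens that must all be present.
RULES = [
    ("shadow_copy_delete", "vssadmin", {"delete", "shadows"}),
    ("shadow_copy_delete_wmic", "wmic", {"shadowcopy", "delete"}),
    ("backup_catalog_delete", "wbadmin", {"delete", "catalog"}),
    ("boot_recovery_disabled", "bcdedit", {"recoveryenabled", "no"}),
]

# Document handlers should never spawn backup-destruction commands (assumed list).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

def parse_event(line):
    """Split 'parent -> image: command line' into (parent, image, cmdline)."""
    left, cmdline = line.split(": ", 1)
    parent, image = (part.strip().lower() for part in left.split("->", 1))
    return parent, image, cmdline

def match_rules(cmdline):
    """Return the names of every rule the command line satisfies."""
    tokens = cmdline.lower().split()
    # strip any path and .exe so 'C:\Windows\System32\vssadmin.exe' matches 'vssadmin'
    stems = {t.rsplit("\\", 1)[-1].removesuffix(".exe") for t in tokens}
    return [name for name, tool, required in RULES
            if tool in stems and required <= set(tokens)]

def scan(events):
    """Turn raw events into alerts; the parent process sets the severity."""
    alerts = []
    for line in events:
        parent, image, cmdline = parse_event(line)
        for rule in match_rules(cmdline):
            severity = "critical" if parent in DOCUMENT_PARENTS else "high"
            alerts.append({"rule": rule, "severity": severity,
                           "parent": parent, "image": image, "cmdline": cmdline})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['parent']} -> {a['cmdline']}")
```

Legitimate administration also runs these tools (the `vssadmin list shadows` event is deliberately not flagged), so the parent-process context is what separates routine use from the pre-encryption stage.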
It's worth noting that it's not just business data that can be rendered unusable by ransomware, but also entire computers. Ransomware variants such as Petya and HDDCryptor rewrite the Master Boot Record (MBR) of computers and encrypt the entire file table leaving them unable to boot into the OS.
When ransomware hits, it's important to isolate the infected computers from the rest of the network so that the infection can't spread. Shutting down the unaffected computers until the compromise can be contained is recommended. At this point companies should also contact law enforcement agencies and ask for assistance.
The next step should be to make copies of the encrypted data and to clean up the registry values and files created by the malicious program so it doesn't run again when the computer is started. Changing the user passwords that could be used to access other network services is also important because attackers might have already stolen them.
And then there's the hard decision: To pay the cybercriminals or not. Security experts and law enforcement agencies don't recommend paying the ransoms, because this encourages the criminals and because there's no guarantee that they'll provide the decryption key.
According to a report from security firm Kaspersky Lab, one in every five companies that pay the ransom never gets its data back. However, sometimes there's not much else an organization can do if it was unprepared to deal with ransomware.
Shteiman believes this is a cost-based decision. The organization should perform an assessment by asking questions such as: What was encrypted? Are there backups for the encrypted data? How many changes occurred to that data since the last backup? What's the cost of losing those changes? How long would it take to recover them using other means? Is it possible to recover the data using existing tools or known keys?
If the business downtime caused by data unavailability or by the backup restoration process is more expensive than paying the ransom, or if giving up on the encrypted data has a higher cost in lost revenue and intellectual property than remediation, then organizations should pay the ransom, but only if other options have been exhausted, Shteiman said.
If a company decides to hold its ground and not pay the ransom even if it has no other means to recover its data, it should keep copies of the encrypted files. Sometimes law enforcement agencies or security companies manage to take control of command-and-control servers for various ransomware variants and will make the decryption keys available. Other times security researchers might find vulnerabilities in the encryption implementation of some ransomware programs and create free recovery tools.
Corporate networks are not the only ones at risk; the next wave of attacks could see ransomware targeting industrial networks, said Guy Caspi, CEO of cybersecurity firm Deep Instinct. "In April, the Lansing Board of Water & Light (BWL) -- the third-largest electric and water utility in Michigan -- was under a ransomware attack, and so was the first electric utility hit by ransomware."
Caspi believes that the next step in the evolution of ransomware could be programs that wipe hard drives after making a copy of the data instead of encrypting them.
On the other hand, Bitdefender's Arsene believes that since we now have ransomware for Windows, Linux, OS X and Android, internet-of-things devices could be the next target.
"A scenario where smart devices are held for ransom is not really that farfetched, especially since the number of smart things is expected to exponentially grow in the next couple of years," Arsene said. "If your smart home were to be held for ransom or if your corporate sensor grid were to be taken offline by ransomware, that's when things will get complicated."