Hidden in Plain Sight: Turning Encryption Against Us through Ransomware

Written June 16th, 2016

Post Tags: crypto-ransomware, cryptoransomware, ransomware

Part 1 of a 2-part series on Crypto-ransomware

By Andrew Paulette

Editor’s Note: This two-part series was published in 2016. Ransomware is still a threat. Learn more about NetCentrics’ current cybersecurity services, including tactics to remedy ransomware.

By now most people who follow IT in any way know that encryption is used to scramble and lock data so that cyber thieves cannot gain access to it. But how many of us thought cyber thieves would use that very security method for their own criminal purposes? Using the same encryption technology we use to protect our communications and sensitive data from prying eyes, hackers have turned this technology against us. Called crypto-ransomware, this form of malware encrypts the user’s data, making it impossible for the owner of the data to access the information or move it to a safer location. While originally one of many different tactics in a category of malware attacks called ransomware, crypto-ransomware has become so prolific and effective that it is now referred to as “ransomware” in news articles and security reports. Ransomware locks owners out of their own data – whether it’s treasured family photos or data essential for running a business, hospital, or federal agency. Cybercriminals then demand a ransom to decrypt the information, often threatening to delete the data if a ransom is not paid or if the owner attempts to unlock the data. While various versions of ransomware exist, such as TeslaCrypt, CryptoLocker, and Locky, they all follow a similar approach to hold the user’s data hostage:

  • The malicious payload is delivered to the user’s computer, often through phishing attacks or malvertising. A phishing attack delivers ransomware through an email attachment such as a Word document. Opening the file and enabling macros executes code that encrypts the user’s data. A malicious payload can also be delivered through malvertising, the process of distributing malicious code through internet ad services. When users click on these ads, the ransomware code is deployed on their hard drives without their knowledge.
  • Once the payload downloads and executes, the malware “phones home” through a secure connection that can’t be easily tracked, contacting a hidden server that serves as the cyber criminal’s Command and Control.
  • The Command and Control server creates two keys. The first key is sent to the infected host and encrypts the target’s data on their local drives and any drives it connects to across the network.  The second key remains on the hidden Command and Control server; only this key can be used to decrypt the data.
  • The Host computer retrieves a ransom note from the Command and Control server. The note will direct the user to pay using an untraceable method, most often the internet currency Bitcoins.
  • Once the ransom is paid, the decryption key will be sent from the Command and Control server, allowing the user to retrieve their data.

Ransomware is difficult to trace due to its untraceable payment and cloaked communications to the command and control server. Complicating matters further, many organizations, in an effort to avoid damaging their reputation, do not to report the crime.  Due to the anonymity with which these criminals can operate, in addition to the importance and sensitivity of our data, ransomware has proven to be a lucrative investment for cyber criminals.  Between October 15th and December 18th 2014, a total of $27 Million was tracked as ransom related to the malware Crypto Locker. Since then, ransomware has only become more popular: Trend Micro reported this type of malware became the method of choice for cybercriminals to extort money from both individuals and businesses over the course of 2015, accounting for 89% of ransomware attacks. Because ransomware can infect any file on an IT network, this malware poses a unique threat to enterprises. This ability to traverse and attack an organization’s IT infrastructure became painfully clear after a series of reported attacks against the US’s healthcare infrastructure, including the Hollywood Presbyterian Medical Center in California, the Methodist Hospital in Kentucky, and the MedStart Health Hospitals in D.C.  In cases where businesses have reported these cyber-attacks, ransoms as much as $17,000 have been paid in order to regain access to the company’s files. If a recent FBI “Flash” advisory is any indicator, the problem of ransomware is going to get worse before it gets better.  While it is impossible to stop every attack, the threat of crypto-ransomware can be reduced. There are preventative steps that organizations can take to decrease the chances of being infected with crypto-ransomware:

  • You don’t have to pay for something that you haven’t lost – Ensure that data backups are created at a regular interval and stored offline to ensure a copy of critical data is kept in the event your data is encrypted by ransomware. This is not only a good practice for malware, but also for general continuity of operations planning in the event of an emergency such as a hurricane or hardware failure.
  • Keep your systems patched – Many variants of ransomware that are delivered via exploit kits look for unpatched vulnerabilities in older versions of programs such as Adobe Flash. Take steps to patch systems as quickly as possible to reduce the attack surface against your network.
  • Train your users to spot threats – ensure your organization provides security awareness training to your employees. Explain the threat of techniques like phishing and social engineering to both your employees and your clients, as well as the simple steps they can take to help prevent it.  In the case of crypto-ransomware, teach your users to be suspicious of unsolicited emails from external sources, and any unexpected documents they did not request.
  • Reduce the attack vectors – organizations can disable or restrict the ability to run macro functions, or packets of code for additional functionality, in Microsoft Office documents (a prime hiding spot for malware); have your Exchange servers tag email from an outside source with an obvious addition to the title such as “EXTERNAL,” and take steps to reduce the threat of Malvertising (e.g., Ad Blockers). Check out the list of recommendations for protecting yourself from this unique method of delivery.
  • Vaccinate your device – Organizations can employ recently created ransomware “vaccines” created by companies such as Bitdefender.
  • Least privilege applies to hard drives too – For organizations, the concept of least privilege is often used to ensure personnel have access to what they need to complete their job, and nothing more. This concept can also be applied to storage devices to limit the spread of crypto-ransomware; ensure that write permissions to files, servers, and other data sources are restricted as much as possible. Unplugging external backups when not in use keeps crypto-ransomware from also encrypting your backups; however, ensure recovery is a possibility should an attack be successful.
  • Keep your antivirus, advanced endpoint protection, ad-block, and other services up to date – having the right signatures to detect malicious code execution on any workstation or computer can often stop the problem before it starts. Make sure your antivirus definitions and other security software are kept up to date and correctly configured.

These steps will minimize the risk of ransomware, but will not eliminate it.  Part II of this series will focus on how to proceed when attacked by ransomware.