ransomware again, really?

Malware logo Crystal 128. (Photo credit: Wikipedia)

Some days ago a friend of mine reported me that his company has been affected by a ransomware cryptoloker style. I keep hearing people infected by this kind of infection and I am starting to wonder if people has really understood what a cryptomalware really is and how it works.

here from Wikipedia:

”

Ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction.

Some forms of ransomware systematically encrypt files on the system’s hard drive (cryptoviral extortion, a threat originally envisioned by Adam Young and Moti Yung) using a large key that may be technologically infeasible to breach without paying the ransom, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan, whose payload is disguised as a seemingly legitimate file.”

now let first try to understand what this means in practical words:

“a ransomware is a malware“, this should make clear that this is something bad.

“that restricts access to a computer system” , this clearly means that the aim of this kind of malware is to make you hard to log in to your computer andor data.

those days the most common form of this malware type is the cryptomalware, a malware that specifically deal with your data encrypting them. this basically means that your data are not deleted or moved but, simply, the malware make them unreadable. if you want to get access to your data again it requires of a ransom to be paid , if you are lucky.

now let us try to understand why this kind of malware is so popular, the reason are basically 2:

it is easy to get infected
it allow a quick access to money

let try to understand why it is easy to get infected by a cryptomalware:

To Crypt or not to Crypt.

Unlike we commonly think, encrypting a file is really easy and need really low permissions: you just need the right to edit the file.

you don’t really need to create special algorithm all you need is deeply documented in literature, beside crypto API are present everywhere and it’s an easy job to reach needed libraries.

So the encryption technique is still hard to be understood by IT managers, not for bad people.

if encryption is easy likewise is easy to have enough right to encrypt a file, you just need your ordinary rights on a file. you do not need administrator right, privilege escalation or esoteric techniques, your right to edit (Write) is enough.

Just remember:

If you can save it, then you can change it

Now this kind of rights are common for any user in any O.S. Even in the most security savvy organization if you can’t open a file or edit you can’t work on it.

On the other end the number of applications, programs, apps or whatever that are able to read and write with your same rights are simply almost all the one present in your system.

this means that a ransomware has:

consolidated technology to rely on
greatest attack surface (basically any app, browser)
low rights needed

a heaven.

another interesting aspect of the ransomware is that the activities it does are almost standard inside the OS, does not open weird ports, does not change configuration settings, does not create users…it just write… as an ordinary user or app.

This makes the identification quite difficult for any antimalware system, since the operation is a normal one, and there are thousands of write operation on file every moment.

A good cryptomalware, moreover, does not need to target sensitive system files, that can require specific access permissions. due to its aim (allow the attacker to make money) it just need to target normal documents: .PDF, .DOC, .XLS, .PST …..

and those are the documents you commonly use, edit and save.

I want you to understand a critical point:

if your antivirusantimalware didn’t detected the ransomware on the infected machine, there is no way that other AVAM can detect the operation against normal readwrite operation on files, since a good ransomware just access what the user can access and do what the user usually do.

So what you need to be infected? All you need is your browser or the access to an infected application and you have an open windows to the world of encryption.

But I have antivirus on servers…..

good for you, good security practice to avoid infection spreads across your networks, almost useless against cryptomalware activities coming from an infected machine.

Got infected, and now?

It is easy to get infected, it is a different story to get rid of it.

Basically you need the key and the algorithm used to encrypt the file to decrypt it. This can be done usually in two ways, but neither of the two gives guaranties:

you pay the ransom
you ask support to an antivirus company

let try to understand option 1.

there is no guarantees that once the ransom has been paid you got your key. the reason can be different, and not necessarily related to the “ethic” of your attacker (please feel some irony in the previous statement).

there are a lot of old ransomware in the wild coming from old attack campaigns that are no longer monitored, and may be there is no one ready to accept your payment in bitcoin or any other virtual currency.

this is a more common issue than you think, a ransomware attack is not meant to last for ever, but the infected sources can remain infected for a lot of time even after the attack.

the attacker can been already been arrested or simply consider to risky to accept the payment.

and I didn’t mentions other unlucky condition, like been a collateral damage of a target attack to someone else, just so unlucky to find a test code to prepare an attack ……

so pay is an option but without guaranties…

let consider option 2

If nobody gives you the code you can try to analyze the encrypted files to find out if there are “fingerprints” resembling some known attack, in this case you can try to guess the encryption key somehow once you understand what is the cryptoware that makes the damage. luckily to avoid too much resource consumption usually keys and algorithm are not the most resource intensive, so some reverse engineering is still possible.

antivirus companies have samples and technology to try to save your data… try is the key.

there are no guaranties.

The problem is how much time you need to free your data form this unwanted encryption. it is a matter of time or, if you like more, processor power. even if well equipped even antimalware companies have limitation in terms of resources, so it is not always possible to encrypt your data.

I am sorry but this is the sad truth, in a world with unlimited resources we would not be affected, but we are not in this kind of world.

What should we do?

I wrote about this in the past (same subject actually). the very first step should be:

isolate the infected machine
report the incident to the local authorities
report the incident to your antivirus software company
start a recovery and mitigation activity.

1. isolate the infected machine

a ransomware can encrypt easily so it can spread easily: shared folders on servers are an easy target. before you can realize it your user can have create a lot of more damage. and if your antivirus didn’t catch it and you use the same antivirus on the servers there are no reason to expect a different behavior on your fileservers.

2. report the incident to the local authorities

believe it or not, police enforcement units can be of great support, you can be victim of a running ransomware attack that they are already monitoring or simply they can track down the attacker and get the key. Keep in mind that a ransom, unless is organized by a government in form of taxes, is never legal.

3. report the incident to your antivirus software company

like for the previous point you can be lucky enough and they have a solution, as I wrote before it is not sure but is a possibility. beside reporting an attack that has not be detected makes possible to write protection signatures. don’t even think for a moment that since you got hit ones you are safe for the rest of your life. this is not like “chicken pots” , you can’t be immunized.

4. start a recovery and mitigation activity.

this is the harsh point right?

what means recovery and mitigation?

well let be clear: till you do not have forensic proofs on how the infection strikes you, you can’t say you are safe. the malware that fucked you once can be still there lurking in the dark inside your network.

you should take all the needed precautions rising up the level of monitoring, checking for unusual write activity and alert your users on what are the steps to follow.

the target is to lower the kind of damage the ransomware can do again till you are not sure you are clean, and the incident is solved.

about recovery, well it is clear here that the king of the lab is a good backup policy. This means to have a system that can allow you to recover your data to a previous state, when data were not affected. this will lower the amount of damage you are going to face.

there are thousands of articles on how to manage correctly backup so I will not spend time here. just if you think backup is obsolete you probably didn’t understood what backup means (and what are the current available technologies).

just want to mention a couple of things:

disaster recovery and backup are two different things, so do not think you can use one instead of the other

some vaulting system, versioning , journaling and other technologies can be useful to mitigate and recover from this kind of accidents.

sometimes would be enough to plan correctly what you already have in your OS to survive this kind of problem, versioning and journaling of files are technologies present in windows and Linux, you just have to carry out them knowing what you are doing (possibly).

to the next, cheers.