Ransomware has been making headlines alongside more major cyber attacks. Often dismissed as a nuisance and considered opportunistic, the more recent instances of this malware may be a much larger cause for concern.

Ransomware has been around for years. It started out as fake anti-virus software (scareware) and evolved into encryption-based attacks, but the premise has stayed the same: attack the availability leg of the confidentiality/integrity/availability triad by holding the user's computer or files hostage until the ransom is paid.

In February 2016, administrators at the Hollywood Presbyterian Medical Center in Los Angeles paid the asking price of 40 bitcoin, about $17,000 at the time, to regain access to their data. According to the FBI, companies and individuals in the U.S. paid more than $24 million to attackers for ransomware in 2015.

For those who haven’t heard of the attack, I’ll sum it up:

  • Hollywood Presbyterian Medical Center was infected with ransomware.
  • Reports are that ransom was upwards of $3.4 million.
  • $17,000 was the eventual negotiated and paid amount.
  • The CEO said “It was clearly not a malicious attack, it was clearly a random attack”.

Not so fast. Many may have accepted the CEO's comment and moved on, but I'm a bit more skeptical. It may well have been a random occurrence that started with a single compromised machine, but a couple of things about this attack look different. I've never heard of a ransom of $17,000, let alone $3.4 million. Like most ransoms this one was paid in Bitcoin, but the going rate is usually a couple of hundred dollars, not thousands or millions. Some ransomware operators are known to bargain, so the $3.4 million may have been an opening figure (though I suspect some media exaggeration). Reports also mention multiple infected machines; what they don't clarify is whether $17,000 was the total paid across the individual computers, or the price of a single decryption key covering all of them.

Consider the following scenarios, any of which would hint at what modern ransomware could become:

  • The operators of the ransomware noticed similar machines reporting in and, after basic footprinting, realized the victim was a hospital. Knowing the hospital would face regulatory fines for losing patient information, they raised the ransom.
  • Attackers targeted the hospital deliberately. Once they had established a foothold, they moved laterally to multiple systems before starting encryption.
  • After landing and encrypting, the ransomware evaluates what it has encrypted, using basic pattern matching on file contents or simply the quantity of data, and adjusts the ransom dynamically.

These scenarios present a large risk for future attacks and should be on the radar of security analysts and executives alike. With the new delivery mechanisms seen in Locky variants, and the possibility of targeted or context-aware ransomware, attackers after monetary gain are shifting to the mindset of "Why exfiltrate the data when I can just encrypt it?" If the goal is not to steal or destroy data, simply encrypting it and demanding money for the key carries much lower risk, and a higher level of anonymity, for the attacker than stealing and monetizing it.

Disrupting the Kill Chain of Ransomware

As with other attacks, the deployment of ransomware follows a predictable sequence of events. Disrupting any step in this chain can prevent the compromise and the subsequent encryption of data.

  1. Delivery
    • Ransomware is typically delivered via email (a malicious attachment or link), but it can use any common delivery method, including drive-by download.
  2. Installation
    • The malware executes on the endpoint, usually establishing persistence and staging itself for the encryption step.
  3. Callback
    • The malware calls back to a command and control server. These servers commonly sit behind short-lived domains produced by a domain generation algorithm (DGA), and the callback is used to exchange the encryption key material, for example to fetch a per-victim public key or to register the key the victim will later pay for.
  4. Encryption
    • Files on the local disk and on any reachable network drives are encrypted.
    • Windows Volume Shadow Copies, which would otherwise allow file recovery, are deleted (typically with vssadmin delete shadows /all /quiet). This step needs administrative rights.
  5. Ransom Demand
    • The user is presented with instructions on how to pay the ransom and decrypt the files.

Disrupting stages of the attack can leverage both commercial software and properly implemented security policy.

  1. Delivery
    • Use an enterprise-grade email filtering system. Block the delivery of harmful file types such as .exe, .zip, and .rar (any archive file, if that's an option), and check every extension in the file name so that double extensions like invoice.pdf.exe are caught too.
    • Use user education to create a sense of vigilance among employees, so they recognize the suspicious attributes of malicious email.
    • Implement web filtering to prevent access or redirection to malicious web pages and drive-by downloads.
  2. Installation
    • While some common ransomware samples are caught by traditional antivirus, advances in next-generation endpoint protection products have raised the efficacy of detecting even 0-day ransomware.
    • Removing local administrator privileges will not stop the encryption of files the user can already write to, but it denies the malware the elevation it needs for steps such as deleting Volume Shadow Copies, which keeps a local recovery path open.
  3. Callback
    • Some advanced web filtering products can block callbacks to DGA domains, eliminating the key exchange and, for families that will not encrypt without it, the encryption of files. Note that not every family needs a callback: some ship with an embedded public key and encrypt offline, so this control is a layer, not a guarantee.
  4. Encryption
    • Properly controlled network privileges (least-privilege write access on file shares) can limit the encryption of shared files and network drives and the lateral movement of the infection. Regularly tested backups kept offline or on versioned storage remain the recovery path of last resort if every other stage is missed.
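To make the kill chain and the disruption points above concrete, here is a small Python script I am adding as an illustration. It is not code from the original post or from any product mentioned; it sketches three of the checks in plain code: an attachment filter for the delivery stage, a crude DGA heuristic for the callback stage, and a process command-line detection for the shadow copy deletion that accompanies encryption. All file names, domains and log lines are constructed samples, and the length, entropy and vowel-ratio thresholds are assumptions rather than tuned values.

```python
"""
Toy detections for three ransomware kill-chain stages: delivery (attachment
filtering), callback (DGA-looking domains) and encryption (shadow copy
deletion). All sample file names, domains and log lines are constructed;
thresholds are assumptions, not tuned values.
"""
import math
import re
from collections import Counter

# --- Delivery: extensions the mail gateway should quarantine outright -------
BLOCKED_EXTENSIONS = {".exe", ".scr", ".zip", ".rar", ".7z"}


def attachment_blocked(filename: str) -> bool:
    """True when the attachment should be quarantined.

    Every extension in the name is checked, so 'invoice.pdf.exe' (double
    extension) and 'report.exe.zip' (archive hiding a binary) both match.
    Name-only checks are a first pass; a real gateway also inspects content.
    """
    parts = filename.lower().split(".")
    return any("." + p in BLOCKED_EXTENSIONS for p in parts[1:])


# --- Callback: crude DGA heuristic on the second-level label ---------------
def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(domain: str, min_len: int = 12, min_entropy: float = 3.2,
                   max_vowel_ratio: float = 0.35) -> bool:
    """Flag long, high-entropy, vowel-poor labels typical of DGA output.

    Assumes a two-label domain (name.tld); production tooling should use the
    public suffix list plus an allowlist, because long legitimate names can
    trip a heuristic this simple.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


# --- Encryption: recovery tampering that precedes or follows encryption ----
# Each of these needs elevation, which is why removing local admin helps.
RECOVERY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def find_recovery_tampering(log_lines):
    """Return (line_number, pattern) for each process-creation line whose
    command line deletes shadow copies or disables Windows recovery."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for pat in RECOVERY_TAMPERING:
            if pat.search(line):
                hits.append((lineno, pat.pattern))
                break
    return hits


# Constructed Sysmon-style process creation events (not real telemetry).
SAMPLE_PROCESS_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
]

if __name__ == "__main__":
    for name in ("invoice.pdf.exe", "report.exe.zip", "quarterly.pdf"):
        print(f"{name:20} blocked={attachment_blocked(name)}")
    for d in ("qfrplhvxtbmwkd.pw", "windowsupdate.com", "microsoft.com"):
        print(f"{d:20} dga={looks_like_dga(d)}")
    for lineno, pattern in find_recovery_tampering(SAMPLE_PROCESS_LOG):
        print(f"line {lineno}: matched {pattern}")
```

Two caveats worth keeping in mind. The attachment check matches on names only; a gateway that does not also look at the file's real type (magic bytes, archive contents, macros) is easy to bypass. The DGA heuristic will flag some long, vowel-poor legitimate names, so in practice it belongs behind an allowlist and a reputation feed rather than in a blocking rule on its own. The shadow copy patterns, by contrast, are high-fidelity: there are very few legitimate reasons for a user's session to run vssadmin delete shadows, and an alert on it is one of the last chances to pull the network cable before the ransom note appears.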