Ransomware has been around for years, but in the last two years it has become extremely dangerous. Ransomware has existed for about 12 years and started off as simple locking mechanisms that targeted specific file types such as jpg, pdf, and doc. Fast forward to 2017 and we witnessed the world grappling with the WannaCry and Petya families of ransomware. It was the first time the whole world was a crypto-based attack surface for cyber criminals, and these were the first global cyber attack campaigns. Such an evolution has outpaced security predictions and put the industry on the defensive, always responding to threats after the fact. Warnings often seem futile, as the WannaCry case demonstrated: Microsoft had even sent out a patch weeks before the global outbreak. Is there anything the cyber security sector can do to help prepare institutions and people for ransomware attacks?
The development of ransomware has actually been quite rapid compared to most other types of malware. As stated above, ransomware has existed in some form since 2006. At the time specific file types were targeted and the ransoms demanded were small. The social engineering was also unsophisticated: the code simply used compression to lock down files. Anyone with a backup could restore from it and the problem was solved. Today’s ransomware is very different.
Ransomware today falls into two categories: locking and encryption. Locking ransomware locks a user out of their operating system or hard drive. Encryption ransomware encrypts files and even whole hard drives. The social engineering is also much more sophisticated now, since the technology has developed to the point where attackers can leverage the fears of the average person. For example, around 2013-2015 ransom notes impersonated the FBI and local police departments. Such tactics used fear to drive a particular action from the victim, in this case paying the ransom.
What made 2017 such a momentous year was the fact that a ransomware campaign, for the first time, made the whole world an attack surface. The spread of WannaCry and Petya was only possible because of the EternalBlue exploit developed by the NSA. EternalBlue was stolen and auctioned off by the Shadow Brokers, and the exploit was then used in the largest ransomware campaign in history. WannaCry was encryption-based ransomware; Petya built on top of that but deleted files as well. There was panic worldwide, but thankfully the situation was brought under control.
Organization of Cyber Criminals
As ransomware continues to evolve, how exactly are cyber criminals organizing themselves to achieve such rapid development and output of new malware variants? To understand how ransomware is developed, one needs to understand open source software development models. Open source means code that anyone is free to access and modify. There is usually a stable release approved by a core team of developers, but new variants are often developed from the core source code, which is constantly updated, refined, and validated by anonymous contributors. Apply this same model to ransomware development and you can see how new strains emerge quickly from seemingly different actors.
That is the open source mode of development; the other type of malware development happens behind closed doors. State actors and well-financed professional hackers may develop exploits and new kinds of ransomware, which may or may not borrow from open source code. There is no sharing with a “community”; instead everything is developed for future projects or operations with their clients or internal partners. An example is the NSA, which developed the EternalBlue exploit, which was stolen and is now a common exploit in new ransomware attacks.
Can Cyber Security Professionals Keep Up?
The short answer to this question is yes. The reason many organizations are being impacted by ransomware is a lack of established insider threat practices. Most ransomware incidents were the result of insider threats in some shape or form, whether through poor vendor security practices, as was the case with Petya/NotPetya, or through an employee opening a phishing email and following the instructions of the cyber criminal. The worst type of incident involves malicious insiders with privileged access. Often when a security incident happens a company will claim it was not insider caused, but forensics usually finds the cause to have been a vulnerability from within.
Security experts can do three things to help organizations practice preventative measures against ransomware.
The first thing cyber security professionals can do is encourage organizations to be transparent about the security incidents that happen to them. If an incident is insider related, it is okay to be honest about that. That information allows other companies to take proper measures to protect themselves while an incident is unfolding. In the case of the National Health Service, which was impacted by WannaCry, one of the issues was that it had not applied Microsoft’s updates that would have prevented WannaCry from affecting it. The information that Microsoft had released a patch weeks before the outbreak allowed other organizations to rapidly apply the patch to their systems if they had not already done so. Ransomware attacks can now leverage the digital relationships businesses and governments have with one another: if one company gets infected, many others can as well. It is for this reason that honesty always helps to mitigate the impact of a ransomware crisis.
Focus on Insider Threats
The next thing cyber security professionals can do is to work with organizations to reinforce themselves against insider threats. While many companies understand the importance of perimeter-style security, meaning firewalls and the like, many are still unclear that security needs have shifted towards securing their internal vulnerabilities. By helping companies with things such as data inventory, data segregation, access and permission management, insider threat programs, incident response plans, and phishing education, you will be helping them avoid a ransomware incident. CERT has some excellent resources for reducing the risk from insider threats if one needs guidance.
Keep Up to Date on the Threats
Lastly, keep up to date on emerging and active threats. This means finding ways to keep tabs on what is being discussed on the darknet and which ransomware variants are spreading. Often there is chatter about an attack or new development before it happens. When the Shadow Brokers auctioned the stolen EternalBlue exploit, it came with a large number of other cyber weapons, and many people on the darknet discussed how they could make use of them. We have only seen three of them deployed, yet there were more. By keeping tabs on what is being discussed you may be able to alert not just your client but also their partners about what may be coming. It is also worth following the Department of Homeland Security’s National Cyber Awareness System.
Cyber security professionals should be working towards stronger information sharing and guidance so that the private and public sectors are prepared to prevent any ransomware threats that come their way.