Ransomware has been a threat to businesses across all sectors for more than a decade, but in recent years its popularity has exploded. According to Verizon’s 2017 Data Breach Report, ransomware attacks increased by 43% from 2015 to 2016. Then, in May of 2017, ransomware went global with the WannaCry pandemic.
The recent success of ransomware attacks shows just how good the bad guys are getting at finding and exploiting security gaps and vulnerabilities across devices and networks. And the experts say it’s not going to get better any time soon.
Currently, there are many different variants of ransomware, and more are being introduced with increasing sophistication and a variety of characteristics. Let’s take a look at how the evolution of ransomware has come to light in recent attacks, and steps businesses can take to protect themselves.
WannaCry – Global Consequences with Limited Earnings
The WannaCry ransomware began proliferating across the globe in May of 2017. It took advantage of a vulnerability in the Windows Operating System (OS). The exploit, originally created by the National Security Agency (NSA), then subsequently stolen and made public by the Shadow Brokers, worked much like traditional ransomware. It found and encrypted data, then demanded a ransom, paid in Bitcoin, to get the key to unlock it.
What sets WannaCry apart from other variants is the speed with which it spread. In the first day, it was reported to have infected more than 230,000 computers in over 150 countries. It was deemed a worm because it had the ability to automatically spread itself from one computer to another.
According to The Guardian, “[WannaCry] contained features that are unusual for advanced ransomware, such as a hardcoded payment address, rather than a unique one for each victim, and a universal ‘kill switch’ which, when registered, prevented the software from self-replicating.” Paying the ransom did not allow recovery of data in many instances. The campaign faltered and died as the bad actors stopped responding to ransom payments. Overall earnings were very limited.
Response and Protection Tips
What we can learn from the WannaCry attack is the importance of patching. The vulnerability was not a zero-day flaw. In fact, Microsoft had issued a ‘critical’ security bulletin and patch for the flaw months prior.
So, even though recent attacks seem new and scary, it’s still the traditional fundamental controls that are your best protection. Many organizations are at risk because they don’t have a mature process for patch management – an end to end process, that is auditable, and includes accountability every step of the way.
It’s not enough to update your OS, push out patches, and think that everything is okay. You really have to know that the patches are applied successfully and report to decision makers on the status of your patching program.
Additionally, network segmentation can be implemented to slow down an attack like this.
NotPetya – When Ransomware isn’t Ransomware
In June of 2017, NotPetya ransomware began spreading around the globe at alarming speed. The attack, which began in the Ukraine, was initially tracked to an automated update for a Ukrainian business accounting software (the Ukranian accounting software developer had been hacked). It was reported that 2,000 users in Russia, Ukraine, Poland, France, Italy, the UK, Germany and the US were infected. The software demanded a payment of $300 to restore the user’s files and settings.
Unlike typical ransomware, though, the NotPetya attack was not designed to make money. In fact, even if payment was made, research showed that there was no way to actually decrypt the victim’s data. Instead security experts believe that it was “deliberately engineered to damage IT systems rather than extort funds.” This flies in the face of the typical intent of ransomware. The bizarre, yet common, agreement that we as victims can rely on. If we pay the fee, then the bad guys will release / restore our content. If we can no longer rely on that, it makes the stakes even higher.
But, for companies without controls in place, the cost can be even more than a ransom payment. The shipping giant Maersk reported that the NotPetya ransomware attack cost them over $200 million.
Another alarming capability that NotPetya brought to light was the ability for hackers to compromise a software utility. We rely a great deal on automation in our updating process, typically trusting that the system update is sound and trustworthy. This shows how important it is for you to understand, and be comfortable with, the security practices of your software providers.
Response and Protection Tips
The NotPetya attack highlights one of the important defense mechanisms against ransomware – you should ensure that current backups of all your important data are “air-gapped.” This means there is a separation between your network / production environment and your back-up environment. Careful planning is required, and there are many options available.
Additionally, be sure to practice your backup and restoration process, as well as your Business Continuity Plan. Not just testing. Testing is important, but it's equally important to prepare for the test. Practice makes perfect. Having manual procedures in place while systems are being replaced / restored is also a good idea.
Finally, you can vaccinate yourself against NotPetya. While no kill switch was found, according to BleepingComputer.com, a vaccine is available where one can create a file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.
HBO and Mr. Smith – Now it’s Personal
According to Malware Bytes, ransomware is becoming more personal. Most ransomware attacks are random, hitting anyone and everyone that they can. However ransomware attacks are likely to become more targeted. “If an attacker can recognize the difference between an enterprise and a consumer target, they will be able to adapt their ransom demands to match their victims. The intentions of attacks are also likely to become more personal.” It won’t be just about encrypting files, instead ransomware attackers may threaten to post data or information on social media or expose it in an equally destructive way.
One example of this is the recent hacking of HBO. A group of hackers that goes by the name Mr. Smith infiltrated HBO's system in July and gained access to an alleged haul of 1.5 terabytes of TV shows and corporate information. The hackers demanded a ransom of $6 million, which HBO has refused to pay. In response, Mr. Smith has been slowly leaking HBO content, including a bunch of unaired episodes from other HBO productions, internal emails, scripts, internal network passwords, and others, according to BleepingComputer.com.
The full effect of the hack is yet to be known at the time of posting.
Response and Protection Tips
The HBO hack illustrates how important your control environment is. In particular what detective controls you have in place. It’s fairly common for organizations, especially in regulated industries, to have mature perimeter preventative controls in place. But once an attacker breaches that perimeter or one of your users clicks on a phishing email, it’s your detective controls that matter.
How quickly you can detect that something is going on in your network – that something new is happening and it’s not authorized – the quicker you’ll be able to contain the damage. You need to understand normative behavior on your network, so you can be searching for anomalies. Check out our blog post, With Log Analysis It's All About The Base... and Context, too, to learn more!
Ransomware Response and Protection Tips Recap
- Patch Management: The best way to defend against this type of attack is to make sure your systems are up-to-date with patches.
- “Air Gap” Backup: Have a backup process that maintains current backups of all your important data. The backups should be “air-gapped” or stored on a locked- down vLAN. Test the restore process frequently.
- Business Continuity Planning: Practice not just backup and restoration, but your entire BCP.
- Network Segmentation: Splitting your network into small network limits communication throughout your network, and limits the attack options available. If an attacker can’t see it, they can’t attack it.
- Monitoring / Alerting: Have a system for early detection and confirmation.
Ransomware Incident Response Checklist: The key to successfully responding to and managing incidents is a comprehensive and rehearsed incident response program. Tyler's Ransomware Incident Response Checklist will provide you with an outline of the key steps needed to help your organization prepare for a Ransomware attack - including preparation, analysis, mitigation, and wrap-up.