Lifecycle and Problems of Ransomware Attacks

3085 words (12 pages) Essay in Computer Science

23/09/19 Computer Science

INTRODUCTION

The internet is a very powerful tool for communication and an important part of our everyday lives. That it is used in all spheres of daily life has never been in doubt; over the years the internet has become an integral tool for entertainment, information and communication. It is also used extensively in banking, healthcare, transportation, shopping, and in small and large organizations alike, among many other areas.

But while the benefits cannot be disputed, the attached risks are more elusive and more difficult for the individual user to counter (Halcu, 2018). Unauthorized access to personal data, misuse of that data and malicious software attacks constantly make headlines in the media (Halcu, 2018).

Much like other malware types, ransomware starts an attack by trying to remain undetected, slowly encrypting files one after another to avoid suspicion. It is only once all the targeted files or the whole system are encrypted that the ransomware makes itself known, usually in the form of an impassable splash screen. It is from this splash screen that users are first told that their files are locked and that, in order to retrieve their data, they are required to pay a cash sum. The exact wording of the demands varies between ransomware strains, but most demand some sort of payment within a specified timeframe. Some messages are aggressive in the hope of scaring the user into a quick payment, while others attempt to masquerade as legitimate organizations, such as the FBI (Dale, 2018).

Locker and crypto ransomware are the two main types in circulation today, as highlighted in a Symantec report authored by Kevin Savage, Peter Coogan and Hon Lau (Savage, et al., 2015).

Locker ransomware (computer locker) is designed to deny access to computing resources. This usually takes the form of locking the computer or device's user interface and then asking the user to pay a fee in order to restore access (Savage, et al., 2015). Locked computers are often left with limited capabilities, such as only allowing the user to interact with the ransomware and pay the ransom (Savage, et al., 2015). This means access to the mouse might be disabled and the keyboard might be limited to numeric keys, allowing the victim to type only the numbers needed to make the payment (Savage, et al., 2015). Crypto ransomware (data locker), by contrast, is designed to find and encrypt valuable data stored on the computer, making the data useless unless the user obtains the decryption key.

PART 1

CURRENT ESTIMATES OF THE SCALE OF THE RANSOMWARE PROBLEM

Ransomware is one of the most monumental threats facing individuals and organizations today. Ransomware is a kind of malware used to lock users out of their systems and withhold their data until a fee is paid to the attacker. The attacker usually demands payment in cryptocurrency, either Bitcoin or Monero (Dale, 2018).

The very first ransomware, the AIDS Trojan, was created by Harvard-trained Joseph L. Popp in 1989; 20,000 infected diskettes were distributed to attendees of the World Health Organisation's International AIDS conference. The Trojan's main weapon was symmetric cryptography. It did not take long for decryption tools to recover the file names, but this effort set in motion almost three decades of ransomware attacks (Francis, 2016).

Over the years attackers have improved and developed the ransomware business model, using dangerous malware, strong encryption, anonymous Bitcoin payments and vast spam campaigns to create dangerous and wide-ranging malware (Symantec, 2017).

The number of attackers has increased. While consumers in particular (69 percent of all infections) are at risk from ransomware, the year covered by the report saw evidence that ransomware attackers may be branching out and developing even more sophisticated attacks, such as targeted ransomware attacks on businesses that involve an initial compromise and network traversal leading to the encryption of multiple machines. Ransomware looks set to continue to be a major source of concern globally in 2017 (Symantec, 2017).

Symantec's 2017 report exposed some key findings: due to its prevalence and destructive nature, ransomware remained the most dangerous cyber-crime threat facing consumers and businesses in 2016 (Symantec, 2017). Symantec also reported that the average ransom amount has shot upwards, jumping 266 percent from US$294 in 2015 to $1,077 (Symantec, 2017).

Deloitte's 2016 report shows that the number of reported attacks keeps rising, with no sign of the numbers coming down: in the first quarter of 2016 there was an average of more than 4,000 attacks per day, a 300% increase over the average of 1,000 attacks per day observed in 2015 (see figure 1) (Deloitte, 2016).

[Figure 1: bar chart, "Ransomware Attacks Per Day", comparing 2015 with 2016 Q1 (image not reproduced)]

Figure 1 (Average number of ransomware attacks per day in Q1 2015 and 2016)

Some software tools have been developed to block ransomware before it is installed on the victim's computer; these tools work by detecting the malicious behavioural patterns of malware.

While antivirus detections of ransomware amount to a small percentage of the overall number of attacks, the notable uptick in detections during the year suggests that ransomware activity increased during 2016 (Symantec, 2017).

Ransomware antivirus detections increased by 36 percent compared to 2015, rising from an average of 933 per day in 2015 to 1,271 per day in 2016 (see figure 2) (Symantec, 2017).

[Figure 2: "Average global ransomware detections per day" (image not reproduced)]

Figure 2 Average global ransomware detections per day

A survey carried out by Symantec showed that an average of 35,000 ransomware samples per month were detected by antivirus at the beginning of the year, rising to more than 40,000 by the end of the year (Symantec, 2017).

Ransomware attacks in 2017 were dominated by the stories of the WannaCry and Petya/NotPetya attacks (Symantec, 2018). Although ransomware infections had increased since 2013, reaching a record high of 1,271 detections per day in 2016, detections per day in 2017 were approximately 1,242; the WannaCry and Petya/NotPetya detection numbers were not included in that figure (Symantec, 2018).

Symantec's 2017 survey shows that the United States of America continues to be the region most affected by ransomware. Japan accounts for 9%, Italy 7%, Canada 4% and India 4%; others are the Netherlands 3%, Russia 3%, Germany 3%, the United Kingdom 3% and Australia 3%. From the results of the survey you can see that attackers keep concentrating on developed and stable economies that have the capacity to pay the ransom (see figure 3) (Symantec, 2017).

According to an IBM Security report of 2016, there has been an increase in ransomware attachments to spam: the proportion has gone up from 0.6% in 2015 to nearly 40% year-to-date in 2016 (see figure 2) (Kessem, 2016).

[Figure 4: "Percentage of Spam with ransomware attachments" (image not reproduced)]

Figure 4. Source: IBM X-Force, 2016

A survey carried out by IBM Security shows which kinds of data business executives are most likely to pay a ransom to recover from attackers.

About 60 percent of respondents indicate that their organization would be willing to pay some sort of ransom in order to recover stolen data:

• Financial records – 62 percent

• Customer and sales records – 62 percent

• Corporate email system/server – 61 percent

• Intellectual property – 60 percent

• Human resource records – 60 percent

• Corporate cloud system access – 60 percent

• Business plans – 58 percent

• R&D plans – 58 percent

• Source code – 58 percent (Kessem, 2016)

THE TYPICAL LIFECYCLE OF RANSOMWARE, INCLUDING THE KEY STAGES OF THE KILL CHAIN

There are various ways that an attacker can plant ransomware on a victim's machine or systems; the two most common methods are phishing emails and fraudulent websites. An attack can either be aimed at a specific target or distributed randomly to different users (MANVEER PATYAL, et al., 2017).

Analysis by Exabeam of 86 ransomware specimens found a surprising amount of commonality in their behaviour. Below are the six stages of the ransomware kill chain (see figure 5) that are shared by all ransomware strains (Exabeam, 2016).

The main stages of the ransomware kill chain are as follows (figure 5) (Exabeam, 2016):

Distribution Campaign: The first stage in the kill chain is to distribute and install the software on potential victims' machines. During this campaign, users are tricked into downloading a malicious dropper or payload via an email, a watering-hole attack, an exploit kit or a drive-by download. This dropper is responsible for kicking off the infection (Exabeam, 2016).

Infection: Once on the victim's machine, the dropper phones home to download an .exe or other camouflaged executable, either by connecting to a predefined list of IP addresses that host the C2 server or by using a domain generation algorithm (DGA) to connect via pseudo-random domains. From this point, the dropper usually copies the malicious executable to a local directory such as the Temp folder or %AppData%/local/temp. Finally, the dropper script is terminated and removed, and the malicious payload is executed (Exabeam, 2016).

Staging: In the staging phase the ransomware performs various housekeeping tasks to ensure smooth operation. It moves itself to a new folder and then dissolves the original copy, checking the local configuration and registry keys for various rights, such as proxy settings, user privileges, accessibility and other potentially meaningful information. The ransomware also sets itself up to survive reboots, disables recovery mode, and runs various commands to delete shadow copies of files from the system. At this stage it also communicates with the C2 server, either to negotiate the ransomware's public key or to perform reconnaissance on the user/system using online IP analytics tools to determine whether or not they are an applicable target (Exabeam, 2016).

Scanning: As soon as the ransomware has set itself up and is fortified to persist through shutdowns and reboots, it gets ready to take files hostage. The ransomware scans for files of interest and maps the locations containing them, both locally and on mapped and unmapped network-accessible systems. Many ransomware variants also look for cloud file storage repositories such as Box, Dropbox and others, which may also be included. This particular stage is the first real opportunity that security analysts have to stop the ransomware kill chain (Exabeam, 2016).

Below is an illustration of the ransomware scanning process:

The Ransomware Scanning Process (Figure 6) (Exabeam, 2016)

Encryption: The files discovered by the ransomware are encrypted. Older versions of ransomware encrypted only local files, but more recent ones have started encrypting the backups first. To achieve this, they search for directories or files named in a date format (e.g. data20160323.bak) or containing .bak and encrypt these before encrypting the other files. Since encryption can be detected by anti-virus software, the ransomware typically encrypts important files (such as system files or files with recent access dates) first, so that harm is caused as quickly as possible before detection takes place (MANVEER PATYAL, et al., 2017).

Payday: As soon as encryption is completed, a ransom note is generated and shown to the victim, and the attacker waits to collect the ransom. The note informs the victim of the extent of the damage done and the way to recover the files. In the case of CryptoLocker, it provides a new installation link in case anti-virus has uninstalled the malware from the system. It also shows users the steps to disable or uninstall anti-virus programs, along with all the steps to pay the ransom. It may take 2-3 days for the attackers to verify the payment, which is usually made in bitcoins; as soon as the payment is verified, the attacker delivers the private key. Decryption of the files starts once the private key is received by the victim's machine, and ultimately the files are recovered.
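As an added example (not code from the essay or from Exabeam), the following Python maps constructed endpoint telemetry onto the kill-chain stages just described, so that a defender can raise an alert at the Staging stage (shadow-copy deletion) or at the first burst of high-entropy file rewrites, before the Payday stage is reached. The event format, the process IDs, the thresholds and the command-line patterns are assumptions for illustration, not indicators taken from the reports cited above.

```python
# Added example (not the essay's or Exabeam's own code): maps constructed endpoint
# telemetry onto the kill-chain stages above so a defender can alert at Staging.
import math
import re
from collections import Counter, defaultdict

# Command lines typical of the Staging stage (shadow copies and recovery destroyed).
STAGING_CMDS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)  # Infection: payload dropped to Temp
BURST = 20         # distinct high-entropy rewrites by one process => Encryption stage
ENTROPY_MIN = 7.0  # bits per byte; ciphertext is close to 8.0, documents far lower

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(events):
    """Return {pid: set(stages)} from constructed events of two shapes:
    ("process", pid, image_path, command_line) or ("write", pid, path, content)."""
    stages, hot_writes = defaultdict(set), defaultdict(set)
    for kind, pid, a, b in events:
        if kind == "process":
            if TEMP_DIR.search(a):
                stages[pid].add("infection")
            if any(p.search(b) for p in STAGING_CMDS):
                stages[pid].add("staging")
        elif kind == "write":
            if a.lower().endswith(".bak"):
                stages[pid].add("scanning")  # backups are targeted first
            if shannon_entropy(b) >= ENTROPY_MIN:
                hot_writes[pid].add(a)
            if len(hot_writes[pid]) >= BURST:
                stages[pid].add("encryption")
    return dict(stages)

def alert(events):
    """PIDs that reached Staging or Encryption and should be isolated immediately."""
    return sorted(p for p, s in classify(events).items() if s & {"staging", "encryption"})

# Constructed sample telemetry: one ransomware-like process (4242), one benign editor (777).
ENCRYPTED = bytes(range(256)) * 4        # uniform byte values, entropy exactly 8.0
PLAINTEXT = b"quarterly figures\n" * 40  # low-entropy document content
SAMPLE_EVENTS = [
    ("process", 4242, r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe"),
    ("process", 4242, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("write", 4242, r"C:\data\data20160323.bak", ENCRYPTED),
    *[("write", 4242, rf"C:\data\report{i}.docx", ENCRYPTED) for i in range(25)],
    ("process", 777, r"C:\Program Files\Office\winword.exe", "winword.exe"),
    ("write", 777, r"C:\data\notes.txt", PLAINTEXT),
]
```

Running `classify(SAMPLE_EVENTS)` attributes all four detectable stages to process 4242 and nothing to the editor, and `alert(SAMPLE_EVENTS)` returns `[4242]`; on a real host the same logic would be fed by process-creation and file-write telemetry from an EDR or Sysmon-style sensor.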

BRIEF DESCRIPTION OF SOME EXISTING RESEARCH BASED SOLUTIONS AND LIMITATIONS

Ransomware locks a victim's computer until the victim makes a payment to regain access to their data. This kind of attack has been ongoing for some time now. There have been recent high-profile attacks on big organisations, companies, government agencies and others, and these attacks have been of great concern to stakeholders trying to defend against ransomware.

Kharraz et al. reported that in 2016 several public and private sectors, including the healthcare industry, were impacted by ransomware. Very recently, WannaCry, one of the most successful ransomware attacks, impacted thousands of users around the world by exploiting the EternalBlue vulnerability, encrypting user data and demanding a bitcoin payment in exchange for unlocking files (Kharraz, et al., 2018).

Over the years, researchers have been proffering solutions to the ransomware problem. Research by Manveer Patyal et al. in 2017 led to the building of a multi-layered architecture to detect and prevent ransomware attacks, in which each layer works on a different phase of ransomware execution. In many of the tools and strategies developed to date, monitoring processes has proved an effective technique for detecting ransomware (MANVEER PATYAL, et al., 2017).

WHAT BEST PRACTICES SHOULD USERS EMPLOY

Symantec's 2017 report recommended best practices that computer users should employ to avoid falling victim to ransomware attacks; they are listed below (Symantec, 2017).

a) Regularly back up any files stored on computers or any other devices.

b) Users should always keep the security software running on their devices, including mobile devices, up to date; by doing this, users protect themselves against new variants of ransomware.

c) Users should constantly update operating systems and other software, as updates frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.

d) It was also recommended that users delete any emails they receive that look suspicious, especially if they contain links or attachments.

e) Users should be extremely careful of any Microsoft Office email attachment that advises them to enable macros in order to view its content. Unless you are absolutely sure that the email is genuine and from a trusted source, do not enable macros and instead immediately delete the email.

f) Do not download apps on mobile devices from sites that are not familiar to you; only download apps from trusted sources, and look critically at the permissions requested by apps during installation.

g) Users should always use strong and unique passwords, avoid using the same password on different accounts, and enable two-factor authentication if it is available.

h) Users who have online bank accounts should sign up for transaction alerts from their bank so that they receive messages if any suspicious transactions are made on the account (Symantec, 2017).

References

  • Dale, W., 2018. Internet crime; Software; Malware; Hackers; Digital currencies. London: Dennis Publishing Ltd.
  • Davey, W., 2018. Malware; Exploitation. London: Dennis Publishing Ltd.
  • Deloitte, 2016. Ransomware Holding Your Data Hostage. Deloitte Threat Intelligence and Analytics, 12 August, pp. 1-23.
  • Drolet, M., 2018. Malware; Software upgrading; Threats; Network security; Security management. CSO (Online), Framingham, 10 July, pp. 1-3.
  • Exabeam, 2016. The Anatomy of a Ransomware Attack. San Mateo: Exabeam, Inc.
  • Francis, R., 2016. CSO. [Online]
    Available at: https://www.csoonline.com/article/3095956/data-breach/the-history-of-ransomware.html#slide2
    [Accessed 31 October 2018].
  • Halcu, B., 2018. Internet Of Things (Good And Bad). Mondaq Business Briefing, 26 January, p. 1.
  • Kessem, L., 2016. Ransomware: How consumers and businesses value their data. Somers: IBM Corporation.
  • Kharraz, A., Robertson, W. & Kirda, E., 2018. Protecting against Ransomware: A New Line of Research or Restating Classic Ideas? IEEE Security & Privacy, 16(3), pp. 103-107.
  • MANVEER PATYAL, SAMPALLI, S., QIANG, Y. & MUSFIQ, R., 2017. Multi-layered defense architecture against ransomware. International Journal of Business & Cyber Security (IJBCS), 1(2), January, pp. 52-64.
  • Myers, L., 2016. Ransomware: Expert advice on how to keep safe and secure. [Online]
    Available at: https://www.welivesecurity.com/2016/10/10/ransomware-expert-advice-keep-safe-secure/
    [Accessed 20 November 2018].
  • Savage, K., Coogan, P. & Lau, H., 2015. Security Response: The Evolution of Ransomware. Mountain View: Symantec Corporation.
  • Symantec, 2017. Internet Security Threat Report. Mountain View: Symantec.
  • Symantec, 2018. Internet Security Threat Report. Mountain View: Symantec Corporation.
