Ransomware (short for ransom malware) is "a type of malware that prevents users from accessing their system or personal files and demands payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card." (Malwarebytes).
Ransomware is a severe threat not only for individual users but also for corporate network environments because it allows cybercriminals to gain a lot of money in a short amount of time. While some ransomware strains demonstrate strong coding skills and great sophistication, ransomware distribution platforms allow conducting a ransomware campaign without needing to have a developer background. When browsing the dark web, it is not uncommon to find shady websites promoting ransomware-as-a-service platforms.
A specific example of such services is shown below.
These malicious actors offer, for a fee, the same services a legit cloud provider would, such as development, tech support, customized dashboards, etc., without any need for the attacker to know any programming languages. The cybercriminals running it offer the attackers all they need, including binaries, documentation, detailed instructions and tech support.
Ransomware attacks are often successful because corporate organizations have security gaps with their patch and configuration management policies. Most organizations apply updates and patches only after testing them in a demo environment, which might create a window of opportunity for attackers to successfully exploit a vulnerability that the latest patches would have remediated.
Recent ransomware strains like Ryuk, often delivered through large botnets such as Emotet or TrickBot, have become more sophisticated and lethal. The city of New Orleans was recently forced to declare a state of emergency after a Ryuk ransomware attack took place on December 13, 2019. The infection spread so fast and dramatically that the city was forced to order all employees to power down computers and disconnect from WI-Fi.
Another recent ransomware attack took down a US Coast Guard base for around 30 hours and was reportedly triggered by an employee who opened an infected email.
Many surely remember the WannaCry ransomware outbreak, which successfully compromised a very large number of computers over a short time frame in May 2017. Not everyone knows, though, that Microsoft had released a patch to fix the underlying SMB vulnerability some months before this widespread infection started occurring, but most individual and corporate users had not applied this patch yet.
Had most Windows users applied the patch earlier, the WannaCry outbreak would have likely been much more contained than it actually was.
Should You Pay the Ransom?
This is a very controversial topic.
Government and law enforcement agencies mostly recommend not to pay.
An efficient and secure backup policy can minimize the risks related to a ransomware infection. If backup copies are created regularly and stored securely (including offline), the victim user/organization can have a much better chance to resolve this situation without suffering excessive damages.
However, sometimes the answer to this question cannot be so clear-cut. Much depends on how valuable the information being held for ransom is for the organization and on how much downtime an organization can afford.
Even with an efficient and secure backup policy in place (and tested regularly!), there may be situations when an organization cannot afford to lose data or having its servers and workstations down, even for a limited time.
Backups are normally performed on a fixed schedule. A company having a large website, forming the bulk of its business, cannot afford to lose, for example, the transactions finalized over the day, or even over the last hour because it could mean losing millions of dollars. Additionally, if an organization's business relies on proprietary information and said information is being held for ransom, the organization may seemingly have no other choice but to pay.
However, paying the ransom does not always guarantee that the files held for ransom will actually be decrypted.
Many ransomware attackers will provide the decryption key after receiving the related Bitcoin payment, while others do not. Sometimes a bug or some other technical issue prevents the provided decryption key from working to successfully decrypt all ransomed files. Often the decryption process, even if works, is extremely slow and unreliable.
Whether the attackers and their decryption tools release your files or not, this is definitely a situation your organization does not want to be in.
There are two different approaches an organization can follow to prevent or mitigate this threat: a reactive approach and a proactive approach, which are not mutually exclusive.
1. If one or more clients are compromised, disconnect them immediately from the network.
2. If your company uses cloud storage, disconnect infected clients to prevent them from syncing to the cloud. The same principle applies to file servers/shares.
3. Restore compromised systems and data from known clean backups. A comprehensive backup and disaster recovery strategy needs to be implemented and tested. Ideally, at least one backup copy should be stored in a secure offline/offsite location, as some ransomware variants attack and compromise any backups they can find on a corporate network. The human factor is critical in information security and a careless click can start to damage an organization's network within a fraction of a second. A proactive, formal, and effective backup strategy is absolutely paramount to mitigate the ransomware threat.
4. Be ready to re-image the infected machine(s) with a known clean gold image.
5. Re-connect infected machines to the network only after making sure they are running a clean and trusted configuration. Monitor everything to ensure successful eradication.
Sadly, even the steps described above, though being necessary, are not enough.
By now, both in information security in general and especially for ransomware infections, it is no longer a matter of whether your organization will get hacked, but rather of when.
Regardless of the budget, an organization allocates for information security, not all threats can be successfully thwarted. Not all initial attacks can be successfully prevented, but ultimately all incidents can be identified and contained with the right strategy.
The attack surface for an organization, with the cloud revolution and services and apps increasingly moving online, has dramatically increased, to such an extent that organizations commonly underestimate the potential impact of all this. This issue can lead to security breaches because attackers could find a bug where no one expected for it to happen and they can go undetected.
Moving operations to the cloud isn't a one-size-fits-all solution to ransomware attacks because this leads to a loss of control for organizations. Servers deployed in the cloud are not immune to successful ransomware and malware attacks, because the cloud is not automatically, inherently more or less secure than on-premise solutions.
Additionally, when evaluating its security posture, an organization should not think only of its internal or Internet-facing network, but also of all third parties having access to such networks, such as remote employees, vendors, contractors, etc.
The attack surface has expanded so dramatically that a breach can be around the corner at any time. For example, through threats such as watering hole attacks. The term “watering hole” refers to initiating an attack against targeted businesses and organizations by compromising a website known to be frequented by their users. In a watering hole attack scenario, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection (source: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/137/watering-hole-10).
A related scenario can likewise lead to an organization being breached not by a direct attack, but by successfully compromising, through a ransomware campaign, third parties somehow connected to that organization.
In this type of scenario, the organization's network may be relatively secure, but an attacker can hack in thanks to vulnerabilities affecting third-party subjects connected to that organization (e.g. a vendor having credentials to access their client corporate organization's network who uses a weak password). So, in today's complex world, a threat can come not only from inside an organization but also from third parties somehow connected to it.
An organization needs to be proactive when defending against this new type of threats.
A very important principle of information security, dating back to ancient Chinese general Sun Tzu, goes:
The problem is most organizations know neither their enemy nor themselves.
Now, if not knowing the enemy can be justified, given the Internet's essential anonymity and the circumstance most attackers can very effectively cover their tracks, knowing themselves should be paramount. While precise adversary attribution may not be possible in certain contexts, organizations can and certainly should know the high-level threat of ransomware attacks
A proactive approach to the ransomware threat is to turn the tables on the attackers and think like one of them, by performing a penetration test or an adversary simulation.
The typical goals of a penetration test are to identify and validate (sometimes through targeted proof-of-concept exploitation) notable vulnerabilities in the target network, systems, and applications.
A penetration test (or pen test) is performed under an external attacker's perspective (black-box approach), as an insider who has additional knowledge of the target network (white-box approach) or by following a hybrid approach (gray box approach). The results from the pen test are then explained to the client by delivering a penetration test report.
In a black-box approach, the penetration tester tests a company's network like an external attacker would, without any knowledge of its topology nor any valid credentials being provided. This type of pen test can be an eye-opener for most organizations, as it shows how far an external attacker could go before an attack gets detected.
In a white-box approach, the penetration tester is supplied with credentials and additional knowledge of the organization's internal network. This type of engagement tries to replicate a scenario where a malicious insider could compromise a network. This approach has pros and cons. One one hand, a white box approach can surely lead to a much more spot-on assessment of the organization's internal vulnerabilities. On the other hand, as normally the IT staff is aware a penetration testing is being conducted, their reactions might not be a very good indicator of the way they would behave in a real-world attack, where they would receive no notice whatsoever.
A gray-box approach is a hybrid approach between the previous ones, where the penetration tester has partial knowledge about the client's network and the client may supply standard user accounts credentials to access it.
Regardless of the penetration testing approach followed in the specific case, only when organizations let go of their bias and think like an attacker, can they really understand the scope of the exploitable vulnerabilities affecting their network. Often times, though, organizations are unable to analyze their security posture in an unbiased way.
Information security in an organization is widely influenced by corporate politics and by the tone at the top. Often times, even when critical issues are detected, an organization may live in denial, for a series of reasons. Organizations are formed by people and they sometimes cannot help feeling emotively involved with the way a network is designed, especially for system administrators. Sometimes, people are reluctant to admit some solutions do not work well anymore for an organization, especially if they designed them, because they have worked for years thus far.
While some ransomware variants are highly targeted, other attackers are indiscriminate as to the targets they choose, meaning they do not care who they hit as long as they are vulnerable. Ultimately, many ransomware attackers look for targets of opportunity based on vulnerability to specific attack vectors.
From a ransomware prevention standpoint, a standard penetration test, while still valuable, is generally performed by running vulnerability scans and throwing a few exploits for a report in such a way that it does not always reflect the actual modus operandi of ransomware attackers. A way more beneficial approach could be running a red team exercise or adversary simulation with proof-of-concept (POC) ransomware.
Focusing on real-world attack tools, techniques, and procedures (TTP), this alternative approach is more targeted than a standard pentest. Red team exercises and adversary simulations focus on exploiting real-world ransomware attack pathways such as phishing and lateral movement and deploying custom PoC ransomware that can demonstrate what real ransomware can achieve in a short amount of time.
The fact an organization has not been hacked in the past does not in any way guarantee it will not be in the future.
Additionally, even when organizations have an internal pen test team, they often lack independence, due to organizational bonds, personal ties, concerns about their job security, and other situations.
Therefore, the best way for an organization to proactively assess its security posture is to hire an independent pen test or red team company. An independent outside team can offer a new perspective under the point of view of an external observer, supplementing the internal team's work.
Contact Polito Team.