Ransomware is a very hot topic right now. In fact, some are saying this will be the year of the ransom (LA Times). That is, ransomware is the single biggest (but not the only) threat to individuals and corporations this year. The FBI has even been meeting with organizations both publicly and privately to help raise awareness (FBI).

Heating up?

Yes. Blackmail has always been in the physical world. But it’s finding new legs on the Internet right now. Malware could do anything. From sabotage to spying. But stealing money is the cybercrime favorite. In the past, stealing bank numbers and credit cards was the path toward evil riches. However, banks have established more anti-fraud measures, making this technique difficult.

Why?

Attackers lock an organization or individual’s files, and agree to unlock them only if they pay a ransom. Getting paid with crypto-currency (bit coins) is the new fastest and safest way for bad guys to monetize a victim. The ransom for mass victims tends to be reasonable: ~$300USD is the average ask (CNET). Other times, the bad guys get directly involved to get a big fish on the hook, and ask for much more.

Variants

Ransomware doubled in 2015. The number of ransomware families has increased 600 percent from ~2 in 2013 to ~12 in 2015 (Bromium 2015 Threat Report). Here’s another way to visualize that data from a recent threat report (Symantec):

ransomeware

As with any success, copycats will always want to jump on the bandwagon. Expect to see many new variants of crypto-ransomware coming in the next year or two. Jigsaw (ComputerWorld) begins deleting files as you delay, almost like killing hostages one-by-one. Targeting backup files is effective against organization data (ABC News). And of course, the “best” ransomware includes good “customer service” helps victims pay (Reuters).

Hard to stop?

Yes. For most anyway. Typical security products are detectors. They require a constantly updated set of rules to try and block/detect infections. The problem: Angler is the crafty exploit kit of choice, and is currently managing to infect computers anyway. Angler is tending to drop ransomware, which is constantly re-encoded to bypass file analysis techniques. Thus, the only reliable way to stop ransomware is via security through isolation (what Bromium does). To read more about exploit kits, see: https://labs.bromium.com/2016/03/08/angler-ek-a-bromium-discussion/

Mitigations

The FBI recommends not clicking on suspicious links and backing up data (FBI). That’s good advice. But there are problems with both. First, people need to be able to click links and open documents to do their job. Imagine an HR employee who is told not to open PDFs? That’s how resumes come! Second, when backups are done, they’re not always stored offline. The real threat to organizations when a ransomware hits, is that their network shares (which might be where backups are stored) are encrypted.

Are you ready?

No. Many individuals and even companies do not have sufficient backups of critical data. Also, they do not have protections that can fully stop malware infections from getting in. That’s because detection is always a step behind. And while detection can help organizations hunt for unknown infections, there’s not as much need to find ransomware. You’ll know when you get hit. When you hear your system administration screaming; that might be the first clue.

Should I pay?

Of course not. Criminals will use the money to conduct R&D for more crime. There is also no certainty they’ll leave the system once (if) you get your files back. However, typically they do return the files, and most sources admit, there are cases where paying makes sense. For example, the hospital that couldn’t treat patients until their network returned paid the $17,000USD because risking any more time was not an option (LA Times).

Demo

This video provides a live walkthrough of a real ransomware sample. That’s what we really wanted to provide in this blog. We want to show how straightforward Ransomware is, and how easy it is for us to block and report.

Conclusion

Ransomware is going to hit your organization at some point. Will you be isolating those events, or dealing with the aftermath? Because ransomware has been so effective, more complicated strands are defiantly coming to a computer near you.