Ransomware is a type of malware that encrypts everything on your system with a cryptographic algorithm and holds that encrypted data hostage for ransom. It demands that the user pay for the decryption key. There are two types of ransomware. The first type encrypts all data on the system, making it nearly impossible to recover without the key. The second type simply locks the system and demands that a key be entered to "decrypt" the data, but does not actually encrypt anything.
One of the best-known ransomware families is CryptoLocker. It uses the RSA cryptosystem to encrypt data; the malware's command and control server holds the private key needed for decryption. It typically propagates as a Trojan and relies mainly on social engineering to spread.
The way ransomware operates (as opposed to its purpose) is quite interesting. To understand it properly, we can divide it into the following steps:
1. It enters the victim's system and installs itself covertly and silently. It places its keys in the system registry.
2. After installation, it contacts its command and control center, which tells the ransomware what to do. It starts the communication by performing a "handshake" with the server and then exchanges keys.
3. Next, it actually begins to work with the key provided by the server and starts encrypting the data on the machine. It identifies the files to encrypt by their common file extensions.
4. This is where it gets scary. After encrypting the data, a message appears on your screen informing you that the data on your computer has been locked, and threatening that if you do not pay within a specific time period, you may never see your data again.
How it propagates:
Ransomware mostly uses social engineering tricks to propagate: email attachments with malicious files, and covertly or maliciously forged documents with embedded scripts. It also uses malicious URLs that point to vulnerable and compromised sites. Browsing the Internet and downloading software from unknown publishers is another likely cause of infection. Ransomware also spreads through media such as USB sticks, portable hard drives and the like.
Its installation is a covert operation. It abuses the Windows default behavior of hiding file extensions to disguise the real .exe extension. Once it reaches its target through any of the propagation methods above and a user opens the malicious file, it becomes memory resident on the computer. It then usually saves itself in the AppData, User Temp, and Local AppData folders. Later, it adds a Windows registry key that activates the malware every time Windows restarts.
Primary Method of Operation
The main method is encryption of the data on the target computer. It generates a random symmetric encryption key for each file. It targets files with common extensions such as .jpg, .doc, .docx, .xls, .png, .ppt, .pptx, .jpeg, etc., plus other extensions hard-coded in the malware. It uses the AES algorithm to encrypt the data files. After encrypting a file, it encrypts that file's random key with the RSA public key and appends the result to the encrypted file. Now only the owner of the matching private key can recover the random key that was used to encrypt the data.
The malware communicates with its command and control center to obtain the public key. It locates the server using a domain generation algorithm (DGA) that produces pseudorandom domain names from a generator such as the Mersenne Twister. After encrypting the data, it displays a message to the user stating the ransom that has to be paid for the key and a time limit, warning that failure to pay will result in the key being deleted.
A compromised system may show symptoms such as a high rate of peer-to-peer (P2P) communication, increased network traffic (communication with the command and control server) and high usage of system resources.
Mitigation and Prevention:
So far, there is no way to break the CryptoLocker encryption and recover the key needed to decrypt the data. Purchasing the key seems to be the only way to get the data back – unless you have a backup. However, past incidents have shown that paying does not guarantee the return of data: some people paid but never received the key; in other cases, the key they received did not work. Ultimately, the best way to keep your data safe is to be proactive, so let's discuss some proactive steps you can take to prevent these attacks from happening to you.
1. The first and foremost thing that comes into play when we talk about security is user awareness. Training employees, users and stakeholders is the most important thing. Understand that we are in a war against malware, and users cannot win this fight unless they are aware of the threats. SOC/security management teams can organize seminars, awareness campaigns, etc., to guide their employees. Periodic briefings are important. Also, explaining cases with examples to both technical and non-technical employees makes it easier for them to understand and remember the scenarios they are likely to encounter in everyday life. Here are just a few ways you can keep your staff educated about these types of attacks:
- Avoid browsing untrusted sites (e.g. porn, gambling, freeware downloads and so on). It is recommended to use the Chrome or Firefox browsers, which are less vulnerable to attacks. Be especially cautious when using older versions of Internet Explorer. If your company can't afford expensive solutions, consider allowing your users to install a browser extension like Web of Trust as a minimal safeguard.
- Do not open any email or attachment that originates from an unknown source (an EXE file inside a zip archive is an obvious example). Recent events have taught us that a Word document with macros can be dangerous too (Locky).
- When transferring files from mobile storage devices / D.O.K., don't forget to scan the device. Consider disabling AutoRun. Doing so will help improve your endpoint security.
2. Along with user awareness, implement security policies inside the domain via GPO, and email transport rules, to block such potentially dangerous emails and to stop .exe files from executing silently. One major recommendation: use security group policies in your organization to safeguard against malware. Let us walk through the process of implementing this.
Software restriction policies, applied through Group Policy, control which applications and programs are allowed to execute. What we can do is block executables in the specific user-space areas from which the ransomware launches itself. In large organizations, we can do this via domain group policies. In a small business environment, or in homes or organizations without a domain, apply local security policies.
- Open the Group Policy Management console on your primary DC to implement a software restriction policy.
- Create a new GPO and name it "Software Restriction Policy".
- Next, edit the newly created GPO and add the user-space folders in which you don't want software to auto-execute. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules. Right-click 'Additional Rules' and click 'New Path Rule'. Here you will create a new rule that enforces the software restriction.
- You will be adding file paths here. Add a path, select the security level 'Disallowed' and add a description.
The paths to be included in the policy are for Windows 7 and above.
- Allow some time for the Group Policy to sync to all systems, or go to each system, open cmd as Administrator and run 'gpupdate /force' to force a group policy update on that system.
There is a disadvantage to applying the software restriction policy: all other legitimate .exe files will also be blocked from running in those locations. However, you can whitelist legitimate software in the software restriction policy.
To whitelist apps in the software restriction policy, set exceptions for those apps. You can manually instruct Windows to allow those apps while blocking all others. To do that, add a path rule for each particular app as explained above, but set the security level to Unrestricted instead of Disallowed. The GPO will then whitelist those apps and allow them to execute in user space.
If you have an on-site email server or Exchange, transport rules become very useful. Use an Exchange transport rule to block or disallow attachments with executable content, or at least to mark them as Possible Spam so the user is warned about the content of the email.
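The same Disallowed and Unrestricted path rules, written to the local policy from PowerShell for machines without a domain. This is an added example, not the article's own procedure; the blocked folders are the ones the article names as ransomware drop locations, and the whitelisted application path is a placeholder.

```powershell
# Added example: create Software Restriction Policy path rules in the LOCAL
# policy (the registry location that secpol.msc writes to). Run elevated.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP security levels as stored under CodeIdentifiers
$Level = @{ Disallowed = 0; Unrestricted = 262144 }   # 262144 = 0x40000

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Disallowed', 'Unrestricted')] [string] $SecurityLevel = 'Disallowed',
        [string] $Description = ''
    )
    # Each rule is a GUID-named key under <level>\Paths with ItemData = the path
    $ruleKey = Join-Path $SaferRoot ('{0}\Paths\{1}' -f $Level[$SecurityLevel], [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord  -Value 0 -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord  -Value (Get-Date).ToFileTime() -Force | Out-Null
    return $ruleKey
}

# Enable SRP with default level Unrestricted: only the explicit Disallowed
# rules below block anything, so normal software elsewhere keeps working.
New-Item -Path $SaferRoot -Force | Out-Null
Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value 262144 -Type DWord
Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0      -Type DWord   # 0 = all users

# Block executables launched from the user-writable folders the article lists
# (AppData, Local AppData, Temp), including one level of subfolders.
foreach ($p in '%AppData%\*.exe', '%AppData%\*\*.exe',
               '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
               '%Temp%\*.exe') {
    New-SrpPathRule -Path $p -SecurityLevel Disallowed -Description 'Block ransomware drop locations'
}

# Whitelist one legitimate application that lives in user space (placeholder path)
New-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp.exe' `
                -SecurityLevel Unrestricted -Description 'Whitelisted business app'
```

Run 'gpupdate /force' or reboot afterwards, exactly as for the GPO version, and test with a harmless .exe copied into %Temp% before rolling the rules out widely.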
- Open the Exchange Management Console on your Exchange server.
- Go to Organization Configuration > Hub Transport.
- Open Transport Rules.
- Add a new rule by right-clicking the main screen. Enter the name of the rule along with its description.
- Select the condition for the rule in the next window: choose the "When any attachment file name matches text patterns" option.
- Select as many extensions as you like. Here we add .exe, .html, .doc, .docx, .jpg, .jpeg, .zip, .rar, etc.
- Select the action the rule performs once the conditions are met: choose the "prepend message subject with the string" option and enter "Possible Spam" as the text to add to the subject line.
- If there are any exceptions, add them on the next screen; otherwise, leave it as is. Complete the process by clicking Next and then Finish. The transport rule is now added and enabled, with its priority set to 0.
Now, when a user receives an email with one of the extensions we added to the rule, they will see Possible Spam prepended to the subject of that email.
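The same "Possible Spam" rule created from the Exchange Management Shell instead of the console, as an added example that is not part of the original article. It assumes an on-premises Exchange server (2010 or later) and a shell opened with Organization Management rights; the rule name is a placeholder.

```powershell
# Added example: build the attachment-name transport rule from the shell.
# Each extension from the walkthrough becomes a pattern anchored to the END of
# the attachment name, so "invoice.zip" is flagged but "report.exe.txt" is not.
$Extensions = 'exe', 'html', 'doc', 'docx', 'jpg', 'jpeg', 'zip', 'rar'
$Patterns   = $Extensions | ForEach-Object { '\.{0}$' -f $_ }

function New-PossibleSpamRule {
    param(
        [string]   $Name = 'Flag risky attachments',   # placeholder rule name
        [Parameter(Mandatory)] [string[]] $Patterns,
        [string]   $Tag  = 'Possible Spam'
    )
    # Idempotent: update the rule if it already exists instead of duplicating it
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Set-TransportRule -Identity $Name `
            -AttachmentNameMatchesPatterns $Patterns `
            -PrependSubject "$Tag "
    } else {
        New-TransportRule -Name $Name `
            -Comments 'Warn users about attachment types commonly used to deliver ransomware' `
            -AttachmentNameMatchesPatterns $Patterns `
            -PrependSubject "$Tag " `
            -Priority 0 -Enabled $true
    }
    # Return the stored rule so condition, action and priority can be verified
    Get-TransportRule -Identity $Name |
        Select-Object Name, Priority, State, AttachmentNameMatchesPatterns, PrependSubject
}

New-PossibleSpamRule -Patterns $Patterns
```

Send yourself a test message with a renamed .zip attachment to confirm the subject is rewritten before relying on the rule.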
3. User permissions: review NTFS permissions carefully every time you deal with them, for instance on folders shared from the server. If a shared folder grants 'Everyone' write permission and a user's system gets infected, you are in trouble. Apply the "least privilege" principle, granting as few permissions as possible to limit the potential damage. Also, consider preventing users from being local administrators on the endpoints.
4. Minimize the number of mapped shared folders on endpoints (ransomware can encrypt every accessible file, even if it is located in a shared folder).
5. At this point, many antivirus programs are able to detect and remove the malware, but decrypting the data is not possible without the key. Keep your antivirus updated so it can detect and remove the malware before it acts.
6. Keep your systems up to date and patched with the latest security patches the manufacturer releases.
7. Enable the "System Restore" option so that the system can be restored to the state it was in before the ransomware infection occurred.
8. Consider applying a software whitelisting solution (e.g. Windows AppLocker or a commercial solution). A good software whitelisting solution can help prevent malicious software components like ransomware from executing.
9. Consider applying a third-party anomaly-based detection solution to locate malicious activity and files.
10. Update your operating system and third-party software regularly (for example, Internet Explorer 8, which is vulnerable to browser attacks, and the Adobe and Java software components, which are known for multiple new vulnerabilities every year).
11. Do not allow peer-to-peer (P2P) communication in your network. Ransomware and many other malware and bots communicate with their command and control center via P2P. Disallowing it will help keep your network safe.
12. Use security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.
13. Consider preventing the execution of macros in files (e.g. Microsoft Word / Excel). This can be done via Group Policy.
14. Consider restricting the connection of mobile devices, USB devices, CDs and even floppy disks to the endpoint (this can be done with third-party solutions and also by applying Group Policy restrictions).
USB ports can be blocked on the system to prevent any unauthorized access. Malware, once introduced to a system via USB, can spread through the LAN and affect all other systems.
USB storage access can be disabled on the system with a registry tweak:
- Go to Run and type 'Regedit'.
- Navigate to the key: ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR’
- Select ‘Start’ from the right pane, and change its ‘Value data’ to 3. This will disable the USB storage.
15. Avoid using unknown antivirus programs on your system, even if they claim to remove malware from your network or system. Ransomware encryption cannot be broken easily and the data cannot be decrypted without the key. So if an unknown antivirus program claims it can break the encryption quickly, be wary: it is very likely another type of malware.
16. BACK UP ALL your data regularly. I have seen clients affected by ransomware where the only thing that saved them was a successful backup. Performing a backup of all your critical data to an external drive, NAS or SAN that is isolated from your system is very useful. If you are a large organization, develop a BCP (Business Continuity Plan) and a BDR (Backup and Disaster Recovery) plan. The BCP covers all aspects of ransomware attacks and mitigation techniques, along with the details of the backups you can take for your organization. There are many backup solutions on the market that can assist you in backing up your data to external storage or a remote location, e.g. cloud storage.
Aside from third-party solutions, Windows also provides backup utilities within the Windows and Windows Server operating systems. Continuous backups of important files can be stored on external drives and NAS. In addition, System Restore points can be saved frequently. Windows also uses Volume Shadow Copy, which can keep previous versions of important and critical data. To revert to a previous version, right-click the file and go to Properties. If System Restore or Shadow Copies are enabled, the Previous Versions tab will appear in Properties, listing all the previous versions of the file. Choose the version you want to restore and save it to the existing location, or choose another location to save it to.
17. Apply adequate network segmentation via firewalls to contain a malware's lateral movement (spreading to other endpoints and servers in the corporate network using the credentials of a compromised user).
18. Implement an IPS (intrusion prevention system) between the corporate network segments, if you have not yet done so. Consider applying IPS to outgoing communication as well. Update the IPS signature database regularly.
19. Web filtering – consider applying a web filtering solution that prevents access to untrusted websites and blocks downloaded files (e.g. .exe, .zip, .rar, .jar, .scr, etc.). If possible, use "surfing virtualization" solutions like VDI, Citrix Smart Browsing, Jetro Secure Browsing, etc. This minimizes the possible effect on internal endpoints because the browsing does not actually happen on the internal endpoint.
20. A mail relay solution will help filter incoming emails. Apply rules that block incoming emails with attachments like .zip, .rar, .exe, .scr, .jar, .js, .bat, .cpl, etc. Allow only what is required for ongoing work, and consider restricting incoming PDF attachments and MS Office documents with macros if possible.
21. Consider applying a "sandbox" solution that checks every incoming file that originates from the email infrastructure or is downloaded from the Internet.
22. Disable AutoPlay through Group Policy or the registry.
23. Disable Windows Script Host, enabling it only for the user groups that need it.
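The three registry-based hardening steps above (USB storage, AutoPlay and Windows Script Host) applied from an elevated PowerShell prompt, recording the previous value of each setting so the change can be rolled back. This is an added example, not from the article; it uses Start = 4 for USBSTOR because that is the value Microsoft documents for disabling the driver (3 is the driver's default demand-start value).

```powershell
# Added example: apply and record endpoint hardening registry values.
# Each entry: registry key, value name, DWORD to set, and why it is set.
$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Value = 4; Why = 'Disable USB mass storage driver (4 = disabled)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 0xFF; Why = 'Disable AutoPlay for all drive types' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Name = 'Enabled'; Value = 0; Why = 'Disable Windows Script Host (.vbs/.js) for all users' }
)

function Set-HardeningValue {
    param([Parameter(Mandatory)] [hashtable] $Setting)
    # Create the key if policy has never been set on this machine
    if (-not (Test-Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
    # Read the current value first (null if the value does not exist yet)
    $current = (Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue).($Setting.Name)
    Set-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Value -Type DWord
    # Return a record of the change for the change ticket or a rollback script
    [pscustomobject]@{
        Key      = $Setting.Path
        Name     = $Setting.Name
        OldValue = $current
        NewValue = $Setting.Value
        Purpose  = $Setting.Why
    }
}

$Settings | ForEach-Object { Set-HardeningValue -Setting $_ } | Format-Table -AutoSize
```

Log off or reboot afterwards so that Explorer and already-mounted USB devices pick up the new values.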
Actions to be taken in case of a ransomware infection:
1. Isolate the station from the corporate network to stop the ransomware's encryption process from spreading (e.g. pull the network cable or isolate the station via corporate NAC; you can also consider having a separate VLAN dedicated to such scenarios, which can help your IR team).
2. After isolating the station from the network:
- Do a damage assessment to understand what was encrypted, and check whether there is a valid backup you can restore your data from.
- Paying the ransom is not always a good idea, as the money is the "fuel" that keeps these criminals running, and you have no guarantee that your files will actually be decrypted even after paying (so you may well have paid for nothing).
- Not recommended – if you have "nothing to lose" and losing your files is much more expensive than paying the $400, you can pay and cross your fingers that it works.
- It is recommended to fully format the infected station to eliminate any residues of the malware.
3. Investigate – the investigation phase is basically the aftermath analysis that will help you apply countermeasures to minimize the likelihood of your organization getting infected again (all the suggestions written above).