Ransomware is Coming for Your Organization

Imagine you own an apartment complex. You’re awoken late one night by a barrage of panicked tenants: a criminal snuck in and changed each and every lock. Worse, any attempt to pick or change the locks releases a stink spray into each unit, rendering them permanently uninhabitable. You jump out of bed and rush to the apartment to find a note nailed the front door: “Send Bitcoin and I’ll give you the keys.”

How did this happen? How could this happen? Your building is state of the art: cameras, sensors, even a security guard. The answer, nine times out of ten, is one of your tenants. Mistaking the criminal for a resident, a tenant opened the front door and ushered in trouble. For any organization—apartment, small business or Fortune 500 company—the weakest security link is people. The more people, the more likely one makes a security mistake. Scammers use social engineering, learn apartment numbers and residents’ names, and doors simply open.

Casting a wide net

Every organization is a target, and scammers start by targeting anyone they can reach with automated attacks. Large organizations float on a sea of security risk. Each individual is a lock begging to be tested. Just one loose clasp and attackers have a foothold. Many attacks begin with compromised email credentials, providing access to the corporate directory and address book. Corporate email servers can be compromised in any number of ways:

• Buying user credentials on the dark web / black market
• Logging in via emails/passwords leaked from other services (this is why each and every password should be unique!)
• Tricking employees to divulge credentials on a fake website that looks real
• Any number of other phishing techniques: https://security.berkeley.edu/education-awareness/phishing/phishing-examples-archive

Locking on to a target

These tricks work all-too-reliably. Think of email spoofing as our building’s foyer: though tenant doors are locked, the front door opens often. Once they gain access to a target they deem juicy, the real work begins. Armed with an organizational list, hackers make targeted attacks. Salespeople get emails from “customers.” Accounts payable hears from “vendors.” Some messages include attachments, while others link out to “View this Document.” Our attacker’s goal is to get a target—any target—to open a document. The document runs code which loads a dropper program containing a trojan horse. Emotet, Banking Trojan, Trickbot, and Empire Shell are some of the names of these malicious programs.

Command and Control Center

The trojan program is designed to “phone home” to a remote command center. There, often halfway across the world, our attacker can use the compromised computer at their leisure. Once the trojan is in place and an attacker has remote access to a computer, they’ll unleash a barrage of attacks. This often includes reading your computer’s short-term memory to find administrator passwords. The goal is elevated access to your system and, in turn, your company’s network.

Encrypt & Spread

Once an attacker has system access, they’ll encrypt all of the data on your machine and lock you out. They’ll then “walk” across your network and do the same to every available machine. Have backups? They’ll encrypt those too. Have mirrors? They’ll destroy them. They’ll wipe and lock everything they can touch, leaving only a ransom message and an email address to contact the attacker.

Precautions

Companies get smarter over time. Many keep offline backups, unreachable by any virus. This greatly limits possible damage, leaving little incentive in paying decryption ransoms. Attackers, therefore, take insurance by downloading sensitive files. Ransom becomes blackmail. Don’t pay? They’ll share your internal emails with clients, vendors, or regulators. Imagine the fallout for a healthcare organization that lets loose patient health information and social security numbers into the public domain. Not a good look! 

The Payoff

Once you contact the attacker at their (disposable, untraceable) email address, they’ll set the ransom and send a Bitcoin wallet address. They promise to release your decryption key once they get paid. In most cases, this exchange happens as planned. Ransomers are incentivized to maintain their reputation, lest victims refuse their ransoms. This is, in many ways, similar to real-life kidnapping, hostage & ransom business run throughout the world’s troubled regions.

Rare attackers will up and run away with ransom money, leaving encrypted data. Others amateurishly modify their decryptors, rendering them ineffective, or worse, causing them to inadvertently corrupt all ransomed data. Such victims have no recourse. Cryptocurrency payments are irreversible. Attackers are unknown. Even if a hacker is found, they often reside in countries that refuse to aid prosecutors.

One notable ransomware program is Ryuk. Allegedly developed in North Korea, Ryuk emerged on the dark web and is now regularly used throughout the former Soviet Bloc. Ryuk attacks have crippled hospitals and cities. Notably, though, Ryuk will not infect machines with languages set to Russian, Ukranian and Belorussian.

Preventative Measures

1. Education

Security is all about layers. The best security measures are about educating people. It goes back to the old adage: “Prevention is the best medicine.” A company should:

• Train and test all personnel in cybersecurity basics.
• Add banners to all inbound emails from outside the organization.
• Alter email subject lines to clearly identify external senders. The U.S. Coast Guard adds [Non-DoD Source] to the beginning of subject lines. 

2. Two-Factor Authentication

Multi-Factor Authentication is critical for companies hosting email in the cloud. This means all user logins require, in addition to a password (the first factor), a second proof of identity.

Some services generate unique login codes sent via text message as the second factor. These text verifications are not recommended as they rely on both staff and cell phone carriers to not make mistakes. Attackers can call carriers and have phone numbers redirected to a different device. This provides easy access to your text messages, and therefore your account.

The most effective second factors come via dedicated authenticator apps on a user’s phone. Examples include Google’s Authenticator, Duo, and Okta.

3. Email Security

Even with effective two-factor authentication, and even with the best training, employees can make mistakes. Businesses must, therefore, take extra measures to shield users from possible missteps. Software can sit on top of your organization’s emails to protect users from themselves. Email security products like Mimecast & ProofPoint provide:

• Spam and malicious email filters
• Attachment inspection and filters
• URL link rewrites

The goal of these protections is to prevent an attack from reaching the user by diverting dangerous emails and attachments. URL link rewrites allow the security software to scan the target webpage for danger before a user sees it. The software works across millions of users, so network effects work in your favor by creating a common database of threats.

4. Firewalls

But say an attacker gets past all your countermeasures. Once a computer backdoor opens, attackers aim for remote access via that “phone home.” Obviously, stopping that malicious outgoing call would be great.

This is where a strong firewall comes in. A firewall that performs “layer 7” ¹ inspection can prevent a hacker’s “phone home” call. Firewalls inspect every packet of data sent from your network. In addition to scanning for suspicious external addresses, layer 7 inspections examine each message’s content. If the message content, say a few lines of code, matches known malicious content, the message is stopped. This can be effective even if content is encrypted!

You might wonder, then, what the heck our computer’s antivirus software is doing during this system onslaught? Twiddling its cyber thumbs? Yes and no. Realistically, antivirus software isn’t up to the challenge. It’s fighting outside of its weight class. Think of antivirus software as computer vaccinations: great against the wealth of garden-variety croup and chickenpox, but unprepared against ever-evolving cancers.

5. Next-Gen Antivirus

In addition to a standard antivirus software (which is still useful because the internet is a scary place), companies should employ a “next-gen antivirus” such as Crowdstrike and Carbon Black. These programs integrate artificial intelligence and advanced algorithms into threat detection. Traditional antivirus software recognizes known “bad files.” Next-gen antivirus lives in the cloud, monitoring entire networks for even the slightest anomalies with Machine Learning and other advanced techniques. 

6. Managed Detection and Response

Any anomalies flagged by the next-gen antivirus become entries in a database of potential threats. Typically a company’s IT team doesn’t have enough resources to look into each database entry. Instead, companies hire a Managed Detection and Response (MDR) organization. MDR professionals comb through anomaly lists, separating malicious from benign. Some MDRs split their teams into two groups: spotters and hunters (an homage to military roles). After the spotter identifies a threat, the hunter locks down said threat, hunts its source and destroys it. Examples of MDRs include Arctic Wolf, Red Canary, and Rapid 7.

7. Forensics

After discovering a breach, MDRs work to uncover who/what/when/where/how. Much like in physical crimes, this work is called forensics. MDRs deconstruct the attack’s history and create a step-by-step narrative of how each incursion succeeded and what data was compromised. Companies specializing in digital forensics include Kroll, Fireeye, and a large number of smaller firms.

Forensics are necessary even beyond satisfying curiosity or pointing to future security improvements. In many jurisdictions, and per many contractual agreements, data breaches must be disclosed to regulators and customers. Many US State and Federal regulators require a formal report within 48-72 hours of discovery. This is especially true for organizations with access to private consumer data (financial records, health records, etc.). Specialist law firms and consulting organizations help hold a company’s hand through this post-breach disclosure process.

Aftermath

With corporate cyber risks ever-spreading, it should be no surprise to see the rocket-like growth of cyber insurance products. In addition to paying out for immediate network repairs following an incident, good cyber insurance policies typically shoulder some cost for the vendors and consultants performing forensics, data restoration, breach notification and more. In cases where attackers win, cyber insurance also covers negotiation and payment of ransom. Bad cyber insurance policies will deny claims under the pretense that coverage extends only to the company’s liability, not its lost assets or revenues.

The U.S. government has a stated policy of never paying ransom. Logically, paying ransom encourages future attacks (see: New Orleans, LA). However, payment sometimes seems the rational course. Imagine a case with a $100k ransom versus an estimated network data rebuild cost soaring over $1 million. In this case, paying an attacker to decrypt ransomed data makes financial sense, at least in the short-term.

Cryptocurrencies such as Bitcoin use digital cryptography rather than central banks to secure assets. This makes them nearly untraceable, and therefore, very attractive for cyber attackers. The problem comes in that most companies don’t hold Bitcoin like they do cash, especially not in quantities attackers demand. Buying large quantities of Bitcoin is not always easy; companies can’t just charge their Amex card. A cottage industry of crypto middlemen fills this gap. Companies such as RansomResolve, Coveware, MonsterCoud, and Digital Asset Redemption handle the logistics of obtaining and sending the cryptocurrency ransom.

Doors Open

No matter how many locks, how many cameras or security guards, as digital landlords we must expect the occasional criminal on our premises. What separates changed locks, ransom notes and ruined properties from criminals who leave disappointed with hands in pockets is simple: knowledge. By expecting incursions and their nature, we can breathe easy, knowing our businesses remain secure in the growing digital age.

1. Internet security professionals classify computer-to-computer interactions in terms of seven steps, or “layers.” A more complete discussion of this 7-layer architecture can be found at: https://en.wikipedia.org/wiki/OSI_model