
Ransomware
- Cody
- Dec 26, 2024
- 19 min read
Introduction
Scenario 1
You clicked on a strange email one day and didn’t think anything of it. The next day you realize all of your files are encrypted and now have strange names and file extensions. What is going on? You find a note:
“You must pay $10,000 worth of bitcoin in two days in order to get the decryptor key. After two days, the cost doubles to $20,000. Day 4, it goes up to $30,000. If you don’t pay by then, we will delete the decryptor key and your files will be gone forever...”
“Wait. What? My whole life is on there. Pictures of our kids and family members that are irreplaceable. So many memories!” You have personal information that is now compromised; there’s no telling what they will do with that! Is your identity compromised? Suddenly you realize that it is as if they are burning down your house…unless you pay them money you don’t have. So you plead to them through the email they left you. You try to get them to see that these pictures are all you have left of some family members. You try desperately to get them to understand, to realize that you are a human being who they are hurting. But they don’t care. Maybe you were able to talk them down a couple of thousand dollars. But you are still screwed.
You begin to brainstorm. The initial shock is over and now you have to think and act quickly. If you pay the gang, will they even give you the key? Where would you even get the money? Would they come back and encrypt everything again and demand more money? Would paying them encourage them to keep hurting people?
Scenario 2
You are the proud leader of a small hospital which you believe does good for the community. Your company’s mission is to heal and to do its best to help whoever is in need. The hospital runs like a well-oiled machine. For the most part, everything is as it should be. However, the IT team does its best, but they don’t have all the tools they need to truly keep the place secure. The budget just didn’t allow for the staffing to have time for security audits. The team was too busy fixing all the problems that arose. They do the best they can with the money, time, and person power they have…and up until now, it has been fine. Computer security just wasn’t a major priority at the moment.
One night, you get a call. The IT team is panicking, trying to figure out how to get the hospital back online so the medical teams can care for the patients. No one can access patients’ medical records. No care plans. Nothing. All charting is done electronically and paper charting is a thing of the past. There’s no way to know what the patients need anymore because you don’t have any documentation. There is the possibility of compromised patient information and no telling what else. Patients coming in may not be able to get the treatment they desperately need. The possibilities are infinite.
The IT team finds the ransom note which demands $50,000 in Bitcoin to decrypt. If you don’t, in three days, all of the patient records will be plastered on dark web boards for anyone to see and do with as they please. The gang knows that you want to avoid the heavy fines that will be imposed on you by HIPAA for not safeguarding patient data. They are using that knowledge as insurance to receive their ransom.
You are now in the hot seat. Just because there is a huge problem doesn’t mean that patients have stopped coming in. There are now hundreds…no…thousands of patients whose personal information may be compromised. Identities stolen and financial theft. Lost trust by your patients and their families. The entire hospital’s reputation in the community is on the line. The medical teams may not be able to use certain equipment they need to adequately help the patients coming in, since that equipment may be tied to these systems. Fines & settlements of millions of dollars from HIPAA and class-action lawsuits. Not to mention the lives that couldn’t be saved due to being unable to access necessary equipment resources. Maybe that is being dramatic, but you never know. Furthermore, this could be a gang that the government has placed sanctions on, which makes it illegal to pay them the ransom.
So, your files are encrypted by ransomware. Now what? What even is ransomware?
History: What is ransomware?
Cryptography is the practice of modifying or obfuscating information using a cipher key to protect its contents from others who don't have that key. The practice of cryptography has been going on for a long time, as it was seen in Julius Caesar's time (the Caesar cipher, 100-44 B.C.). It was seen in Nazi Germany with the Enigma code that was broken by Marian Rejewski and Alan Turing around World War II. As a child, you may have even practiced encrypting words with a key to hide the words from friends or family, and/or decrypting with some sort of decoder toy. Today, cryptography is the encryption that safeguards our data from malicious eyes through protection gateways that require multiple forms of authentication to unlock.
Criminals originally resorted to kidnapping people and demanding a ransom payment for a safe return to their loved ones. As computers became more and more a part of businesses and individuals' lives, eventually the information held by computers was worth paying for. Instead of having to risk being captured, imprisoned, or killed by kidnapping a physical person, hackers began holding people's digital lives ransom from a safe distance. A lot of times, but not always, ransomware attacks are performed by criminals in nations which don’t extradite people. This makes the ransomware situation even more difficult to combat.
Ransomware sits at the intersection of cryptography and kidnapping. The attackers break into a victim's computer system via a mechanism such as a phishing email attachment, or by using credentials obtained from a previous credential compromise by info-stealer malware; they then install malware and likely a backdoor into the network, encrypt the files, and demand a ransom payment for the unlock key.
Back in 1989, a scientist named Joseph Popp created the first ransomware. It was a 5 1/4 inch floppy disk with a program ("AIDS Information Introductory Diskette") that became known as the “AIDS Trojan”. Popp, a scientist himself, targeted other scientists and researchers who were researching the AIDS disease. It encrypted their computers with a very basic encryption mechanism and demanded payment of $189 sent to a certain address in Panama. Through that payment, you would allegedly receive a key to decrypt your files. Popp was very unsuccessful. But that is not the case with modern ransomware gangs. Many are highly skilled and even government sponsored.
Types of Ransomware Gangs/Strains
Script Kiddies/Hacker Groups
Unskilled attackers may reuse someone else's ransomware and modify it to attempt their mission. According to the Ransomware Hunting Team, many strains of ransomware are like this (see list of resources at the end). Motivations may be money and curiosity, maybe even anarchism. Other hackers and hacker groups may be more cause driven, as in the case of hacktivism. The obvious hacktivist example is the group Anonymous, who went up against many businesses, but I am also reminded of Phineas Fisher (see "Useful Resources"). Phineas Fisher is the hacker name of an individual or hacker group who went up against Gamma Group & Hacking Team for selling their spyware tools to countries who violate human rights. This is just a theory of mine, and as far as I know these groups have not been a part of ransomware, but we may see these types of “Robin Hood” vigilantes targeting companies who have been up to no good.
Malas Locker
Malas Locker is a new ransomware-style malware that I recently learned about in a Hacked podcast (see "Useful Resources") after writing most of this blog post. I think it is worth adding, specifically right here after discussing Phineas Fisher. Malas Locker works similarly to typical ransomware. It encrypts files and leaves a note about how to decrypt them. However, decryption is not by paying a ransom to the hackers, but through donating a specified amount of money to charity organizations. These forced donations are even tax-deductible, so it is a unique variation on ransomware.
RaaS
Ransomware can even be rented in the form of ransomware for hire; or in the way I think of it, Ransomware as a Service (RaaS). Thinking that I was clever and created this term, I soon learned that others had the same idea. RaaS is malware created by skilled programmers and rented out for use by attackers of any skill level and enables anyone without a heart and some bitcoin to commit ransomware attacks. The owners of the ransomware get paid to rent it out and receive a cut of the “earnings”. Motivations for them can be numerous but are likely financial. As we’ll see later, RaaS is becoming very common.
Organized Crime
The mafias and cartels are motivated by money, as with every other criminal venture they are a part of.
Nation State (APTs: Advanced Persistent Threats)
State sponsored or state-enabled hacker gangs have unlimited resources and time because they are working for their governments. We see this often with Chinese and North Korean ransomware hacking gangs such as Lazarus Group (North Korea) and ChamelGang (China). Other examples of APTs, less likely to perform ransomware attacks but equally capable, are the NSA TAO (Tailored Access Operations) and Unit 8200 in Israel. Others, like those in Russia, have the go-ahead to commit ransomware attacks so long as the government gets a cut of the "earnings". While typically these state sponsored cases may be more political or espionage related, North Korea actually performs regular ransomware attacks for the money, as many countries have sanctions against them.
Points of Entry
In the United Healthcare Group (UHG) ransomware attack, yes, the one with the CEO who was recently assassinated, it is reported that ALPHV BlackCat attackers utilized stolen credentials to access UHG computer systems. Being someone on the outside with little information, I would assume that the credentials came from a previous hack and subsequent data breach, likely from an info-stealer malware through a phishing email; or the credentials were stolen when the user clicked a phishing email attachment that was sent directly by the hacker gang.
Other entry points to look out for are MSPs (managed service providers), ISPs (internet service providers), cloud providers, and other contractors. While your systems may be locked down, you have no control over the cybersecurity operations (or lack thereof) of companies that provide your company services and have some form of network access. An example comes to mind from a previous blog post I did, which talked about how Target was hacked through an HVAC contractor: the contractor’s computer had only basic, free antivirus software, and the attackers used the contractor’s Target network access to breach Target’s network. MSPs can perform many different services including (but not limited to) IT, marketing, supply chain, and Human Resources support. ISPs are the very companies that give you access to the internet. Cloud providers often maintain data storage solutions and may even provide some sort of "____ as a service" solution (IaaS, PaaS, SaaS, etc.) and could be another access point. We can even take this a step further, since mobile devices are a big part of companies today: cellular carriers. Your information security program is locked down. Great! But I don’t need to hack your company; I just need to find a flaw in another company that you work with.
We could even take it to the level of supply chain attacks on computer equipment, but you get the point.
Who are you working to protect?
The people you are protecting are just like you. In the case of the hospital scenario, those people came to the hospital looking for help for whatever bad day they were having. When they came for help, they expected to be seen and treated in a timely manner. When the computer systems are all encrypted, they may not be able to get that treatment in a timely manner. And then there are the possible stolen identities. They came for help, not to have their identities stolen. In other companies, customers want to do business with companies that they can trust. Giving their information to criminals eliminates that trust. I know, I know, you didn't hand your customers' data to them. But you didn't secure their data well enough to stop them either.
Meet the Ransomware Gangs
Originally, I planned to give a profile of each of the many different ransomware gangs. Instead I learned that I wasn’t actually looking at the names of specific gangs, but specific strains of the ransomware malware. As I documented key traits of each such as location of origin, signature moves, attack vectors, and targets, I noticed that they all seemed to perform the same tactics. Also, since ransomware gangs often rebrand with a different name, pinpointing who is who can be difficult.
Most ransomware gangs got into target systems through phishing emails or previously stolen credentials, perhaps even capturing credentials through typosquatting or some form of adversary in the middle attack. These initial footholds are all simple and need little skill, as they only depend on a click by the user or the user entering their credentials into something that looks real but is actually malicious. Many are offered as RaaS models for whoever wants to rent them, making it difficult to pin an attack using a certain ransomware strain on any one group. One gang can go dark and another springs up in its place. The targets vary and often seem to be chosen simply through opportunity, the “low hanging fruit” on the internet. What they exploit once they are in the target network to escalate privileges is pretty similar: RDP (remote desktop protocol), VPN (virtual private network services), VMware ESXi (virtual environment software), or other insecure services they find. Threats begin with the permanent loss and/or posting of information, but gangs also commonly threaten companies with denial of service attacks and multiple extortions after payment of the initial ransom. If they know you will pay once, you may pay two or three times if threatened. There seem to be many ransomware gangs, but they all have this very similar profile.
Responding to attacks
Response Time: Containment
Limiting the blast radius of the damage caused and preventing further spread is of utmost importance. Part of this response would be learning of a possible compromise when an employee believes they clicked on a suspect email attachment by accident. The other part of containment would be taking infected networks offline to quarantine the installed malware and prevent further spread. Even so, being proactive in the response by applying protective measures to networks and accounts that could be infected would help guard against spread. You may not be aware of everything the attackers have access to.
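A first step in scoping that blast radius is confirming which shares and hosts actually show signs of encryption. The following triage helper is an added example written for this post, not a tool the post itself describes: it flags files whose bytes look random and carry an unexpected trailing extension (the "strange names and file extensions" from Scenario 1) and text files that read like a ransom note, over a constructed sample directory. The entropy threshold, the compressed-format list and the note phrases are assumptions chosen for the example.

```python
"""Triage helper for the containment step: walk a directory tree and flag
files that look encrypted and carry a bolted-on extension, plus text files
that read like a ransom note. It is a heuristic for scoping an incident
(which shares, which hosts), not a detection product."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Near 8 bits/byte means the bytes look random (encrypted or compressed).
HIGH_ENTROPY = 7.5
# Formats that are high-entropy by design, so entropy alone says nothing.
COMPRESSED_FORMATS = {".zip", ".gz", ".7z", ".docx", ".xlsx", ".pptx",
                      ".pdf", ".jpg", ".jpeg", ".png", ".mp4"}
# Phrases that commonly appear together in ransom notes; two or more hit.
NOTE_MARKERS = ("your files", "encrypted", "decrypt", "bitcoin")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(data: bytes) -> bool:
    """True when at least two ransom-note phrases appear in the first 4 KiB."""
    text = data[:4096].decode("utf-8", "ignore").lower()
    return sum(marker in text for marker in NOTE_MARKERS) >= 2


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Group relative paths as 'suspicious' (high entropy and an extension
    that is not a known compressed format) or 'ransom_notes'."""
    findings: Dict[str, List[str]] = {"suspicious": [], "ransom_notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(data):
            findings["ransom_notes"].append(rel)
        elif (shannon_entropy(data[:65536]) >= HIGH_ENTROPY
              and path.suffix.lower() not in COMPRESSED_FORMATS):
            findings["suspicious"].append(rel)
    return findings


def build_sample_tree() -> Path:
    """Constructed sample directory: one encrypted-looking file with a
    bolted-on extension, one ordinary document, one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="rw-triage-"))
    (root / "report.docx.locked").write_bytes(os.urandom(8192))
    (root / "minutes.txt").write_text(
        "Meeting at 10am. Bring the budget spreadsheet.\n" * 40)
    (root / "README_TO_RESTORE.txt").write_text(
        "Your files are encrypted. Send bitcoin to get the decrypt tool.\n")
    return root


if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(f"{kind}: {paths}")
```

Because compressed formats such as .docx and .jpg are high-entropy by design, the entropy check is only useful in combination with the extension and note indicators, and any hit still needs a human to confirm before a host is declared infected.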
To pay or not to pay
It is a tricky situation when your data is encrypted. You may not be able to do business anymore. You may not be able to access patient information to provide them the care they need. If you don’t pay, you lose your information and must rebuild from the ground up if you don't have backups available. In not paying, you don’t encourage ransomware gangs to continue this path. If you do pay, hopefully you get a decryptor key, and hopefully it even works. If you pay, you get your information back, but you encourage the gang to continue this path. Hopefully they don’t withhold the key and demand more money. Hopefully you found and removed all backdoors installed on your network that would enable the attackers future access. Over time though, new tactics were used to ensure payment. There was no longer any saying “oh well, let’s start over.” You may start over, but they will provide you with some very good reasons why you should pay.
Extortion
The ransomware gang may threaten to blackmail you by publicly posting certain pictures of you or your clients that they stole from your network. In the case of a plastic surgery company that was hit with ransomware, the before-and-after photos of patients’ breast augmentations were threatened to be plastered on the internet for the world to see.
Regulatory Compliance
Data breaches lead to broken information protection laws (think of HIPAA, PCI DSS, GDPR, etc.) which leads to major fines for organizations. Companies that don’t want to pay may be blackmailed to pay the ransom or else risk being handed over to the regulatory organizations.
Ransomware Hunters
If you are lucky, your ransomware’s encryption has been broken by someone and you can avoid having to pay to get your files back. If it has been broken, it is likely due to the Ransomware Hunting Team. This team of vigilantes works tirelessly for free to combat ransomware gangs, giving people back their files while hoping to stop the gangs. Michael Gillespie’s ransomware ID website is a useful tool for such times. There, you can test to see if your ransomware can be broken. Some cannot be broken, unfortunately. If the ransomware is made correctly, you will not be able to break the encryption without the key.
Beware of Paid Ransomware "Breakers"
Companies that claim they can break your ransomware, just like the ransomware gangs, are out to make a buck on other people’s bad days. The Trumann Police Department in Arkansas fell victim to a ransomware attack. They were not willing to pay criminals to help them, but they still needed help. They happened to find Monster Cloud who, for a fee, would use their proprietary method to break the encryption of the police department’s encrypted files. The Trumann Police Department wanted to pay someone who wouldn’t pay the attackers to get their data back. That company actually paid the ransomware gang to get the decryptor key and then lied to the police department about how they fixed it. They likely negotiated the gang down some to make some money on the deal. I am sure this has happened many times. Beware of paid services for this problem. Go to the Ransomware Hunting Team instead, or at least to someone who is transparent about what they are going to do to help you.
Cleaning Up
Backdoors
You can’t be sure that you or your company will not be extorted again by the same criminals. It is likely that all of your files have been copied to their servers. Count on that. But you can prevent further access to your networks by patching holes. There must not be any backdoors left that enable future access.
Protecting against
Tabletop Exercises
Nobody wants to be part of a ransomware attack. But the time your files are held hostage by a ransomware attack shouldn’t be the first time you are practicing the scenario. Similar to any other emergency, preparing for the worst and hoping for the best is key. Tabletop exercises are simulations of events. In this case, you may research the timeline of a real ransomware attack that occurred in your industry and run through a similar situation to create a response plan. This will help the team have a better understanding of what each person needs to do in a similar event. How do we contain the malware and prevent further damage? Who do we need to notify? Who does what and who goes where? What do laws and regulatory agencies require as far as notifications go? Figure out these questions now, not later.
Security Assessments
Part of protecting your IT infrastructure is simply testing to see if the controls that are in place are actually able to prevent attackers from breaking through. A key thing here is that one audit or one penetration test is not sufficient to ensure a secure infrastructure. The threat landscape is constantly evolving. What was considered secure one day will not be secure the next. As attackers' methods become more advanced...or rather, as their methods find new holes in code, good penetration testers will also learn these methods and can mimic malicious actors. Security assessments help companies better understand their attack surface and the vectors that malicious people will attempt to exploit. We design our IT infrastructures with security in mind, but it is the penetration testers' job to find the attack vectors that you didn't think of.
Air-gapping Critical Systems
I have my own thoughts on this security measure. Yes, I agree that critical systems should not be accessible from the Internet. Yes, I believe that networks should be segregated in such a way that a compromise of an employee's computer on the business side cannot be used to access something like an industrial control system, such as power grids, subway systems, water dams, etc. But as Stuxnet showed us, an insider with a flash drive loaded with malware transcends air-gaps.
Effective air-gapping involves contemplating alternative attack vectors and planning accordingly. Stuxnet allegedly involved an insider with a USB flash drive. Turning off USB ports on computer systems and using endpoint management systems like EDR (endpoint detection & response) to quarantine, scan, and block malware from being loaded onto company computers are possible preventative controls. Effective user training is useful in order to help honest employees understand the dangers of inserting unknown flash drives into a computer. Foster the zero trust mindset.
Passwords
At this point, there is a high likelihood that the majority of people who have some sort of online account have been part of a data breach, whether they know it or not. People should not be using passwords that have been compromised in a data breach. Passwords that have been compromised and are still being used are vulnerabilities that need to be patched. Length and complexity requirements are another factor to inhibit access by ransomware gangs. Password managers are a great way to create and store really complex passwords, but a case can be made against password managers and how secure they are.
I am going to make a bold statement: A company is only as secure as the weakest account that an employee maintains. Odds are high that due to the inconvenience of maintaining complex passwords for countless accounts, employees are reusing passwords. True, multifactor authentication is a big help. But there are many ways to bypass MFA.
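The Have I Been Pwned password checker listed under "Useful Resources" lets you check for a breached password without sending the password itself: only the first five hex characters of its SHA-1 hash are looked up, and the match against the returned hash suffixes happens locally (the k-anonymity "range" scheme of the Pwned Passwords API). The block below is an added example, not code from this post or from Have I Been Pwned; it implements that client-side logic against a constructed sample response so it runs offline, and pairs the breach check with the length requirement the paragraph above calls for. The 14-character minimum and the sample counts are assumptions for the example.

```python
"""Breached-password check using the k-anonymity "range" scheme of
Have I Been Pwned's Pwned Passwords API: only the first 5 hex characters
of the password's SHA-1 hash are sent, the lookup returns every known
hash suffix for that prefix with a breach count, and the match is made
locally so the full hash never leaves the client."""
import hashlib
from typing import Callable, Dict, List, Tuple

# A "range fetcher" maps a 5-character hash prefix to the response lines.
RangeFetcher = Callable[[str], List[str]]


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(lines: List[str]) -> Dict[str, int]:
    """Parse '<35-hex suffix>:<count>' lines into a suffix -> count table."""
    table: Dict[str, int] = {}
    for line in lines:
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35:
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """Return how many times the password was seen in breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample data standing in for one API response. The first
# suffix really is the tail of SHA-1("password"); the counts and the
# other two suffixes are made up for this example.
SAMPLE_RANGES: Dict[str, List[str]] = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000",
        "0123456789ABCDEF0123456789ABCDEF012:12",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ],
}


def sample_fetch_range(prefix: str) -> List[str]:
    """Offline stand-in for the API: unknown prefixes return no lines."""
    return SAMPLE_RANGES.get(prefix.upper(), [])


def live_fetch_range(prefix: str) -> List[str]:
    """Real lookup against the Pwned Passwords range endpoint (needs network)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8").splitlines()


def evaluate_password(password: str,
                      fetch_range: RangeFetcher = sample_fetch_range,
                      min_length: int = 14) -> List[str]:
    """Report the two problems this post calls out: breached and too short."""
    issues: List[str] = []
    seen = pwned_count(password, fetch_range)
    if seen:
        issues.append(f"breached: seen {seen} times, must be changed")
    if len(password) < min_length:
        issues.append(f"too short: {len(password)} < {min_length} characters")
    return issues


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-2024"):
        print(candidate, "->", evaluate_password(candidate) or ["ok"])
```

Swap `live_fetch_range` in for `sample_fetch_range` to query the real service; the password still never leaves the machine, only its 5-character hash prefix does.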
MFA
Multifactor authentication adds something you have, something you know, or something you are to the items that an attacker should not have access to. Adding a second factor on top of a username and password makes compromise more difficult. However, it’s not impossible. Standard SMS texting as a second factor is unencrypted and vulnerable to interception by an attacker, whereas authenticator apps generate codes locally on your device. This makes authenticator apps less vulnerable to code interception. Session theft methods using reverse proxy tools like Evilginx insert the adversary between the user and the service they are authenticated to, in order to intercept authenticated user sessions (think cookies) using clever phishing techniques. This is known as an Adversary in the Middle attack (AitM). So beware...yes, MFA is better than nothing, but it is not impenetrable.
FIDO (Physical Authentication Mechanisms)
Improving on multifactor authentication is something you physically have. FIDO2 keys such as YubiKey, Token2, Thales SafeNet eToken, etc. provide a physical form of authentication that can’t be compromised outside of physical theft. An attacker could potentially steal your session token once you’ve authenticated, due to some vulnerability in the system, but they are not going to have your physical authenticator token. However, this token could be physically stolen, so it too is vulnerable given the right scenario.
Cyber Insurance
Some companies find it more worthwhile to place the risk on someone else due to the likelihood of a ransomware attack. One of the problems is that ransomware gangs learned this and would then search for the insurance policies on the victims' networks to figure out what the insurance companies would pay. The ransomware gang REvil was known to do this when they hacked into target networks. As long as insurance companies are making more money than they are losing, they do not care about the ethics of paying criminals, and it can be argued that these insurance companies greatly contribute to the continued success of ransomware gangs. Your data is compromised, regardless of whether you get it back. People’s information has been compromised, regardless of whether it has been encrypted. Have backups ready instead.
Offline Backups
Offline backups are a great way to secure against the loss of data, or at least most of it. While it doesn’t prevent the attack, it ensures operations can continue through rebuilding with data that's ready to be restored. Backups cannot prevent stolen and leaked data, but it is still a necessary emergency-preparedness step to ensure business can continue. In the case of an individual who has suffered a ransomware attack, they too can still restore their backed-up files and pictures, but can't prevent stolen and leaked data. These backups must not be accessible through online access points because one compromised password could enable lateral movement through multiple networks and accounts.
User Training: Mindful Security
User training is a great way to ensure...no...to help the users who may not be so security-focused to be more aware and vigilant of phishing emails and scam callers. The key is education. Understanding the reasoning for the inconveniences that come with phishing email testing, multi-factor authentication, or locking your computer when you leave your desk helps users understand the importance of security policies and procedures. Personally, I am a visual person. Impact comes to me visually. Others may find impact through feeling the possible pain of others (the hardships incurred due to stolen identities and money), while some may hear and better understand impact. Learning turns to wisdom when we can put things into practice. Putting into practice mindful security is easier to achieve by knowing the impact of security compromise.
Patching: Not Just Software
At the most basic layer, patching can tremendously help protect against compromise by ransomware gangs. Patching typically includes updating software as vulnerabilities are discovered and patches become available. This is extremely important and should be completed quickly after awareness of vulnerability patch availability. Having the appropriate notification feeds is also paramount as ignorance in information security is not an excuse that will hold up in court. There are countless exploits out in the wild that are ready to use in an attack by someone with little skill. The reason many of these exploits still work today is because a lot of people do not patch their computers as they should.
Patching also includes being aware of common procedures and considering if the way things are done can be patched to better protect against possible exploits. Are procedures being done in such a way that minimize the possibility of compromise?
Summary
Ram Dass once said when asked about the state of the world at any given moment, with its simultaneous joy, sadness, hatred, violence, compassion, life, death, etc: "Ram Dass, is it hopeful? Yes, it is hopeful...Ram Dass, is it hopeless? Yep, it’s hopeless..." I find it hopeless in the sense that there will always be criminals looking for ways to steal money and leak information. But I am hopeful in that we can better protect ourselves from these ransomware problems and whatever attack vector comes next. We can grow stronger to defend against it by applying basic information security mindfulness to how we run our businesses and secure our personal accounts at home. Perhaps even considering how our businesses make profit can lessen the likelihood of being a ransomware target (ex: Malas Locker). The threat landscape is constantly evolving and we must evolve our security infrastructure and mindset. We must maintain that hacker mindset we talked about in a previous post, in order to contemplate possible attack vectors by ransomware gangs. Ignorance is dangerous, not just for us as security professionals, but also for people who aren't experts in these fields. Security starts with education. The methods I discussed are only a few of the many ways we can become more secure. That is why we employ a defense-in-depth strategy built with many layers that attackers must break through in order to be successful.
Thank you for reading!
Useful Resources:
Many resources were used to dive head first into the rabbit-hole of ransomware to bring you a fairly concise blog post. Knowledge came from books, articles, podcasts, and cybersecurity knowledge I have learned over time.
Bleeping Computer discussing Malas Locker: https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targets-zimbra-servers-demands-charity-donation/
CISA.gov Ransomware Guide: https://www.cisa.gov/sites/default/files/2023-01/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
Hacked podcast episode discussing Malas Locker: "AI Lawyers Are Hallucinating + Hacktivists are Ransomwaring + the Apple is Augmenting Reality"
Have I been Pwned: Password Checker: haveibeenpwned.com/passwords
Modem Mischief podcast episode: "Phineas Fisher"
Monster Cloud: Trumann PD ransomware removal success review: https://youtu.be/Us4Rjp8r9hY?si=xo-P4rttHygh6U_k
Plastic surgery firms targeted by ransomware groups: https://www.hipaajournal.com/fbi-plastic-surgery-offices-targeted-by-extortion-groups/
Ransomware solution trade secret: https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/
TechCrunch: United Healthcare Breach: https://techcrunch.com/2024/10/24/unitedhealth-change-healthcare-hacked-millions-health-records-ransomware/
"The Ransomware Hunting Team" by Renee Dudley and Daniel Golden
"This Is How They Tell Me the World Ends: The Cyber Arms Race" by Nicole Perlroth
To check whether your ransomware is breakable or not, visit the following site. This is Michael Gillespie's ransomware identification resource. The Ransomware Hunting Team doesn't charge for their services and does this strictly out of a passion for breaking ransomware. https://id-ransomware.malwarehunterteam.com/