Ransomware has been on an upward trend, notably in Q3 and Q4 of 2016. The main delivery vector shifted from phishing links, which dropped by 50% (source: Proofpoint), to RDP. According to Webroot, two thirds (66%) of ransomware infections in Q1 2017 were delivered by RDP.
For those unfamiliar with the term, ransomware can be summarised as:
Source: Ransomware – Wikipedia
More precisely, ransomware is categorised as a form of cryptoviral extortion, an attack from the field of cryptovirology. Moti Yung published his findings on cryptoviral extortion (cited entries can be read here), where the process was described in three key phases:
- [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
- [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
- [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with his private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack. The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext to the attacker (the asymmetric ciphertext).
Looking at the latest WannaCry outbreak, the process can be defined as the following 5 steps:
The process WannaCry adopts follows Moti Yung’s model above, while also exploiting an SMB flaw to spread across networks.
Further investigation of this flaw will be documented in a later post.
On a side note, WannaKey is a tool that may help recover WannaCry files.
The Effects on Business
EaseUs conducted a report on the leading causes of ransomware infections among both home and work users, and there are a number of figures I’d like to point out:
- 1% was “Lack of Security” – I would like to read into this and get a better understanding of their view of this;
- 46% was “Spam/Phishing Emails” – a large proportion of infections (call it “an attack vector”) came from the same mode of communication; and
- 36% was “Lack of Employee Training”.
Findings differ from report to report (as the user pool varies); however, another report from reputable sources indicates that IT departments/IT “pros” (as they are labelled) believe their own users account for 30% of all risk to a business, only 5% less than the ransomware figure above:
What’s the bottom line in all this, Michael?
Well, we can tell you that the price per crypto attack rose substantially in 2016 (366% in some cases) on the back of these vulnerabilities, as cited in Symantec‘s report:
The average cost of a ransomware attack rose from $373 in 2014 and $294 in 2015 to $1,077 in 2016.
For home users and companies who took the risk of paying to recover their files, there was a significant chance their data would not be returned, according to Kaspersky:
20% (1 in 5) of businesses that paid the ransom never recovered their files.
Lastly, for users and companies who were hit by crypto, Infomedia concluded that the average time to restore from backups was more than 1 business day:
72% of infected businesses lost data for greater than 2 days.
What are we meant to do!?
I am no security expert, but I can suggest a few methods to help mitigate (not eliminate) the threats of cryptovirology attacks.
Ensure you are running current anti-virus software (preferred solutions include additional components such as a firewall and real-time scanning)
Shop around for anti-virus solutions. There is no out-of-the-box foolproof solution to protect you from all threats; however, AVG, Avast! and Kaspersky scored the highest in the Real-World Tests shown below:
Ensure you have an effective (and frequent) backup solution for all your personal data
I cannot stress this enough. Effective backups are important. There are a number of freeware options out there that do the trick; Cobian, DSynchronize and Robocopy will all work, although the websites look really bad…
We will touch more on backups on another post.
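As an added example (not from the original post, and not any of the tools it names), here is a Robocopy backup that writes a fresh dated snapshot on every run instead of mirroring, so an encrypted copy of a file can never overwrite the last good one; the source and backup paths are assumptions you would adjust.

```powershell
# Added example: dated-snapshot backup with Robocopy.
# Assumed paths: $Source is what you want to keep, $BackupRoot is an external or network drive.
$Source     = "$env:USERPROFILE\Documents"
$BackupRoot = "E:\Backups"

# One folder per run. A /MIR mirror would faithfully copy ransomware-encrypted files over
# the backup; a new snapshot leaves every earlier copy untouched.
$Stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$Target = Join-Path $BackupRoot "Documents_$Stamp"
$Log    = Join-Path $BackupRoot "backup_$Stamp.log"

New-Item -ItemType Directory -Path $Target -Force | Out-Null

# /E copies subfolders (including empty ones), /COPY:DAT keeps data, attributes and timestamps,
# /R:1 /W:1 limits retries on locked files, /XJ skips junction points, /NP keeps the log readable.
robocopy $Source $Target /E /COPY:DAT /R:1 /W:1 /XJ /NP /LOG:$Log

# Robocopy exit codes 0-7 are success variants (1 = files copied); 8 or higher means failures.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "Backup finished with errors (robocopy exit code $LASTEXITCODE). See $Log"
} else {
    Write-Host "Backup complete: $Target (robocopy exit code $LASTEXITCODE)"
}

# Keep the newest 14 snapshots and prune the rest so the drive does not fill up.
Get-ChildItem -Path $BackupRoot -Directory -Filter 'Documents_*' |
    Sort-Object Name -Descending |
    Select-Object -Skip 14 |
    Remove-Item -Recurse -Force
```

Unplug or unmap the backup drive once the run finishes: any drive that is still attached when ransomware executes gets encrypted along with everything else.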
Restrict your everyday user account to a standard user, not an administrator
Perform all administrative tasks from a separate account that never uses USB drives or browses the internet. Download the installers (and scan them for malware) from your standard account, then run them as the admin account (heck, use the runas command if you want).
Restricting the account you browse and download with limits what malware can do if it runs under that account: it inherits only a standard user’s rights.
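The runas workflow above, as an added example (not from the original post): from the standard account, confirm the session is not elevated, check that the downloaded installer still matches the hash you recorded when you scanned it, and only then hand it to the separate admin account. The installer path, the admin account name and the expected hash are assumptions to fill in.

```powershell
# Added example: run a pre-downloaded installer under a separate admin account.
# Assumptions: $Installer is the scanned download, $AdminAccount is your separate admin
# account, $ExpectedHash is the SHA-256 you noted when you downloaded and scanned the file.
$Installer    = "$env:USERPROFILE\Downloads\app-setup.exe"
$AdminAccount = "$env:COMPUTERNAME\LocalAdmin"
$ExpectedHash = "<sha256 recorded after scanning the installer>"

# 1. Confirm this shell really is a standard (non-elevated) user, as the post recommends.
$Identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal  = New-Object Security.Principal.WindowsPrincipal($Identity)
$IsElevated = $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($IsElevated) {
    Write-Warning "This session is already elevated; browse and download from a standard account instead."
}

# 2. Make sure the file has not changed since it was scanned. A swapped or tampered
#    installer shows a different hash and is refused.
$ActualHash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($ActualHash -ne $ExpectedHash) {
    throw "Hash mismatch for $Installer - expected $ExpectedHash, got $ActualHash"
}

# 3. Launch it as the admin account. runas prompts for that account's password; the
#    browsing account itself never holds admin rights.
#    (Start-Process -FilePath $Installer -Verb RunAs does the same through the UAC prompt.)
& runas.exe "/user:$AdminAccount" $Installer
```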
Ensure Windows Updates are current
Would’ve stopped WannaCry. Okay, I joke; but security patches from Windows are a necessity, given that they ship an operating system riddled with back doors. Pretty self-explanatory.
Be vigilant when clicking on advertisements, or running applications downloaded from websites
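A quick patch-hygiene check, added here as an example (not from the original post): it reports how long ago the last update was installed and whether the SMBv1 server (the protocol WannaCry spread over) is still enabled. It assumes an elevated PowerShell on Windows 8.1/10 or Server 2012 R2 and later, where the Smb cmdlets exist.

```powershell
# Added example: how stale is this machine, and is SMBv1 still switched on?
# Assumes an elevated PowerShell on Windows 8.1/10 or Server 2012 R2+.

# 1. When was the last update installed? A box that has not seen a patch in months is
#    exactly what a WannaCry-style worm finds first.
$LastPatch = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($LastPatch) {
    $Age = (Get-Date) - $LastPatch.InstalledOn
    Write-Host ("Last update: {0} on {1} ({2:N0} days ago)" -f
        $LastPatch.HotFixID, $LastPatch.InstalledOn.ToShortDateString(), $Age.TotalDays)
    if ($Age.TotalDays -gt 35) {
        Write-Warning "No update installed in over a month; check Windows Update."
    }
} else {
    Write-Warning "Get-HotFix returned no dated entries; check Windows Update history manually."
}

# 2. Is the SMBv1 server still enabled? Patching fixes the bug; disabling SMBv1 removes the
#    attack surface altogether, and modern Windows does not need the protocol.
$Smb = Get-SmbServerConfiguration
if ($Smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
} else {
    Write-Host "SMBv1 server is disabled."
}

# 3. Is the optional SMB1 feature installed at all? (Windows 8.1 / 10 client feature.)
$Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($Feature -and $Feature.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol feature is installed. Remove it with: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"
}
```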
Avoid chat websites and torrent websites at all costs. Those things are riddled with malware and other nasty critters.
Convert to a Linux Environment and live happily ever after
Not so much a joke now; Linux is mainstream! Well, sort of. If you’re a basic PC user, that is, YouTube- and browser-oriented, there is no reason why a secure Linux distribution would not work for you. Think about this the next time your PC gets infected with a nasty bug.
As always, please contact the author if you find any incorrect information, or if you have topics you’d like covered: