What Ransomware Delivers
One early morning in May 2017, a nurse walked into her ward. She switched on her computer, ready to log in for the busy day ahead. She checked her emails and noticed an urgent message from IT, stating, “Shut down your computer as soon as you see this message. The hospital has been infected with malicious software.” A sense of panic set in. Hospital IT officials went around to each section and ward in the hospital to ensure all of the computers were shut down. The hospital itself, effectively, was shut down, having to turn patients away.
The hospital in question was one of many organizations, small and large, across the world that had been infected with the ransomware variant, WannaCry. In 2019, over 500 schools in the U.S. were attacked by ransomware. Among the many hospitals hit by ransomware, three had to close their doors to all but critical patients. New ransomware families continue to enter our networks, encrypting our files and documents and causing untold and ongoing damage. This seemingly intractable position is why we invented CryptoStopper.
This is our story of fighting against a tidal wave and seeing it turn. Ransomware is a sinister force, but with the right approach and tools to augment our anti-ransomware stance, we can take on the global wave of cybercrime with extortion at its core.
How We Got to This Point - A Brief History of Ransomware
In the relatively short history of computers, we have witnessed many ways that our IT systems can be exploited. More than any other type of cyber-attack, ransomware stands out as being the most sinister and insidious. In 2019, the average ransom requested during an attack on an SMB was $5,900, a 37 percent year-over-year increase. Add to this the fact that the downtime costs alone are 23 times that of the average ransom, and you have a disaster waiting to happen.
In June 2019, the City of Lake City, Florida was a victim of a major ransomware attack. The city ended up paying $460,000 to the cybercriminals behind the attack. The ransomware strain was a well-known strain called Ryuk; the cybercriminals behind the Ryuk attacks have pocketed at least $3.7M since its first appearance in August 2018. Once the ransomware infection took hold in the Lake City offices, the city offices were effectively shut down. Even backups were affected. With incidents of this nature, there is also a great personal cost from the cyber-attack. Brian Hawkins, the Head of IT, lost his job because of the event.
How did we get to this point? Where did what is arguably one of the most damaging types of malware come from? Here we take a brief look at the past and present of ransomware, and a glimpse into its future.
Ransomware - The Early Days
We often think of ransomware as being a very modern type of malware, but it is quite old in computing terms. One of the key goals of ransomware is to find a way to extort money without the cybercriminal being tracked. In 1989, an early version of ransomware known as the “AIDS Trojan” was released. This emerging form of ransomware hid directories and encrypted file names. The malware then instructed the victims to send $189 to a PO Box to ‘renew their license.’ The PO Box method was meant to hide the identity of the cybercriminals. It didn’t, and they were subsequently arrested. The AIDS Trojan attack vector was the floppy disk. Even so, extortion combined with protection of the cybercriminal’s identity remains the modus operandi of modern-day ransomware.
Things went quiet on the ransomware front for a few years after the AIDS Trojan events. In 2006, we saw the development of the malware variants PGPEncoder and GPcode. The new ransomware on the scene came with a number of the hallmarks of modern ransomware; gone were the days of floppy disk delivery of malware.
The 2006 versions were delivered via email. The malware also used RSA encryption to encrypt documents before the demand for ransom was made. In 2009, bitcoin was invented. This changed the ransomware landscape, upping the ante and making it even easier for ransomware to carry out its sinister job.
Bitcoin is a cryptocurrency based on a decentralized platform. The currency was developed out of a paper “Bitcoin – A Peer to Peer Electronic Cash System” by Satoshi Nakamoto (a pseudonym). This design from Nakamoto was revolutionary and a turning point in the history of ransomware, offering a much-needed mechanism to hide the cybercriminal’s tracks. The underlying cryptographic mechanisms that make up the decentralized platform that bitcoin is based on make it very difficult to trace anyone who trades in bitcoins. This fact took ransomware to new heights and gave the cybercriminals behind ransomware a way to mask their bad deeds, allowing the malware to propagate, unfettered.
‘CryptoLocker’ demanded a ransom payment in bitcoin and changed the face of ransomware forever. Now, bitcoin and other types of cryptocurrency are used to extort money from victims because of the inability to track the currency. The only downside is the volatility of the currency. Since the advent of bitcoin, we now have entire families of crypto-ransomware; this includes CryptDefense, TorrentLocker, CryptoWall, AlphaCrypt, Ryuk, WannaCry, BadRabbit, etc.
Ransomware in the Near Future
Ransomware is very successful, but things can always be enhanced. New variants of ransomware that are even more stealthy and more difficult to detect have recently entered the landscape. Fileless ransomware, which leaves no trace on a computer, is a major threat across the U.S.
In 2017, Trend Micro first detected the fileless ransomware Sorebrect. Ransomware like Sorebrect is multi-faceted. It covers its tracks by a number of means. Using a self-destruct mechanism and deletion of event logs allows the ransomware to evade detection by traditional tools like anti-virus. In a report into the problem of fileless attacks, Ponemon Institute stated: “Fileless malware attacks are estimated to account for 35% of all attacks in 2018, and they’re almost 10 times more likely to succeed than file-based attacks.” Smart ransomware, which cleverly disguises itself, will continue to morph to execute its main job - encrypt your files to extort your money.
Another option that encourages the propagation and mass use of ransomware is to make it more accessible to the criminal agents using it. Just as business has turned to Software-as-a-Service (SaaS) to have access to enterprise-level software, so too, the cybercriminal element has created Ransomware-as-a-Service (RaaS).
RaaS works like an affiliate or rental service. The cybercriminal using RaaS does not need to have any special programming skills - they just rent the ransomware. This change in tactics means that ransomware can be used by a much wider audience. The RaaS, available for purchase on a darknet marketplace, comes as a package with instructions on use. The package will include all of the pieces of the ransomware puzzle, which may include phishing emails, spoof sites, and malware.
Common Ransomware in the U.S.
The following top ten list was taken from the Emsisoft “State of Ransomware in the U.S.” Report, Q1 to Q3 2019. The percentage shown reflects the number of infections for each strain, across industry, during that period. Among the affected sectors, 500 U.S. schools were impacted, with one U.S. governor declaring a state of emergency because of an outbreak of ransomware attacks. 2019 also brought a flood of attacks against U.S. cities.
In the latest FBI US-CERT Alert on ransomware threats, they warned: “Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”
Cost of Ransomware
Ransomware costs tripled in 2019. The cost of an attack (including the ransom, downtime, and other costs) averaged $36,295; the amount of downtime from an attack averaged 9.6 days. A study carried out by Google in 2017 estimated the revenue raised by cybercriminals from ransomware was $25,253,505.
How Ransomware Works
Ransomware Attack Vectors
Knowing how ransomware can get into your systems goes a long way to aid in the development of preventative strategies.
The saying “prevention is better than the cure” describes how best to deal with the current ransomware situation. Fortunately, there are some basic areas of security hygiene, awareness, and technical measures that can be taken to mitigate the likelihood of ransomware infection.
Following is CryptoStopper’s Ransomware Prevention Checklist. Using this checklist should be part of your organization’s standard security strategy.