Ransomware 101 - Part 2 : Understanding Fundamentals

Sandesh Ajgekar
6 min read · Jun 5, 2022


Now that we understand how ransomware code works, let's dig into some fundamental knowledge about ransomware.

  1. What is Ransomware-as-a-Service (RaaS)?
  2. How does RaaS work?
  3. How does a ransomware attack happen?
  4. What security controls should be in place to prevent a ransomware attack?
  5. How to respond to a ransomware attack?
  6. How NOT to respond to a ransomware attack?

If you still haven't, I strongly recommend that you first read part 1 of this series. The link is below.

What is Ransomware-as-a-Service (RaaS)?

As we all know by now, ransomware is a beautifully crafted nasty little piece of code, but there is an entire industry revolving around it called Ransomware-as-a-Service. The Ransomware-as-a-Service (RaaS) business model is similar to the software-as-a-service (SaaS) business model: it involves selling or renting ransomware to buyers, called affiliates, who pay to launch attacks using ransomware developed by the operators. An attacker with minimal technical ability can carry out large-scale attacks with this model, which makes it more dangerous than ever.

Traditional way of attack vs RaaS way of attack

How does RaaS work?

  1. The developer creates custom exploit code (the payload). The payload is then licensed to an affiliate for a fee or for a share of the proceeds from the attack.
  2. The affiliate updates the hosting site (the RaaS operation site) with the new payload. The RaaS operator sells all kinds of services that may be required to launch the attack.
  3. The affiliate identifies an attack vector and delivers the exploit code to the victim (e.g., via a malicious email or link).
  4. The victim clicks the link or visits the website.
  5. The ransomware is downloaded and executed on the victim's computer.
  6. The ransomware encrypts the victim's files, moves laterally across the network, establishes persistence, destroys data backups, and covers its tracks.
  7. The victim receives a ransom note with instructions to pay the ransom in cryptocurrency; the payment goes to a money launderer acting as a proxy.
  8. The money launderer moves the money through multiple channels to obscure the identities of the affiliate and the developer.
  9. The affiliate sends a decryptor to the victim once the ransom payment has been received.

How does a ransomware attack happen?

There are many attack vectors that a ransomware attacker can use. Some are as follows:

  1. Phishing — A social engineering technique that tricks the user into clicking a malicious link or file, often sent by email, text message or social media, which then infects the system.
  2. Drive-by download — The unintentional download of a malicious file onto the system from a site the user was redirected to, leading to a ransomware infection.
  3. Malvertising — Injecting malicious code into legitimate advertisements.
  4. Exposed services — Misconfigured, internet-facing systems. Attackers exploit common vulnerabilities in them to gain access to the network.
  5. Unsafe physical connections — Connecting a malicious device (a USB drive, etc.) to a corporate system.
  6. Supply chain attacks — Compromising a service provider in order to push a malicious service update that spreads the ransomware to all of its customers.
  7. Ransomware as a Service (RaaS)

For simplicity, let's group the attack vectors into 3 main stages:

Stage 1: Find a way into your network (gain access)

Stage 2: Take control of your systems and connected devices, then deploy the malware payload

Stage 3: Infect systems and connected devices with ransomware (impact)

Ransomware attack stages

Ransomware attacks usually combine several of these attack vectors, which makes them far more sophisticated than any single vector suggests. Below is the MITRE ATT&CK mapping of the REvil ransomware.

https://raw.githubusercontent.com/projsandy/Ransomware-POC/main/Revil_Ransomware.svg

What security controls should be present in order to prevent a ransomware attack?

Ransomware is one of the most common and most damaging cyber-attacks. A single mitigation measure is not enough to stop ransomware. Organizations should adopt a defence-in-depth (multi-layer) strategy that protects against not only ransomware but other types of cyber-attack as well.

In a ransomware attack, BACKUP is a key player. There are 3 types of backup:

  1. Full backup — An identical copy of the entire data set, made periodically (weekly/monthly).
  2. Incremental backup — Backs up only the information that has changed since the last backup of any kind.
  3. Differential backup — Backs up the information that has changed since the last full backup.

You can store backups online, offline or in the cloud. Securing the backups is as important as taking them, since the ransomware will try to destroy any backup it can reach. It is recommended to keep multiple backups stored in multiple physical locations for better security.
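As an added worked example (not code from the original post), the following Python simulation replays a backup schedule against a constructed change log to show which files each of the three backup types copies, and which backup sets a restore depends on; that dependency is what makes a long chain of incrementals fragile when ransomware reaches the backup store.

```python
# Added example, not from the original post: plays a backup schedule against a
# change log to show which files a full, incremental and differential backup
# copy, and which backup sets a restore depends on. All paths and times below
# are constructed sample data ("day" ticks, not real timestamps).

def select_files(kind, files, last_full, last_any):
    """Sorted paths a backup of `kind` copies; files maps path -> mtime,
    last_full/last_any are the times of the previous full / any backup."""
    if kind == "full":
        return sorted(files)
    if kind == "incremental":          # changed since the last backup of any kind
        return sorted(p for p, t in files.items() if t > last_any)
    if kind == "differential":         # changed since the last full backup
        return sorted(p for p, t in files.items() if t > last_full)
    raise ValueError(f"unknown backup kind: {kind}")

def run_schedule(schedule, changes):
    """Replay edits and backups in time order; return [(time, kind, copied)]."""
    files, last_full, last_any, out = {}, -1, -1, []
    events = sorted([(t, "edit", p) for t, p in changes] +
                    [(t, "backup", k) for t, k in schedule])
    for t, what, x in events:
        if what == "edit":
            files[x] = t               # record the file's new modification time
            continue
        out.append((t, x, select_files(x, files, last_full, last_any)))
        if x == "full":
            last_full = t
        last_any = t
    return out

def restore_set(kinds):
    """Indices of the backup sets a restore of the latest state depends on.
    Incrementals chain (every one after the last full is required, so one
    encrypted or lost set breaks the restore); a differential supersedes all
    earlier non-full sets since the last full."""
    last_full = max(i for i, k in enumerate(kinds) if k == "full")
    needed = [last_full]
    for i in range(last_full + 1, len(kinds)):
        needed = [last_full, i] if kinds[i] == "differential" else needed + [i]
    return needed

if __name__ == "__main__":
    # constructed schedule: full on day 1, incrementals on days 2-3, differential on day 4
    log = run_schedule([(1, "full"), (2, "incremental"), (3, "incremental"), (4, "differential")],
                       [(0, "a.doc"), (0, "b.xls"), (1.5, "a.doc"), (2.5, "c.pdf"), (3.5, "a.doc")])
    for t, kind, copied in log:
        print(f"day {t}: {kind:12s} copies {copied}")
    print("restore needs sets", restore_set([k for _, k, _ in log]))
```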

Besides backups, the best way to mitigate a ransomware attack is to implement multilayer protection. Following are some general security controls that can be implemented at every stage of a ransomware attack:

General mitigations at each stage of attack
  1. Password Manager
  2. Update and Patching
  3. Logging and Alerting
  4. Application whitelisting
  5. Cyber Security Training
  6. Multifactor Authentication
  7. Backups
  8. Disable macros
  9. Email domain protection
  10. Principle of least privilege
  11. Secure systems exposed to the internet
  12. Network segmentation
  13. Security tools (anti-malware, firewall, DLP, etc.)
  14. Protective domain name service
  15. Reduce shadow IT

How to respond to a ransomware attack?

The incident response strategy for any cyber-attack is specific to each organization, but the following is a general SOP to consider in a ransomware attack:

1 ) Isolate systems

Isolation should be your first task in any kind of malware attack. The majority of ransomware will scan the target network, encrypt files stored on network shares and try to propagate laterally to other systems. Everyone in the organization should be trained well enough, and have the presence of mind, to pull the network cable of the workstation they are working on as soon as they become aware that files are being encrypted.

2 ) Disable maintenance tasks

Organizations should immediately disable automated system maintenance tasks such as temporary file removal and log rotation on affected systems, as these tasks can interfere with files that may be useful for investigators and forensics teams.

3 ) Take memory dump

You should take a memory dump of the infected system, because important artefacts may still be present in memory and can help decrypt the files without paying any ransom.

4 ) Create forensic image of the systems

Some ransomware decryptors contain bugs that can damage data during the process. To ensure data integrity, you should always create an image of your infected system. If anything goes wrong during the decryption process, you can easily roll back and try again.

If the infected data is not immediately required, you can store the images securely as a backup. Ransomware decryption keys may become public eventually, and in that case you have a chance to get your data back.

5 ) Identify the ransomware

You can identify the ransomware strain you are infected with and then look for any open-source decryptor available online. You can use the CryptoSheriff online tool for strain identification.

Once you have identified the strain, you can search for a decryptor for it. The No More Ransom Project is a very good resource for this.

6 ) Decide whether to PAY the ransom or NOT

You should hire a malware analyst or data recovery specialist to reverse engineer the malware and help you decide whether or not to pay the ransom.

Paying the ransom can be cheaper than the overall cost of recovery and may reduce the disruption, but there are some concerns:

  1. There is no guarantee that you will receive a decryptor from the attacker.
  2. The decryptor you get from the attacker may not work properly.
  3. If you pay the ransom now, you may get targeted again and again by criminals.

How NOT to respond to a ransomware attack?

  1. Do NOT restart infected devices.
  2. Do NOT connect external storage devices to the infected system without a firmware-level write blocker.
  3. Do NOT communicate over the infected network.
  4. Do NOT try to delete files, because you may destroy important malware artifacts.
  5. Do NOT pay the ransom immediately.
  6. Do NOT trust the ransomware attacker at all.
