Ransomware - Threat Landscape, Mitigation and Recovery

Vijay Yadav
Published in CloudTechOffice
Mar 21, 2022

The goal of ransomware is to encrypt a victim’s information and hold it for ransom. A user’s or organization’s critical information is encrypted so that it cannot be accessed, and a ransom is then demanded for the information to be released.

How does a ransomware attack unfold?

Ransomware uses asymmetric encryption: a pair of keys is created, one to encrypt a file and one to decrypt it. The public key is used to encrypt files, and only the matching private key, which the attacker keeps, can decrypt them.

Successful system exploitation causes the ransomware to drop and execute a malicious binary. This binary then searches for and encrypts valuable files, such as Microsoft Word documents, images, databases, etc. Ransomware may also exploit system and network vulnerabilities to spread further.

After the files are encrypted, the ransomware prompts the user to pay a ransom within 24 to 48 hours to have them decrypted, or they will be lost forever. If no data backup is available, or if the backups have been encrypted as well, the victim is left with paying the ransom as the only way to get the files back.

Attacker

• Emergence of determined adversaries who are well resourced

• Think “organizations stealing data with full-time employees (FTEs),” not casual hackers or “viruses”

• Attack tooling and speed of updates improving drastically

• Specific targeting of organizations, people, and data

  • Maintaining profiles of your people plus your organization

Defender

• Technical debt / legacy systems

• Fragmented security tooling

• Excessively permissive administration practices; environments not designed to withstand credential theft class attacks

• Lack of budget and staff

• IT security resources trying to defend every system equally

• Reputation impact concerns hamper defender collaboration

Attack services are cheap

Human Operated Ransomware

Human operated ransomware is (painfully) forcing organizations to address longstanding security hygiene and maintenance issues, and as a business model it is likely to keep growing. Ransomware existed in small pockets before, but the business model took off in 2013 with the introduction of CryptoLocker.

The next step in ransomware evolution can be traced to WannaCry and (Not)Petya, which merged large scale compromise techniques with an encryption payload that demanded ransom payments in exchange for the decryption key.

This fusion of targeted attack techniques with the extortion business model led to the new generation of human operated ransomware that started appearing around June 2019.
