The Proliferation of Ransomware (Part 1 in a Series on Ransomware)
Ransomware has frequently appeared in the news lately due to high-profile incidents at hospitals and businesses and the sheer volume of ransomware campaigns in the wild. Multiple hospitals have reportedly been victimized by disruptive ransomware attacks and some have ultimately paid a ransom to unlock their business-critical files. For example, after experiencing more than a week of disruption in hospital operations due to inaccessible health-system related files and offline computers, a hospital in Los Angeles reportedly paid the Bitcoin equivalent of about $17,000 in ransom.[i] The FBI and US-CERT[iii] have disseminated advisories about the growing risk of ransomware variants, often accompanied with technical indicators to aid network defenders.
Crypto-ransomware (often referred to as simply ransomware, including here) is a type of malware that maliciously encrypts victim files (focusing on common user file types based on extension) so that they are inaccessible, securely deletes the original user files so that they cannot be recovered, and then displays a ransom note demanding that the victim send payment (typically via the popular crypto-currency Bitcoin) by a deadline in order to decrypt and recover their own files. Some variants of this malware imitate law enforcement claiming that the victim’s computer has been storing illegal content or used for illicit activity, which initially made the malware known as “scareware”. While the vast majority of ransomware samples in the wild target Windows systems, some variants target other operating systems such as OS X and Linux,[iv] as well as the mobile Android OS[v]. In the absence of effective security controls and backups, a ransomware attack can be potentially devastating to individuals and enterprises alike. As in the case of the beleaguered hospitals, some victims ultimately choose to pay the ransom as a last resort to get their important files back.
Figure 1: CryptoWall 4.0 ransom note sample. Credit: https://www.cryptowalltracker.org/cryptowall-4.html#ransomnote
Several factors have contributed to the recent proliferation of ransomware. Ransomware is generally well-known as a very profitable business model for cyber criminals. For example, at its height, Locky ransomware has been estimated to generate as much as $1 million per day (based on the high end of 1 BTC per ransom demand) in ransom payouts by its numerous victims.[vi] Past research into 4 destination Bitcoin addresses used by the prominent, but now-defunct CryptoLocker ransomware showed 41,928 BTC valued at $27.78 million being moved over about a two-month period in late 2013,[vii] although that high of an estimate may be inaccurate.[viii] For a more conservative, generic estimate of ransomware revenue, suppose that a cybercrime gang sends out tens of thousands of phishing emails daily with their custom ransomware payload, but only manages to successfully infect an average of 1,000 computers per day, and only 2% (20 victims per day) pay the ransom set at 0.5 BTC, which is worth approximately $330 at the time of writing. Given these figures, the illicit revenue would amount to approximately $6,600/day, $46,200/week, $200,000/month, and $2.4 million/year. That is still a great ROI (Return on Investment) for the average cyber criminal. Depending on the delivery and maintenance infrastructure, ransomware also fits into the broader cyber crime underground economy with affiliate partners (e.g., exploit kit providers) receiving a portion of the profits.
It is also worth noting that the flat fee paid in ransoms by a subset of victims does not include losses incurred by victims in the form of remediation costs, lost productivity, damage to reputation, and other economic costs. Circling back to CryptoLocker, according to court documents related to the coordinated takedown of its associated Gameover Zeus botnet, interviewed victim businesses sustained $30,000-$80,000 in costs to remediate and recover from CryptoLocker attacks.[ix]
Another factor behind ransomware’s rise is its relatively low barriers to entry. The same common vulnerabilities that lead to other types of commodity crimeware infections such as banking trojans will also easily accommodate ransomware. Similarly, the same delivery systems that reliably work for propagating mass infections also readily accommodate ransomware delivery. Delivery mechanisms such as phishing, exploit kits, and malvertising reliably and repeatedly work for rapidly spreading a variety of malware including ransomware[x], and such techniques often rely on exploiting common vulnerabilities such as the seemingly endless supply of Adobe Flash vulnerabilities or simply social engineering the victim. Ransomware variants are known to closely mimic preexisting ransomware families, and some variants may even “borrow” code from existing ransomware samples or publicly available encryption algorithm code. Unfortunately, the emergence of Bitcoin and other decentralized, semi-anonymous crypto-currencies have also facilitated the ease of running a ransomware business, allowing cyber criminals to get readily paid in a not easily traced, yet user-friendly process. The ransom note instructions are often accompanied by instructions to conduct the transaction using the anonymizing Tor network.
Figure 2: Part of CryptXXX decryption instructions; note the .onion Tor URL and detailed Bitcoin payment instructions. Source: http://malware-traffic-analysis.net/2016/05/26/index.html
On the other hand, implementing encryption correctly, even for malicious purposes such as crypto-ransomware, is not necessarily an easy task. Poorly designed ransomware variants are known to store and/or send their decryption key in cleartext on victim systems[xi], allowing the victim (or their IT security staff) to readily find it and use it to decrypt their locked files without resorting to a ransom payment. As a microcosm of the malware offense vs. defense scene, ransomware developers are continually improving (or borrowing) their strong encryption techniques[xii] to defeat network defenders and intended victims.
Given the close similarities in code, back-end infrastructure, and front-end ransom messages between many ransomware families and variants, it can be challenging for analysts to readily identify a specific sample. Antivirus solutions often (mis)identify the same sample using a multitude of signature naming conventions, if they detect the sample at all. The following table provides summaries of some of the most commonly observed ransomware families of recent years; it is by no means intended to be an exhaustive list of ransomware families or their behavior.
In summary, the ransomware business continues to grow at the expense of beleaguered enterprise networks and individual victims. While there are many basic similarities between ransomware families, new families and variants are constantly appearing in the wild, often improving upon earlier generations of ransomware or just copying them. Often in direct response to a security researcher’s release of a decryption tool, new versions of ransomware tend to focus on strengthening the encryption implementation and fixing vulnerabilities to ensure that it is impossible to decrypt the maliciously encrypted files without paying the ransom. As is the case for malware in general, it is an ongoing cat and mouse game between ransomware developers and security analysts. Fortunately, by design, ransomware is relatively “noisy” and its kill chain presents multiple opportunities for network defenders to successfully detect and mitigate this type of pervasive threat. Subsequent blog posts will provide concrete examples of highly effective defensive techniques that often require a relatively low LOE (Level of Effort). Such defensive techniques and best practices are effective not only against ransomware, but malware attacks in general.
This is Part 1 in a multi-part series on the ransomware threat. Part 2 will examine the tools, techniques, and procedures (TTPs) commonly leveraged by ransomware, the typical ransomware exploit kill chain, and proactive measures to defend against each stage of the kill chain. Part 3 will analyze a specific ransomware sample in light of the ransomware kill chain and the impact of proactive defenses to detect and disrupt it.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.