Ransomware wars

It begins much like any other day at the office: you are working away on your computer when you receive an email informing you that an invoice has arrived. It directs you to download the invoice using the link provided. Without giving it much thought, you download and open the file. Sometime later, you discover you can no longer access your files and that several copies of a file named “DECRYPT_YOUR_DATA.txt” have been created.

It is a chilling moment. Sensitive files on your computer, and probably on the network you are connected to, have been encrypted. They have effectively been taken hostage in one of the fastest-growing forms of cybercrime: ransomware attacks.

What is ransomware?

Ransomware, as the name suggests, is a malware designed to make a target’s data unusable or to prevent access to systems until a ransom – typically in hard-to-trace digital currency – is paid. Ransomware differs from other types of cyberattacks in that the objective is to make the victim pay money to the perpetrator directly, while other types of malware attacks often take more effort to monetize.

Another key difference of ransomware is that the goal is not to steal data, but to deny access to it until money has changed hands. That makes it about availability, whereas other cyberattacks seek to breach confidentiality (stealing personal data, credit card information, etc.) and compromise integrity (as privacy breaches must be disclosed to the authorities based on the data protection laws).

The lucrative and fast pay-off, combined with its stealth and relative anonymity of the transactions, has made this type of cyberattack increasingly attractive to criminals.

A global war

Indeed, ransomware attacks have reached epidemic levels across the globe. Only last week, Deloitte cyberthreat intelligence teams reported on two new variants of the SamSam ransomware, new TeslaWare ransomware and re-emergence of Locky ransomware.

SamSam ransomware was reportedly discovered by researchers at MalwareHunterTeam. Bitcoin transactions to SamSam’s operator(s)’ address totalled US$33,000 in one week, indicating that attacks spreading the new SamSam variants have been successful and lucrative for the ransomware’s operator(s).

Showing how easy it is to perform an attack, new ransomware “TeslaWare” is being advertised on black-hat criminal websites for purchase at prices ranging from 35 to 70 euros. Although this ransomware is not the most sophisticated piece of software, it virtually plays Russian roulette with the victim’s files attempting to delete 10 random files from the victim’s desktop or subfolders.

A case of Locky ransomware re-emergence provides an example of the evolving spam email campaigns delivering the ransomware to the victims’ computers. A first wave of distribution used the emails with invoice-themed subjects “Copy of Invoice – random numbers” and included malicious zip archived attachments. The unzipped attachments contained malicious executable files for Locky ransomware. In the second wave, Locky ransomware was delivered via spam emails having subjects “Emailing-PDF random numbers” with a malicious pdf-file attached. When opened, the pdf-attachments included malicious macro-based Word documents. Once a user enabled the macro, a request to a remote server was completed and the macro downloads an encoded payload of Locky ransomware. The encoded payload finally dropped Locky ransomware onto the infected machine.

While those two waves primarily targeted older versions of Windows, the third wave is expected to target all versions of Windows operating systems, including Windows 7.

The cases described above are typical ransomware incidents, traps any computer user can potentially fall into. A newer and more sinister development is targeted ransomware, in which individual organizations are pursued and, once infected, might take a couple of months to paralyze a system before demanding a ransom. Ransomware is becoming highly sophisticated: some recent variants can gain access without connecting to the internet at all, making its source virtually untraceable.

Of course, Cayman is not immune and is being equally threatened by global campaigns, both opportunistic and targeted. The number and the severity of the attacks have significantly increased in the past year, with more sophisticated campaigns being launched against targets with deeper pockets and more motivation to pay quickly.

Lessons from the trenches

It is not unlike families being willing to pay kidnappers whatever is required to release their loved one from captivity. Given the parallels in criminal strategy, it may not be surprising that the methods used by teams dealing with human kidnapping incidents can be successfully adapted to a cyber-environment. Deloitte teams found these strategies effective when negotiating with ransomware criminals to gain time, reduce the ransom amount, and resolve the issue quickly.

As with any malware threat, prevention is the best defense. It is especially important since, unlike other types of malware, ransomware is increasingly more difficult to detect: only a single call – if any – to the internet is required to launch it.

Thus, the organizations need to start by ensuring they have the right cybersecurity system and strategy. That would include developing a backup strategy for critical systems and data, practicing good cybersecurity hygiene, such as keeping up to-date with all patches, monitoring network activity and proactively managing permission levels. It also requires training employees to be wary of emails, as social engineering is the top way this type of malware gets into the networks of target organizations.

While prevention is a vital first step in protecting the organization, it cannot eliminate the risk altogether. It is also necessary to prepare for a successful breach by establishing a ransomware incident response strategy with a well-defined protocol. This establishes clear negotiation guidelines that help to gain more time or follow the right steps to recover the data or prevent another attack.

A clear protocol may assist the organizations in assessing whether their data would be released upon payment or if they would run into a higher chance of being on the target list after the payment.

Once this strategy is in place, it is important to follow the steps of the methodology.

As soon as you realize ransomware may have entered the system, the responders should refer to the protocol and follow the steps in sequence.

First of all, the organization needs to determine the extent of the damage, i.e., to find out how many files have been encrypted and how the particular strain of ransomware is affecting your operations. The organization should also assess the potential impact to reputation should the breach be made public.

Following this assessment, the affected systems should be isolated as most ransomware is designed to spread through your network as quickly and quietly as possible. Identify which systems have been affected and segregate them quickly to prevent further infection.

While performing these processes, it is important to resist an urge to unplug from the network, as this would result in a loss of the tactical advantage. If the system is still connected, the organization can watch the ransomware work and see how deeply it unravels. If the system is unplugged, you cannot see if the malware has replicated itself, deleted recovery points, or opened a backdoor that will allow access to future infiltrations and it would be hard to assess if the organization would be faced with further extortion sometime down the line.

As part of the recovery stage, it is important to check the backups for infection before they are deployed. Using backups could be the best option to restore operations swiftly, but only if the malware has not affected them too.

A critical question that the organization would face based on the above assessment is “should you pay?” If the network is compromised and the organization exhausted all options, such as deploying backups or stalling for time, they should consult before deciding to pay the ransom.

Experienced cybersecurity professionals can negotiate with the adversary to resolve the situation efficiently and quietly. In the meantime, the organization should not categorically refuse to pay since they do not know what the consequences may be; the attacker could destroy the unique decryption key so that you can never regain your data, for example.

As a strategy, the organization could tell them that they would pay, but need to sort out payment details. This buys the essential time to follow the steps of their ransomware incident response protocol.

After the incident, it is also critical to improve the future prevention strategy. The organization should use the threat intelligence gathered from the attack, establish clear security policies, and educate all your teams.

Alexandra Simonova is a Risk Advisory Senior Manager at Deloitte in the Cayman Islands. The information in this article is based on Deloitte material and other publicly available sources.