If You Don't Pay the Cyberattackers, They'll Kill Your Data
Encrypting ransomware is an annoying persistent threat that many IT admins unfortunately write off as an ID10T error they can't do much about. End-user training and targeted backup strategies can serve as effective enterprise countermeasures.
- By Scott Bekker
- 03/30/2015
In this era of advanced firewalls, multifactor authentication and automated-scripted-everything, there's one thing that often remains the weak link in the security chain of many organizations. That's the contents of the gray matter that connects your end users' eyes to their fingers.
Human gullibility is the prime vulnerability exploited by a rash of encrypting ransomware over the last 18 months. Though new ransomware attacks seem less profitable for the criminals who deploy them than they were at their crazy peak more than a year ago, ransomware remains a threat. While it has sophisticated elements, it's not an advanced persistent threat like state-supported system penetration efforts. Let's call it an annoying persistent threat.
Encrypting ransomware typically works its way into a company when an employee reads a phishing e-mail and opens a file that purports to be something else: a FedEx tracking document or a Delta airline ticket are a few common examples. The file installs an executable that begins encrypting files on the PC, and depending on the malware variant, might encrypt files on a server share to which the PC is connected. The shock comes when the user is told that his files are locked and the only way to recover the data is to pay a few hundred dollars' worth of ransom in a cryptocurrency such as Bitcoin. The payment demands typically come with deadlines. Miss a deadline and watch the ransom for the data escalate. The concept of encrypting ransomware has become so mainstream that it served as the plot of an October 2014 episode of the CBS legal drama "The Good Wife."
As a security threat, encrypting ransomware has flown beneath the radar of many IT departments. It emerged as a consumer problem and at smaller companies and agencies. Many IT admins, unfortunately, write off the potential for ransomware incidents as unavoidable end-user errors that merit a slap on the wrist, but can't be helped. But all evidence suggests the problem isn't going away. The good news for IT is that a few relatively simple strategies for dealing with ransomware can also help protect organizations against a number of other security threats involving social engineering.
Origins of Ransomware
The concept of ransomware isn't new. Primarily a consumer problem, it's been around since about 2009, according to a 2012 Symantec Corp. report written about the then-emerging threat. Early-generation attacks often locked a user out of his or her computer with fake FBI or other law enforcement warnings (sometimes triggered by visits to porn sites). The ransom would often be presented as a legal "fine."
Research into the potential for encrypting malware has been around for decades, but it appears the emergence of Bitcoin as a well-known and somewhat understood cryptocurrency paved the way for a more scalable and transactional method for extorting payments from end users.
The perfect storm for encrypting ransomware came with CryptoLocker in late 2013. The malware combined sophisticated phishing techniques, effective piggybacking of a massive botnet, cryptocurrency payments, strong encryption of data and the sheer novelty of the approach to produce a wave of infections. An estimate cited by the U.S. Federal Bureau of Investigation was that CryptoLocker produced $27 million in ransom payments in just two months in late 2013.
Three Types of Teamwork
Jim Flynne, vice president of operations and chief security officer at Carbonite Inc., recalls seeing a steep jump in storage usage in the backup company's datacenter. "It became very clear to us that something was afoot that was not very good," Flynne says. "This was going to be a deluge, we could see it coming."
For Carbonite customers, CryptoLocker was going through and writing new encrypted copies of every file with the hash for locking the file. Because of the way Carbonite automatically backs up files that have changed, along with keeping archived versions for a specified time, CryptoLocker was pushing storage activity through the roof. "In some cases it flat out doubled the size of a customer's backup, other times 40 percent to 50 percent."
In September, Carbonite saw maybe 20 cases, Flynne says. "It escalated very quickly in the following months. September, October, November, December was just a rocket ship ride."
Carbonite quickly got a handle on the situation by building a cross-functional team of security resources, the engineering group, sales and others -- releasing best practices and creating scripts for helping customers restore their data, once they'd worked with a partner or security company to clear the malware off their computer.
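The storage jump Flynne describes can serve as a detection signal on the backup side. The following is an added example, not Carbonite's code or part of the original article; it assumes hypothetical per-account telemetry (protected-set size and daily upload volume), and the field names, the 10x baseline multiple and the sample data are constructed, with only the 40 percent figure taken from the quote above.

```python
from statistics import median

# Constructed sample telemetry (GB). The last entry of each list is "today".
SAMPLE = {
    # Quiet office PC whose files were all rewritten in one day.
    "acct-a": {"protected_gb": 200.0,
               "daily_upload_gb": [1.2, 0.8, 1.5, 1.1, 0.9, 1.3, 1.0, 96.0]},
    # Normal account, no spike.
    "acct-b": {"protected_gb": 50.0,
               "daily_upload_gb": [0.3, 0.2, 0.4, 0.3, 0.2, 0.3, 0.4, 0.5]},
    # Mostly idle account (zero baseline) whose backup doubled overnight.
    "acct-c": {"protected_gb": 10.0,
               "daily_upload_gb": [0.0, 0.0, 0.1, 0.0, 0.0, 0.1, 0.0, 10.4]},
    # Heavy-churn workstation: large uploads every day are normal here.
    "acct-d": {"protected_gb": 100.0,
               "daily_upload_gb": [30.0, 45.0, 38.0, 50.0, 42.0, 35.0, 40.0, 48.0]},
}

GROWTH_THRESHOLD = 0.40   # low end of the jump quoted in the article
BASELINE_MULTIPLE = 10    # assumption: today must be 10x the account's norm
MIN_HISTORY = 5           # assumption: days of history needed for a baseline


def assess(protected_gb, daily_upload_gb):
    """Score today's upload against the protected set and the account's baseline."""
    *history, today = daily_upload_gb
    if protected_gb <= 0 or len(history) < MIN_HISTORY:
        return {"flag": False, "reason": "insufficient data"}
    growth = today / protected_gb       # share of the whole set re-uploaded today
    baseline = median(history)          # median resists one-off large uploads
    # Idle accounts have a zero baseline; floor it so the ratio stays defined.
    floor = 0.001 * protected_gb
    ratio = today / max(baseline, floor)
    # Both tests must pass: the growth test alone would flag acct-d every day.
    flag = growth >= GROWTH_THRESHOLD and ratio >= BASELINE_MULTIPLE
    return {"flag": flag, "growth": round(growth, 2), "ratio": round(ratio, 1)}


def flagged_accounts(telemetry):
    """Return account ids whose latest day looks like a mass file rewrite."""
    return sorted(acct for acct, t in telemetry.items()
                  if assess(t["protected_gb"], t["daily_upload_gb"])["flag"])


if __name__ == "__main__":
    for acct in flagged_accounts(SAMPLE):
        print(acct, assess(**SAMPLE[acct]))
```

A flag here is a prompt to contact the customer and check retained versions, not proof of infection; a bulk photo import or a disk migration can produce the same shape.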
As Carbonite and countless other vendors dealt with a worldwide problem that infected an estimated 234,000 machines through April 2014, another cross-national team was at work. The effort brought together law enforcement agencies from more than a dozen countries, a few universities and several companies including the Dell Inc. SecureWorks unit, CrowdStrike and Microsoft, among a dozen others.
Working together, law enforcement agencies, led by a multiagency effort in the United States, disrupted the GameOver Zeus Botnet and CryptoLocker concurrently in raids and other blocking actions announced in June 2014.
An FBI official at the time of the takedown described GameOver Zeus, the botnet used to distribute CryptoLocker, as "the most sophisticated botnet the FBI and our allies have ever attempted to disrupt." The effort by the FBI led to the immediate end of CryptoLocker as an out-of-control threat.
However, those vendor and law enforcement teams aren't the only cooperating players in this drama. The prime movers are the botnet and malware creators. Charged in absentia by U.S. authorities in the June takedown was Evgeniy Mikhailovich Bogachev of Anapa, a beach resort on the Black Sea near Crimea in the Russian Federation. Bogachev is still at large as of early March, and the FBI issued a new $3 million reward for information leading to his arrest in late February. While Ukrainian authorities were part of the multinational botnet takedown effort, Russian officials were not listed as participating. The London newspaper The Daily Telegraph sent a reporter to Anapa shortly after the charges were filed and found numerous local supporters for Bogachev, including an anonymously quoted officer at the local police station.
The FBI identifies Bogachev "as the leader of a tightly knit gang of cyber criminals based in Russia and Ukraine that is responsible for the development and operation of both the GameOverZeus and CryptoLocker schemes."
Stu Sjouwerman, CEO of security training company KnowBe4 LLC, is following events around encrypting ransomware closely and says the "tightly knit gang" extends far beyond hacking-related technical skills. An entire web of actors is emerging in Eastern European countries as legal entities in their home countries, Sjouwerman says.
"There are escrow services for criminals by criminals that allow criminals to do business with one another. There's a whole supply chain of people that are specializing in the different parts of a phishing attack," he says. "There's people specialized in hacking accounts and stealing data to sell it. There's people who are specialized in merge/purge and creating databases of e-mail addresses to send these attacks to. Then there's another group that's specializing in putting a quality phishing attack together that's real enough to get people to click on it. Then there are people that specialize in pulling together botnets. There are project managers putting together campaigns. Then there are the people that finance it."
It's easy to imagine a marketing meeting, complete with whiteboards and conference tables, in an office building in a town like Anapa, where the agenda reads "Agenda item: What's the most you can ask a U.S. company to pay for an encrypted hard drive before the price encourages them to scrap the system and move on?"
The Playbook
While the FBI-led effort of June 2014 set the encrypting ransomware model back, it did not end it, by any means. The GameOver Zeus Botnet-supported CryptoLocker malware may be gone, but the approach created a template that others are following. Recent variants include CryptoWall, CryptoWall 2.0, Critroni and Crowti, among others.
"It's impossible to shut down a three-card Monte game," Flynne says. "You shut it down on one corner, but as long as it's successful, as long as they're making money off of it, it's going to pop up somewhere else."
Encrypting ransomware is still hitting a lot of organizations hard. In late February, the Chicago Tribune reported a case involving the police department of Midlothian, a suburb of Chicago. Police officials there made a Bitcoin payment of more than $500 to unlock a department computer, the newspaper reported. The department joined a number of other law enforcement and government agencies that have either paid or chosen to lose their data, yet have a harder time keeping their incidents private due to their status as public institutions.
Pay Ransom, Restore Backup or Lose Files
In a recent conversation, Sjouwerman said one copycat, the nasty CryptoWall 2.0 that uses the Tor network to hide its command-and-control servers, was keeping him busy. While he prefers to help customers avoid infection first, and points them to ways to mitigate ransomware, he had also helped a few customers in hopeless situations make their ransom payments. First-time Bitcoin transactions can be intimidating for someone already smarting from having all their data hijacked. Ironically, Sjouwerman says, payment tends to be a smooth and reliable process. "The bad guys are businesspeople, too. They have a reputation to protect, and they actually provide tech support," he says.
With decent backup practices, no Bitcoin payments are necessary. Chad Mockensturm, a lead systems administrator at Tiffin, Ohio-based managed services provider Diverse Technology Solutions, also dealt with a CryptoWall infection in October at a customer site, a health care facility where a computer at a nursing station got hit. "It kept repeatedly blocking a file on one of the nursing station computers. We immediately removed the computer and scanned the network. We determined that it encrypted 200 to 300 files," Mockensturm says. After cleaning the infection off the computer, Mockensturm was able to restore the files from a Carbonite remote backup and have the customer back online in about 90 minutes.
Back Up and Train
Many of the systems that are hit and cause serious headaches tend to be workstations, which can be a black hole in backup policies for many organizations. Users are encouraged to store their data to file shares, but when they don't, that data often isn't backed up. Encrypting ransomware presents another reason to remind users to keep their stores on backed-up file servers, and more motivation to include PCs and especially laptops in backup and recovery plans.
Mockensturm took the opportunity to push the layers of defense back one level -- adding a user training session at the health-care facility. "We did an in-service and instructed anybody that has access to outside e-mail to be wary. It can even be e-mail from users that they might know," he says.
Sjouwerman, whose business is built around end-user training against security threats, sees that step as the most vital and cost-effective method of protecting against the phishing and spearphishing attacks that most commonly introduce encrypting ransomware into an organization.
"The user ultimately is the weak link in IT security," says Sjouwerman, but he estimates that more than half of organizations don't provide security awareness to their employees. "All employees have to step through training because that is your firewall from the C-level down to the mailroom."
In a report earlier this year, "Hacking the Human Operating System: The Role of Social Engineering Within Cybersecurity," Intel Security/McAfee recommended ongoing training for security awareness, along with regular testing of employees' skills in detecting and rejecting phishing, spearphishing and other types of bait, including over the phone or on the Web (see "Social Engineering Countermeasures").
Sjouwerman says that when KnowBe4 sends out phishing tests to customers, an average of 16 percent fail. After training, the number usually drops to about 1 percent. "It's never zero, it never will be zero, but we get statistically significant, measurable results," he says.
Another benefit to employee training is that it doesn't only protect organizations against encrypting ransomware. Bad actors have been using social engineering techniques since the all-telephone-and-no-computer era of business to get employees to reveal things they shouldn't. Meanwhile, spearphishing attacks aren't just used for ransomware; they're used for all manner of malware delivery, including some of the biggest data breaches of the last year.
Even after encrypting ransomware recedes from the headlines, giving users self-defense techniques against social-engineering attempts will still be paying dividends.