More than a decade after it first emerged, is the world any closer to stopping ransomware?
Judging from the growing toll of large organisations caught out by what has become the weapon of choice for so many criminals, it’s tempting to conclude not.
The problem for defenders, as documented in SophosLabs’ new report How Ransomware Attacks, is that although almost all ransomware uses the same trick – encrypting files or entire disks and extorting a ransom for their safe return – how it evades defences to reach data keeps evolving.
This means that a static analysis technique that stopped a strain of ransomware today may not stop an evolved counterpart in just a few weeks time. This creates a major challenge for organisations and security companies alike.
As the growing number of high-profile ransomware attacks reminds us, sugar coating the issue would be deluded – ransomware has grown as an industry because it works for the people who use it, which means it beats the defences of victims often enough to deliver a significant revenue stream.
The report covers the operation of the most prominent ransomware examples in recent times in detail, including Ryuk, BitPaymer, MegaCortex, Dharma, SamSam, GandCrab, Matrix, WannaCry, LockerGoga, RobbinHood, and Sodinokibi.
Knowledge is defence
Defenders can, however, arm themselves with knowledge. In its report, SophosLabs teases apart and demystifies the common techniques used by ransomware, starting with its distribution mechanisms.
The first type are cryptoworms which set out to replicate to as many machines as possible, as fast as possible, using known and sometimes unknown vulnerabilities to boost their effectiveness.
Although relatively rare – wormlike replication draws a lot of attention to itself. When cryptoworms work they are inclined to be spectacular, for example the global WannaCry attack that happened in 2017.
A more targeted technique is ‘automated active adversary’, a manual technique in which cybercriminals actively search for vulnerable organisations by scanning for network configuration weaknesses such as poorly secured Remote Desktop Protocol (RDP) or software vulnerabilities. Once behind firewalls, the ransomware is planted on as many servers as possible, locking defenders out of their own systems.
Most common of all is ransomware-as-a-service (RaaS), which essentially allows novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. A good example of this is Sodinokibi (aka Sodin or REvil), a GandCrab derivative blamed for numerous attacks during 2019.
Once they have a foothold, attackers use a similar palette of tools to bypass what defences remain, including deploying stolen legitimate digital certificates to make their malware appear trustworthy.
Naturally, lateral movement is used to reach important servers and shares – as is privilege escalation to gain the power to elevate an attack to the admin status necessary to do more damage.
Careful timing is also a common theme of successful attacks, says SophosLabs’ director of threat mitigation Mark Loman, who authored the report:
In some cases, the main body of the attack takes place at night when the IT team is at home asleep.
It sounds blindingly obvious, but it happens again and again. Attacking at night is one of the simplest ways to buy more time for ransomware (which takes time to perform all of its encryption) for no extra effort.
Loman’s advice is a version of careful vigilance, starting with ensuring machines are patched against the major vulnerabilities such as EternalBlue, which is still making a nuisance of itself two and half years after it powered WannaCry.
It sounds simple enough – just apply the patches. But this must be done on all vulnerable systems because ransomware only needs one weak machine to gain a foothold.
That demands that defenders audit the software state of all systems too, something that not all admins bother with to the degree necessary to spot weak points in advance of attacks.
Second, enable multi-factor authentication in every place possible. This is a reliable extra layer of security attackers should find hard to jump if it has been properly configured.
At a bare minimum, not only keep backups but think about how they will be reinstated. Often, victims have backups but not the human resources, time or money to spend days or weeks to putting things back as they were.
There are also some integrated controls in operating systems such as Windows 10, for example, the Controlled Folder Access (CFA) introduced in 2017 to limit which applications can access certain data folders. Researchers have poked holes in it since then so it’s not infallible but still worth deploying on endpoints.