This is one of those subjects that has struck everyone from the techno security guru to the average person who is simply trying to do their job. Ransomware brands such as GoldenEye, Petya (and its offshoot NotPetya), CryptoLocker, CryptoWall, Locky, WannaCry and, very recently, Bad Rabbit (to name only a few) have been making headlines across the globe.
I’ll start by taking a quick step back and defining ransomware before I discuss how it tricks us into letting it in the door, the stages of its life cycle and finally what we can do to be better prepared in the face of quickly advancing and mutating ransomware attacks.
Ransomware IS malware. I’m guessing your mind is not completely blown by that. Malware is just the super-set classification, short for malicious software. Ransomware is a type of malicious cryptovirology software that threatens to either publish the victim’s data or perpetually block access to it unless a ransom is paid (credit Wikipedia for that one). I’m not going to get too deep into what cryptovirology means, but you can probably put the pieces of the puzzle together: the spreading mechanisms of a typical virus combined with modern cryptography and nasty, usually criminal, intent. If you don’t know what cryptography is… it’s a set of algorithms for encrypting (aka garbling) good data into nonsense data so people can’t read it until it is decrypted. The simplest form is symmetric key encryption: the same “key” is used both to encrypt a message and to decrypt it, hence the symmetry. The algorithm itself is usually public and cannot feasibly be broken by brute force with current computing power; it is the key that makes the encrypted data uniquely unreadable, so knowing the algorithm doesn’t help without knowing the key (go and see The Imitation Game with Benedict Cumberbatch for a great retro example of key recovery being the whole game). One practical detail worth knowing: most real ransomware uses a hybrid scheme. Your files are encrypted with a fast symmetric key generated on your machine, and that key is then encrypted with the attacker’s public key (asymmetric cryptography), so the only thing that can unlock it is a private key that never left the attacker. That is why, when it’s done properly, neither you nor your IT department can simply dig the key out of the infected PC.
Ransomware has thrust itself into relevance for everyone from the cyber-enthusiast to complete non-technophiles simply because for the former (geeks like myself), it’s a fascinating study and for the latter, well I’m afraid these people are essentially the target audience.
It’s been making the news fairly regularly and doesn’t look like it’s going away any time soon. Of the more prominent ones I mentioned earlier, WannaCry probably made the biggest headlines in the UK because in May 2017 it disrupted around a third of NHS trusts in England, with thousands of appointments cancelled and some hospitals diverting patients.
I do like the clever branding that malware and many major security-related issues get. The name WannaCry is a bit of a double entendre. Once all your files are encrypted away until you pay some Bitcoin you probably don’t have, you might wanna cry a little. The truth is the name comes from the encryptor/decryptor program called Wana Decrypt0r, which is also the title of the scary red window that demands the ransom. “Wana” with one ‘n’, but hey, a bit of artistic licence when naming these is great for the media.
I want to now discuss generically how ransomware functions, because interestingly it often starts with incredibly simple mechanisms, far from what film and television would have you believe hackers use to infect your PC or your network. The stages of a ransomware attack are usually described as installation/deployment, command and control, and finally the extortion and/or destruction phase. Those are defined in well-known books on ransomware that you are likely avoiding reading if you’re listening to this podcast or reading this blog article. I’ll condense them down quickly now.
Installation and deployment are really the embarrassing part of this story for many of us. This happens most often via mechanisms as simple as spam email or phishing. It’s safe to assume these days that ransomware creators have a relatively high level of social engineering expertise. They have become very clever at crafting an email to look like something we want to open, with links or files we want to engage with. Common examples would be links saying “click here to track your parcel” or “to see your invoice”. Alternatively an Excel file called Invoice.xls can be attached to an email that looks very legitimate. An invoice gets people wondering why they have been invoiced, so naturally they open it. Or the email might spoof a UPS notification stating that a package needs routing attention! Well, it’s Christmas isn’t it! The idea of somebody sending you something is exciting!
A final mechanism that I’ve personally run into recently, which tends to fall more into the phishing boat (see what I did there), is a homograph attack, a cousin of typosquatting. A would-be attacker creates a whole or partial duplicate of a website but registers a look-alike name as an internationalised domain name (IDN). Essentially they use a character from another alphabet (Cyrillic, for example) or a Latin letter with an accent or stroke which looks like the plain English letter but is a different Unicode character; under the hood your browser converts such a name to an “xn--” punycode label before it ever asks DNS, which is also how you can tell them apart. The recent example I saw was for asda.com which was spelt as asđa. Check that ‘d’. It’s not the same and goes to a malicious site. Clever! The older, cruder tells of a phishing email are still worth listing:
– The email comes from a company instead of a person
– They address you as Mr. John or Mrs. Rebecca instead of your surname
– There are spelling mistakes
– It’s from a King or Prince in Nigeria (surely we’re not still falling for that one)
– The highlighted link that says HSBC but links to www.hsbc-superlegit-banking.co.awesome
These are still out there to catch the parents and grandparents.
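As an added example (my own code, not from the original post or any vendor), here is how you would check a link’s hostname for the look-alike IDN trick before anyone clicks it: encode it the way the browser does (anything non-ASCII becomes an “xn--” label) and collapse confusable characters to their ASCII twins to see which brand it is imitating. The confusables table is a hand-picked subset of Unicode’s confusables list and the brand allow-list is made up for the demo; only the Python standard library is used.

```python
# Added example: spot a look-alike (homograph) domain. Two checks:
#   1. IDNA-encode the hostname; any label that comes out as "xn--..." contained
#      non-ASCII characters, which is what the browser/DNS actually resolves;
#   2. map visually confusable characters back to ASCII look-alikes and compare
#      the result against a list of brands we care about.
import unicodedata

# Assumption: a small hand-picked subset of Unicode TR39 confusables.
# Keys are the look-alike glyph, values the ASCII letter it imitates.
CONFUSABLES = {
    "\u0111": "d",  # đ  LATIN SMALL LETTER D WITH STROKE (the asda example)
    "\u0430": "a",  # а  CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е  CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о  CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р  CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с  CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # х  CYRILLIC SMALL LETTER HA
    "\u0131": "i",  # ı  LATIN SMALL LETTER DOTLESS I
}

# Constructed allow-list of brands we want to protect (placeholder for the demo).
PROTECTED = {"asda.com", "hsbc.co.uk", "paypal.com"}


def to_ascii(hostname: str) -> str:
    """Return the hostname as the browser sends it to DNS (IDNA / punycode)."""
    return hostname.strip().lower().encode("idna").decode("ascii")


def skeleton(hostname: str) -> str:
    """Collapse confusable glyphs and accents to the ASCII letters they imitate."""
    out = []
    for ch in hostname.lower():
        ch = CONFUSABLES.get(ch, ch)
        # strip combining marks for characters that decompose (e.g. 'á' -> 'a')
        base = unicodedata.normalize("NFKD", ch)
        out.append("".join(c for c in base if not unicodedata.combining(c)))
    return "".join(out)


def check_hostname(hostname: str) -> dict:
    """Classify a hostname: is it an IDN, what does it look like, which brand does it impersonate?"""
    ascii_form = to_ascii(hostname)
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    looks_like = skeleton(hostname)
    impersonates = looks_like in PROTECTED and ascii_form not in PROTECTED
    return {
        "input": hostname,
        "ascii": ascii_form,      # what DNS actually sees
        "idn": is_idn,
        "skeleton": looks_like,   # what the eye sees
        "impersonates": looks_like if impersonates else None,
    }


if __name__ == "__main__":
    for name in ("asda.com", "as\u0111a.com", "p\u0430ypal.com"):
        print(check_hostname(name))
```

The “ascii” field is the thing to put in a blocklist or a mail-gateway rule, because it is what will be resolved; the “skeleton” field tells you which brand the sender is impersonating. A full deployment would load the whole Unicode confusables.txt rather than the eight entries above.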
Some of the more modern ones are exact replicas of bank or IT emails that are requesting you to click to verify something or view a document.
If you’re interested and have a Gmail account (other free email vendors are available), just have a quick surf through your spam folder. DON’T CLICK ANYTHING… for goodness’ sake. I take it back: don’t even go looking without a life-jacket or at least a millennial within shouting distance. What’s great for us normal people is that Gmail, Yahoo and the other major email systems do a fantastic job of finding and filtering out spam, as they have, or are partnered with, a powerful global security network identifying and mitigating risks behind the scenes, more often than not before they hit your inbox.
The real problem is with corporate email networks. Many use poor, outdated or non-existent malware detection software. Good examples of malware/ransomware detection products would be Sophos, Cylance or Proofpoint. There are dozens of others of course which are very good.
I’ve mentioned some of the more traditional mechanisms for deploying ransomware, but another I’d like to mention is called a watering hole attack. Here the malicious actors, again employing a bit of clever social engineering and reconnaissance, work out which websites their target organisations commonly visit that may be a bit less secure than the target itself. They then compromise that website to plant a malware download in a page that is “whitelisted”, which essentially means your network security considers it a happy path on the internet. In August 2017 exactly this happened in the US to the National Wildfire Coordinating Group: its website sits on a whitelisted .gov domain, so downloads from it would be inherently trusted. The Bad Rabbit ransomware I mentioned at the start is a very recent example of the same method: it was served from compromised news websites as a fake Adobe Flash Player update that the visitor was invited to install.
I’d mentioned WannaCry earlier and it’s worth pointing out that this particular ransomware did NOT get in via anyone clicking on a spam email. It spread on its own, worm-style, using EternalBlue, a leaked NSA exploit for a flaw in the SMBv1 file-sharing service of older Windows versions; the bulk of its victims were unpatched Windows 7 machines, and Microsoft’s fix (MS17-010) had been available for two months before the outbreak. For once we saw a proper example of real hacking used to deploy ransomware. I’ll include an article from Wired magazine below if you’re curious enough to dig deeper into how that worked. Human error was still afoot here, just a different kind: systems left unpatched with an ancient file-sharing protocol exposed to the network. If you run Windows, applying that patch and disabling SMBv1 outright is the practical takeaway. I’ll expand on that later.
A more advanced and even more recent incident is the CCleaner malware (not ransomware this time). In this example the CCleaner build and release process itself was compromised, so that malware was delivered inside a legitimately signed software package designed, ironically, to clean junk files from your computer. This is a software supply chain attack: you did nothing wrong, you just updated a trusted tool. Unfortunately the compromise of Piriform (makers of CCleaner, acquired by the anti-malware company Avast a few weeks earlier) was not spotted immediately; the tampered version 5.33 sat on the official download site for about a month in August and September 2017 before Cisco Talos found it and it was disabled. By then it had been installed by over 2 million users (yikes!).
The final mechanism I’ll mention is click bait. Playing into our own curiosity (again), you’ve probably seen headline after advert after newsfeed spinning a tale like “You’ll Gasp When You See This!” or, “Here’s One Weird Trick to Eliminate Cellulite Forever!” (https://en.wikipedia.org/wiki/Cellulite). I hope you didn’t click on that link.
The problem is, real (using that term loosely) sites like BuzzFeed and HuffPost also trend towards clickbaity headlines. I’ve even seen the BBC do it. That waters down the malicious ones and potentially makes them seem more legitimate. That means just one innocent click, and curiosity can kill the cat, except the cat is your laptop and all your data. You’ll know bad things are afoot if you click something and it asks you to install a codec, a video driver, a “Flash update” or anything else that supposedly isn’t already on your computer in order to view/read/experience the amazing information they have for you. A legitimate news or video page should never need you to download and run something first. Again, a good malware detection system can often thwart these efforts as well.
Essentially it’s our own curiosity, combined with some convincingly crafty email or web content, that gets us into this mess. So what happens when you click on that link, go to the nasty web page, or open that downloaded Excel spreadsheet?
It’ll run some code. In the case of Excel it’ll be a macro (which usually just downloads and launches the real payload); in the case of a malicious Chrome extension it’ll install some code; in the case of a web page you might not even notice anything happening. Now, you might be thinking: I don’t enable macros, so I’m good when it comes to Excel spreadsheets or Word documents. Well, maybe this time you will. The Excel sheet is designed to look legitimate and to hide the critical content until you enable macros to “see the data”. Like I said, these malware folks have us figured out. Check out an example of what a malware Excel sheet might look like. You want to see that content, don’t you? Well, just click “Enable Content”. What could go wrong?
Silence is essential during the installation phase, so if you’re expecting a pop-up asking you for installation options you’ll be left wanting. The installation will be silent and may even install multiple malicious programs. Many times the programs will have familiar names like explorer.exe. Even this phase is getting increasingly clever in that the programs will be disguised by anything from simple substitution ciphers to encryption (packing) to base64 encoding, the latter especially for code in scripting languages such as PowerShell or Python which would otherwise be readable. All this to avoid detection. Sometimes… they’ll even combine methods. The truth is, in many malicious hacking incidents, the techniques employed by those on the attack can, with effort, planning and occasionally nation-state funding, out-strip those on the defence.
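Here is an added example (my own code, not from the original post) of the kind of triage check a mail gateway or a cautious IT department can run on an attachment before anyone sees the “Enable Content” bar. Modern Office files (.docm, .xlsm, and .docx/.xlsx files that merely got renamed) are zip archives, and a VBA macro lives in a vbaProject.bin part inside them, so the archive can be inspected without ever opening the document in Office. The two sample workbooks are constructed skeletons, not real Excel files; legacy binary .xls/.doc files are OLE containers rather than zips and would need a tool such as olevba instead, which this code does not cover.

```python
# Added example: detect an embedded VBA project in an OOXML (zip-based) Office file.
import io
import zipfile

MACRO_PART_NAMES = ("vbaproject.bin",)
# Content type Office declares for a VBA project in [Content_Types].xml
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macros(data: bytes) -> dict:
    """Report what the archive reveals about macros; safe to call on any bytes."""
    result = {"is_ooxml": False, "macro_parts": [], "declares_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy OLE .xls/.doc, or not an Office file at all
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["macro_parts"] = [
            n for n in names if n.lower().rsplit("/", 1)[-1] in MACRO_PART_NAMES
        ]
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba"] = MACRO_CONTENT_TYPE in ctypes
    return result


def has_macros(data: bytes) -> bool:
    """True if either the part list or the content-types manifest shows VBA."""
    r = find_macros(data)
    return bool(r["macro_parts"]) or r["declares_vba"]


def _build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook skeleton for the demo (not a real Excel file)."""
    ct = [
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/xl/workbook.xml" ContentType="'
        'application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>' if with_macro else
        '<Override PartName="/xl/workbook.xml" ContentType="'
        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>',
    ]
    if with_macro:
        ct.append('<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE)
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # placeholder bytes standing in for a compiled VBA project
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


SAMPLE_CLEAN = _build_sample(False)
SAMPLE_MACRO = _build_sample(True)

if __name__ == "__main__":
    print("clean:", find_macros(SAMPLE_CLEAN))
    print("macro:", find_macros(SAMPLE_MACRO))
```

A file that arrives as Invoice.xlsx yet contains a vbaProject.bin is suspicious on its face, since the .xlsx extension is not supposed to carry macros at all; a .xlsm or .docm from an unknown sender is something to quarantine rather than deliver.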
Let’s assume now that you’ve been infiltrated by a malicious piece of ransomware code! What are these programs looking for and why? Additionally, what good is messing with your files and personal information if there isn’t a way to report back to some bad guys lurking in the cyber shadows? This is the command and control phase.
In the case of many ransomware attacks, the attackers are mostly hoping for the best. They know that with modern cloud technologies from both Apple and Microsoft, and with other tools like Dropbox and Google Drive, your precious data is likely duplicated and remotely safeguarded… right? Well… in the case of the aforementioned corporate computers, most of the time sensitive data, logs, patient records, etc. are sitting on the computers or servers in question, and locking all of that down in exchange for a ransom is a pretty good blanket move.
I mentioned previously that quite often multiple malicious programs are installed. After the often embarrassing infiltration phase is complete, the software will do a few things. First, it will determine which files are best for encryption. On PCs this is done simply by file extension, and the target list is part of what makes the different flavours of ransomware unique. Some will simply lock up the obvious file extensions associated with MS Office; some ransomware doesn’t care and locks the entire system down, including your master boot record, so Windows never even starts (Petya works that way). Others are clever enough to identify modern targets like Bitcoin wallet files and to delete the Windows Volume Shadow Copies (the “previous versions” snapshots) so you can’t simply restore over the top of the ransomware. Going after the Bitcoin wallet does seem counter-productive if they are going to ask for Bitcoin as a ransom, though emptying it is of course a bonus for them.
The ransomware will also establish a back-door conversation with a central hub. It’s probably obvious that a command and control connection to somewhere is risky for the attackers, as it needs to let the baddies run the show without being traced or blocked. It can do this in a variety of ways, but one recent mechanism was to simply use a publicly available service, Telegram (https://telegram.org/). It is a secure messaging system, and by talking to Telegram’s bot API over HTTPS the malware’s traffic is encrypted and looks like any other use of a popular service, so nothing on your network stands out as a “malware server” to block (the Telecrypt family reported in 2016 did exactly this).
The reasons for a connection to an HQ are many. The first is to report its successful intrusion into the computer, typically along with a victim ID and the key material needed for decryption, plus any ongoing metrics relating to progress. The second is to potentially receive instructions from the remote controller. Many ransomware strains will send out as much information as they can gather while encrypting your files. They may also install additional software like a keylogger, which could capture sensitive information as you type. What is clever about the keylogger is that it, and the route back to the command centre, may stay active regardless of any actions you take in response to the ransomware.
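The behaviours in the last few paragraphs (killing the shadow copies so you cannot roll back, phoning home through a “legitimate” service such as Telegram, and renaming files wholesale as they are encrypted under a borrowed name like explorer.exe) leave very recognisable traces in endpoint telemetry. As an added example (my own code, not from the original post or any product), here are three simple detection rules run over a constructed log. The one-event-per-line, pipe-separated layout, the thresholds, the process names and the log lines themselves are all assumptions for the demo, not any vendor’s real format.

```python
# Added example: three ransomware behaviour rules over a constructed endpoint log.
# Line layout (assumed): timestamp|event|process|detail
import re
from collections import defaultdict
from datetime import datetime

# Command lines that disable Windows' own recovery options. Seen across many
# families; a starting point, not an exhaustive list.
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Destinations that are normal from a browser or the real client, odd from anything else.
BEACON_HOSTS = {"api.telegram.org"}
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "telegram.exe"}

# Assumption: this many extension-appending renames from one process inside the
# window is far beyond anything a person does by hand.
RENAME_THRESHOLD = 5
RENAME_WINDOW_SECONDS = 10

# Constructed sample telemetry (not real logs). "explorer.exe" here is the
# impostor process of the text, not the genuine Windows shell.
SAMPLE_LOG = """\
2017-11-03T09:14:01|ProcessCreate|cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2017-11-03T09:14:02|NetworkConnect|explorer.exe|api.telegram.org:443
2017-11-03T09:14:03|NetworkConnect|chrome.exe|api.telegram.org:443
2017-11-03T09:14:05|FileRename|explorer.exe|C:\\Users\\jo\\Documents\\q3.xlsx -> C:\\Users\\jo\\Documents\\q3.xlsx.locked
2017-11-03T09:14:05|FileRename|explorer.exe|C:\\Users\\jo\\Documents\\notes.docx -> C:\\Users\\jo\\Documents\\notes.docx.locked
2017-11-03T09:14:06|FileRename|explorer.exe|C:\\Users\\jo\\Pictures\\cat.jpg -> C:\\Users\\jo\\Pictures\\cat.jpg.locked
2017-11-03T09:14:06|FileRename|explorer.exe|C:\\Users\\jo\\Desktop\\cv.pdf -> C:\\Users\\jo\\Desktop\\cv.pdf.locked
2017-11-03T09:14:07|FileRename|explorer.exe|C:\\Users\\jo\\Desktop\\budget.xls -> C:\\Users\\jo\\Desktop\\budget.xls.locked
2017-11-03T09:20:00|FileRename|winword.exe|C:\\Users\\jo\\Desktop\\draft.docx -> C:\\Users\\jo\\Desktop\\final.docx
"""


def parse(log: str):
    """Yield (timestamp, event, process, detail) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, process, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), event, process.lower(), detail


def detect(log: str) -> list:
    """Run the three rules; return (rule, process, evidence) tuples."""
    alerts = []
    renames = defaultdict(list)  # process -> timestamps of extension-appending renames
    for ts, event, process, detail in parse(log):
        if event == "ProcessCreate":
            if any(rule.search(detail) for rule in RECOVERY_TAMPER):
                alerts.append(("recovery_tamper", process, detail))
        elif event == "NetworkConnect":
            host = detail.rsplit(":", 1)[0].lower()
            if host in BEACON_HOSTS and process not in EXPECTED_CLIENTS:
                alerts.append(("suspicious_beacon", process, detail))
        elif event == "FileRename":
            src, _, dst = detail.partition(" -> ")
            # new extension tacked onto the old full name: the encrypt-and-rename pattern
            if dst.startswith(src + "."):
                renames[process].append(ts)
    for process, stamps in renames.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            burst = [s for s in stamps[i:] if (s - start).total_seconds() <= RENAME_WINDOW_SECONDS]
            if len(burst) >= RENAME_THRESHOLD:
                alerts.append(("mass_rename", process,
                               f"{len(burst)} renames within {RENAME_WINDOW_SECONDS}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note what the rules do not fire on: the same Telegram connection from chrome.exe and a single ordinary rename by Word. The point is that the impostor process is given away by behaviour, not by its name, which is why the text’s trick of calling the payload explorer.exe buys the attacker less than it looks.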
Interestingly, WannaCry had a remote “kill switch” as well as a remote command centre. A malware guru, Marcus Hutchins a.k.a. MalwareTech, found it. Ironically he was arrested in the USA in August 2017, accused of having authored a banking malware called Kronos, a proper hero-to-zero story, although it seems as unlikely that he is involved as it appears likely. See the link below for excessive detail on that. WannaCry’s kill switch worked by reaching out to a nonsense domain name: if the request succeeded, the malware exited without doing anything, so when Hutchins registered that domain new infections stopped in their tracks (machines already encrypted stayed encrypted). It probably sounds like a ridiculous feature for the software to have, but it wasn’t that silly. The theory is that when researchers study malware they often place it in a sandbox with a “pretend” internet around it that returns fake positive responses to any outbound request. In that environment the nonsense domain would have “resolved”, tricking the ransomware into going inert and hiding its real behaviour from the analyst. Kind of clever, actually, and also its undoing. I’ll get to the best way to personally handle ransomware shortly.
Once the command and control phase is complete, and the details of your systems, the encryption keys and a whole load of other personal data have been shipped off to goodness knows where, the final stage kicks in: extortion and/or destruction! This is the stuff the media loves. Typically you’ll get a pop-up of some kind indicating that your computer is locked up and your files are encrypted (because they are) and you’ll be required to send some money to free it all up, typically in Bitcoin. Bitcoin is often described as untraceable; it isn’t, every payment sits on a public ledger, but it is pseudonymous enough that the money is hard to tie to a person. It’s worth knowing that even if you pay, the malware may (much like in a typical hostage situation) kill the files held hostage anyway! Just for kicks. Of course the most likely scenario is that the crooks run excellent customer service, making it easier to pay the ransom than to buy most commercial software. The reason being, if word gets out that a particular crew doesn’t hand over the keys after payment, nobody will pay. If it’s easy, well, people like easy, don’t they? If it’s easy, more people will pay it just to end the pain.
They might have still installed a keylogger that is grabbing all your logins and passwords as you go about your day. Or perhaps they are querying your address book for more victims, or it might even be looking to mess with your nuclear reactor. I don’t have a nuclear reactor myself but there are people who do, and a very famous malware-initiated attack was Stuxnet, which is reckoned to have ruined around a fifth of Iran’s nuclear centrifuges (link in the show notes). That was a fascinating piece of malware worthy of its own podcast. There are some really thorough malware programs like “KillDisk”… not much left to the imagination there. It pretty much wipes the whole drive and then displays an fsociety logo (also very clever) to taunt you. If you haven’t seen the show Mr Robot to know what I’m talking about… see it.
What do you do if you’re infected with ransomware? Keeping cool is a good start. Then disconnect the machine from the network (pull the cable, switch off the Wi-Fi) so it can’t spread to shared drives or other PCs, don’t keep working on anything, and don’t try to solve the problem yourself. Chill and let your IT department know. I’m saying IT department because, as I indicated at the beginning of this, you’re probably on a poorly defended corporate network if you’ve got ransomware. What’s also good is that if the ransomware isn’t as clever as it should be (a key left lying around on disk, a flawed implementation), many anti-ransomware vendors can detect and remove it and decrypt your files; the No More Ransom project collects free decryptors for exactly these cases.
Of course, prevention beats cure. Really, your remedy from malware of any kind starts with keeping your operating system and applications up to date with patches and releases. That goes for phones as well. Backups are the next port of call for smart tech users. Create backups of your system regularly. This is a good strategy and isn’t exactly a new one either. That doesn’t mean people will do it: you can lead a horse to water, but. With advancements in internet connectivity, the modern advantage is that there are loads of online backup tools and vendors available like iDrive and Carbonite (if you’re on a PC) that can perform constant backups of your key data files to a secure location over a secure connection. You might just use a cloud utility like Google Drive or Dropbox as well, with one caveat: a sync folder faithfully syncs the encrypted versions of your files over the good ones, so you need a service that keeps previous versions, or better still a backup copy that isn’t connected to the infected machine at all. And test that you can actually restore from it before you need to.
There are plenty of ways to ensure you don’t have all your eggs in one basket in the unlikely event that you click on that ever so tempting email, clickbait or promise of excitement that you would never normally go near.
Hopefully this has clarified what’s going on with ransomware, and perhaps you’re a little more aware of the situation and know that, to stay safely clear of it, just don’t do stupid things, but if we do… make sure you can just wipe your computer and reload from a reliable backup so you can flip the bird to the wannabe cyber-villains.
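A backup you have never checked is a hope rather than a backup, so as an added example (my own code, not from the original post or any backup vendor) here is a small verifier: it records a SHA-256 manifest of a folder tree, keeps the manifest somewhere the infected machine can’t reach, and later compares the tree (or a restored copy of it) against the manifest, reporting what changed, vanished or appeared. Running the same comparison after a simulated encrypt-and-rename pass also shows what ransomware looks like from the backup’s point of view: every document changes or disappears at once. The folder layout and file contents are constructed for the demo.

```python
# Added example: manifest-based backup/restore verification, standard library only.
import hashlib
import json
import os
import tempfile


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def verify(root: str, manifest: dict) -> dict:
    """Compare the tree under root with a manifest taken earlier."""
    current = make_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Take a manifest, simulate an encrypt-and-rename pass, verify before and after."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        files = {  # constructed sample data
            "q3.xlsx": b"quarterly numbers",
            "notes.docx": b"meeting notes",
            "cat.jpg": b"\xff\xd8 not a real jpeg",
        }
        for name, content in files.items():
            with open(os.path.join(docs, name), "wb") as f:
                f.write(content)

        # The manifest lives outside the protected tree (here: a second temp dir),
        # standing in for offline/immutable storage the malware cannot touch.
        manifest_path = os.path.join(safe, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(make_manifest(root), f, indent=1)
        with open(manifest_path) as f:
            manifest = json.load(f)
        before = verify(root, manifest)  # a good backup verifies clean

        # Simulate the ransomware: scramble contents, and rename two of the three.
        for name in files:
            path = os.path.join(docs, name)
            with open(path, "r+b") as f:
                data = f.read()
                f.seek(0)
                f.write(bytes(b ^ 0x5A for b in data))  # stand-in for real encryption
            if name != "cat.jpg":
                os.replace(path, path + ".locked")
        after = verify(root, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the same verify step against a restored copy of your backup every so often: “changed” and “missing” should both be empty. If the manifest itself lives in the folder being backed up, the next encryption pass simply takes it along, which is why it is written to a separate location above.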