Tuesday, 21 June 2016

The Extortion of Things #Ransomware #Cyber


Article by Stuart Peck, Cyber Security Strategist at ZeroDayLab Ltd. 


Extortion is a tried and tested model for extracting money by unscrupulous individuals over the centuries. The most popular being blackmail which originates from the 16th century term "black-maill". This was nothing to do with letters looking to coerce its recipient, but from a payment or "tax" paid by landowners to protect assets from looters, the irony being that the payment was made to the looters themselves, which could be likened to an early protection racket. 

There have been many examples over history of the use of blackmail and extortion by politically and financially motivated groups and individuals, targeting the upper echelons of society, prominent figures, heads of military and business leaders, not to mention the vast array of celebrities- it was a specialised skill requiring patience and perseverance.   

However, today extortion has gone mainstream through the use of technology, in the form of Ransomware, and the extortionists are cashing in, spreading their net far and wide.

The Rise of Ransomware

Ransomware is not a particularly new concept, with it's own origins in the form of the AIDS Trojan of 1989, which was spread by floppy disk- that displayed a message to the infected user proclaiming their software had expired- and that $189 was to be paid to "PC Cyborg Corporation".

The first use of encryption based Ransomware such as Gpcode and Krotten was first detected mid 2006, however the main rise of the Ransomware business model can be attributed to Cryptolocker in late 2013. Cyptolocker was the first to employ Bitcoin to collect ransom payments, making it difficult to trace the money, and attractive to seasoned cyber criminals and extortionists netting an estimated $27 million in a few months.

More impressive was the highly publicised CryptoWall which netted  the group behind the Ransomware in excess of $300 million.


Figure 1: Cryptolocker ransom message

Today there are many variants of Ransomware, with an estimated 120 families and growing, (CryptXXX, Locky, Petya, Ransom32, Jigsaw, Mischa, Keyranger etc), which are distributed through either Exploit kits such as Angler (well until it was taken offline possibly due to the Lurk arrest), Neutrino EK, and Phishing (and Spear Phishing) campaigns.

Although there may have been some minor innovations in the delivery or mechanisms in the Ransomware families, the premise still remains the same, encryption or removal of access to files, which will only be returned upon payment of a ransom.


Figure 2: Jigsaw Ransomware which deletes an increasing number of files every hour,  if the ransom is not paid.

The ease and profitability have made Ransomware the weapon of choice for seasoned cyber criminals but has also reduced the barrier to entry for less technical extortionists, through RaaS (Ransomware as a Service) on Darknet market places. 

A good example is the Petya and Mischa business opportunity provided by JanusSec, which promises high infection rates and an innovative approach, if the Petya Ransomware fails (Petya encrypts the master boot record), the Mischa will kick in employing the standard file encryption technique- which proves even cyber criminals have a business continuity plan!


Figure 3: JanusSec RaaS business model- which offers attractive returns for inexperienced cyber criminals.

The future of Ransomware: IOT?

As our workplaces and homes become more interconnected, and the lines blurred, it won't be long before the extortionists start to target IoT  (Internet of Things) devices. There have been examples already of Ransomware and Malware targeting Smart TV's and Smart Watches, Smart Fridges etc.

How long will it be before the we get DoS style Ransom messages threatening to disrupt our devices in our homes? And with the lack of security controls in these devices, will be an easy target for cyber criminals, the question is, will there be enough of a payoff to make it worthwhile?


Figure 4: Example of TV Ransomware through malicious app on Smart TV 

Ransomware; the greatest threat facing organisations today- or purely an avoidable nuisance?

Ransomware is a threat, one which most, if not all organisations will of had some first or second hand exposure to, and depending on the business infrastructure set up, and the entry point to the business, Ransomware can cause serious disruption.

However with the correct controls, policies, and user education Ransomware can be reduced to an easily avoidable nuisance, by employing the following:

  • Conduct regular back ups devices, systems and servers (everyone should be doing this).
  • Block macros in documents by default through Group Policy, and only allow for users that absolutely need them- this should reduce exposure to common weaponised documents sent via phishing emails.
  • Ensure that users have adblockers extensions for browsers and that operating system and third party applications such as Flash (especially Flash), are updated regularly to reduce exposure to drive by attacks and exploit kits.
  • Conduct regular security awareness training to ensure users don't expose the business to unnecessary risk.
  • Conduct regular incident scenarios, so key IT and Security team members know how to react in the event of a serious Ransomware attack.
  • Don't pay the ransom, there is no guarantee that you'll actually get access back to the data, and you may end up on a distribution list for victims that pay!

In Summary....

In summary extortion is not something new, but the level and mainstream nature of Ransomware has elevated this to new heights.

This is a threat that is not going to disappear anytime soon (as long as there is money to be made), and with warning signals of the near emergence of self replicating Ransomware, we could see this ratchet up a gear. 

But with good IT security controls, regular user education and planning for this type of incident, the exposure can be exponentially reduced.

No comments:

Post a comment