Ransomware was officially a billion dollar crime in 2016, with more than 4,000 attacks since Jan. 1 and at least 25 variants of ransomware discovered. Researchers have predicted they would discover more than 100 variants before year’s end. And as of August, Malwarebytes research uncovered 40 percent of businesses in four countries experiencing an attack in the past year. One third of those businesses attacked lost revenue as a result.
Who are the victims?
Healthcare and financial services are the most popular enterprise targets, although no one is immune. These industries critically depend on up-to-date records to conduct business, and so they have been targeted more frequently. Hospitals have been hit especially hard, accounting for 88 percent of attacks, according to Solutionary’s Security Engineering Research Team Quarterly Threat Report for Q2 2016. In February, Hollywood Presbyterian Hospital paid a $17,000 ransom to get its EHR back, and the Kansas Heart Hospital also admitted to paying a ransom in May, except it gets worse: the hackers demanded a second ransom to unlock the data. And in April, the Lansing Board of Water and Light paid $25,000 to retrieve its data after discovering ransomware on its computers, the first U.S. utility company known to have paid a ransom.
Banks have not been immune to attacks either, although you won’t always hear about them. While it’s not been a public threat, the Federal Financial Institutions Examination Council did issue a warning about the severity of ransomware last year.
Different ransomware families to watch out for:
There are more than 25 families of ransomware, and researchers say they are on pace to discover more than 100 variants within the families. The top variants in the US are: CryptoWall, CTB-Locker, TeslaCrypt, Locky, Cerber and MSIL/Samas.A.
CryptoWall: First appeared in early 2014, and is known for AES encryption, a distinctive infection mechanism built on CHM (compiled HTML help) files, and robust command and control (C2) activity over Tor. It also uses various exploit kits, spam campaigns and malvertising to gain access to computers. CryptoWall uses Invisible Internet Project (I2P) network proxies to communicate with its live command and control servers, keeping that traffic anonymous. It also uses Tor for Bitcoin payments, making it extremely difficult to trace the malware authors. It has been very popular in attacks against hospitals: in the Solutionary report, of all the hospitals that reported being hit with ransomware, 94 percent were victims of CryptoWall.
CTB-Locker: CTB-Locker (Curve-Tor-Bitcoin) is a family of ransomware that has branches modified to include lockouts of websites. It’s known for its use of elliptic curve cryptography, a Tor-based service through which victims make payments, and Bitcoin as the currency for those payments. It’s most commonly distributed through spam campaigns, but it has also been seen in several exploit kits, including Rig and Nuclear. Bleeping Computer has a handy FAQ guide to CTB-Locker for more information.
TeslaCrypt: Once a dangerous strain, TeslaCrypt shut down in May and is now defunct. If your files were encrypted with a .xxx, .ttt, or .micro extension, go to this site for the master key and step-by-step guidance to unlock your files for free. Even if your files are encrypted with other extensions, it doesn’t hurt to try.
Cerber: One of the more widely used strains of ransomware this year, Cerber uses a wide variety of tactics to gain access, including DDoS attacks, Windows scripting and attacks on cloud platforms. The ransomware attacks individual machines but has also been found to encrypt entire enterprise databases, making it especially dangerous. It encrypts many file types, including .doc, .mdb, .pdf, .txt and .backup, and adds a .cerber extension to each file. During encryption, the malware drops three different files telling the victim that their files have been encrypted, including a .vbs file that plays a message through the computer speakers. Several decryption tools have been released, but the ransomware has since been updated, and unfortunately there are no free tools available at this time that decrypt its files.
MSIL/Samas.A: This strain of ransomware and its variants target an entire network of machines rather than individual computers. This makes it especially dangerous for enterprise operations, including healthcare and financial sectors. The FBI issued an alert about this strain last year, adding that like Locky, it also looks for network backups to delete and cautioning businesses to be on alert.
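The extension changes described above (Cerber appending .cerber to every encrypted file, TeslaCrypt's .xxx/.ttt/.micro) are the kind of host telemetry a defender can alert on before an entire share is gone. The following is an added example, not code from the original post or from any vendor: a sliding-window detector that raises an alert when one host and user produce a burst of files carrying a known ransomware extension. The audit-log format, host names, user names, paths and the DECRYPT.vbs note name are all constructed for the example; the extension-to-family table comes from the article.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Encrypted-file extensions named in the article: Cerber appends ".cerber" to each
# file it encrypts, and TeslaCrypt used ".xxx", ".ttt" and ".micro".
RANSOMWARE_EXTENSIONS = {
    ".cerber": "Cerber",
    ".xxx": "TeslaCrypt",
    ".ttt": "TeslaCrypt",
    ".micro": "TeslaCrypt",
}

# Constructed sample of file-system audit events (not real telemetry). Assumed format:
#   <ISO timestamp> <host> <user> <op> <path>            for open/create
#   <ISO timestamp> <host> <user> rename <old> -> <new>  for renames
SAMPLE_EVENTS = """\
2016-09-12T08:01:02 ws-042 jdoe open C:/Users/jdoe/Documents/q2.doc
2016-09-12T08:01:05 ws-042 jdoe rename C:/Users/jdoe/Documents/q2.doc -> C:/Users/jdoe/Documents/q2.doc.cerber
2016-09-12T08:01:06 ws-042 jdoe rename C:/Users/jdoe/Documents/budget.mdb -> C:/Users/jdoe/Documents/budget.mdb.cerber
2016-09-12T08:01:06 ws-042 jdoe rename C:/Users/jdoe/Documents/notes.txt -> C:/Users/jdoe/Documents/notes.txt.cerber
2016-09-12T08:01:07 ws-042 jdoe rename C:/Users/jdoe/Documents/invoice.pdf -> C:/Users/jdoe/Documents/invoice.pdf.cerber
2016-09-12T08:01:08 ws-042 jdoe create C:/Users/jdoe/Documents/contract.pdf.cerber
2016-09-12T08:01:09 ws-042 jdoe rename S:/finance/ledger.backup -> S:/finance/ledger.backup.cerber
2016-09-12T08:02:00 ws-042 jdoe create C:/Users/jdoe/Desktop/DECRYPT.vbs
2016-09-12T08:05:00 ws-017 asmith rename C:/Users/asmith/old.txt -> C:/Users/asmith/old.micro
2016-09-12T08:06:00 ws-017 asmith rename C:/Users/asmith/draft.txt -> C:/Users/asmith/final.txt
"""


def parse_event(line):
    """Parse one audit line into (ts, host, user, op, path, new_path); None if malformed."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    ts_text, host, user, op, rest = parts
    try:
        ts = datetime.fromisoformat(ts_text)
    except ValueError:
        return None
    if op == "rename":
        if " -> " not in rest:
            return None
        path, new_path = rest.split(" -> ", 1)
    else:
        path, new_path = rest, None
    return ts, host, user, op, path, new_path


def detect_bursts(lines, window_seconds=60, threshold=5):
    """Alert when one host/user writes >= threshold files carrying a known ransomware
    extension inside a sliding time window. Returns one alert dict per (host, user, family)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (host, user, family) -> timestamps inside the window
    totals = defaultdict(int)     # (host, user, family) -> all matching events seen
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, user, op, path, new_path = ev
        # A rename *into* a ransomware extension or a file created with one both count.
        target = new_path if op == "rename" else path if op == "create" else None
        if target is None:
            continue
        family = RANSOMWARE_EXTENSIONS.get(os.path.splitext(target)[1].lower())
        if family is None:
            continue
        key = (host, user, family)
        totals[key] += 1
        stamps = recent[key]
        stamps.append(ts)
        while ts - stamps[0] > window:      # drop events that fell out of the window
            stamps.popleft()
        if len(stamps) >= threshold and key not in alerts:
            alerts[key] = {
                "host": host, "user": user, "family": family,
                "first_seen": stamps[0].isoformat(), "alerted_at": ts.isoformat(),
            }
    for key, alert in alerts.items():
        alert["matching_events"] = totals[key]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample data the detector fires once, for ws-042/jdoe and the Cerber family, at the fifth matching write (08:01:08), three seconds after the first; the single .micro rename on ws-017 stays below the threshold. The threshold and window are the tuning knobs: a low threshold catches an infection earlier but will also flag users who legitimately bulk-rename files, so in practice the alert should be paired with the file types the article lists as targets (.doc, .mdb, .pdf, .txt, .backup) and with the ransom-note drop.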
Lessons learned from Code Spaces
Anyone remember Code Spaces? It was an up-and-coming SaaS provider offering developers source code management tools available through AWS. In June 2014, an attacker gained control of the company’s AWS control panel and orchestrated a DDoS attack. When the company contacted the attacker, they were told to pay a ransom to stop the attack. Instead of paying the ransom, Code Spaces tried to regain control of its panel. In response, the attacker started deleting data and didn’t stop until they had removed all EBS snapshots, S3 buckets, all AMIs and several EBS and machine instances. The move effectively destroyed the company.
It sounds like the lesson here is, “Pay up when you’re told to pay.” But Code Spaces was right not to pay the ransom. There was no guarantee the attacker would have stopped the flood of traffic, nor given Code Spaces its panel back without deleting anything. Instead, the lesson to learn is, “Don’t put your production and backup eggs in one basket.” Code Spaces had a backup and recovery plan and also replicated servers, but it had them hosted in the same AWS control panel as its regular machine and server instances. Once that panel was illegally accessed, it pretty much spelled the end of the company. The moral? When you back up your data, follow the 3-2-1 rule: three copies of the data, on two different media, with one offsite.
While Code Spaces isn’t a literal case of ransomware, it’s certainly relevant here. The recommendation to back up your data offsite holds as true for ransomware as for any other attack. Several strains of ransomware have been known to infect backups stored on the network, rendering them useless. It’s important to have a copy of the data that’s disconnected from the network to avoid infection or corruption.
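The 3-2-1 rule and the two lessons drawn from Code Spaces (keep one copy off the network, and don't let a single compromised console reach every copy) can be written down as a check over a backup inventory. What follows is an added example, not code from the original post or from Code Spaces or AWS: a small policy check that scores an inventory of copies against those five conditions. The inventories, account ids, regions and media labels are constructed; the assumption that the production data set counts as the first of the three copies is stated in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data set, including the production copy itself."""
    name: str
    medium: str              # storage technology the copy sits on
    location: str            # site or region that holds it
    control_plane: str       # account/console whose credentials can delete it
    network_reachable: bool  # can a host on the production network modify it?


def evaluate_backup_plan(copies):
    """Check an inventory against 3-2-1 plus the article's two extra lessons.

    Returns a list of (code, message) findings; an empty list means the plan passes.
    Assumption: the production data set is counted as the first of the three copies.
    """
    findings = []
    if len(copies) < 3:
        findings.append(("COPIES", f"{len(copies)} copies held; 3-2-1 needs at least three"))
    if len({c.medium for c in copies}) < 2:
        findings.append(("MEDIA", "every copy sits on the same medium; use two different media"))
    if len({c.location for c in copies}) < 2:
        findings.append(("OFFSITE", "no copy is held at a second location"))
    if all(c.network_reachable for c in copies):
        findings.append(("OFFLINE", "every copy is reachable from the production network, "
                                    "so network-spreading ransomware can encrypt all of them"))
    if len({c.control_plane for c in copies}) < 2:
        findings.append(("CONTROL_PLANE", "one set of credentials can delete every copy "
                                          "(the Code Spaces failure)"))
    return findings


# Constructed inventories (account ids, regions and media labels are illustrative).
# First: snapshots and replicas living in the same cloud console as production.
CODE_SPACES_STYLE = [
    BackupCopy("production volumes", "aws-ebs", "us-east-1", "aws-account-prod", True),
    BackupCopy("EBS snapshots", "aws-ebs", "us-east-1", "aws-account-prod", True),
    BackupCopy("replicated servers", "aws-ebs", "us-west-2", "aws-account-prod", True),
]

# Second: a plan that satisfies 3-2-1 and keeps one copy off the network and under
# credentials separate from the production account.
HARDENED = [
    BackupCopy("production volumes", "aws-ebs", "us-east-1", "aws-account-prod", True),
    BackupCopy("nightly object-storage copy", "object-storage", "us-west-2", "aws-account-backup", True),
    BackupCopy("weekly tape set", "lto-tape", "offsite-vault", "tape-library", False),
]


if __name__ == "__main__":
    for label, plan in (("Code Spaces style", CODE_SPACES_STYLE), ("hardened", HARDENED)):
        print(label, evaluate_backup_plan(plan) or "passes")
```

The Code Spaces-style inventory has three copies and a second region, so it passes the literal "3" and "1" of 3-2-1, yet it fails on medium, on network reachability and on control plane, which is exactly why one compromised console was enough to erase all of it. The hardened plan passes every check only because the tape set is both offline and outside the cloud account; dropping it leaves the plan short on copies and with nothing unreachable from the network.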
To pay or not to pay, that is the question
Even if you’ve done all you can to prevent attackers from infecting your network, cyber criminals are a pesky, determined bunch. It’s best to expect them to break in at some point, as bleak as that statement is. When you find yourself facing the morning you’ve been dreading—waking up to a ransom screen demanding money in return for access to your data—what will you do? Do you pay, or try to get your systems back?
It’s easy to advise one way or the other, but when you’re in the middle of an attack, it can be a completely different scenario. The FBI and major security researchers, however, all recommend not paying the ransom if possible. As mentioned before, paying the ransom doesn’t guarantee anything, and it also reinforces the success of the attack. Most criminals have developed what has been termed “dishonest reliability”: they do indeed hand over the decryption key to get your data back once you pay up. But not all of them operate that way, and it’s a dangerous gamble to assume they will. The Kansas Heart Hospital case is a good example: the hospital paid the first ransom, and the attackers demanded a second before giving up the encryption keys. In this case, the hospital chose not to pay the second ransom, saying it wasn’t a “wise maneuver or strategy.” Kansas Heart is a clear demonstration that paying a ransom doesn’t always get you what you expect.
If you’ve been the victim of a ransomware attack, it’s important to contact the FBI. Visit the FBI website to see a list of field offices throughout the US.
Your best recourse is to restore from a safe backup. This is where having a strong, thorough disaster recovery and backup strategy is so important. For more information on developing that strategy and what considerations you should make, check out the following resources:
- Offsite backup and recovery buying guide
- Offsite backup options
- Prevent, don’t react: Beating ransomware
- Look for a DRaaS and BaaS provider who will help you transfer your data and walk through each consideration, saving your organization a lot of stress and headaches.
In addition, training your entire company to recognize phishing attempts and establishing a culture where it’s OK to question the source of an email are key measures in defending your organization against ransomware threats.
Ransomware is no joke. It threatens individuals and enterprises alike. It’s become such a profitable industry that an entire Ransomware-as-a-Service branch has sprung up from it. Until we take preventative action to secure our data, these attacks will unfortunately continue to grow, because they are so profitable. Creating offsite backups that are kept up to date regularly is one way to mitigate the threat. Training yourself and/or your employees to recognize and avoid spam and phishing attempts, and to disable macros, can stop the malware from being loaded onto the computer in the first place. In a future post, we’ll go into more detail about the anatomy of a ransomware attack and how to protect yourself.