Ransomware is one of the fastest-growing classes of malicious software. In recent years, ransomware has evolved from a simple lock screen with a ransom demand into far more dangerous variants, such as crypto-ransomware.
Unlike traditional malware, crypto-ransomware doesn't steal information. Instead, it encrypts a victim's documents, spreadsheets, pictures, videos and other files, and then demands a ransom to unlock the encrypted files — a form of digital blackmail. The ransom amount varies, from $150–$500 for an individual to thousands of dollars for an organization. The payment goes through systems that are hard to trace, such as wire transfers, premium-rate text messages, pre-paid voucher services like Paysafecard, or the digital currency Bitcoin.
While ransomware attacks have been around for years, security experts say they've become far more dangerous recently because of advances in encryption and other technologies. A crypto-ransomware attack can take hostage not only data stored on a company's individual computers, but also the files on its servers and cloud-based file-sharing systems — leading to financial losses, stopping business in its tracks and potentially damaging the organization's reputation. According to a report prepared by the Cyber Threat Alliance (CTA), CryptoWall version 3.0 alone has already cost victims $325 million.
Criminals use many different methods to propagate crypto-ransomware, including the following:
In most cases, malware arrives in an e-mail attachment. The email often purports to be from a known entity, such as a bank or colleague, and has an attention-grabbing Subject line, such as "Dear Valued Customer", "Undelivered Mail Returned to Sender" or "Invitation to connect on LinkedIn."
Figure 1. Methods of ransomware delivery via e-mail
The names of the attachments are chosen to disguise their true nature. In particular, the name often includes a common extension such as ".doc" or ".xls", so if display of file extensions is disabled in the system settings, the user will think the file is a Word or Excel document. For example, the full file name might be "Paper.doc.exe" but the user will see only "Paper.doc" and be misled into thinking the file is harmless.
Or the attachment might actually be a .doc file, but include malicious macros. If a user opens such a document and macros are enabled in Microsoft Office (which they are by default), malware installation begins automatically. If macros have been disabled, the user will see blocks of garbled text and a note such as, "Enable macro if the data encoding is incorrect." If the user enables macros, the malware will then infect the system.
Files containing malware or malicious macros can also be delivered to potential victims on removable disks or through malvertising. Once the user opens the file, the ransomware spreads.
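The two disguises just described (a double extension such as "Paper.doc.exe" and a macro-capable Office document) can both be caught from the attachment name alone before the file reaches a user. The screening function below is an added example written for this paper; it is not part of any Netwrix product. The extension lists are this example's own assumptions (a representative subset of what Windows executes and of the Office formats that can carry VBA macros), and the attachment names are constructed samples.

```python
import os
from typing import Dict, List

# Extensions Windows runs as programs or scripts (representative subset, an assumption of this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1"}
# Office formats that can carry VBA macros (legacy .doc/.xls plus the macro-enabled OOXML formats).
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm", ".xlsb", ".pptm"}
# Harmless-looking extensions used as the visible part of a double-extension name.
DECOY_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".zip"}


def classify_attachment(name: str) -> List[str]:
    """Return the reasons an attachment name looks suspicious; an empty list means none were found."""
    reasons: List[str] = []
    lower = name.strip().lower()
    stem, last = os.path.splitext(lower)      # "paper.doc.exe" -> ("paper.doc", ".exe")
    _, inner = os.path.splitext(stem)         # "paper.doc"     -> ("paper", ".doc")
    if last in EXECUTABLE_EXTS:
        if inner in DECOY_EXTS:
            # Explorer hides the last extension when "Hide extensions for known file types" is on,
            # so the user sees only the decoy part.
            reasons.append(f"double extension: displays as '{inner}' but runs as '{last}'")
        else:
            reasons.append(f"executable attachment '{last}'")
    if last in MACRO_CAPABLE_EXTS:
        reasons.append(f"macro-capable document '{last}'")
    return reasons


def screen_attachments(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged attachment name to its reasons; clean names are left out."""
    flagged: Dict[str, List[str]] = {}
    for n in names:
        reasons = classify_attachment(n)
        if reasons:
            flagged[n] = reasons
    return flagged


# Constructed sample attachment names (not taken from real mail).
SAMPLE_ATTACHMENTS = [
    "Paper.doc.exe",
    "Invoice_2016-03.docm",
    "Undelivered_mail.zip.scr",
    "quarterly-report.docx",
]

if __name__ == "__main__":
    for name, reasons in screen_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A gateway rule built on this logic should quarantine rather than silently drop, so that a legitimately macro-enabled spreadsheet can be released after review.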
Users can also inadvertently become victims simply by visiting a compromised web page — for example, by downloading malicious code via banner ads in Flash after multiple malicious redirects, as illustrated in Figure 2. These "drive-by downloads" usually exploit a security flaw or other vulnerability in a browser, app or operating system, often because the software has not been kept up to date with patches.
For example, CryptoWall is loaded by the Angler, Neutrino and Nuclear exploit kits. These kits can exploit vulnerabilities in web browsers, Java and PDF readers, but the most commonly exploited vulnerabilities are in Flash.
Figure 2. How criminals use web redirects and exploit software vulnerabilities to deliver malware
Crypto-ransomware infection typically consists of the following steps:
A user unintentionally opens a malicious file propagated via a compromised website or infected email attachment, thereby releasing a ransomware client.
The malware copies itself into various locations in the system, such as:
Then it edits the registry so it will start automatically after every system reboot.
Encryption key generation
The ransomware client builds an SSL connection with a command and control server, and generates a public-private key pair to encrypt its victim's files. The client might use the Tor network to anonymize the traffic and make tracing the crime more difficult. Some crypto-ransomware can generate a key pair locally on the infected machine; in that case, the user's machine does not need to be connected to the internet for the malware to encrypt the files.
Crypto-ransomware uses strong encryption such as RSA-2048, which virtually eliminates the possibility of the user discovering the key to decrypt the files.
Using the victim's access rights, the crypto-ransomware scans all available physical and cloud-based drives for files to encrypt, and encrypts the files.
The malware displays a ransom note with instructions for how the victim can pay a ransom to unlock the encrypted data.
Analysis of reported crypto-ransomware attacks reveals several reasons why the attacks were successful:
Decrypting files encrypted by ransomware can take months or even years, if it is possible at all. Therefore, it is critical to take steps to prevent infection and be prepared to restore from backup if prevention fails.
Specific measures include the following:
Building multiple layers of security against crypto-ransomware is the most effective way to avoid business downtime, financial losses and damage to your reputation. The Netwrix Auditor platform enables you to mitigate the risk of malware spreading across your network, detect activity indicative of a malware attack in progress, and granularly restore lost files.
Review the Account Permissions report regularly to ensure that the permissions assigned to each user account accord with the employee's role, and that no permissions are assigned to "Everyone." You can also use this report after an attack to determine which files the infected account had access to, in order to outline the potential area of infection.
Check who has access to critical files and folders, and verify that this list is limited to users with a legitimate business need for this data.
Identify users with permissions for files and folders that they do not use. Remove those excess permissions to limit the infection area in case of an attack.
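The three permission reviews above (grants to "Everyone", the set of files an infected account could reach, and write permissions nobody uses) can be expressed as small checks over an exported ACL list and a file-access log. The code below is an added example written for this paper, not Netwrix Auditor's own implementation or report format. It assumes ACL entries are already flattened to (path, principal, rights) rows, that group membership is available as a simple dictionary, and that the access log records which user touched which path on which day; all of the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

WRITE_RIGHTS = {"Modify", "Full Control"}   # rights that let ransomware overwrite files


@dataclass(frozen=True)
class AclEntry:
    path: str        # share or folder
    principal: str   # user or group name
    rights: str      # "Read", "Modify" or "Full Control"


@dataclass(frozen=True)
class Access:
    path: str
    user: str
    when: date


def everyone_grants(acl: List[AclEntry]) -> List[AclEntry]:
    """Entries that grant rights to the Everyone group; this list should be empty for business data."""
    return [e for e in acl if e.principal.lower() == "everyone"]


def unused_write_permissions(acl: List[AclEntry], accesses: List[Access],
                             groups: Dict[str, Set[str]], today: date,
                             window_days: int = 90) -> List[AclEntry]:
    """Write-capable entries whose principal (or, for a group, any member) has not used them recently."""
    cutoff = today - timedelta(days=window_days)
    recent = {(a.path, a.user) for a in accesses if a.when >= cutoff}
    unused = []
    for e in acl:
        if e.rights not in WRITE_RIGHTS or e.principal.lower() == "everyone":
            continue   # Everyone grants are reported separately by everyone_grants()
        members = groups.get(e.principal, {e.principal})
        if not any((e.path, m) in recent for m in members):
            unused.append(e)
    return unused


def blast_radius(acl: List[AclEntry], groups: Dict[str, Set[str]], user: str) -> Set[str]:
    """Paths an account could have encrypted: direct grants, grants via group membership, and Everyone."""
    identities = {user, "Everyone"} | {g for g, members in groups.items() if user in members}
    return {e.path for e in acl if e.rights in WRITE_RIGHTS and e.principal in identities}


# Constructed sample data (server, share and account names are invented for this example).
SAMPLE_ACL = [
    AclEntry(r"\\fs01\Finance", "Finance-Team", "Modify"),
    AclEntry(r"\\fs01\Finance", "bob", "Modify"),
    AclEntry(r"\\fs01\Public", "Everyone", "Modify"),
    AclEntry(r"\\fs01\HR", "HR-Team", "Read"),
]
SAMPLE_GROUPS = {"Finance-Team": {"alice", "carol"}, "HR-Team": {"dave"}}
SAMPLE_ACCESSES = [
    Access(r"\\fs01\Finance", "alice", date(2016, 3, 1)),
    Access(r"\\fs01\Public", "bob", date(2016, 3, 2)),
    Access(r"\\fs01\Finance", "bob", date(2015, 6, 15)),   # older than the review window
]
TODAY = date(2016, 3, 10)

if __name__ == "__main__":
    print("Everyone grants:", [e.path for e in everyone_grants(SAMPLE_ACL)])
    print("Unused write permissions:",
          [(e.path, e.principal) for e in unused_write_permissions(SAMPLE_ACL, SAMPLE_ACCESSES, SAMPLE_GROUPS, TODAY)])
    print("Paths alice could have encrypted:", sorted(blast_radius(SAMPLE_ACL, SAMPLE_GROUPS, "alice")))
```

Note that bob's direct Modify grant on the Finance share is reported as unused even though he touched it once, because that access falls outside the 90-day window; the window length is the knob that trades cleanup aggressiveness against the risk of removing a permission someone needs only occasionally.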
Constantly review changes to permissions, including changes to security group membership, to detect and remediate improperly delegated access rights in a timely manner.
Monitor changes to Group Policy, including Software Restriction Policy settings, to ensure your application whitelists are not modified improperly.
Review all changes to the Windows registry startup keys, paying particular attention to the Run key settings. If ransomware has already changed these settings, Netwrix Auditor will show you the path to its execution file, facilitating the removal and remediation process.
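The persistence step described earlier (the malware edits the registry so it restarts after every reboot) and the review of Run key changes recommended here both come down to comparing the current autostart entries against a known-good baseline. The code below is an added example written for this paper, not Netwrix Auditor's own logic: it diffs two snapshots of the Run keys and then narrows the result to new or changed commands that run from a user-writable directory. Reading the live registry (for example with the `winreg` module on Windows) is left out so the example runs anywhere; the snapshots, the value names and the paths in them are constructed, and the list of user-writable directories is a heuristic chosen for this example.

```python
from typing import Dict, List, Tuple

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Directories any user can write to; an autostart command pointing there deserves a look
# (heuristic chosen for this example, not a rule from the paper).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

Snapshot = Dict[str, Dict[str, str]]    # key path -> {value name: command line}
Finding = Tuple[str, str, str, str]     # (change, key path, value name, command line)


def diff_run_keys(baseline: Snapshot, latest: Snapshot) -> List[Finding]:
    """List every Run value that was added, modified or removed since the baseline snapshot."""
    findings: List[Finding] = []
    for key in RUN_KEYS:
        old, new = baseline.get(key, {}), latest.get(key, {})
        for name, cmd in new.items():
            if name not in old:
                findings.append(("added", key, name, cmd))
            elif old[name] != cmd:
                findings.append(("modified", key, name, cmd))
        for name, cmd in old.items():
            if name not in new:
                findings.append(("removed", key, name, cmd))
    return findings


def suspicious_autostarts(findings: List[Finding]) -> List[Finding]:
    """Keep the added or modified entries whose command runs from a user-writable directory."""
    return [f for f in findings
            if f[0] in ("added", "modified") and any(h in f[3].lower() for h in USER_WRITABLE_HINTS)]


# Constructed snapshots: the baseline is taken from a clean machine, the later one after an incident.
BASELINE: Snapshot = {
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_KEYS[1]: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
}
LATEST: Snapshot = {
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_KEYS[1]: {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        # Invented entry standing in for a ransomware autostart; not a real sample.
        "WinUpdateSvc": r"C:\Users\alice\AppData\Roaming\winupd\updater.exe",
    },
}

if __name__ == "__main__":
    for change, key, name, cmd in suspicious_autostarts(diff_run_keys(BASELINE, LATEST)):
        print(f"{change}: {key}\\{name} = {cmd}")
```

The OneDrive entry also lives under AppData but is in the baseline, so it is never reported; the diff against a baseline is what keeps a legitimate per-user autostart from becoming a permanent false positive.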
Detect abnormal spikes in user activity on your file servers and quickly drill down into details to gain more insight.
Subscribe to threshold-based reports on user activity to be notified whenever a user exhibits behavior that matches a known crypto-ransomware pattern, such as modifying a large number of files in a short time.
Enable additional early warnings about activity that fits ransomware patterns with Netwrix Auditor threshold-based alerts.
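The threshold pattern behind the three points above ("a large number of files modified in a short time") is a sliding-window count per user over the file-server audit trail. The detector below is an added example written for this paper, not Netwrix Auditor's alerting engine: it parses constructed audit lines in a simple "timestamp user action path" format of this example's own choosing, keeps a per-user window of recent events, and raises one alert per user the first time the number of distinct files touched inside the window reaches the threshold. The threshold and window length are assumptions to be tuned against normal activity on a given server.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


def _make_lines(user: str, start: datetime, count: int, step_seconds: int) -> List[str]:
    """Build constructed audit lines: '<ISO timestamp> <user> MODIFY <path>' (this example's format)."""
    return [f"{(start + timedelta(seconds=i * step_seconds)).isoformat()} {user} MODIFY "
            rf"\\fs01\Finance\file{i:03d}.xlsx" for i in range(count)]


# Constructed sample log: alice rewrites 60 files in one minute, bob edits 5 files over ten minutes.
SAMPLE_LOG = sorted(
    _make_lines("alice", datetime(2016, 3, 10, 9, 15, 0), 60, 1)
    + _make_lines("bob", datetime(2016, 3, 10, 9, 10, 0), 5, 120)
)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(lines: List[str], threshold: int = 50,
                  window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, datetime, int]]:
    """Alert once per user when they touch at least `threshold` distinct files within `window`."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime, int]] = []
    alerted = set()
    for line in lines:                        # lines must be in time order
        ts, user, action, path = parse_line(line)
        if action not in ("MODIFY", "RENAME", "DELETE"):
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:          # drop events that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts


if __name__ == "__main__":
    for user, when, n in detect_bursts(SAMPLE_LOG):
        print(f"{when.isoformat()} {user} modified {n} distinct files within 60 s")
```

Counting distinct paths rather than raw events matters: a user saving one large document repeatedly produces many MODIFY events on a single file, while encryption touches each file once and moves on.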
Get a complete list of files and folders that were deleted by the infected user account and restore them granularly from backup instead of having to restore all file servers.
Netwrix Corporation was the first to introduce a visibility platform for user behavior analysis and risk mitigation in on-premises, hybrid and cloud IT environments. Founded in 2006, Netwrix has earned more than 100 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest-growing companies in the U.S.
Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations and access in hybrid IT environments to protect data regardless of its location. The platform provides security analytics to detect anomalies in user behavior and investigate threat patterns before a data breach occurs.
Netwrix Auditor includes applications for Active Directory, Azure AD, Exchange, Office 365, Windows file servers, EMC storage devices, NetApp filer appliances, SharePoint, Oracle Database, SQL Server, VMware and Windows Server. Empowered with the RESTful API and user activity video recording, the platform delivers visibility and control across all of your on-premises or cloud-based IT systems in a unified way.
More than 160,000 IT departments worldwide rely on Netwrix Auditor to detect insider threats on premises and in the cloud, pass compliance audits with less expense, and increase the productivity of IT security and operations teams.