Ransomware definition and defense – ShieldX


Dave Karp

March 27, 2020

Ransomware: Definition and Defense

What is ransomware? It’s likely you’re already at least somewhat familiar with this
form of cyber extortion, since there have been some high-profile attacks on companies and local governments. The basic ransomware definition is that it’s the subset of malware that attacks a system either by blocking normal access to programs on the system or by encrypting the data on the system with a key unknown to the victim. The victim is notified that a ransom must be paid, often by way of a cryptocurrency such as Bitcoin. Sometimes paying a ransomware demand will result in the system or the data being made available again, but there’s no real guarantee of that and plenty of victims have lost both their data and their money. A typical ransomware attack can impact both individuals and businesses, but perhaps the more insidious scenario is when an infection moves through a business, perhaps pivoting from an initial infection of an endpoint, and moves to encrypt and block the use of an organization’s primary databases. Because businesses can afford to pay more and stand to lose more from downtime, attacks have shifted toward a focus on businesses. It’s difficult to say how likely it is that a business will suffer a successful ransomware attack, but an interesting article examining several vendor studies suggests that about one third of the cybercrime incidents that are handled by professional incident response teams are ransomware.

Ransomware Statistics

Ransomware in the Data Center
Not only are businesses increasingly the focus of ransomware attackers, but
ransomware is especially harmful when it moves through a business’s infrastructure and specifically targets servers in the data center. These servers are traditionally protected by a “tiered” or “zone” architecture that separates the data center from the rest of the corporate network by routing network traffic through internal checkpoints such as firewalls. The move toward cloud- and container- based deployments, though, has meant that many organizations have gravitated toward “flat” architectures. This essentially means that ransomware on an endpoint system is one pivot away from access to key data stores.

How Does a Ransomware Attack Work?
There are two basic categories of ransomware: “locky” type and encryptor type. Roughly speaking, “locky” malware throws up a roadblock between you and your work, while encryptor malware actually makes your data at least temporarily unreadable and unusable. In either case, a victim typically is shown a “lock screen” that has a message asserting that the system has been encrypted (whether it really has or not) and demanding payment of a set sum of money for the system to be released. As a practical matter, payment of the ransom has yielded mixed results, depending both on the criminals and the kind of malware involved. Sometimes the malware is flawed and can be defeated without payment. In some cases, free ransomware decryption tools  have been developed to decrypt the ransomed data. That said, there are still plenty of malware variants that use strong encryption and are effectively unbeatable. In these scenarios, the victim can either pay up and hope the criminals provide a key that restores the data, or they can wipe their systems clean and start over from backups.

Ransomware Families of Note
While there are large numbers of different “species” of ransomware, most strains are variants of a few basic families of malware. Further, some groups of ransomware variants have had considerably more impact than others. Here are some of the more significant types of attacks that fall under the ransomware

AIDS / PC Cyborg
The impact of this malware, which dates all the way back to 1989, is that it was the first ransomware attack. An Harvard-degreed AIDS researcher gave away twenty thousand diskettes that contained not only a questionnaire to determine risk of AIDS infection, but also a piece of software that would load itself to PCs where it was run. The malware would then wait for the next 89 boot-ups of the system before encrypting the filenames on the hard drive of the computer (which was enough to render the system unusable). Payment was demanded by bank check mailed to a fake company called PC Cyborg with a post-office box in Panama. Computer security professionals quickly created a program that would decrypt the filenames and return the PCs to functionality. The story has some interesting twists and turns—including a butterfly conservatory–that make it well worth reading
about in more detail. After AIDS, there was a long period that was effectively free from ransomware attacks, a period that came to a definitive end in the early 2010s.

Young and Yung
One interesting development prior to the wider emergence of ransomware was a 1996 presentation of a proof-of-concept cryptovirus by Adam L. Young and Moti Yung. The two researchers recognized that a critical “flaw” in the AIDS virus was its use of symmetric cryptography, which perforce meant that the encryption key could be used for decryption and had to be embedded in the virus itself. The key could therefore be extracted (as it was) and it would be a straightforward matter to recover “kidnapped” files. The Young and Yung cryptovirus used RSA asymmetric key cryptography. The virus therefore contained only the encryption key. The private decryption key of the pair was held separately by the attacker. It was, in effect, the arrival of the current-day ransomware definition.

This attack appeared in late 2013 and was active until May of the following year. It infected Windows machines by way of malicious email attachments and by way of a pre-existing botnet called Gameover ZeuS. One significant “upgrade” in the effectiveness of the CryptoLocker attack was that it used RSA public-key cryptography, as Young and Yung had demonstrated, storing the private key of the keypair used to encrypt the victim’s files on the botnet’s command and control servers. CryptoLocker attacks came to a halt when a collective action carried out by law enforcement agencies from multiple countries took control of the Gameover ZeuS botnet. In the process, access was gained to the database of private keys and an online tool that would unlock the files of victims was created.

On the heels of CryptoLocker’s takedown, this family of ransomware became
widespread and effective, using AES encryption, CHM infection mechanism, and a command-and-control channel that ran over the Tor network.

In May 2017 this cryptoworm was estimated to have successfully infected more than 200,000 computers in over 150 countries. What was unusual about it was that

its attack vector was an exploit called EternalBlue, developed by none other than the United States National Security Agency (NSA). The exploit was stolen and released into the wild by a group called The Shadow Brokers some months before WannaCry appeared. Microsoft had issued patches for the vulnerability, but there were sufficient numbers of unpatched systems that the malware spread readily. Luckily, a “kill switch” was discovered within a few days of WannaCry’s emergence. This prevented infected computers from further spreading the malware.

There are numerous variants of GandCrab ransomware, all of which target
Windows systems. Perhaps the most interesting thing about this malware is that the syndicate behind it offered it for use by an affiliate program, essentially creating ransomware-as-a-service, beginning in early 2018 and continuing more than a year before, quite unexpectedly, the “service” shut down, announcing enough money had been earned and that it was time to retire the ransomware.

Ryuk Ransomware
What makes Ryuk stand out, aside from its being named after a Japanese manga character, is that it is designed to attack enterprise targets. Ryuk is a further- developed variant of ransomware called Hermes, but Ryuk itself is used only by one Russian crime syndicate. According to Crowdstrike, it has extorted payments in excess of 700 Bitcoin in the first half year after it emerged in late summer 2018.

While Clop was originally a no-frills variant on existing ransomware, it was further developed in 2019 and leading into 2020, becoming notable in part for the number of Windows services it shuts down in addition to the file encryption it performs. It was used with devastating effectiveness against Maastricht University, forcing the institution to pay €200,000 to restore its services.

Mac OS Ransomware
For most of ransomware’s history, the threat of ransomware in the Apple
Macintosh ecosystem was only theoretical, but in 2016 the KeRanger ransomware made its appearance, carried by an app called Transmission that, when launched, waited three days and then encrypted files. Apple quickly updated their XProtect antimalware application and essentially neutralized the threat. To date,

The Future of Ransomware? The Data Center
At present, local governments and municipalities, along with hospitals, are the targets of choice, presumably because they aren’t well defended and because the ordinary citizens they serve are highly impacted when these public-serving systems are offline. Increasingly, attackers are taking time to explore and understand the networks they are attacking and can pinpoint the most critical data stores and even
backup mechanisms. A primary obstacle in stopping this reconnaissance period and subsequent movement to key servers is that so many of today’s networks use a flat network architecture. With flat networks, you don’t have natural points where you can build checkpoints to detect malicious activity. Along the same lines, flat networks don’t have good mechanisms for monitoring east-west traffic. This means you won’t see ransomware as it propagates within the data center. You won’t have necessary tools like inline intrusion detection and, in the cloud, your access control may wind up being nothing more than IP-address- based Access Control Lists (ACLs).

ShieldX and Ransomware
What should most frighten enterprise security professionals about ransomware is the thought that data center operations could come to a standstill for the duration of a successful attack. Therefore, it stands to reason that the highest priority when it comes to ransomware is to stop the pivot of attacking malware from a desktop, end-user victim to the core of the network.

ShieldX offers unique features that prevent just this sort of pivot and attack propagation—microsegmentation coupled with full layer 7 DPI based lateral movement prevention. A software-based method for isolating endpoints on smaller, logical network segments, microsegmentation is especially relevant to the challenges of shifting security into cloud scenarios. The small scale of segments and the use of container-based security services means you can easily—and at scale—perform checks such as deep-packet inspection as packets traverse the boundaries of each microsegment. ShieldX automatically identifies related workloads, groups them into individually protected micro-segments, and maintains these groups dynamically as demand grows and wanes and new instances are spun up or wound down.

ShieldX offers a virtual patching capability that deals with the vital problem of reaction time. When a new ransomware variant emerges, it may be days or weeks before affected servers can be directly patched. Virtual patching allows you stop packets involved in that specific attack before they reach the server. Only microsegments with affected server workloads will be providing the specific needed patch, so chances for false positives on unaffected segments are eliminated. It’s clear that some major organizations are not protecting their infrastructures effectively when it comes to ransomware. We can expect continually worse data disasters until the safeguards are as sophisticated and adaptable as the attacks.

Final Thought:
Microsegmentation is not enough to prevent propagation of ransomware attacks in
the multi-cloud. Full layer-7, DPI-based threat detection and prevention are
mandatory controls to mitigate the risk of flat networks and vulnerable systems
that allow for ransomware attacks to propagate.