You can’t read the news these days without being blasted with yet another Ransomware story. Almost daily, there seems to be a new variant, a new name, and inevitably, new victims. The rise of Ransomware attacks shouldn’t come as a surprise, since its execution is quite simple and the demands on the victims are not onerous. Ransomware is not like an APT (Advanced Persistent Threat): there is no need for a long-term stealth operation, no need to explore the victim’s networks and resources, no need to steal credentials and no need to quietly and patiently exfiltrate sensitive data. With Ransomware, an exploit kit opens the door, and BANG, there it is: your PC is displaying a ransom note with detailed instructions on how to pay.
The business model is simple and works well for the bad guys, which is probably the main reason the trend has spread so quickly. The price is right: inexpensive enough for the victim to prefer paying over other options (like attempting recovery) and lucrative enough for the attackers. Exploit kits, like the most commonly used Angler, are available for a decent price, and even a support channel is provided for those who need help installing the preferred communication tool (the onion router, TOR) to ease the pain of payment.
Most Ransomware in operation today, such as Locky, TeslaCrypt, CryptoWall3/CryptoWall4, CryptoLocker etc. exhibit similar behaviors, which could be narrowed down to a few:
- Establish persistence: Ransomware wants to assure it maintains residence on your system, surviving reboots and user log-outs. To this end, the preferred way is to use the so-called “Run” keys (Software\Microsoft\Windows\CurrentVersion\Run).
Here is how Sentinel detects Ransomware persistence mechanisms:
- We also noticed that some Ransomware variants have a sense of humor – the created Key value was named “iamnotavirustrustme”:
- Prevent Recovery: Ransomware wants to assure that you cannot simply restore the system to its previously known good state. The two most common mechanisms are to delete volume shadow copies and disable recovery through the boot process.
- Encryption key management: Ransomware wants to communicate with its command and control (C&C) server to acquire an encryption key that is unique to your system. That way Ransomware can encrypt your files such that only the very specific key generated for your system can decrypt them, and thus allow system recovery.
- Make it easy to pay the ransom: Ransomware wants to provide clear instructions on how to pay. Known as the ransom note, these instructions come in a variety of forms, including htm, txt, png. Thus, Ransomware may launch a browser or a notepad to help display the ransom note.
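As an added example (not code from this post, and not SentinelOne's detection logic), here is a small Python detection pass over constructed, Sysmon-style endpoint events that flags three of the behaviours listed above (Run-key persistence from a user-writable location, shadow-copy deletion or boot-recovery tampering via the built-in `vssadmin` / `bcdedit` tools, and a ransom note being opened in a viewer) and then correlates them per originating process, so that a single weak signal does not alert on its own. The event schema, file paths, process names and the `HELP_DECRYPT.txt` note name are all assumptions made for the example.

```python
"""Correlate constructed endpoint events into the ransomware behaviours the
post describes. Example code only; the event format is an assumed,
simplified Sysmon-like dict, not any vendor's real telemetry schema."""
import re
from collections import defaultdict

# Constructed suspect: a masqueraded "svchost.exe" running from %TEMP% (assumed path).
TEMP_SVCHOST = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"

# Constructed sample telemetry: three malicious events plus three benign look-alikes.
SAMPLE_EVENTS = [
    # 1. Run-key persistence written by a binary in a user-writable directory
    {"event": "RegistryValueSet", "image": TEMP_SVCHOST,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iamnotavirustrustme"},
    # 2. Benign: a legitimately installed updater registering its own Run key
    {"event": "RegistryValueSet", "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    # 3. Shadow copies deleted, spawned by the suspect process
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": TEMP_SVCHOST},
    # 4. Boot-time recovery disabled, spawned by the suspect process
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no", "parent": TEMP_SVCHOST},
    # 5. Ransom note displayed via notepad, spawned by the suspect process
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Desktop\HELP_DECRYPT.txt", "parent": TEMP_SVCHOST},
    # 6. Benign: an administrator merely listing shadow copies from a console
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
    # 7. Benign: the user opening notepad from Explorer
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt", "parent": r"C:\Windows\explorer.exe"},
]

# Persistence: any value set under the Run / RunOnce keys the post names.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations an ordinary user can write to; legitimate software rarely persists from here.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Recovery inhibition: shadow-copy deletion and boot-recovery tampering.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
BOOT_RECOVERY_OFF = re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.IGNORECASE)
# Ransom-note display: a viewer launched by something living in a user-writable path.
NOTE_VIEWER = re.compile(r"\\(notepad|iexplore|chrome|firefox)\.exe$", re.IGNORECASE)


def classify(event):
    """Map one event to (behaviour, suspect_process), or None if it looks benign."""
    kind = event["event"]
    if kind == "RegistryValueSet":
        if RUN_KEY.search(event["target"]) and USER_WRITABLE.search(event["image"]):
            return ("persistence", event["image"])
        return None
    if kind == "ProcessCreate":
        cmd = event.get("cmdline", "")
        parent = event.get("parent", "")
        if SHADOW_DELETE.search(cmd) or BOOT_RECOVERY_OFF.search(cmd):
            # The built-in tool is only the instrument; attribute to the parent.
            return ("recovery_inhibition", parent)
        if NOTE_VIEWER.search(event["image"]) and USER_WRITABLE.search(parent):
            return ("ransom_note_display", parent)
    return None


def analyze(events):
    """Group flagged behaviours by the process that exhibited them."""
    findings = defaultdict(set)
    for event in events:
        hit = classify(event)
        if hit is not None:
            behaviour, process = hit
            findings[process].add(behaviour)
    return {process: sorted(behaviours) for process, behaviours in findings.items()}


def alerts(events, min_behaviours=2):
    """Only processes showing several distinct behaviours become alerts."""
    return {p: b for p, b in analyze(events).items() if len(b) >= min_behaviours}


if __name__ == "__main__":
    for process, behaviours in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {process}: {', '.join(behaviours)}")
```

The benign look-alikes (a Program Files updater registering a Run key, an administrator listing rather than deleting shadow copies, notepad launched from Explorer) are there to show why each rule carries a context condition: matching only on the registry path or only on the tool name would drown the real signal in noise.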
As always, there are exceptions. Take for example Petya Ransomware. Petya authors have decided to take a different yet shorter path - Petya encrypts the MFT (Master File Table) and overwrites the MBR (Master Boot Record). Your host reboots, and you get presented with a ransom note. No need to encrypt individual files. The whole process is very fast.
OK, so it’s obvious that Ransomware is a nasty type of attack. For individuals, it invades our privacy and hides our own pictures, documents and memories from us. It’s all very personal. For the enterprise, Ransomware affects productivity (and therefore the “bottom line”), but also the trust customers have in that business. Ransomware can practically stall basic business operations. And when it attacks soft targets, like hospitals, then Ransomware badness goes to the next level: it impedes a hospital’s most basic operation, which is to preserve and save lives.
A long time ago, back in 1966, Italian director Sergio Leone made the famous cult movie “The Good, The Bad and The Ugly”. So, on a lighter note, if there could be one, could we map those attributes to Ransomware? Clearly, all Ransomware is “Bad”. The “Ugly” goes to the Jigsaw variants, both for their use of the (ugly/scary) character from the “Saw” movie series and for the decision to start deleting files if the victim takes too long to decide what to do.
Finally, the “Mean” attribute goes to Petya family, due to its ability to not focus on files but on your MBR and MFT. Mean, indeed.