By Dr. Rob van der Staaij CISSP CISA CISM CRISC CEH CPT
Innopay Cybersecurity Lead
A new plague is afflicting humanity, called cryptoware or ransomware. Organisations around the world are hit hard by this type of malware that compromises information security by encrypting data, making it inaccessible to the legitimate users. To release the data, payments have to be made to the cybercriminals. Preferably using the Bitcoin as the payment method, since this cryptocurrency allows for anonymous payments. It is striking that the solutions that are usually suggested to reduce the risk of cryptoware are seldom adequate and sufficient enough.
A bit of history
The AIDS Trojan can be considered as the first real case of cryptoware. It is named after the World Health Organization’s AIDS conference in 1989, during which the trojan encrypted the files on the diskettes of the attendees. It took until 2006 before another cryptoware trojan was released, called Archievus. Archievus utilized a more advanced encryption method to encrypt everything in the My Documents folder of the Windows computers of the victims. Since 2013, cryptoware has been evolving and spreading at an ever increasing pace. Today, this type of malware outnumbers any other type of data breach. Cryptoware has become mainstream.
What is it and how does it spread
Cryptoware is a type of malicious software that blocks access to the victim's data by encrypting it, usually by a method called hybrid encryption. This is a combination of symmetric and asymmetric encryption. Some variants of cryptoware lock the master boot record, preventing the computer from booting. In theory, the following phases are involved with the classic cryptoware cycle:
- The cybercriminal generates an asymmetric key pair consisting of a public key and a private key (a). The public key is inserted into the cryptoware (b);
- When the victim activates the cryptoware (a) a random symmetric key is generated (b). This key first encrypts the data of the victim (c) and is then itself encrypted with the public key of the cybercriminal (d);
- A message is shown saying that the victim should pay a ransom to reveal the data.
- The victim sends the ransom along with the encrypted symmetric key to the cybercriminal;
- If the cybercriminal is nice, he or she decrypts the symmetric key with the private key that corresponds to the public key (with which the symmetric key was encrypted) (a). The symmetric key is sent to the victim (b), who will then be able to decrypt the data with it (c).
The cryptoware cycle
Infection commonly occurs because the victim opens an attachment in an email. Another way the cryptoware can enter the computer is through a vulnerability in a network service.
The code, in which the cryptoware is written, can be either clumsy or very sophisticated. It is fairly easy to create your own cryptoware based on open source software. Also, cryptoware creators are increasingly offering their products as cryptoware-as-a-service. Sometimes, the hand of its maker can be recognized in it. For example, the code of the Wannacry virus is likely to be linked to a state, possibly North Korea or China, making it clear that we have to endure these kinds of attacks not only from ‘ordinary’ cybercriminals but also from state actors.
What can you do about it
What organisations should not do at any time is pay the ransom. Only rarely is data released by the cybercriminal after the payment is made. Also, the business case of those deploying the cryptoware will be kept intact when paying, thus fuelling the malware economy.
Sometimes the key can be revealed from the cryptoware or can be reconstructed from pieces of the key that are left behind because of poor coding of the cryptoware. In some cases the private key has been obtained by investigation services and can thus be used to release the data.
In most cases the best way to deal with cryptoware is by implementing a consistent set of preventative and corrective measures. Here is how:
- The operating system of all devices of the IT infrastructure, including non-Windows computers and handheld devices, must be provided with the latest patches and updates;
- Risky and unnecessary services, such as SMB (Server Message Block) and RDP (Remote Desktop Protocol), should be disabled on Windows servers;
- Anti-malware software must constantly contain the latest signatures;
- Very important are the so-called indicators of compromise (IoCs), which are – as the name already implies – indicators that something might be wrong or malicious. Examples are strange network patterns, unexplained registry changes and suspicious account behaviour. Implementing a coherent environment of IoCs is not easy and involves many components of the IT infrastructure, such as intrusion detection systems/intrusion detection systems (IDS/IPS), anti-malware software, firewalls, proxies, email gateways, spam filters, and security information and event management (SIEM). IoCs work well for at least the known variants of cryptoware;
- Backup procedures should not only be adequate, i.e. based on a well thought out disaster recovery plan, but also be thoroughly tested;
- The integrity of filesystems and databases should be checked at regular intervals;
- The network infrastructure should be segmented, so that when any cryptoware is activated it will not easily spread to other network segments;
- Incident response procedures need to be efficient and effective. Part of this is to report the cryptoware to law enforcement, since we are dealing with a criminal offence;
- The lowest level of user privileges should be used to complete tasks on systems, avoiding admin privileges as much as possible;
- One of the most important controls is user awareness, since the cryptoware is almost always activated by an ignorant user. Users should be made less susceptible to social engineering attacks so that they are less tempted to open an attachment in an email message from an unknown sender. Moreover, risk aware users will report suspicious events sooner;
- A fancier control is luring the cryptoware into a bait folder that is stuffed with useless data. Meanwhile, an alert is sent to the administrator who subsequently will be able to disconnect the computer from the network and eliminate the malware before any real damage is done.
Cryptoware is on the rise and is here to stay. It will eventually strike your organisation as well. Are you ready to combat it?〈 Back to overview