Photo via Hillary/Flickr (CC-BY-SA)
Every type of malware has its heyday, a period where it enjoys booming success and makes headlines in all the major publications.
Ransomware is currently undergoing that stage at a very fast pace, and there’s no sign of it slowing down any time soon. It is inflicting major losses and damage to companies, organizations and individuals, and raking in millions of dollars for cyber-criminals, and there seems to be no ebb to the flow. This warrants the need for new approaches to fighting ransomware in particular, and malware in general.
What is ransomware?
Ransomware is a virus that locks a target device and denies access to the owner until a specific amount to the attacker behind its distribution. It comes in many flavors, the most prevalent being the crypto-ransomware, a breed of the malware that encrypts files and ransoms the victim for the decryption key. Its main method of distribution is through infected email attachments and hacked websites, but there are cases where other, more intricate and targeted methods are used.
Ransomware has been around for a while, but many elements lend to its recent success, the most important being the availability of strong encryption technology, the advent of untraceable crypto-currencies such as Bitcoin, and the development of anonymous networks such as TOR.
Ransomware comes in many flavors.
Ransomware is much more efficient and easier than other money-making hack schemes such as stealing credit card and banking credentials and hacking into financial accounts. There’s even a “ransomware as a service” option that allows inexperienced cyber criminals to run their own ransomware campaigns without having in-depth knowledge.
Thwarting ransomware is also very hard, which enables hackers to earn quick cash without being traced. Testament to the fact are instances where the FBI has suggested payment as the only recourse.
The growing threat
Ransomware has been traditionally targeted at individuals. But recent months have seen a spate of ransomware attacks against organizations, especially in the health sector. One of the reasons behind this shift in targets is that the victims are more likely to pay out the ransom in order to restore their operations. In one case, attackers swindled $17,000 from a Los Angeles medical center before handing over the keys to unlock the files. As victims have attested, in many cases, the damage resulting from not having access to critical files is much more intense than the ransom itself. Targeted hospitals were forced to revert to old pen-and-paper systems until the keys were acquired and the files were recovered.
One of the main reasons users fall victim to ransomware is the lack of cyber hygiene, which means not patching and updating operating systems and antivirus software, carelessly opening attachments and clicking on links contained in emails coming from unknown sources, recklessly browsing websites and clicking on ads, and not having offline backups of pertinent files.
A moving target
But also of concern are the sophisticated methods ransomware developers use to evade traditional security tools. Customary anti-malware solutions use a signature-based approach, which means they keep an updated database of virus definitions that they constantly compare against new files to detect and block malware.
Ransomware is much more efficient and easier than other money-making hack schemes such as stealing credit card and banking credentials and hacking into financial accounts.
This method is no longer able to deal with the constantly-shifting landscape of ransomware threats, experts say. “Signatures used by antivirus software today are matched to the exact ID and contents of the malware,” says Udi Shamir, Chief Security Officer at cybersecurity tech firm SentinelOne. “With the rapidly growing number of variants today, there’s simply no way signature based defenses can keep up.”
Signature-based detection can be circumvented by making modifications to the ransomware, such as changing or encrypting its binary code. “For example, with minor modifications a cybercriminal can take a well-known form of ransomware like CryptoLocker, and make it completely unknown to antivirus software,” Shamir explained. “Even the most minor tweaks, including a simple change to the file name of the malware, require a completely new set of signatures.”
A more successful approach is to detect ransomware based on behavior analysis instead of signature comparison. “While there are tens of thousands of new forms of malware detected each day, these variants maintain a common set of tactics and behaviors,” Shamir says. “If you can detect use of these common tactics you can cover a much larger volume of malware variants. This same principle exists with ransomware.”
A new generation of endpoint protection solutions is being developed based on this idea, which is to scan and vet running processes based on their behavior instead of binary signatures. “Once detected, any malicious processes are killed instantly, malicious files are quarantined, and endpoints are removed from the network to prevent any further spread,” Shamir says.
But behavioral analysis doesn’t plug all the holes. “Behavioral detection tools are more effective against new variants,” suggests Ronen Yehoshua, CEO of cybersecurity startup Morphisec. “But they still can be evaded by various techniques and come with their own set of problems, including false positives and resource intensive updating and monitoring.”
Moreover, Yehoshua suggests, some ransomware variants don’t use executables and take advantage of legitimate operating system services “to do their dirty job.” Without an executable, it’s very hard to detect a malware.
In many ways, ransomware has already marked itself as the landmark malware of 2016 and is poised to deal much more damage.
“Ransomware is the last part in an attack kill chain,” Yehoshua says. This is called the “payload.” The right way to prevent ransomware “is thwarting the attackers’ efforts to deliver the ransomware to a user’s machine,” he says.
Ransomware and other malware are delivered through “exploit kits,” hacking tools that search for known vulnerabilities in applications such as unpatched browsers or outdated plugins, and take advantage of them to install the payload on the victim’s workstation. Yehoshua suggests the moving target defense strategy adopted by his company, which uses evasion techniques to prevent the exploit kit from finding vulnerabilities and “stop the attack early in the kill chain, before the ransomware is even downloaded,” he explains.
As the name suggests, Morphisec’s solution morphs the structure of the application that exploit kits are looking for in a way that potential attackers will simply never find the application they are trying to exploit.
‘A new way of thinking’
Beyond tools and technology, organizations and firms “need a fundamentally new way of thinking about cyberattacks,” says Jens Monrad, consulting system engineer at security firm FireEye.
Monrad emphasizes that organizations and firms should focus on reducing the time it takes to detect and resolve a ransomware threat. “It still takes months for organizations to realize they have been compromised,” he says, “and the damages and potential risk of losing sensitive data or having your data encrypted with ransomware is very high.” A recent study by security firm Mandiant shows the average time for data breach discovery is 146 days.
Monrand suggests the adaptive defense model, which revolves around three core domains of technology, intelligence and expertise “to detect, prevent, analyze, and resolve ever-evolving tactics used by advanced attackers.”
This includes a combination of endpoint and network protection tools, threat intelligence sharing and storage platforms, and getting help from security firms that have the knowledge and experience to resolve and react to threats.
In many ways, ransomware has already marked itself as the landmark malware of 2016 and is poised to deal much more damage. For the moment, the end is nowhere in sight, so we need to learn more about the enemy and get our defenses up.
Cyber threats are getting smarter. It’s time for us to get smart as well.