Ransomware

Published on 02 Sep 2019 | Updated on 12 Jan 2021

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


OVERVIEW

WannaCry and NotPetya were two strains of malware that made headlines around the world in 2017. They had a relatively new feature: each was both ransomware and a “worm”. That meant it could spread on its own, unlike other ransomware, which is usually activated only when a person clicks on a link or attachment, and encrypt any reachable system that had the vulnerability it exploited, such as unpatched software.

Adversaries will continue to evolve their tools to get higher infection rates and returns. Since late 2018, targeted ransomware attacks on state and local governments have been on the rise. They include SamSam, Ryuk, RobbinHood and LockerGoga. These new strains are stealthier and more sophisticated, unlike the strains behind the 2017 WannaCry and NotPetya attacks, which relied primarily on e-mails or exploits to spread. Notably, the ransom paid in each of these incidents was far greater than the US$143,000 allegedly reaped from the WannaCry attacks, and this has certainly emboldened attackers into launching brazen campaigns targeting state and local governments in the United States. Although governments do not pay ransom as often as other targets, attacks on them generate immense media coverage because of the disruption they cause to essential services, sowing chaos and lowering public trust in governments.

In its annual publication, “Singapore Cyber Landscape 2018”, the Cyber Security Agency of Singapore (CSA) noted that 21 cases of ransomware were reported here last year. The true figure could be higher, since many such cases tend to go unreported. A survey conducted by Osterman Research on 175 small and medium-sized enterprises (SMEs) in Singapore in 2017 reported that one in three had experienced a ransomware attack in the previous year, and that one in five of those affected had even had to shut down their company.

Governments and international initiatives are helping organisations deal with ransomware attacks. In the United States of America, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) developed a recovery guide called “Data Integrity: Recovering from Ransomware and other Destructive Events”. Locally, CSA and the Singapore Police Force are supporting partners to the international “No More Ransom” project, which is a non-commercial initiative to assist victims of ransomware. For more information on how to prevent or recover from ransomware attacks, users can read related advisories by SingCERT and GoSafeOnline.

REPORTS

RANSOMWARE TACTICS AND TECHNIQUES

SPREADING RANSOMWARE VIA SOCIAL MEDIA PLATFORMS LIKE FACEBOOK

Traditionally, ransomware spreads via e-mail, after the recipient opens the attachment received. Now, adversaries are taking advantage of the popularity of social media platforms such as Facebook to spread their malicious software, or “malware”. A Facebook spam campaign targeting Facebook users was found earlier this year. Malicious messages containing Locky ransomware were spread via Facebook Messenger. Once a victim clicked on the message, the ransomware was downloaded and installed, and it then activated a program that spammed the victim’s Facebook friends with the same malicious messages without the victim’s knowledge.

NEW PAYMENT OPTIONS

In most cases of ransomware, adversaries demand bitcoins or other cryptocurrencies as payment to decrypt the victims’ affected data. Some ransomware now asks for nude photos before decrypting the data. Adversaries are also known to offer “helpdesks” where victims can negotiate their ransom payment.

1) Sending Nudes

Researchers at “MalwareHunterTeam”, an online collective made up of independent cybersecurity researchers who focus mainly on ransomware, identified a relatively new strain of ransomware, known as nRansomware. Victims of nRansomware were asked to send 10 nude pictures of themselves in order to unlock their computers. However, nRansomware does not affect the files. It locks the victim’s computer, preventing them from accessing it unless they enter the correct PIN.

2) "Share" ransomware with friends

Attacks will exploit what we may take for granted as relatively safe spaces, such as our personal Facebook pages. A new strain of ransomware, called Popcorn Time, tries to get the victim to infect others. If two of the people the victim infects pay up, the victim receives the decryption key. This is a means used by attackers to multiply the spread and impact of their ransomware.

However, when hit by ransomware, it is generally better not to pay up, whether with bitcoins or by any other means, as there is no guarantee that the hacker will decrypt the files as promised after receiving the payment. Backing up one’s data regularly is always a good practice, and a way to minimise the impact of a ransomware attack.

PREVENTING AND RECOVERING FROM RANSOMWARE ATTACKS

With the growing number of ransomware attacks, the National Institute of Standards and Technology (NIST) in the United States, together with vendors and businesses within the cybersecurity community, developed a recovery guide for organisations affected by ransomware. The guide offers ways to deal with ransomware attacks, identify and restore data, and better protect data within the organisation. NIST also encourages organisations to share with it their experiences and any advice on dealing with ransomware, so that the lessons learnt can in turn be shared with the larger community.

LOOKING TO THE FUTURE OF RANSOMWARE

Ransomware was originally intended to target individuals, but attackers are now targeting larger corporations or critical infrastructure in order to demand larger ransom sums for a higher return, in what is known as “Big Game Hunting”. Victims are selected based on existing vulnerabilities within their organisations, to improve the chances of success. These criminal actors have little to no interest in the consumer or individual; they are focused on causing disruption to large organisations for high-value payouts. Ransomware operations continue to get more creative in monetising their efforts by offering ransomware-as-a-service schemes, which has led to the rise in prominence of well-known ransomware like CryptoLocker and CryptoWall.

The rate at which the IoT is growing, combined with the widely reported insecurity of IoT devices, provides a whole new frontier for ransomware operators. After more destructive attacks globally against critical infrastructure, the stakes regarding ransomware are growing for both the public and private sectors. As organisations become increasingly reliant on IoT devices to run operations, a spike in ransomware attacks on connected devices may occur. Organisations should devote more attention and resources to managing cyber risks: develop incident response and crisis communications plans; deploy and regularly test robust backup systems; and have the relevant expertise to operate these systems and plans in times of crisis.

QUICK BYTES

WHY DOES RANSOMWARE STILL WORK?

Never pay the ransom! This is the general advice whenever ransomware strikes. However, the opposite still happens. Research into the psychology of ransomware conducted by De Montfort University in the United Kingdom identified three key principles that adversaries use which account for their success.

  • Scarcity: Associated with the limited time given by the adversaries, i.e. "Pay within 24 hours or data will be deleted."

  • Authority: Message appears well-written and credible, giving the victim the impression and confidence that the data will be decrypted/returned after the payment is given.

  • Liking: Use of popular cultural icons or texts that try to be engaging, to prompt the payment.

The research hopes to create awareness of such general tactics, so that more mitigation techniques against ransomware attacks can be developed.

SOURCES INCLUDE: Osterman Research, Bleeping Computer, Taiwan News, Motherboard Vice, Wired, NIST, and Digital Guardian