If you hadn’t heard of ransomware before Wanacry, you have heard of it now. Ransomware is malware built to deny a user access to their files, or to the system itself, until a ransom is paid. It slips past many security controls because its individual actions are not inherently malicious: it reads, encrypts and restricts access to data much as a legitimate encryption or backup tool would. The difference is that the wrong person holds the key.
Regaining access means paying the ransom, usually in Bitcoin, within an allotted period of time. Bitcoin is not untraceable: every transaction is recorded on a public ledger, but wallets are pseudonymous, so tying a payment address to a real person is difficult for cybersecurity researchers and law enforcement agencies. Security vendors typically encourage victims not to pay, for two main reasons: there is no guarantee that payment will actually restore access to the data, and every successful extortion funds and encourages further crime.
Ransomware can take many forms:
- Lockscreen – Locks the screen and prevents the user from accessing the system. In this case the files themselves are not encrypted.
- Encryption – Encrypts the victim’s files so the owner can no longer read them. Also known as crypto-ransomware, this is the most widespread form and, because of its prevalence and destructiveness, probably today’s most worrisome cyberthreat.
- Mobile device ransomware – Infects phones (typically Android) through “drive-by downloads” or fake apps.
- Master Boot Record (MBR) – Overwrites the disk’s boot record so that the machine displays a ransom message instead of starting the operating system.
The most recent wave of ransomware, “Wana Decrypt0r 2.0” (a.k.a. Wanacry), appeared on Friday, May 12th, 2017, and spread across the globe within hours. It is one of the first cases of worm functionality built directly into the ransomware itself: rather than waiting for a user to open an attachment, it scans for systems missing the MS17-010 patch (Microsoft’s March 2017 security update for a flaw in the SMBv1 protocol, the one exploited by the leaked EternalBlue exploit) and uses that exploit to deliver a copy of itself to each one, so a single infected host can compromise an entire unpatched network without any user interaction. (For a full breakdown of Wanacry’s origin, methodology, and current status, see Anomali’s page, Wanacry.)
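The worm behaviour described above has a network signature that is independent of the binary’s hash: one host suddenly opening TCP 445 connections to many distinct machines. The following script is an added example, not code from the original article or from Anomali; it runs a sliding-window “fan-out on SMB” check over a constructed, simplified connection log (timestamp, source, destination, destination port, action). The log format, the 60-second window and the ten-host threshold are assumptions chosen for illustration and should be tuned to your own telemetry.

```python
"""Flag hosts that show Wanacry-style SMB scanning in connection logs.

Added example, not part of the original article. The log format below is a
constructed, simplified netflow-like record, and the window and threshold
values are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.1.20 sweeps its /24 on TCP 445 (mostly hitting
# closed hosts), 10.0.1.30 talks repeatedly to one file server, and 10.0.1.40
# makes an ordinary HTTPS connection.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.20 10.0.1.5 445 ALLOW
2017-05-12T10:00:01 10.0.1.20 10.0.1.6 445 ALLOW
2017-05-12T10:00:02 10.0.1.20 10.0.1.7 445 DENY
2017-05-12T10:00:02 10.0.1.20 10.0.1.8 445 DENY
2017-05-12T10:00:03 10.0.1.20 10.0.1.9 445 DENY
2017-05-12T10:00:03 10.0.1.20 10.0.1.10 445 ALLOW
2017-05-12T10:00:04 10.0.1.20 10.0.1.11 445 DENY
2017-05-12T10:00:04 10.0.1.20 10.0.1.12 445 DENY
2017-05-12T10:00:05 10.0.1.20 10.0.1.13 445 DENY
2017-05-12T10:00:05 10.0.1.20 10.0.1.14 445 DENY
2017-05-12T10:00:06 10.0.1.20 10.0.1.15 445 DENY
2017-05-12T10:00:07 10.0.1.20 10.0.1.16 445 DENY
2017-05-12T10:00:10 10.0.1.30 10.0.1.2 445 ALLOW
2017-05-12T10:00:11 10.0.1.30 10.0.1.2 445 ALLOW
2017-05-12T10:00:40 10.0.1.30 10.0.1.2 445 ALLOW
2017-05-12T10:01:00 10.0.1.40 93.184.216.34 443 ALLOW
"""

SMB_PORT = 445
WINDOW = timedelta(seconds=60)  # assumption: length of the sliding window
THRESHOLD = 10                  # assumption: distinct 445 targets that count as a sweep


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on TCP 445 within any `window`-long span.

    Only sources fanning out to many destinations are flagged; a file server
    legitimately serving many clients is a *destination* on 445, so it does
    not trip the check. DENY'd attempts are counted on purpose: a worm probing
    a subnet hits closed or non-Windows hosts as well as vulnerable ones.
    """
    by_src = defaultdict(list)  # src -> [(timestamp, dst), ...] for SMB only
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, dport, _action = parse_line(raw)
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm scanning from {src}: "
              f"{n} distinct hosts on 445 within {WINDOW}")
```

Run against the sample it reports only 10.0.1.20. Wanacry also probed random Internet addresses on port 445, so outbound connections to external hosts on that port from workstations are worth alerting on as well, and blocking TCP 445 at the perimeter is one of the simplest ways to contain this class of worm.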
Unfortunately, incidents like Wanacry are only going to become more frequent and more complex. Tactics such as polymorphism and repacking, which give every new build of the malware a different file hash, make traditional signature-based detection nearly useless for warning of fresh samples, and that calls into question the usual first line of defense, antivirus software. This isn’t to say that people shouldn’t invest in or trust antivirus software, but rather that a single line of defense is no longer adequate: detection has to look at behavior (mass file encryption, unusual SMB scanning) as well as file signatures.
Another reason we’ll see more ransomware incidents is that launching one no longer requires the ability to develop malware. Ransomware-as-a-service packages are advertised on the Dark Web with assurances of untraceable infrastructure and even recommended ransom prices, so so-called “script kiddies” can buy and deploy malicious software at will.
The scope of targets is also growing. Industries such as healthcare were once thought to be off-limits because of the potentially fatal consequences, but a rise in attacks on hospitals has shown otherwise. Blocking access to a hospital’s records is quite literally a matter of life and death, and adversaries know that denying access to critical information is often more disruptive to an organization than leaking it. When lives are endangered, organizations are that much more likely to pay.
So one thing is certain: ransomware is here to stay, and it is constantly evolving. The natural follow-up question is “what can we do?” The exact measures depend on the kind of system you are protecting, but the basics are the ones you have heard before: back up your data, both to the cloud and to an external drive that is disconnected when not in use (a backup that stays mounted is just another volume for the ransomware to encrypt); update your systems and patch vulnerabilities promptly (in Wanacry’s case the MS17-010 patch had been available for two months, and disabling SMBv1 or blocking TCP port 445 at the perimeter stops the worm’s spread); and watch where you click.
Collaboration across organizations and individuals is also a highly effective method of prevention and mitigation. Different groups have different areas of expertise, and sharing indicators, experience and research on the various ransomware families blunts their effectiveness.
Our technical capabilities will inevitably progress as adversaries improve theirs. What isn’t guaranteed to progress is the public’s understanding of these attacks. This matters because most ransomware campaigns still depend on exploiting human behavior, even if a worm like Wanacry shows that they don’t have to. Social engineering isn’t a new concept, but it remains a persistent problem: a company can invest thousands of dollars in advanced security systems, but if one person clicks a link in a phishing email, everything grinds to a screeching halt. An individual might click a suspicious link without thinking twice simply because it looks like what they expected to find.
Preventing the next Wanacry will require more than following best practices; it will take a more widespread understanding of cybersecurity at the individual level. As technology becomes more ingrained in our lives, so too should our knowledge of how those systems can be abused. This is especially important as other kinds of systems, such as mobile phones and the Internet of Things (IoT), become more common and, inevitably, more exposed. As always, prevention is the best cure.