The Trouble with Ransomware

November 1, 2017 Emily Davidson

Fabian Ubogi, Sales Engineer at Intel Security, has a problem: nobody takes the threat of ransomware seriously enough.

“It’s going to happen to them. If it hasn’t already, it’s just a matter of time,” says Ubogi. “A lot of people thought ‘It’s not going to happen to me,’ and they’re now my customers. Because they got hit.”

What makes ransomware different from any other type of malware or virus? And why has it escalated to the point where Ubogi calls it a matter of “life and death” without a hint of exaggeration?

AN UNREASONABLE DEMAND

Ransomware evolved from the idea of a hacker using malware to encrypt data on a user or corporation’s device and refusing to decrypt it until they receive payment. This threat has existed since the 1990s, but until recently, it was considered an impractical ploy for the bad guys.

Why? Because attempts by hackers to secure blackmail funds through money orders or cash sent to P.O. boxes provided enough of a paper trail for police to track down the perpetrators. Ransomware attackers simply lacked a way for the victim to send payment without exposing the attackers to risk.

So ransomware never really took off until the advent of a more recent digital innovation: untraceable cryptocurrency.

MONEY MATTERS

In 2009, the inventors of Bitcoin introduced the world to a universal and completely decentralized form of cryptocurrency. The hacker community took notice.

Since Bitcoin transactions are not tethered to a physical location, they are extremely hard to track. The bad guys finally had the answer they were looking for. With an easy, risk-free way to collect payment, according to Intel Security, ransomware attacks spiked from 300,000 in the fourth quarter of 2014 to almost 800,000 in the first quarter of 2015.

THE USUAL TARGETS

The goal of ransomware is for the bad guys to sell a person’s data back to them after hacking into their system and blocking access to their files. So the target of these attacks is different than with other types of malware like keyloggers, spyware and botnets that simply exploit personal information.

Not to say that average users and employees aren’t affected by ransomware -- they are, and frequently -- but the most lucrative and terrifying targets are often governmental agencies.

“The biggest problem I see with the government sector is outdated security technology and the slow pace of upgrading. They simply don’t have the budget or the resources to implement the technologies they need to protect themselves.”

Ransomware attacks on government are widespread. In fact, the U.S. Congress suffered so many attacks this past year that they consulted Yahoo on how to protect their Yahoo Mail accounts, and then Yahoo was hacked. According to Ubogi, the mix of outdated technology and underfunded security measures in government IT makes it an enduring target for hackers.

“[Hackers] are aware of the situation, and they’re taking advantage of it. Protecting healthcare patients’ records and data is very important -- it could be the matter of saving a life or not,” he says.

THE RANSOMWARE ATTACK THAT CAUGHT HIS ATTENTION

In February 2016, the Hollywood Presbyterian Medical Center in Los Angeles was the target of a ransomware attack that denied employees access to the hospital’s computer network and medical records.

“The part that’s really scary is that the hospital had to shut down a lot of machines... the outage lasted for a week,” says Ubogi. “Patients had to be diverted to other hospitals, recordkeeping was maintained using pen and paper. And this infection came from a malicious link.”

After consulting and weighing options, the hospital decided to pay the ransom of 40 Bitcoins (around $17,000 USD) to retrieve access to their files as quickly as possible.

Ubogi says that the issue of paying out a ransomware attack is a contextual decision, but that he always advises against it for a simple reason: “If [hackers are requesting] a thousand dollars and the data is worth millions, there’s no issue. But hackers will see that if you paid once, you’ll pay again. It makes you a target.”

HOW TO AVOID YOUR OWN HOSTAGE SITUATION

Ransomware isn’t going anywhere. Ubogi admits that he tracks Google Alerts for new strains of the malware, with advances being made on a daily basis, especially when it comes to exploit kits. In the battle against ransomware, Intel Security is working with law enforcement agencies on operations against a number of ransomware families, but it won’t reveal the details. The company is also a founding member of the Cyber Threat Alliance: a group of leading cybersecurity solutions providers who have come together to share threat intelligence on advanced attacks and the tactics of the actors behind them.

When it comes to protecting your data from an attack, he recommends a two-pronged protection plan of vigilance and education.

“Be suspicious,” says Ubogi. “The majority of ransomware vectors come from email and websites. Every email, every link you click, you need to be suspicious. You need to start from there; it’s a mind state we need to change.” This means building a “human firewall” to stop users from letting ransomware onto their endpoints. People are the weakest link.

Next, consider spam and web gateway filtering technologies to keep ransomware from reaching endpoint devices in the first place. Then, apply all current operating system and application patches. Having the latest operating system, application versions and patches reduces the attack surface to a minimum. Lastly, use an application control method that will only allow whitelisted items to execute: blocking unauthorized executables on servers, desktops and fixed-function devices. These tips, when used together, can dramatically reduce the attack surface for most ransomware.

Going back to his first point, Ubogi says the most important step of all is still widespread training across every organization. “It comes down to more training -- as much as we don’t like it. We need more training to make us more aware of what threats are out there.”

WHAT TO DO WHEN YOU DETECT MALWARE

If you suspect your device has picked up malware or is being targeted for a ransomware attack, Ubogi doesn’t mince words about what you need to do next: “Quarantine and format.”

Do not enable macros in documents received via email until you know they’re safe. Then, write access control rules against targeted file extensions that deny writes by unapproved application processes. Doing so will complement your host intrusion prevention system with a similar strategy. Once a process is flagged as suspicious, send it to a security sandboxing appliance for further study.

Because, as he said before, it’s no longer a question of if you’ll be a victim of a ransomware attack, but when. The data supports his statement.
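The access control rule described in this section (deny writes to targeted file extensions by unapproved processes, then flag the offending process for sandboxing) looks like this when evaluated over file-write events. This is an added example, not code from Intel Security or the article; the extension list, the approved process paths and the sample events are assumptions constructed for illustration.

```python
import ntpath
from typing import NamedTuple

# Assumed policy for illustration: the extensions to protect and the processes
# approved to write them. Matching on path alone keeps the example short;
# production application control also checks the file's signer or hash.
PROTECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf"}
APPROVED_WRITERS = {
    r"c:\program files\microsoft office\root\office16\winword.exe",
    r"c:\program files\microsoft office\root\office16\excel.exe",
}

class WriteEvent(NamedTuple):
    process_path: str
    target_path: str

def normalize(path):
    """Lower-case, backslash-separated form so comparisons are consistent."""
    return ntpath.normcase(ntpath.normpath(path))

def target_extension(path):
    """Extension as Windows resolves it: trailing dots and spaces are ignored."""
    name = ntpath.basename(normalize(path)).rstrip(". ")
    return ntpath.splitext(name)[1]

def decide(event):
    """Deny a write to a protected extension unless the writer is approved."""
    if target_extension(event.target_path) not in PROTECTED_EXTENSIONS:
        return "allow"
    return "allow" if normalize(event.process_path) in APPROVED_WRITERS else "deny"

def evaluate(events):
    """Return per-event decisions and the processes to hand to a sandbox."""
    decisions, suspicious = [], []
    for event in events:
        verdict = decide(event)
        decisions.append(verdict)
        if verdict == "deny" and event.process_path not in suspicious:
            suspicious.append(event.process_path)
    return decisions, suspicious

# Constructed sample events (not taken from any real incident).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
UNAPPROVED = r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe"
SAMPLE_EVENTS = [
    WriteEvent(WORD, r"C:\Users\alice\Documents\budget.docx"),
    WriteEvent(UNAPPROVED, r"C:\Users\alice\Documents\budget.docx"),
    WriteEvent(UNAPPROVED, r"C:\Users\alice\AppData\Local\Temp\cache.tmp"),
    WriteEvent(UNAPPROVED, r"C:\Users\alice\Documents\Q3.XLSX."),
    WriteEvent(WORD.replace("\\", "/"), r"C:\Users\alice\Documents\notes.docx"),
]
```

The fourth event shows why the extension is normalized before the check: without stripping the trailing dot and folding case, a write to `Q3.XLSX.` would slip past a rule keyed on `.xlsx`.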

WE NEED TO BE PROACTIVE, AND WE NEED TO DO IT NOW

Ubogi’s ideal approach of increased security infrastructure and widespread education is possible when IT teams and corporations take the threat as seriously as he does.

He says that the era of the Internet of Things only throws more variables into the equation, because every new network-capable device in the workplace adds another opportunity for inter-perimeter infection. Everyone involved, from employees to CEOs to IT managers, needs to step up their game and be ready to repel the inevitable ransomware attack.

Because it’s coming.

 
