Ransomware poses a unique set of challenges. Arguably, it is one of the most versatile malware types. We saw it initially simply as a means of extorting ransoms from victims who wanted their encrypted files back. Not satisfied with that, the adversary has adapted ransomware techniques to other purposes, including other forms of extortion. In one case, the ransomware did not demand the usual bitcoins; rather, it extracted information as the "ransom" for decrypting the files. In another case, no ransom was demanded at all: the adversary simply destroyed all of the critical documents on the target. That is sometimes done as an act of political manipulation and sometimes for revenge of some sort.
There are several issues with ransomware that make it difficult to address. First, and most obviously, there is the encryption. Without the key, it typically cannot be reversed. For some strains there are tools that apply a recovered key, or take advantage of a weakness in the strain's implementation, to restore files. Unfortunately, these tools are unreliable because ransomware writers, the successful ones anyway, update their products frequently, making decryption a game of Whac-A-Mole.
Second, there is the infection vector. There are several, ranging from phishing, the most common, to drive-by downloads, watering holes and direct delivery, where the ransomware is placed on the victim directly, perhaps through an infected USB stick. Once it runs, the time to finish encrypting the target varies from about two minutes at the slowest to a couple of seconds at the fastest. Naturally, that depends on how many files are to be encrypted, where they reside, what kinds of files they are, and whether the entire disk is to be encrypted, sometimes along with the master boot record.
Our malware analysis environment (MAE) is a standalone server running VMware as a bare-metal hypervisor. Within the MAE we have several virtual machines, including most relatively current versions of Windows, a couple of Windows servers and some Linux. The zoo, our malware archive, is on Linux. The entire system is isolated from the rest of our network and, certainly, from the outside.
For our test ransomware we selected a relatively current version of Locky. We set up our target, a Windows 7 VM, with over 46,000 files in a couple of dozen folders. We snapshotted the target and proceeded to infect it. When we executed the malware directly on the victim, it took about three seconds to encrypt the target completely. With that as a benchmark, we reverted the VM to its clean snapshot and did our testing.
For at least one product we needed a Windows Server 2008 machine as well. We moved the files and folders from our victim machine to the server and shared them on the network. We then infected the victim machine, which, of course, attempted to encrypt the shared folders. The test was successful and we reverted both machines so that we could conduct our tests on the product that required that test bed setup.
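The measurement behind "about three seconds to encrypt the target completely" can be made repeatable rather than eyeballed. The following is an added example, not tooling from the original article or from any product under test: it builds a corpus of low-entropy documents in the layout described above (a handful of folders rather than 46,000 files, purely for speed), records a clean baseline by content hash, and after a run classifies every file against that baseline so that "encrypted completely" becomes a coverage number. The stand-in encryptor, the extensions in SUSPECT_EXTENSIONS and the ransom-note name patterns are assumptions made for the test bed, not a description of Locky's behaviour; on the snapshotted VM you would run the real sample instead and compare the result dictionary across reverts.

```python
"""Baseline-and-diff tooling for a ransomware test bed (added example)."""
import hashlib
import math
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions for the test bed, not a catalogue of real strains: extend these
# from what your own sample actually does on the snapshotted VM.
SUSPECT_EXTENSIONS = {".locky", ".zepto", ".odin"}
NOTE_MARKERS = ("_help_instructions", "_recover_instructions", "readme_for_decrypt")

# Constructed document filler; low entropy, like real office text.
FILLER = b"Quarterly report: revenue up, costs flat, see attached tables.\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit well below 6, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_corpus(root: Path, folders: int = 4, per_folder: int = 25) -> int:
    """Populate root with low-entropy documents, mirroring the victim VM layout."""
    for f in range(folders):
        d = root / f"folder{f:02d}"
        d.mkdir(parents=True, exist_ok=True)
        for i in range(per_folder):
            (d / f"doc{i:04d}.txt").write_bytes(FILLER * (64 + i % 5))
    return folders * per_folder


def manifest(root: Path) -> dict:
    """Map relative path -> sha256 of contents; this is the clean baseline."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def simulate_encryption(root: Path, folders: list, ext: str = ".locky") -> None:
    """Stand-in for the sample (assumed behaviour): overwrite each file with
    random bytes, rename it to a hex name with a suspect extension, drop a note."""
    for folder in folders:
        d = root / folder
        for p in list(d.iterdir()):
            if p.is_file():
                p.write_bytes(secrets.token_bytes(p.stat().st_size))
                p.rename(d / (secrets.token_hex(16) + ext))
        (d / "_HELP_instructions.txt").write_text("your files are encrypted\n")


def assess(baseline: dict, root: Path) -> dict:
    """Classify the post-run tree against the clean baseline."""
    current = manifest(root)
    r = {"intact": 0, "modified": 0, "missing": 0,
         "new_suspect_ext": 0, "new_high_entropy": 0, "ransom_notes": 0}
    for rel, digest in baseline.items():
        if rel not in current:
            r["missing"] += 1          # deleted, or encrypted and renamed
        elif current[rel] == digest:
            r["intact"] += 1
        else:
            r["modified"] += 1         # encrypted in place, name kept
    for rel in current.keys() - baseline.keys():
        p = root / rel
        if p.suffix.lower() in SUSPECT_EXTENSIONS:
            r["new_suspect_ext"] += 1
        if any(m in p.name.lower() for m in NOTE_MARKERS):
            r["ransom_notes"] += 1
        elif shannon_entropy(p.read_bytes()) > 7.5:
            r["new_high_entropy"] += 1
    total = len(baseline)
    # Coverage: share of baseline files the run managed to take away from us.
    r["coverage"] = (total - r["intact"]) / total if total else 0.0
    return r


def demo() -> dict:
    """Full cycle in a scratch directory: baseline, run, assess. Returns both results."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-testbed-"))
    build_corpus(root)
    base = manifest(root)
    before = assess(base, root)
    simulate_encryption(root, ["folder00", "folder01"])   # hit half the folders
    after = assess(base, root)
    return {"files": len(base), "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Coverage counts any baseline file that is no longer intact, whether it was encrypted in place or renamed, so it is the number to compare across products and across reverts. The same diff against a clean baseline is worth running on a backup set before restoring it, since a backup taken after infection carries the encrypted files and the dropper with it. The entropy test is only applied to files absent from the baseline: compressed formats such as .docx and .jpg are near 8 bits per byte when healthy, so for those the hash comparison against the baseline, not entropy, is the reliable signal.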
There are three phases to a ransomware attack. The pre-attack, or pre-infection, phase can also be thought of as the delivery phase. The attack, or infection, phase is where encryption takes place on the victim machine. The post-attack phase is the recovery phase. Unless you address all three phases of the ransomware lifecycle, you run the risk of the ransomware remaining in your system and, worse, of being unable to recover your encrypted files.
Unfortunately, a lot of conventional wisdom has been to depend on backups. Please don't misunderstand: backups are critically important, but they come with their own problems, such as restoring the malware along with the data and starting the infection over again. Clearly, this is not an easy issue with which to grapple. The adversary knows this, and new strains of ransomware are proliferating at a remarkable rate; we sometimes see several new ones weekly. Not all of them are killer malware, of course. Many are clumsy rewrites of existing products, some built from source code that leaked into the wild; others are more virulent and harder to clear out of the target.
For all of that, most experts predict a banner year for ransomware, with some predicting losses in the billions of dollars. With those kinds of numbers, it's little surprise that the ransomware industry is flourishing.
Specification Matrix for Ransomware Management

| Company Name | On-Prem | Cloud | Virtual Appliance | Physical Appliance | Stops attack at Phase 1 (delivery: phishing, drive-by, etc.) | Stops attack at Phase 2 (infection) | Recovers from attack at Phase 3 (e.g., restore from backup) | Measures to prevent backing up the malware | Removes ransomware | Prevents reinfection |
|---|---|---|---|---|---|---|---|---|---|---|