About the author
Nir Gaist, Founder and CTO of Nyotron, has worked with some of the largest Israeli organizations, written the cybersecurity curriculum for the Israel Ministry of Education, and holds patents for Behavior Pattern Mapping.
Ransomware has long been a menace for organizations and consumers. Global damage cost estimates reach about 10 billion USD per year. After all these years, why does ransomware continue to be so good at being so bad? The answer is a combination of the security industry’s history of largely ineffective responses to ransomware and how ransomware developers use psychology to trick users into thinking they’re responding to requests from a colleague or even donating Bitcoins to a children’s charity.
Ransomware is hardly new: it has been around since 1989. Yet it remains one of the most common and successful attack types. According to reports, there were over 180 million ransomware attacks in the first six months of 2018 alone. The adoption of cryptocurrencies and Tor, which let attackers collect payment and host infrastructure with little exposure, has amplified the prevalence of ransomware dramatically.
“Even with billions upon billions of dollars invested in cybersecurity and decades of companies deploying firewalls and antivirus solutions, ransomware still succeeds. Understanding why requires examining how the malware functions, and why our existing approaches to fighting it keep failing.”
Every 14 seconds, an organization somewhere in the world falls prey to a ransomware attack. Nor are the attackers narrow in their focus: a single campaign typically targets many organizations and users at once. Think back to the global WannaCry attack, which resulted in losses of almost $4 billion.
How ransomware works
For this discussion, the details of how a particular attack gets inside a system or an organization, i.e., its "attack vector," are beside the point. It can be phishing, exposed RDP or any other avenue ransomware developers leverage to get in.
Instead, let's look at what happens when ransomware actually interacts with your file system and encrypts data. First, the ransomware process (or processes) locates the files it wants to encrypt. Targets are most often selected by file extension and cover your most valuable assets, such as Microsoft Office documents or photos, while operating system files are left intact so the system will still boot and display the ransom note. Then the malware encrypts each file's data in memory, writes the result back to disk and destroys the original, using one of three routes.
One route ransomware takes is to save encrypted data into a new file and then delete the original.
Another option, and probably the most devious one, is to write the encrypted data into the original file itself. In this case the original file name and extension are left intact, which complicates recovery: by name alone you can no longer tell an encrypted file from one that hasn't been touched.
A third method is for ransomware to create a new file like in the first option, but then instead of the delete operation use rename to replace the original file.
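To make the three routes concrete, here is an added simulation (example code written for this article, not malware code from the original page) that applies each route to a single victim file in a scratch directory and records the sequence of file-system operations a monitor would observe. The "cipher" is a fixed-key XOR placeholder, not encryption, and the `.locked` and `.tmp` extensions, the file name and the file content are all constructed for the demo.

```python
import os
import tempfile

# Placeholder transform standing in for the malware's cipher: a fixed-key XOR.
# It is NOT encryption; it only makes the demo's bytes unreadable and reversible.
KEY = bytes.fromhex("5a6c9e13c0ffee42")  # constructed, arbitrary


def xor_transform(data: bytes) -> bytes:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def read_file(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


class Trace:
    """Performs file operations and records what a file-system monitor would see."""

    def __init__(self):
        self.ops = []

    def create(self, path, data):
        with open(path, "xb") as f:       # "x": fail if the path already exists
            f.write(data)
        self.ops.append(("create", os.path.basename(path)))

    def overwrite(self, path, data):
        with open(path, "r+b") as f:      # existing file, write from offset 0
            f.write(data)
            f.truncate()
        self.ops.append(("write", os.path.basename(path)))

    def delete(self, path):
        os.remove(path)
        self.ops.append(("delete", os.path.basename(path)))

    def rename(self, src, dst):
        os.replace(src, dst)              # atomic replace on POSIX and Windows
        self.ops.append(("rename", os.path.basename(src), os.path.basename(dst)))


def route_new_file_then_delete(t, path):
    """Route 1: ciphertext goes to a new file, then the original is deleted."""
    t.create(path + ".locked", xor_transform(read_file(path)))  # assumed extension
    t.delete(path)


def route_overwrite_in_place(t, path):
    """Route 2: ciphertext is written over the original; name and extension survive."""
    t.overwrite(path, xor_transform(read_file(path)))


def route_new_file_then_rename(t, path):
    """Route 3: ciphertext goes to a temporary file that is renamed over the original."""
    tmp = path + ".tmp"
    t.create(tmp, xor_transform(read_file(path)))
    t.rename(tmp, path)


SAMPLE = b"quarterly figures: region north 1200, south 980\n" * 40  # constructed content


def run_route(route):
    """Apply one route to a single victim file in a scratch directory.

    Returns (operations observed, files left behind, whether the plaintext survives).
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "budget.docx")
        with open(victim, "wb") as f:
            f.write(SAMPLE)
        t = Trace()
        route(t, victim)
        left = sorted(os.listdir(d))
        plaintext_survives = any(read_file(os.path.join(d, n)) == SAMPLE for n in left)
        return t.ops, left, plaintext_survives


if __name__ == "__main__":
    for route in (route_new_file_then_delete, route_overwrite_in_place,
                  route_new_file_then_rename):
        ops, left, survives = run_route(route)
        print(f"{route.__name__}: ops={ops} left={left} plaintext_survives={survives}")
```

The traces are what the detection techniques discussed below have to work with: route 1 produces a new file with a foreign extension plus a delete, route 2 produces nothing but an in-place write to a file whose name never changes, and route 3 produces a create followed by a rename. In every case the plaintext is gone once the route completes.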
After completing the encryption process, the infamous ransomware note is displayed. We know that part of the story quite well from the news coverage.
Security industry falls short
Now that you have an understanding of how ransomware interacts with files to encrypt and destroy the originals, let’s examine the five most common solutions the security industry has developed to thwart these attacks. Unfortunately, none of them have proven to be consistently effective.
First up: static file analysis, the same technique used for malware detection in antivirus, anti-malware or EPP products. These products inspect a file before it runs, looking for known malicious code sequences and strings, such as lists of commonly targeted file extensions or words that often appear in ransom notes (e.g., Bitcoin, encryption, etc.). It's a signature- and machine learning-based method for detecting malicious code.
There are some pros to this approach, including generating low false positive (FP) rates. It is uncommon for a signature-based antivirus to flag a benign file as malicious, and that’s critical because security professionals are overwhelmed by false alarms and suffering from alert fatigue. Another very important point is that this technique doesn’t wait for ransomware to execute, but stops the attack before execution so no harm is done and zero files are encrypted.
However, static analysis has proven to be too easy for attackers to bypass. Malware writers use packers, crypters and other tools to obfuscate and change their signatures. It is well-known in the industry that efficacy of most modern antivirus and next gen antivirus solutions is somewhere around 50-80 percent, meaning up to half of attacks go undetected.
The Nyotron Research Team recently conducted a study of the efficacy of leading antivirus tools and not against new, advanced attacks, but against old, known malware that has been around for years (and in some cases for decades). The various tests we performed include a simple modification of old malware to ever-so-slightly change its signature. The result: a dramatic reduction in detection efficacy, in some cases dropping to as low as 60 percent. Again, this is for old, known malware.
A second technique relies on a blacklist of the file extensions ransomware typically gives to the files it has encrypted. The benefits are similar to the prior technique: a low false positive rate, and it may be able to stop the encryption immediately, so no harm is done and no files are encrypted.
However, it too is easy to bypass. All the ransomware needs is a new or randomly generated extension. For example, CryptXXX and CryptoWall variants used random extensions instead of a fixed one. Alternatively, ransomware can keep the original file names along with the original extensions, as in the overwrite-in-place route described above.
A third technique is the use of so-called "honey pot files": decoy files are planted on the system and monitored, and any attempt to modify them is treated as an attack. However, it does have quite a few downsides, including:
- As other tools as well as users might touch those bait files, there is a chance of FPs
- Not all damage will be prevented, as many files will likely be encrypted before the ransomware touches a decoy file
- And of course, ransomware may simply avoid the decoys, for example by skipping hidden files and folders (which are the ones that tend to be decoys).
The fourth detection technique is monitoring the file system for mass file operations such as rename, write, or delete within a certain period of time. If a defined threshold is exceeded, the offending process will be terminated. The benefit here is that it doesn’t rely on some specific signature or file extension, but rather on an abnormal activity typically associated with ransomware.
However, some files will be encrypted until that defined limit is exceeded. Malware can also bypass this detection method by using a “low and slow approach” like adding delays between encryptions or by spawning multiple encryption processes.
The fifth notable method is tracking file data change rate. The security product performs an entropy calculation to measure the randomness of data in a file. And like with the previous method, after a certain threshold of change is detected, that’s when the offending process will be deemed malicious and terminated.
This method benefits from fewer FPs than the previously mentioned dynamic techniques. Downsides include the fact that files will be encrypted until a level of confidence is reached, so not all damage is blocked. This technique can also be bypassed by encrypting only parts of files, or by encrypting in chunks, so that the measured change per file stays under the threshold. And as with the previous method, spreading the work across multiple processes is an effective evasion technique.
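The fourth and fifth techniques, and the evasions the text describes for them, can be reproduced in a few dozen lines. The following is an added example written for this article (not a product's detection logic and not code from the original page): a sliding-window operation-rate detector and an entropy-jump detector are replayed against four constructed write-event streams of 100 files each. Thresholds, process IDs, timings and the sample content are all assumptions chosen for the demo; the "ciphertext" is deterministic SHA-256 output standing in for random bytes so the run is reproducible.

```python
import hashlib
import math
from collections import defaultdict, deque

# Constructed sample content. PLAIN stands in for a document; CIPHER for its fully
# encrypted form (SHA-256 output used as stand-in random bytes); PARTIAL encrypts
# only the first 256 bytes of 4096.
PLAIN = (b"Quarterly revenue by region, draft v3. " * 110)[:4096]
CIPHER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PARTIAL = CIPHER[:256] + PLAIN[256:]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RateDetector:
    """Method 4: flag a process that exceeds max_ops writes inside a sliding window."""

    def __init__(self, max_ops=20, window=5.0):   # assumed thresholds
        self.max_ops, self.window = max_ops, window
        self.recent = defaultdict(deque)           # pid -> timestamps of recent writes

    def observe(self, pid, ts, before, after):
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_ops


class EntropyDetector:
    """Method 5: flag a process after max_hits writes that turn low-entropy content
    into high-entropy content, a jump that ordinary edits rarely produce."""

    def __init__(self, min_jump=3.0, max_hits=3):  # assumed thresholds
        self.min_jump, self.max_hits = min_jump, max_hits
        self.hits = defaultdict(int)               # pid -> suspicious writes seen

    def observe(self, pid, ts, before, after):
        if shannon_entropy(after) - shannon_entropy(before) >= self.min_jump:
            self.hits[pid] += 1
        return self.hits[pid] >= self.max_hits


def simulate(events, detector_cls):
    """Replay (pid, timestamp, content_before, content_after) write events against a
    fresh detector. The detector sees each write after it has completed; a flagged
    process is terminated and writes nothing more. Returns files encrypted."""
    det = detector_cls()
    terminated = set()
    encrypted = 0
    for pid, ts, before, after in events:
        if pid in terminated:
            continue
        encrypted += 1
        if det.observe(pid, ts, before, after):
            terminated.add(pid)
    return encrypted


# Four constructed scenarios, 100 victim files each.
def fast_single_process():        # naive: one process, full files, 10 ms apart
    return [(1000, i * 0.01, PLAIN, CIPHER) for i in range(100)]


def low_and_slow():               # one write per second
    return [(1000, i * 1.0, PLAIN, CIPHER) for i in range(100)]


def ten_worker_processes():       # the work spread over ten processes
    return [(2000 + i % 10, i * 0.01, PLAIN, CIPHER) for i in range(100)]


def partial_encryption():         # only the first 256 bytes of each file
    return [(1000, i * 0.01, PLAIN, PARTIAL) for i in range(100)]


if __name__ == "__main__":
    for scenario in (fast_single_process, low_and_slow,
                     ten_worker_processes, partial_encryption):
        print(f"{scenario.__name__:22} files encrypted before termination: "
              f"rate={simulate(scenario(), RateDetector):3} "
              f"entropy={simulate(scenario(), EntropyDetector):3}")
```

Against the naive scenario both detectors fire, but only after 21 and 3 files respectively have already been encrypted. Pacing writes one second apart keeps the rate detector silent for all 100 files; splitting the work across ten processes keeps every per-process count under the threshold and multiplies the damage the entropy detector tolerates tenfold; encrypting only the first 256 bytes of each file keeps the entropy jump small enough that the entropy detector never fires at all. Each evasion is the one the text attributes to ransomware in the wild, and none requires anything more sophisticated than a timer or a second process.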
“Most modern security products attempt to leverage the combination of some or even most of these techniques in order to increase their efficacy with various degrees of success. But if we look at some of the more recent examples of ransomware in the wild, we see why none of these approaches have proven effective.”
CryptoMix, or its latest variant DLL CryptoMix, isn't overly spectacular as far as the technology itself goes, although it did bypass one of the leading antivirus products installed at one of our customers. What sets CryptoMix apart is the approach the attackers took to increase the likelihood their victims will pay the ransom.
They claim to be from a charity organization helping sick children, such as International Children Charity Organization. They even have profiles of real children in need, banking on the hope that victims will be more likely to pay if they think a percentage goes to charity. I assure you no money actually goes to any children. Diabolical!
LockerGoga is the ransomware that halted production at at least one Norsk Hydro facility, resulting in an estimated loss of $40 million. According to reports, Norsk Hydro actually had a next gen antivirus product installed, but LockerGoga was able to evade it. It spawned multiple processes to encrypt files in order to bypass security products: even if one process touches bait files or gets terminated by a ransomware detection technique, the others continue to encrypt. At least one sample of LockerGoga even carried a valid digital signature, making it more trustworthy to static analysis techniques. The encryption itself was very slow, but that may be exactly what allowed it to stay undetected long enough to cause significant havoc.
Chimera is not a new ransomware, but it remains unique in its claim that if the victim doesn’t pay, the attackers will release sensitive data, including photos and videos, onto the Internet with your contact information. Whether they actually do it or not, depending on who you are and what data you possess, this can certainly encourage you to pay up.
Of course, no list of ransomware is complete without WannaCry. After all, it's probably the most famous ransomware: it impacted about 150 countries and hundreds of thousands of systems, and resulted in an estimated $4 billion in total economic loss.
What makes WannaCry even more frustrating is that it was completely preventable. The only thing organizations had to do to stay safe was to be up to date with their operating systems and the latest patches. Microsoft released the patch against the underlying vulnerability almost two months prior to the attack.
Defending against ransomware
WannaCry teaches a key lesson for all organizations: stay up to date with all patches.
“Your organization may still struggle with basic asset management. In other words, you don’t know what you have. And if you don’t know what you have, how can you protect it?”
Implement a solid backup strategy. You may already have one in place to guard your servers, whether on-premises or in the cloud. However, it’s important to realize your endpoints are also at risk because that’s where at least some of your company’s IP may reside.
Finally, most security solutions and processes only chase “the bad” and that’s a game of cat-and-mouse you can’t win. There is practically an infinite number of malware in the wild, and it just takes one successful attack to cripple your IT systems.
Complement your existing security layers with an approach that does the exact opposite: ensuring what's good. Note I use the word "complement." I am not advocating that you stop using your existing solutions. Although a single detection technique may not be very effective, the combination of a few provides some level of protection against commodity ransomware. Combine these tools with ones that track the good by applying a whitelisting-like approach. This not only creates a true defense in depth model, it also serves as the last line of defense against malware and ransomware that is able to evade your frontline defenses like antivirus.
Nir Gaist, Founder and CTO of Nyotron