In the year 2016, a typical ransom ranging from $200 - $ 10K was paid by organizations to the cyber attackers. Our prediction holds true for the year 2015 - 2016 where there was a 72% increase in ransomware attacks. As the cyber-attacks are increasing, this number for the year 2017 is going to increase. The recent ‘WannaCry’ ransomware attacks is just the tip of the iceberg.
When cyber attackers attack a system, and ask for ransom, it is a very difficult to trust that the files will get encrypted as they are not a legitimate organization. There is certain ransomware that look for your backup and try to delete them. Ransomware can arrive from different file types including DOC, .XLS, .JPG, .ZIP, .PDF, and other commonly used file extensions. It can also arrive on system in java script attachments.
Ransomware targets the following files- Database files (96%); Website files (75%); SQL files (81%); Tax files (22%); CAD files (70%) and Virtual desktop files (19%). Ransomware operators that target the files. It uses the company’s data as well as the customer’s data which is critical to the business functioning. Apart from brand and reputation damage it can cause business destruction by halting productivity and service delivery; loss of data on customers and core competencies that is critical to your competitiveness and legal and regulatory implications.
Demystifying the ‘WannaCry’ Ransomware:
WannaCry ransomware encrypted 176 file types in 27 languages. A ransom of $300 ransom was asked to encrypt the files. Also, it came with a 7 day timer, where they said if the ransom was not paid in 7 days, the data will be destroyed. This is similar to any other ransomware. However, the Microsoft vulnerability that WannaCry uses sets it apart from other ransomwares.
This ransomware tries to exploit MS17 – 010 Microsoft vulnerability. This vulnerability affects the SMB Version 1. Server Messaging Block is a protocol which was developed in 1990s. It leverages port 445 and 139. This SMB servers handles certain requests. So, an attacker who can successfully exploit this vulnerability could gain the ability to execute control over the targeted server. To exploit a vulnerability in more situations, an unauthenticated attacker would send us specifically crafted package to a SMB server.
WannaCry tries to exhibit worm like characteristics by leveraging this particular vulnerability in the protocol and spreading itself, which is why the effect of this ransomware is very large.
The mechanism called ‘Kill Switch’:
The other strike of hope came from Malware Tech, who were working to reverse-engineer samples of the WannaCry virus on Friday, when they discovered that the ransomware programmers had built it to check whether a certain gibberish URL led to a live web page. That was hard coded in the ransomware mail body. If someone registered in that domain, the ransomware stopped. So, they registered themselves in this domain. This $10 investment was enough to shut down temporarily. If the domain was unregistered and inactive, it had no effect on the ransomware spread. The moment the ransomware checked that the URL is active, it shut down. Malware writers put this Kill switch in their code to destroy the malware at any given point of time. What we now know is that the latest variant of WannaCry has no Kill switch.
Lifecycle of the Ransomware:
The vulnerability used in this attack was code named ‘Eternal Blue’, a handiwork of a cyber-gang called ‘Shadow Brokers’, which was allegedly stolen from the National Security Agency (NSA). This vulnerability was exploited to drop a file from the vulnerable system, which would then be executed as a service. This would then drop the ransomware file onto the affected system. Encrypted files with. WNCRY file extension. They also dropped a separate component file for displaying the ransom note. Files with a total of 176 extensions including those commonly used by Microsoft Office, Database file archives, multimedia files and various programming languages were used. The files searches for other SMB in the network and it uses this vulnerability to spread to other systems.
This ransomware has got a very unusual worm component. It would scan for and attempt to compromise using the same vulnerability machines on both its LAN and on the internet. This was done on the service before the ransomware was dropped and run. On the internet it scans on the random IP addresses to see if it has an open port or a file port. If it find an open port, it scan devices on the same range. This means that if WannaCry enters an organisation network, it could spread within it very rapidly.
Machine in sleep mode? You might be lucky
Based on the analysis and simulations done for WannaCry, the ransomware attack will not be successful if the machines are in sleep mode. Even if the TCP port file are unpatched. WannaCry ransomware arrives in the PC via open or unpatched TCP port 445. When the machine is in sleep mode ransomware receives a socket error and skips that machine and moves to the next IP.
What happens when you wake up?
When user wakes machine from sleep mode, any of these three things can happen:
1. If affected machine’s LAN was enumerated but in sleep mode. WannaCry skips it - no infection when machine wakes up
2. If affected machine is restarted, LAN scanning is triggered again – WannaCry queries domain used as kill switch - WannaCry exits and skips propagation and encryption routines
3. User wakes up non-infected machine within infected network – No infection
· Back-up and restore - Automated: 3 copies, 2 formats, 1 air-gapped from network
· Put Control Access in place: Limit access to business-critical data
· Patch: minimize vulnerability exploitation
· Don’t pay the ransom: Pay-offs encourage further attacks
· Educate employees on phishing: Awareness, best practices, simulation testing
· Improve security posture: Behaviour monitoring, additional technologies
What can be done?
Disable SMBv1 protocol and ensure the spread doesn’t happen.
Virtual patching and host-based IPS; Breach detection with sandboxing - Reduce the impact especially for Zero day or custom variants; Endpoint protection - Go beyond signature detection.
There are so many technologies out there in the market, what makes one security vendor different from others are the technology used at any given point of time. For instance, to confirm if it’s truly a malware, there are techniques like Sandbox analysis, Run time machine learning etc. Ransomware is here to stay, we need to brace the fact and proactively take measures to safeguard our organisations interest.
The author, Sharda Tickoo is Technical Head, Trend Micro, India