Ransomware has long been a menace for organizations and consumers. Global damage cost estimates reach about 10 billion USD per year. After all these years, why does ransomware continue to be so good at being so bad? The answer is a combination of the security industry’s history of largely ineffective responses, and how ransomware developers use psychology to trick users.
Ransomware has been around since 1989. Yet it remains one of the most common and successful attack types. According to reports, there were over 180 million ransomware attacks in the first six months of 2018 alone. Every 14 seconds, an organization somewhere in the world falls prey to a ransomware attack. The adoption of cryptocurrencies and Tor has dramatically amplified the prevalence of ransomware.
Even with billions upon billions of dollars invested in cybersecurity and decades of companies deploying firewalls and antivirus solutions, ransomware still succeeds. Understanding why requires examining how the malware functions, and why our existing approaches to fighting it keep failing.
How ransomware works
The details of how a particular attack gets inside a system or an organization, i.e., its “attack vector,” are irrelevant here. It can be phishing, exposed RDP or any other avenue that ransomware developers leverage to get in.
Instead, let’s look at what happens when ransomware actually interacts with your file system and encrypts data. First, the ransomware process (or processes) locates the files it wants to encrypt. Targets are most often selected by file extension and cover your most valuable assets, such as Microsoft Office documents or photos, while operating system files are left intact to ensure that the system will still boot. Then the malware encrypts that data in memory and destroys the original file.
One route ransomware takes is to save encrypted data into a new file and then delete the original.
Other options include writing the encrypted data into the original file itself, making it difficult to distinguish encrypted files from those that haven’t been encrypted, or creating a new file and using a rename operation to replace the original.
Security industry falls short
Now that you have an understanding of how ransomware interacts with files to encrypt and destroy the originals, let’s examine the five most common solutions the security industry has developed to thwart these attacks. Unfortunately, none of them have proven to be consistently effective.
First up: static file analysis, the same technique used for malware detection in antivirus, anti-malware or EPP products. These products look for known malicious code, byte sequences or strings, such as lists of commonly targeted file extensions or words that often appear in ransom notes (e.g., Bitcoin, encryption, etc.). It’s a signature- and machine learning-based method for detecting malicious code.
There are some pros to this approach, including generating low false positive (FP) rates. It is uncommon for a signature-based antivirus to flag a benign file as malicious, and that’s critical because security professionals are overwhelmed by false alarms and suffering from alert fatigue.
Another very important point is that this technique doesn’t wait for ransomware to execute but stops the attack before execution so no harm is done, and zero files are encrypted.
However, static analysis has proven to be too easy for attackers to bypass. Malware writers use packers, crypters and other tools to obfuscate and change their signatures. It is well-known in the industry that efficacy of most modern antivirus and next gen antivirus solutions is somewhere around 50-80 percent, meaning up to half of attacks go undetected.
The Nyotron Research Team recently conducted a study of the efficacy of leading antivirus tools, not against new, advanced attacks but against old, known malware that has been around for years (and in some cases for decades). The tests we performed included simple modifications of old malware to ever-so-slightly change its signature. The result: a dramatic reduction in detection efficacy, in some cases dropping to as low as 60 percent. Again, this is for old, known malware.
You can read the full report titled The Illusive 99.9% on our website.
A second technique relies on a blacklist of the file extensions ransomware typically appends to the files it encrypts. However, it too is easy to bypass: the ransomware can generate a new file extension, use a random file extension or keep the original file names along with the original extensions.
A third technique is the use of so-called “honeypot files”: decoy files planted on the system, with monitoring for any attempt to change them. Once a decoy is touched, that is treated as an attack. However, this approach generates too many FPs and cannot prevent all damage, because many files may already be encrypted before the ransomware touches a decoy file.
The fourth detection technique is monitoring the file system for mass file operations such as rename, write, or delete within a certain period of time. If a defined threshold is exceeded, the offending process will be terminated.
However, some files will be encrypted before that defined limit is exceeded. Malware can also bypass this detection method with a “low and slow” approach, such as adding delays between encryptions, or by spreading the work across multiple encryption processes.
The fifth method is tracking file data change rate. The security product performs an entropy calculation to measure the randomness of data in a file. After a certain threshold of change is detected, that’s when the offending process will be deemed malicious and terminated.
This generates fewer FPs than the other techniques, but the downside is that files will be encrypted until a level of confidence is reached, so not all damage is blocked.
Most modern security products attempt to leverage the combination of some or even most of these techniques in order to increase their efficacy with various degrees of success. But none of these approaches have proven to be very effective.
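To make the trade-offs above concrete, here is an added example (not the article’s code or any product’s) that runs four of the heuristics, honeypot files, extension blacklist, mass file-operation rate and entropy, over a constructed stream of file-system events that includes the new-file-plus-delete pattern from the previous section and a “low and slow” process. The honeypot path, extensions, thresholds and events are all assumed values, and the 256-distinct-byte block is only a stand-in for ciphertext.

```python
import math
from collections import defaultdict

# Constructed values for this example only, not real indicators.
HONEYPOT_FILES = {"/home/alice/Documents/~decoy.docx"}
RANSOM_EXTENSIONS = {".locked", ".crypt"}
CIPHERTEXT = bytes(range(256))  # stands in for an encrypted block (entropy 8.0)
PLAINTEXT = b"Quarterly report: revenue up 3 percent over last year."

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n)
                for c in (data.count(b) for b in set(data)))

def detect(events, window_s=10, op_threshold=5, entropy_threshold=7.0):
    """Apply the article's four behavioural heuristics to a stream of
    (timestamp_s, pid, op, path, data) events. Returns {pid: set(reasons)}."""
    verdicts = defaultdict(set)
    recent = defaultdict(list)  # pid -> timestamps of its recent file ops
    for ts, pid, op, path, data in events:
        if path in HONEYPOT_FILES:
            verdicts[pid].add("honeypot")
        if any(path.endswith(ext) for ext in RANSOM_EXTENSIONS):
            verdicts[pid].add("extension")
        if op in ("write", "rename", "delete"):
            # sliding window: keep only ops from the last window_s seconds
            recent[pid] = [t for t in recent[pid] if ts - t <= window_s] + [ts]
            if len(recent[pid]) >= op_threshold:
                verdicts[pid].add("mass_ops")
        if op == "write" and data and shannon_entropy(data) >= entropy_threshold:
            verdicts[pid].add("entropy")
    return dict(verdicts)

# pid 100: fast encryptor (new .locked file, delete original, then hits the decoy);
# pid 200: "low and slow", encrypts in place, keeps names, 30 s between files;
# pid 300: a user saving a text document. Events are ordered per process.
SAMPLE_EVENTS = [
    (0.0, 100, "write", "/home/alice/Documents/a.docx.locked", CIPHERTEXT),
    (0.1, 100, "delete", "/home/alice/Documents/a.docx", None),
    (0.2, 100, "write", "/home/alice/Documents/b.xlsx.locked", CIPHERTEXT),
    (0.3, 100, "delete", "/home/alice/Documents/b.xlsx", None),
    (0.4, 100, "write", "/home/alice/Documents/~decoy.docx", CIPHERTEXT),
    (0.0, 200, "write", "/home/alice/Pictures/1.jpg", CIPHERTEXT),
    (30.0, 200, "write", "/home/alice/Pictures/2.jpg", CIPHERTEXT),
    (60.0, 200, "write", "/home/alice/Pictures/3.jpg", CIPHERTEXT),
    (1.0, 300, "write", "/home/alice/notes.txt", PLAINTEXT),
]
```

Note that pid 100 had already destroyed two originals before it touched the decoy or crossed the rate threshold, and pid 200 never trips the rate check at all; only the entropy heuristic flags it, and only after each file is already encrypted.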
Here are a few examples of ransomware in the wild that have proven adept at evading traditional security defenses:
- CryptoMix, or its latest variant DLL CryptoMix: what sets CryptoMix apart is the approach attackers took to increase the likelihood their victims will pay ransom. They claim to be from a charity organization helping sick children, such as International Children Charity Organization. I assure you no money actually goes to any children.
- LockerGoga: Halted production at at least one Norsk Hydro facility, resulting in an estimated $40 million loss. It spawned multiple processes to encrypt files in order to bypass security products: even if one process touches bait files or gets terminated by a ransomware detection technique, the others continue to encrypt.
- Chimera: Not new but unique in its threat that victims will see their sensitive data including photos and contact information released on the Internet if they don’t pay up.
- WannaCry: Arguably the most famous ransomware, it impacted about 150 countries and hundreds of thousands of systems and resulted in an estimated $4 billion in total economic loss. What made WannaCry so frustrating is that it was completely preventable: Microsoft had released the patch for the underlying vulnerability almost two months before the attack.
WannaCry once again teaches a key lesson for all organizations: stay up to date with all patches.
Your organization may still struggle with basic asset management. In other words, you don’t know what you have. And if you don’t know what you have, how can you protect it?
It’s also important to implement a solid backup strategy. You may already have one in place to guard your servers, whether on-premises or in the cloud. However, your endpoints are also at risk because that’s where at least some of your company’s IP may reside.
Finally, most security solutions and processes only chase “the bad,” and that’s a game of cat-and-mouse you can’t win. There is a practically infinite number of malware samples in the wild, and it takes just one successful attack to cripple your IT systems.
Complement your existing security layers with an approach that does the exact opposite – ensuring what’s good. Note I use the word “complement.”
I am not advocating for you to stop using your existing solutions. Although a single detection technique may not be effective, the combination of a few provides some level of protection against commodity ransomware.
Combine these tools with ones that track the good by applying a whitelisting-like approach to create the most effective defense in-depth posture.