Page 22 - Security Today, August 2017

unless victims purchased the password necessary to decrypt the documents.
Attacks Focusing More on Organizations
People had typically been the primary targets of “scareware” schemes, which warned users that their computers were infected with malware that could be removed only by purchasing antivirus software. The antivirus software was fake, and the only real threat was the warning message itself, which kept reappearing until many people paid the ransom just to make it go away.
By 2011, anonymous payment methods had made it easier for hackers to collect ransoms. Most payment demands require victims to pay in bitcoins, but various anonymous cash cards are also popular. Hackers can make other kinds of demands, however. For example, “hacktivists” might demand that a company reduce its carbon footprint, or that an individual spread the malware to a set number of contacts to unlock his own computer.
As hackers refined their skills, they began to focus on larger organizations with the budgets to pay substantial ransoms for the files and systems needed to conduct daily operations. In the past few years, there have been several well-publicized ransomware attacks on major organizations.
In 2016, Hollywood Presbyterian Medical Center suffered a ransomware attack that shut down its computer network for more than a week and caused widespread disruption. The hospital was forced to transfer some patients to other facilities to ensure that they received the necessary care. Only after the ransom of 40 bitcoins (then the equivalent of about $17,000) was paid could HPMC regain the use of its malware-encrypted files.
In 2015, the Swedesboro-Woolwich School District in New Jersey was the victim of a ransomware attack. The encrypted files were primarily staff-generated Excel spreadsheets and Word documents. The attack forced the district to delay its assessment tests, but the decision was made not to pay the ransom: the district had adequate backups to restore the servers.
Whether a ransomware attack is targeted or mass-distributed, it follows five distinct phases: infection, execution, backup removal, encryption and cleanup. Understanding these phases improves the chance of a successful defense.
Infection. The attack cannot succeed unless the malware can be placed on a computer. Many ransomware attacks begin with a phishing campaign, often through emails carrying infected attachments or links to compromised sites. However, exploit kits that target vulnerabilities in software such as Internet Explorer and Adobe Flash are the preferred delivery method for some malware, including CryptoLocker.
Execution. An executable file is placed on the target’s computer, usually beneath the user’s profile in the “TEMP” or “APPDATA” folder.
Backup removal. Within seconds of execution, the ransomware finds and removes backup folders and files on the system. On Windows, the vssadmin tool is often used to delete volume shadow copies; this creates event log entries that can make detection easier, provided process-creation auditing with command-line capture is enabled so that the vssadmin arguments are actually recorded.
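The execution and backup-removal phases above are where a defender gets the first usable signal. As an added example that is not part of the article, the Python below scans constructed Windows process-creation records for two things: a binary launched from the user's TEMP or APPDATA folder, and a command that deletes shadow copies. A backup-removal command that follows a scratch-folder execution by the same user within a few minutes is escalated to high severity, since that sequence matches the phase ordering the article describes. The log layout, field names and sample records are assumptions for this example. The page names only vssadmin; the pattern list goes beyond it and also covers a few well-known sibling commands (wmic shadowcopy delete, bcdedit recoveryenabled No, wbadmin delete catalog, vssadmin resize shadowstorage).

```python
"""Flag ransomware-style execution and backup-removal activity in Windows
process-creation records. Added example with constructed data; not the
article's code."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log, one process-creation record per line, fields
# separated by " | ": timestamp, user, image path, command line. The layout
# is an assumption; a real pipeline would map the same fields from Security
# event 4688 (with command-line auditing enabled) or Sysmon event 1.
SAMPLE_LOG = """\
2017-08-01T09:12:03Z | CORP\\jdoe | C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs
2017-08-01T09:14:51Z | CORP\\jdoe | C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_4471.exe | "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_4471.exe"
2017-08-01T09:14:52Z | CORP\\jdoe | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
2017-08-01T09:14:53Z | CORP\\jdoe | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic shadowcopy delete
2017-08-01T09:14:54Z | CORP\\jdoe | C:\\Windows\\System32\\bcdedit.exe | bcdedit /set {default} recoveryenabled No
2017-08-01T10:02:10Z | CORP\\backupsvc | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe list shadows
2017-08-01T11:30:00Z | CORP\\asmith | C:\\Program Files\\Vendor\\app.exe | app.exe --update
"""

# Execution phase: image launched from the user's TEMP or APPDATA folder.
# Noisy on its own (legitimate installers live there), so it is recorded as
# low severity and kept as context for the backup-removal rule.
USER_SCRATCH_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)

# Backup-removal phase. vssadmin is the command the article names; the other
# entries are common siblings added as an extension: WMI shadow-copy
# deletion, disabling automatic recovery, deleting the Windows Backup
# catalog, and shrinking shadow storage (which forces old copies to be dropped).
BACKUP_REMOVAL_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    user: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    rule: str
    severity: str
    evidence: str


def parse_events(text: str) -> List[Event]:
    """Parse the ' | '-separated sample format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = [f.strip() for f in line.split(" | ", 3)]
        if len(parts) != 4:
            continue
        ts, user, image, cmdline = parts
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, image, cmdline))
    return events


def classify_backup_removal(cmdline: str) -> Optional[str]:
    """Return the matching backup-removal rule name, or None."""
    for rule, pattern in BACKUP_REMOVAL_PATTERNS.items():
        if pattern.search(cmdline):
            return rule
    return None


def detect(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Emit findings in time order; escalate backup removal that follows a
    scratch-folder execution by the same user within `window`."""
    findings: List[Finding] = []
    last_scratch_exec: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        stamp = ev.timestamp.strftime("%Y-%m-%dT%H:%M:%SZ")
        if USER_SCRATCH_PATH.search(ev.image):
            last_scratch_exec[ev.user] = ev.timestamp
            findings.append(Finding(stamp, ev.user, "exec_from_user_scratch", "low", ev.image))
        rule = classify_backup_removal(ev.cmdline)
        if rule is None:
            continue
        prior = last_scratch_exec.get(ev.user)
        escalated = prior is not None and ev.timestamp - prior <= window
        findings.append(Finding(stamp, ev.user, rule, "high" if escalated else "medium", ev.cmdline))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f.timestamp} {f.severity:6} {f.user:16} {f.rule:32} {f.evidence}")
```

On the sample, the backup service's `vssadmin list shadows` produces nothing, while the three destructive commands that follow the Temp-folder launch by the same user come out as high. The scratch-path rule will need tuning per environment (software updaters and some installers run from APPDATA); its value here is the correlation, not the rule alone.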
Encryption. After removing backups, the ransomware may perform a secure key exchange with its command-and-control (C2) server. However, some ransomware families, including SamSam, do not need to communicate with a C2 server at all; encryption can proceed entirely locally, so blocking C2 traffic does not stop them.
Cleanup. The final phase presents the ransom demand and removes evidence of the malware code. The way the demand is presented can help identify the strain of ransomware. For example, Locky changes the desktop wallpaper to include instructions, while CryptoWall V3 stores the instructions in a HELP_DECRYPT file.
Preparing and Responding to a Ransomware Attack
When it comes to handling a ransomware attack, protection and prevention are the best and most effective defenses. There are five critical steps in defending against a ransomware attack: prepare, detect early, contain the damage, eradicate the ransomware and follow a recovery plan.
Organizations need to be proactive about patching to eliminate vulnerabilities, and about backing up their systems and storing the backup files offsite, or at least somewhere other than the server being backed up and not reachable as a writable share from the systems it protects, since the backup-removal phase deletes whatever the malware can reach. A well-defined incident response plan that includes an explicit plan for fast action against a ransomware attack is critical. In addition to adopting the practice of assigning least privilege, especially for file shares, limiting exposure can also
0817 | NETWORKING SECURITY