Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee (ransom) to the attacker. The ransom is usually required in a form of cryptocurrency, at a price that increases after one or more deadlines. If the victim doesn’t pay by the final deadline, the data is encrypted forever.
History of Ransomware
Ransomware can be traced back to 1989 where the “AIDS virus” was used to extort funds from recipients of the ransomware. Payments for that attack were made by mail to Panama, at which point a decryption key was also mailed back to the user.
Ransomware has attacked organizations in nearly every vertical, with two of the most famous being the attack on Presbyterian Memorial Hospital and WannaCry, where Proofpoint was credited with both discovering the sample and finding the kill switch. These attacks highlighted the potential damage and risks of ransomware, as hospitals, labs, pharmacies, and emergency rooms were knocked offline during the attack.
Examples of Ransomware
By learning about the major ransomware attacks below, you will gain a solid foundation in the tactics, exploits, and characteristics of most ransomware attacks. While there continue to be variations in the code, targets, and functions of ransomware, the innovation in ransomware attacks is typically incremental.
- WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a killswitch was tripped to stop its spread. Proofpoint was involved in finding the sample used to find the killswitch and in deconstructing the ransomware. Learn more about Proofpoint’s involvement in stopping WannaCry.
- CryptoLocker: One of the first of the current generation of ransomware that required cryptocurrency (bitcoin) for payment and encrypted a user’s hard drive and attached network drives. It was spread via emails with attachments that claimed to be FedEx or UPS tracking notifications. A decryption tool was released for it in 2014; however, various reports suggest that upwards of $27 million was extorted by CryptoLocker.
- NotPetya: Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability as WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes. It has been classified by some as a wiper, since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
- Bad Rabbit: Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit was a highly visible ransomware that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The majority of cases indicate that it was spread via a fake Flash Player update delivered through a drive-by attack.
How Ransomware Works
Ransomware is a type of malware designed to extort money from its victims who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are encryptors and screen lockers. Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen, asserting that the system is encrypted.
Figure 1: How Ransomware tries to trick a victim into installing it
Enterprise ransomware infections usually start with a malicious email. An unsuspecting user opens an attachment or clicks on a URL of a website that is malicious or has been compromised. Ransomware can then run directly, or communicate with the attacker’s server, which stores information used for possible decryption when payment is made. A ransomware agent is installed and begins encrypting files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device via a lock screen. The message explains what has occurred and how to pay the attackers. If the victims pay, the ransomware promises, they’ll get a code to unlock their data.
Lock screens are common to both encryptors and screen lockers, and they encourage victims to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, victims receive the decryption key and may attempt to decrypt files. Decryption is not guaranteed, as multiple sources report varying success of decryption after paying ransoms, sometimes never receiving the keys. Some attacks install malware on the computer system even after the ransom is paid and data released. In many cases, ransomware victims who pay are ‘marked’ for future attacks, and their information is sold to other ransomware attackers.
While originally focused largely on personal computers, ransomware has increasingly targeted business users, as businesses will often pay more than individuals to unlock critical systems and resume daily operations. This has been especially true for the healthcare industry, where ransomware attacks have shut down hospitals, clinics, and emergency care centers. Banks and other financial institutions have also been targeted; however, few, if any, stories appear in the news due to the potentially disastrous loss of trust and goodwill for those firms.
Ransomware Prevention and Detection
Prevention for ransomware attacks typically involves setting up and testing backups as well as applying ransomware protection in security tools. Security tools such as email gateways are the first line of defense, while endpoints are a secondary defense. User training is an important layer of ransomware protection, but user training comes into play only if ransomware is delivered via an email phish.
Intrusion detection systems (IDS) are sometimes used to detect ransomware command-and-control communications and alert when an infected system calls out to a control server. This detection usually happens after ransomware has gained a foothold. File integrity monitoring can also serve as an indicator of a ransomware attack, as policies can be used to detect and alert on unusually high numbers of file changes.
A fallback measure, in case other ransomware preventative defenses fail, is to stockpile bitcoin. This is more prevalent where news of a ransomware attack could lead to significant brand and credibility damage, or where immediate harm could impact customers or users of the affected firm. Hospitals are at particular risk of ransomware and are popular case studies, as patients’ lives could be affected; hospitality and financial services firms may also do this to prevent people from being locked in or out of facilities or their accounts (and money).
How to Avoid Ransomware Attacks
- Defend your email against Ransomware. Email phishing and spam are the main way that ransomware is distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents with URLs, and attachments with embedded malicious links in emails being delivered to user computers. Be sure to choose products that do not solely rely on reputation or are limited to only Microsoft Office documents, as criminals have been known to create variations of some ransomware daily, with combinations of PDFs, Office documents, compressed files, and password protected versions of those documents.
- Defend your mobile devices against Ransomware. Mobile attack protection products, when used in conjunction with mobile device management (MDM) tools, can analyze apps on your users’ devices and immediately alert users and IT to any apps that might compromise your environment. Likewise, SMS phishing has been another attack vector used to install apps that may run ransomware.
- Defend your web surfing against Ransomware. Secure web gateways can scan your users’ web traffic to identify malicious web ads and web pages that might lead them to ransomware.
- Monitor your server and network, and back up key systems. Monitoring tools can detect unusual file access activities, viruses, network command and control traffic, and CPU loads—possibly in time to block ransomware from activating. Keeping a full image copy of crucial systems can reduce the risk of a crashed or encrypted machine causing a crucial operational bottleneck. Having backups is important, but so is testing them. Several case studies have surfaced where victims only had partial or incomplete backups and lost data even though they claimed to have backups.
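The "unusually high number of file changes" rule from the file integrity monitoring paragraph above, and the "unusual file access activities" point in this list, can be implemented as a simple sliding-window burst detector. The following is an added example, not Proofpoint's code; the event format, process names and threshold are constructed assumptions.

```python
"""Toy file-integrity burst detector: alert when one process/user pair
makes more than THRESHOLD file changes inside a sliding time window.
Events are assumed to arrive sorted by timestamp (constructed format:
timestamp|user|process|action|path)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                 # changes per process/user per window (assumed tuning)
WINDOW = timedelta(seconds=60)
CHANGE_ACTIONS = {"MODIFY", "RENAME", "CREATE"}  # reads are not counted


def parse_event(line):
    ts, user, proc, action, path = line.split("|", 4)
    return datetime.fromisoformat(ts), user, proc, action, path


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (process, user) whose change count within
    `window` reaches `threshold`; later events for that key are ignored."""
    recent = defaultdict(deque)   # (proc, user) -> timestamps inside window
    alerts, alerted = [], set()
    for line in lines:
        ts, user, proc, action, _path = parse_event(line)
        if action not in CHANGE_ACTIONS:
            continue
        key = (proc, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"process": proc, "user": user,
                           "count": len(q), "at": ts.isoformat()})
    return alerts


def build_sample_events():
    """Constructed sample log: sparse benign edits, then a burst of renames."""
    base = datetime(2016, 10, 4, 9, 0, 0)
    lines = []
    for i in range(5):            # benign: one edit every ten minutes
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()}|alice|winword.exe|MODIFY|C:\\Users\\alice\\report{i}.docx")
    for i in range(30):           # burst: 30 renames in 30 seconds on a file share
        t = base + timedelta(hours=1, seconds=i)
        lines.append(f"{t.isoformat()}|bob|unknown_proc.exe|RENAME|\\\\fs01\\share\\file{i}.xlsx")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print(alert)
```

In production the same logic would read events from an FIM agent or file-server audit log and feed alerts to the SIEM; the threshold must be tuned per share so that legitimate batch jobs do not trip it.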
How to Remove Ransomware
Call federal and local law enforcement. Just as you would call a federal agency for a physical-world kidnapping, you need to call the same bureau for ransomware. Their forensic technicians can ensure your systems aren’t compromised in other ways, gather information to better protect you going forward, and try to find the attackers.
Also learn about anti-ransomware resources like the No More Ransom portal and Bleeping Computer which have tips, suggestions, and even some decryptors for selected ransomware attacks.
Restore your data. If you’ve followed best practices and kept system backups, you can restore your systems and resume normal operations.
Ransomware Survival Guide
Ransomware attackers collected more than $209 million from victims during the first three months of 2016 alone, with the volume of attacks 10 times higher than all of 2015. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.