RANSOMWARE: A RISING THREAT

What is ransomware?

Ransomware is a type of malicious program that encrypts files on a victim’s computer, blocking access to the contents of the device until a ransom is paid, a form of “digital data kidnapping”. The first documented case of ransomware occurred in 1989.

Victims are affected financially, operationally and reputationally, as their ability to deliver products and services is impeded. Paying the ransom is not recommended: there is no guarantee that the files will be recovered, and the payment provides resources to the perpetrators, enabling them to improve their malicious activities and perpetuating the problem. In many cases, the data has not been returned or unlocked after the ransom was paid.


Why ransomware attacks have become so prevalent

In 2019, the FBI reported 2,047 cases of ransomware, although the real number could be much larger, as not all cases are reported and the FBI keeps records of US cases only.

Several factors contribute to the rise in occurrence of ransomware attacks: 

Ransomware monetizes almost immediately. Ransoms are paid within hours or days.

Proliferation of cryptocurrencies and Tor networks contributes to anonymity, so malicious actors are not identified.

Users are not reliable. No matter how much risk knowledge and awareness a user possesses, there are always bad days and ransomware is just one click away.

There will always be a patch not installed. For reasons ranging from company processes to compatibility issues with old software, applying patches takes time, and sometimes the process is skipped completely.

Zero-day (emergent or unknown) vulnerabilities. Vulnerabilities arise faster than industries can prevent them, and ransomware is the most attractive way of leveraging zero days.

Ransomware as a Service is a new and complex problem in which a group of malicious actors collaborate, each performing their specialty. One malicious actor creates the ransomware, and another delivers it to victims. Each member of the team receives a share of the ransom.

Millions of workers are now working at home without the network security they had at the office.

Ransomware is changing on a daily basis and current systems cannot keep up.

Some ransomware variants destroy backups before encrypting data, making it impossible to recover the information without paying the ransom.


All of these factors make ransomware a very attractive arena: more talented individuals are entering and collaborating, and victims’ payments provide ever more money to fund their malicious activities.

The following diagram shows five years of ransomware family creation, before the threat became widely known with the “WannaCry” global attack in 2017. According to Mitre, this ransomware affected more than 150 countries, and E&Y stated that it brought the topic of ransomware back to front and center in the news.


[Figure: timeline of ransomware families by year of appearance, 2012 to 2016, listing the family names under each year. The figure labels are not reproduced here; families named in it include Reveton, CryptoLocker, CryptoWall, CTB-Locker, TeslaCrypt, Locky, Petya and Cerber.]

What types of impacts do ransomware victims face?

The impacts range from financial to operational, and often reputational, translating into loss of business and lack of competitiveness.

After our security team analyzed hundreds of ransomware families, we determined that the average requested ransom is 300 USD per device. In some cases the price is several times higher, as with Farmobuk ransomware, which requests 900 USD per device. That amount, multiplied by the number of affected devices, can amount to a significant financial impact for organizations.

However, the ransom is only a fraction of the total cost of these events. User computers and servers become unusable, the applications on them stop working, and whole supply chains for products and services are compromised. Sales and corporate activities stop, impeding the fulfilment of obligations and, in many cases, damaging reputation as well as current and future business opportunities.


Have there been major ransomware events?

All of the factors discussed above account for huge impacts on organizations. A clear example is Mondelez, an American multinational confectionery, food, holding and beverage company, which claimed losses of up to 84 million USD in 2017 after a ransomware attack affected its operations. Government entities have also been impacted, in the order of hundreds of thousands of dollars: in one Florida city, hackers were paid 600,000 USD in 2019.

A major documented case happened in 2017, when WannaCry ransomware affected hundreds of thousands of computers by using a vulnerability that allowed it to spread to other corporate devices through the network. The total impact of WannaCry is still unknown, with some publications claiming 100+ million USD and others 1+ billion USD in damages.


Are current solutions sufficient against this challenge?

Our security team performed more than a thousand tests with known ransomware samples against commercial anti-malware products from the most recognized brands.

Our main findings were:

Even with the latest malware protection signatures, some known security products failed to detect and stop between 9% and 24% of the ransomware samples. Devices were totally encrypted.

Security products rely primarily on signatures to stop ransomware, which makes them ineffective against new samples. As thousands of samples are created every day, it becomes impossible to keep up.

Security products depend on an internet connection to reach their full effectiveness; however, internet connections can have reliability or configuration issues.

Security products with a behavior detection feature are ineffective. Security vendors claim their products use behavior detection, but the tests performed showed little effectiveness from it.

Ransomware encrypts files in milliseconds, so even when some endpoint protections reacted minutes after the beginning of the attack, hundreds or thousands of files were already encrypted. In some cases, the malware protection tool blocked the ransomware only after encryption had begun but before the ransom note was created, so the victim could not recover their files even if they wanted to pay.

In addition to these results, we must understand that the current pandemic also affects the security capabilities of companies, for protection, detection and response alike. As a larger share of employees work from home, they now depend on home connections to receive signatures and patches, and monitoring tools must access logs stored in a variety of locations.

We must recognize that affected organizations already had information security investments in network defenses, agents and incident response; however, all of this proved ineffective against a threat that is evolving so fast.

All of these results demonstrate the need for a security solution that acts against this specific kind of threat, as ransomware will cause more and more challenges in the years to come.
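To make the two findings above concrete (signature reliance and the speed of encryption versus detection latency), here is an added example that is not part of the HackerStrike paper: a byte-signature scan beside a simple behavioral rule over constructed file-write telemetry. The signature, the sample bytes, the process ids and the file paths are all constructed for this illustration.

```python
# Added example (not from the HackerStrike paper): contrasts a byte-signature
# scan with a behavioral rule over constructed file-write events.
import math
from collections import defaultdict
from random import Random

# Hypothetical signature: a continuous byte sequence from a "known" sample
# (constructed for this example; not a real malware signature).
KNOWN_SIGNATURE = b"LOCKER!!"
SAMPLE_KNOWN = b"\x4d\x5a" + b"\x00" * 16 + KNOWN_SIGNATURE + b"\x00" * 16
# A variant of the same sample with a two-byte change inside the signature region.
SAMPLE_VARIANT = SAMPLE_KNOWN.replace(b"!!", b"!?")


def signature_match(payload: bytes, signature: bytes = KNOWN_SIGNATURE) -> bool:
    """Signature-based detection: does the continuous byte sequence occur?"""
    return signature in payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted or compressed output approaches 8.0; text is far lower."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_mass_encryption(events, window_ms=500, min_files=20, min_entropy=7.0):
    """Behavioral rule: one process rewriting >= min_files files with high-entropy
    content inside window_ms. events are (ts_ms, pid, path, new_bytes) tuples.
    Returns {pid: (alert_ts, files_already_rewritten_when_the_rule_fired)}."""
    stamps = defaultdict(list)
    for ts, pid, _path, data in sorted(events):
        if shannon_entropy(data) >= min_entropy:
            stamps[pid].append(ts)
    alerts = {}
    for pid, ts_list in stamps.items():
        start = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window_ms:  # slide the window forward
                start += 1
            if end - start + 1 >= min_files:
                alerts[pid] = (ts, end + 1)  # files already encrypted at alert time
                break
    return alerts


def constructed_events():
    """Constructed telemetry: pid 100 edits documents; pid 200 rewrites 30 files
    with random bytes within 300 ms, the way an encryptor's output would look."""
    rng = Random(7)
    events = [(t * 100, 100, f"/docs/report{t}.txt", b"quarterly report draft " * 40)
              for t in range(10)]
    for i in range(30):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append((2000 + i * 10, 200, f"/docs/file{i}.docx", blob))
    return events
```

Even when the behavioral rule fires, the second element of the alert shows how many files were already rewritten, which is the latency problem the findings describe.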

Note: according to Kaspersky, a virus signature is a continuous sequence of bytes that is common to a certain malware sample.

Where is ransomware heading?

Ransomware attacks will become an everyday occurrence and an even more common challenge for organizations and society in general, as attackers find new ways of monetizing victims. Some trends that could be feasible in the future are:

I) Attacks targeted against supply chains in time-critical industries.

At this point, affected supply chains are a collateral effect of ransomware attacks; however, organizations in several industries are time-critical. The current pandemic has stressed industries such as retail, e-commerce, delivery, communications and healthcare, among others, increasing the impact that an attack on their infrastructure could have, and consequently increasing both the willingness to pay and the ransom amount in case of a successful ransomware attack. This makes it reasonable to assume that malicious actors will target time-critical organizations.

II) Victim categorization, even for untargeted attacks.

Most ransomware cases are a “one (ransom amount) size fits all” type of attack, but ransomware will have a bigger chance of making money once it identifies the type of victim, taking into account not only the device but also what type of person it belongs to. The ransomware could categorize the device based on the type of content, file creation dates, file and folder names, whether the machine is joined to a domain, and other factors. After that, the ransomware could take several paths, from encrypting right away, to waiting until more external devices are connected, to deciding whether exfiltration of information is worthwhile.

III) Ransomware attacks mutating to Wiper attacks. 

Not every attack has an immediate monetization objective, as shown by the attack suffered by Saudi Aramco, a Saudi company with an annual revenue of 300+ billion USD, which affected 30 thousand computers by permanently wiping them. The attack was based on Shamoon, a wiper malware whose purpose was to delete and overwrite the contents of the affected computers. Ransomware attacks could mutate into wiper attacks simply by deleting the decryption key, making it infeasible to recover the affected files.

IV) Ransom based attacks to digital assistants, IoT and cars. 

With computers entering more and more into our wearable devices, our cars and our personal assistants, one can only imagine a future in which cyber criminals demand a ransom for not taking hostage a personal assistant, or a house with all of its electronically enabled devices, or even for not stopping an autonomous car in the middle of the desert. All of these events may seem very distant and very unlikely to occur; however, technologies are advancing at a rapid pace, and cyber criminals are criminals after all.


RansomShield: an AI expert protection solution for ransomware.

RansomShield is focused on preventing the effects of ransomware attacks. At HackerStrike, we realize that anything can and will fail when it comes to keeping ransomware from being delivered to devices. Let us clarify what we mean by “anything can fail”. Ransomware can infect a device because of a missing operating system patch, a missing update for one of the many applications running on the device, a legacy application with vulnerabilities that cannot be fixed, a distracted user who visits a webpage they should not, or a malicious attachment that arrives by email. There are simply too many points of entry.

RansomShield focuses on preventing the effects, i.e. the device actually getting encrypted, using technology based on micro neural networks that run on every device with RansomShield (node level) and also at the organization level (hub level). The neural network at the node level defines a unique behavior pattern for each device, and the HackerStrike cloud at the hub level does the same. With this model, RansomShield acts on any deviation, providing instant protection.

RansomShield provides protection from a micro neural network running on each device with full capabilities. Traditional systems, on the other hand, provide only a certain level of functionality at the device level and require a connection to the console and to the internet to access their full capabilities.

RansomShield’s self-healing technology informs the other members of the hub of anything malicious happening at a node, changing the alert state of the other nodes and updating their behavior to respond to the attack, even if a node shows no signs of the attack yet. This happens inside the organization without requiring an internet connection or anything else. Traditional systems do not have that level of awareness of the organization’s ecosystem.

RansomShield is stepping up to the level of the challenge of protecting organizations and individuals from an even more advanced threat landscape. 


References

https://ir.mondelezinternational.com/news-releases/news-release-details/mondelez-international-reports-2017-results

https://www.nytimes.com/2019/06/19/us/florida-riviera-beach-hacking-ransom.html

https://pdf.ic3.gov/2019_IC3Report.pdf

https://www.ey.com/Publication/vwLUAssets/ey-radar-360-for-ransomware-defence-and-remediation/$FILE/ey-radar-360-for-ransomware-defence-and-remediation.pdf

https://www.ey.com/Publication/vwLUAssets/ey-important-considerations-for-responding-to-ransomware-attacks/$FILE/ey-important-considerations-for-responding-to-ransomware-attacks.pdf

https://attack.mitre.org/software/S0366/

HACKER STRIKE LEGAL DISCLAIMER.

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Hacker Strike reserves the right to modify the contents of this document at any time without prior notice. Although Hacker Strike uses reasonable efforts to include accurate and up-to-date information herein, Hacker Strike makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Hacker Strike disclaims all warranties of any kind, express or implied. Neither Hacker Strike nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition.
