Saturday, October 22, 2016

Dangerous and getting worse: Ransomware Corporate Crime

Of all the ways that corporate computer crime can occur, ransomware is the most damaging. This style of malicious attack can be delivered directly upon infection, or after a system has already been harvested for valuable data or used as a botnet node, giving the attacker a final chance to monetize an infected machine. (Spring, 2016) Because it does not need to persist across reboots or stay stealthy for long periods, ransomware can begin its destructive work as soon as it lands on a system, even without Administrator or root access. (Krebs, 2013) As such, the usual separation-of-privilege defenses provide limited benefit, because the files most at risk in a ransomware attack are exactly those the logged-in user needs or creates. The user has write access to their own data, so any malware they accidentally run has it too.
Since the impact of ransomware is denial of service, it can target victims whose primary need is high availability, rather than the confidentiality requirements typical of companies protecting intellectual property. This was demonstrated earlier this year when the hospital industry was the target of an attack that ended up raking in a $17,000 decryption payout. (Gillum & Dishneau, 2016) Operations were interrupted for 10 days, days that put real human lives in danger. (Gillum & Dishneau, 2016)
Typical infections do not try to encrypt every file on a target system, since doing so could interfere with the behavior of the malware itself. Instead they often limit the targeted files based on the file-type hint in the file name: the file extension. (Abrams, 2016 September) Just this month it was reported that a sample was found, Stampado, whose target list includes the extensions of files already encrypted by other ransomware families. (Abrams, 2016 September) This means that a victim could pay to decrypt their files only to learn that the decrypted version is still a locked-up artifact of another attack. Some families, such as TorrentLocker, pose as higher-profile families like CryptoLocker, to which they are unrelated. (Léveillé, 2014) Underhanded in dealing with victims, and underhanded in abusing others' brands.
Underhanded dealings like Stampado's make the case for regular, off-system backups absolute. (Lennon, 2001) Off-system is the important part, because the operating system's own automatic backups, such as Windows Shadow Copies, can be, and usually are, deleted by ransomware as part of the attack. (Abrams, 2016 May) This style of attack, despite its increasing popularity and ease of payment, is not new, as the writings of Oswald (2006) and Giri, Jyoti, & AVERT (2006) demonstrate. All indications are that it will continue to get worse before it gets better, too. (Talos, 2016)
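The shadow-copy deletion described above leaves a trace in ordinary process-creation telemetry, which is where a defender can catch it before the backups are gone. The following Python is an added illustration, not part of the original post: it flags command lines that remove or starve Volume Shadow Copies. The events are constructed samples and the field names (pid, image, cmdline) are assumed.

```python
import re
from typing import Dict, List

# Command-line patterns that destroy or shrink Volume Shadow Copies.
# Matching is case-insensitive on the full command line; the rule
# name is what gets reported in the finding.
SHADOW_COPY_DELETION_RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# Constructed sample process-creation events (assumed field names):
# one benign admin query, two deletions, one unrelated process.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 5212, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 5218, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5301, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def flag_shadow_copy_deletion(events: List[Dict]) -> List[Dict]:
    """Return one finding per event whose command line matches a rule.

    A benign 'vssadmin list shadows' is deliberately not flagged, so the
    rule set keys on the destructive verbs rather than on the tool name.
    """
    findings = []
    for event in events:
        cmdline = event.get("cmdline", "")
        for rule_name, pattern in SHADOW_COPY_DELETION_RULES.items():
            if pattern.search(cmdline):
                findings.append({"pid": event["pid"], "rule": rule_name,
                                 "cmdline": cmdline})
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for finding in flag_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"pid {finding['pid']}: {finding['rule']} <- {finding['cmdline']}")
```

In practice the events would come from a process-creation log source; a hit on these rules outside a scheduled maintenance window is a strong signal that encryption is about to start.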

Abrams, L. (2016, May 9). Locky Ransomware Information, Help Guide, and FAQ.
Abrams, L. (2016, September 15). Stampado: Taking Ransomware Scumbaggery to the Next Level. Bleeping Computer.
Gillum, J., & Dishneau, D. (2016, March 29). FBI probing virus behind outage at MedStar Health facilities. AP.
Giri, B. N., Jyoti, N., & AVERT, M. (2006). The Emergence of Ransomware. AVAR 2006.
Krebs, B. (2013, November 13). How To Avoid CryptoLocker Ransomware. Krebs on Security.
Lennon, S. (2001, August). Backup Rotations - A Final Defense. SANS Institute.
Léveillé, M. (2014, December). TorrentLocker: Ransomware in a country near you. ESET.
Oswald, E. (2006, July 24). Ransomware becoming a serious problem. BetaNews.
Spring, T. (2016, May 13). Cerber Ransomware on the Rise, Fueled by Dridex Botnets. ThreatPost.
TALOS. (2016). Ransomware: Past, Present, and Future.
