Are You Ready for Ransomware?
At the BSides Ottawa conference on IT Security, a major theme was ransomware: malicious software which typically encrypts as many files as it can reach with a secret key and then demands money (generally a Bitcoin payment) for the decryption key. If you or your company has recently been bombarded with spam emails containing attachments, the chances are good that many of them have been attempts to install ransomware on one or more of your computers.
The sophistication of such attacks is quite high: by the time modern variants demand money they may already have disabled Windows backup services and attempted to encrypt any accessible network or USB drives. The decryption key is not stored on the computer, and the only way (bar programming errors in the malware) to decrypt the files is to pay the demanded ransom. One piece of ransomware even includes a link to a help desk service which will walk victims through the hopefully unfamiliar processes of buying Bitcoins to pay the ransom and decrypting the files. Another offers free decryption of one file, to prove that decryption is possible.
Even when the authorities manage to track down one of the servers involved in the extortion process, it's not entirely clear what they should do. If they close down a server it will prevent any more payments to the malware authors; at the same time it will cause more problems for any victim who had no backups and no option other than paying the ransom.
Even worse, it seems that users are still clicking on links and opening attachments from fake emails. One speaker claimed (and no-one in the audience seemed to disagree) that it took at most ten carefully crafted emails before someone in a company could be persuaded to open an attachment or click on a link which installed malware. If someone is targeting your company specifically, rather than just broadcasting general emails, it is very hard to distinguish an attack from legitimate mail.
But it's not all bad news. Ransomware exhibits a number of behavioural patterns which are hard to disguise, and which intrusion prevention systems (IPS) may be able to recognize:
- Many files accessed in a short period of time.
- Changes in the entropy of a file. (Entropy is a statistical measure of randomness. Encrypted files are more random than unencrypted ones; note that compressed files such as ZIP archives and JPEG images are also high-entropy, so this indicator on its own produces false positives.)
- Changes in "honey pot" files which are placed on the system specifically to detect changes.
- Changes in file extensions to indicate that a file is encrypted.
- Use of system commands to stop or control backup services: these are unlikely to occur in normal everyday use.
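The five patterns above can be turned into a simple host-based detector. What follows is an added example written for this page, not code from any of the BSides speakers or from a shipping product. The thresholds, the honey-pot path, the process IDs, the ransom extensions and the whole event stream are constructed for illustration; the backup-tampering commands it matches (vssadmin, wmic shadowcopy, wbadmin, bcdedit) are ones real ransomware families have used, but the list is not exhaustive.

```python
import math
import re
from collections import Counter, defaultdict

# All thresholds and paths below are assumptions for this example, not values from the talk.
BURST_WINDOW_SECONDS = 10.0
BURST_THRESHOLD = 20               # writes by one process inside the window
ENTROPY_JUMP_BITS = 2.0            # rise in bits/byte that suggests the file was encrypted
HIGH_ENTROPY_BITS = 7.0            # ciphertext (and compressed data) sits near 8
CANARY = "C:/Users/alice/Documents/_canary.docx"           # hypothetical honey-pot file
CANARY_PATHS = {CANARY}
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}     # illustrative, not exhaustive
# Commands used by ransomware to destroy Windows shadow copies, backup catalogs and recovery.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_events(events):
    """Return {pid: {indicator: [detail, ...]}} for the indicators listed in the text.

    Each event is a dict with 'op' in {'write', 'rename', 'exec'}, 'pid' and 'ts';
    'write' carries 'path', 'before', 'after' (bytes); 'rename' carries 'old_path',
    'new_path'; 'exec' carries 'cmd'.  Events are assumed to arrive in time order.
    """
    alerts = defaultdict(lambda: defaultdict(list))
    write_times = defaultdict(list)

    for ev in events:
        pid, ts, op = ev["pid"], ev["ts"], ev["op"]
        if op == "exec":
            if any(p.search(ev["cmd"]) for p in BACKUP_TAMPER_PATTERNS):
                alerts[pid]["backup-tamper"].append(ev["cmd"])
        elif op == "write":
            path = ev["path"]
            # 1. Many files written in a short period (fire once, when the threshold is crossed).
            write_times[pid].append(ts)
            recent = [t for t in write_times[pid] if ts - t <= BURST_WINDOW_SECONDS]
            if len(recent) == BURST_THRESHOLD:
                alerts[pid]["burst"].append(f"{len(recent)} writes within {BURST_WINDOW_SECONDS}s")
            # 2. Entropy jump: content went from text-like to ciphertext-like.
            before, after = shannon_entropy(ev["before"]), shannon_entropy(ev["after"])
            if after >= HIGH_ENTROPY_BITS and after - before >= ENTROPY_JUMP_BITS:
                alerts[pid]["entropy-jump"].append(f"{path}: {before:.2f} -> {after:.2f} bits/byte")
            # 3. Honey-pot file modified.
            if path in CANARY_PATHS:
                alerts[pid]["canary"].append(path)
        elif op == "rename":
            old, new = ev["old_path"], ev["new_path"]
            if old in CANARY_PATHS:
                alerts[pid]["canary"].append(f"{old} -> {new}")
            # 4. Extension changed to a known ransom suffix, or a suffix appended to the old name.
            suffix = "." + new.rsplit(".", 1)[-1].lower()
            if suffix in RANSOM_EXTENSIONS or new.startswith(old + "."):
                alerts[pid]["ransom-extension"].append(f"{old} -> {new}")
    return {pid: dict(ind) for pid, ind in alerts.items()}


PLAINTEXT = b"Quarterly report: revenue up, costs down, headcount flat.\n" * 8
# Constructed stand-in for ciphertext: every byte value appears exactly twice in 512 bytes,
# so the entropy is exactly 8 bits/byte without depending on a random source.
CIPHERTEXT = bytes((i * 7919 + 13) % 256 for i in range(512))


def make_sample_events():
    """Constructed event stream: one benign save by pid 1000, then ransomware-like pid 4242."""
    events = [
        {"op": "write", "pid": 1000, "ts": 0.0, "path": "C:/Users/alice/Documents/notes.txt",
         "before": PLAINTEXT, "after": PLAINTEXT + b"One more line of text.\n"},
        {"op": "exec", "pid": 4242, "ts": 1.0, "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    ]
    for i in range(22):
        t = 2.0 + i * 0.2
        path = f"C:/Users/alice/Documents/report{i}.docx"
        events.append({"op": "write", "pid": 4242, "ts": t, "path": path,
                       "before": PLAINTEXT, "after": CIPHERTEXT})
        events.append({"op": "rename", "pid": 4242, "ts": t + 0.1,
                       "old_path": path, "new_path": path + ".locked"})
    events.append({"op": "write", "pid": 4242, "ts": 7.0, "path": CANARY,
                   "before": PLAINTEXT, "after": CIPHERTEXT})
    return events


if __name__ == "__main__":
    for pid, indicators in analyse_events(make_sample_events()).items():
        for name, details in indicators.items():
            print(f"pid {pid}: {name} x{len(details)}, first: {details[0]}")
```

Run stand-alone, the script reports only pid 4242, with all five indicators, and says nothing about the word processor at pid 1000. In a real deployment the events would come from a file-system filter driver, ETW or auditd rather than a list, and the entropy check should be weighted against the others: backup and compression tools legitimately produce bursts of high-entropy writes, which is why the canary file and the backup-tampering commands carry the most weight, as they have no everyday explanation at all.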
What to do?
Unfortunately there were no easy solutions. Conference speakers suggested:
- Keep educating your staff about malware and deceptive emails.
- Have an intrusion prevention system (IPS): an intrusion detection system that merely raises an alert is not good enough, because the encryption will be finished long before anyone acts on it.
- Have offline backups. (Note that replication is not the same as backup: a drive or cloud folder that syncs continuously will faithfully replicate the encrypted files over the originals.)
- Instruct users to immediately disconnect their computer from the network and notify IT if they notice anything suspicious.
- Pull encrypted drives from the computer and keep them on a shelf: sometimes a method of decrypting the files will be discovered at a later date. (See below for some resources on this).
- BSides Ottawa (2016 archive of presentations not yet available)
- September 2016 Ransomware Reports
- OK, panic—newly evolved ransomware is bad news for everyone, an Ars Technica piece by Sean Gallagher
- In the Bitcoin Era, Ransomware Attacks Surge.
Resources to Decrypt (some) Encrypted Ransomware Files
Michael Z. Bell