In the digital era we live in, almost everyone is aware of malware in one form or another. ‘Malware’ is an umbrella term that encompasses many different attack methods, from the annoying pop-up ads trying to sell you a product (adware) to more targeted attacks that capture a user’s input (spyware). But in the last 2-3 years, we’ve seen one attack method move to the front of the stage: ransomware.

Ransomware note

Rise of Ransomware

Ransomware’s popularity has risen steadily since roughly 2014. It is now the most preferred and profitable attack method for cyber criminals. According to SonicWALL, its Global Intelligence Grid saw roughly 3.8 million ransomware attacks in 2015, a rise from the 3.2 million attacks in 2014. 2016 saw an astonishing 638 million ransomware attacks! That’s an increase of over 16,000%. Imagine if everyone in the U.S. were hit with ransomware, twice!

It’s no surprise, given the amount of success that cyber criminals have had turning a profit. The average ransom demand in 2016 was $679, more than double the average ransom of $294 in 2015. SonicWALL reports that nearly $209 million was paid in the first quarter of 2016 alone. With the increase in the volume of attacks as well as the elevated ransom demands, no one is shocked by estimates from the FBI that put ransomware on track to be a $1 billion source of income for cyber criminals annually.

Ransomware Variations

Due to the continued success of ransomware attacks, more and more ransomware variants are being released. According to Trend Micro, 50 new ransomware variants were discovered in the first 5 months of 2016 alone. The infographic below, provided by security company Symantec, shows the many ransomware variations uncovered between 2014 and 2016.

Symantec: Ransomware Variations

Among the new variants of ransomware, a growing concern for 2017 is Ransomware-as-a-Service. This is exemplified in variants such as Spora. ‘Script kiddies’ can now sign up, create their own payload and simply agree to pay a 30% commission on all ransoms collected. To make things worse, Spora and other variants have the ability to encrypt files offline, without contacting a server first. As we saw with DDoS-as-a-service from groups like LizardSquad, giving this ability to the public is a very slippery slope. DDoS-as-a-service has gradually become the ‘new age’ fire alarm prank for students. If Ransomware-as-a-Service follows the same path, school systems may be in a lot of trouble.

Ransomware Incident Response

With a majority of IT professionals surveyed stating they would never consider paying the ransom, and less than 50% of all ransomware victims ever fully recovering their data, we need to turn our focus to post-incident response. Most IT professionals have accepted the sobering truth that attacks will happen and that having a solid incident response protocol is more crucial than ever.

While backups are going to be our friend here (especially backups stored off-site), only 42% of surveyed professionals were able to fully recover their data from backups. The most common reasons were incomplete backups (backups that were unmonitored or had silently failed), backup drives that were reachable from the infected machine and were themselves encrypted, and the loss of 1-24 hours of data created after the last incremental backup was taken.

We’re unable to fully rely on our backups, and of course we can’t trust the criminals to actually follow through on their ‘promise’ to decrypt our data. We have to be more proactive in protecting our data. In most cases this will mean training our end users to be more security conscious! According to an Osterman Research survey, users are twice as likely to be infected via phishing emails as by visiting an infected site.

Protecting Your Network

A colleague of mine wrote a great blog on helping to protect your corporate networks against ransomware here. Even with good security controls in place, having additional layers to help catch possible infections is a good best practice. Additional measures should include practices like limiting which file systems our end users have access to, and restricting end users to read-only access on file shares wherever write access is not needed, so that an infected workstation can encrypt less.

Having complete visibility into your network traffic is almost standard practice today. Scrutinizer can provide users with the visibility they need to monitor all conversations taking place on their network. This provides security teams with the forensic data they need to analyze where the attack came in and, more importantly, to determine whether any other hosts communicated with the known bad host.

Of course, it never hurts to go the extra mile. Plixer offers a network probe that can help alert you to infected machines BEFORE they can communicate with a C2 server, allowing you to catch the infection and prevent the infected machine from pulling down a payload that may encrypt your entire file share. It’s unrealistic to believe you can stop every attack before it happens. More realistic is being able to prevent additional damage and attribute the Who, What, and When. This way, if other affected machines were in communication with the same host, you can take immediate action.

I encourage every user to trial Plixer’s FlowPro Defender for free. This provides you with detailed Layer 7 analysis of all of your DNS traffic and will immediately alert you when malware uses DNS for exfiltration or C2 communications.
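As an added illustration of the two ideas above (spotting malware that abuses DNS for C2 or exfiltration, then using the same data to find every host that talked to the bad domain), here is a small detector that is not Plixer’s code or FlowPro Defender’s logic. It runs over a constructed DNS query log; the domain names, client addresses and thresholds are all assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log ("<client_ip> <queried name>"), not real traffic: .5 and .9
# send long, high-entropy labels to a hypothetical C2 domain, while .12 queries many
# short CDN labels, a benign look-alike the rules below must not flag.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 kz3xq9vmd2lpt7wn4hjb8cys6rfa.c2-example.net
10.0.0.7 example.com
10.0.0.9 p4ne7ybx2kd9qgm3ctw8jfh5rzl6.c2-example.net
10.0.0.5 w7dq2mzk9xh4tbn3lvp8cyj6rfg5.c2-example.net
10.0.0.12 img1.cdn.example.org
10.0.0.12 img2.cdn.example.org
10.0.0.12 img3.cdn.example.org
10.0.0.9 r2hx8vkm4qdp9wnt3zlc7bjy5fg6.c2-example.net
"""


def shannon_entropy(s):
    """Bits per character: encoded data scores far higher than real words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Assumption: registered domain = last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def find_suspicious(log_text, min_unique=3, min_len=20, min_entropy=3.0):
    """Flag domains fed many distinct, long, high-entropy subdomains (a DNS
    tunnelling signature) and list every client that queried them."""
    payloads, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                        # skip blank or malformed lines
        domain, payload = split_name(parts[1])
        if payload:                         # apex lookups carry no payload
            payloads[domain].add(payload)
            clients[domain].add(parts[0])
    flagged = {}
    for domain, uniq in payloads.items():
        mean_len = sum(len(p) for p in uniq) / len(uniq)
        mean_ent = sum(shannon_entropy(p) for p in uniq) / len(uniq)
        if len(uniq) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[domain] = sorted(clients[domain])  # scope the blast radius
    return flagged
```

Requiring all three conditions together keeps CDN-style hostnames (many short, low-entropy labels) out of the alert; the returned client list is the starting point for the "which other machines talked to the same host" question.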

Jeff Morrison

Jeff Morrison is a Solutions Engineer here at Plixer. He is responsible for travelling on-site to provide assistance with initial deployment, setup and design, in-depth training, and custom configurations. While in the office Jeff is responsible for providing technical assistance on initial overviews, providing training for internal resources, and researching integrations with 3rd-party vendors. When not on the road travelling, he enjoys playing music, riding motorcycles, video games, and spending time with friends and family.

2 comments on “2017: The Year of Ransomware”

  1. Jeff, thank you for your sounding board, the Ransomware Discovery Timeline diagram is experiential and useful. Recently, Jan. 17, 2017 (Friday, 13th) our client experienced Cryptxxx V1. It was a total invasion; sync tentacles covering the remote workforce. Additionally, it opened a doorway to its maker, who strolled the RAID 5 like a kid in a candy store; deploying a more up-to-date version on a secondary (industry) server thus requiring an additional (2) ‘bitcoin keys.’ The new version tripled the Ransom amount of V1.

    The client was petrified balancing the Ransom Letter Timeframes vs. our Forensic and OS Strip-Away Process that took 63 solid working hours to achieve 100 percent recovery for a normal employee workday. This included reconstituting third-party proprietary software; and open communication with those programmers. We barely avoided the client paying the 2nd bitcoin Ransom amount within its stated timeline; which, literally offered a Holiday Season discount if payment was received before the last day…

    Forensics / OS Strip-Away revealed that Cryptxxx V1 arrived as a downloaded musical time-bomb months earlier, and was scheduled to execute at 1:00am, Friday the 13th. NOTE: A QuickBooks corporate scan revealed the time-bomb a week earlier and reported it by phone to their client contact who did not understand the gravity of the situation; (“it was not my responsibility, that’s owned by IT”).

    Question: Anyone interested in creating a collaboration team that crosses over traditional organizational boundaries to solve these types of issues on a hybrid timeframe for new clients? If so, send a note. Again, thanks Jeff for the excellent sounding board.

  2. Thank you Ken for taking the time to share your real-world scenario! I completely agree with your assessment that this is no longer just a problem for IT departments; this is very much a cross-functional problem. While it’s true that this is a growing concern for IT departments, it should equally be concerning for the business side as well.

    63 working hours is a lifetime in incident response! This is exactly what our focus has been for some time now. We strive daily to help IT professionals reduce their incident response time by providing them with the data footprint and visibility they need to perform in-depth forensic analysis. Leveraging NetFlow data and our FlowPro probes for performing deep packet inspection can help drastically reduce our time to resolution!

    Thank you again for sharing your story, I hope this helps to continue incident response dialogue and inform users of the very real problem we face on a daily basis!