Ransomware by the Book

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone and thanks for joining us. I'm Dave Bittner from the CyberWire. This is episode five of the Recorded Future podcast. Looking back at predictions for what to expect in cybersecurity in 2017, one thing that was on just about everyone's list was ransomware. It's quickly risen to one of the top cyber threats these days, and shows no signs of slowing down.

On today's podcast, we'll speak with a man who wrote the book on ransomware, or co-wrote one, anyway. Allan Liska is a senior solutions architect at Recorded Future, and co-author of the book, Ransomware: Defending Against Digital Extortion. Stay with us.

Allan Liska:

There are two types of ransomware. The first is what we call a locker ransomware, and a locker ransomware is a utility program virus that prevents you from accessing your system. So, it doesn't encrypt anything, all it does is keep you out of it. This type of ransomware is most commonly found on mobile phones. So somebody downloads a bad app, from the app store, they open it up, their phone's locked, and they can't get access to it until they put in a bunch of iTunes gift cards, or whatever the currency is.

These are generally fairly easy to get around. You may lose a little bit of data, but if you reset your phone, or often even reboot your computer, you can get around that. The more common type of ransomware, and the type that is in the news, is the crypto ransomware, and that is ransomware that encrypts files on your system. Sometimes it encrypts the whole disk, but mostly it's just encrypting select files on your system, and requires you to pay a ransom, in order to gain access to those files. So, you pay a ransom, in theory, the bad guy gives you a key, you put the key in, and you can then unlock your files again.

Dave Bittner:

Ransomware certainly has come to the fore, in the past year or so, but historically looking back, how long has this been around?

Allan Liska:

Surprisingly a long time. Ransomware was first introduced in the 90s. There were a couple of problems with early ransomware. One, there weren't built-in crypto libraries into the systems, so you had to have your own crypto libraries, which made the idea of delivering ransomware much more balky, and there was no effective way to pay the ransom. There wasn't anything you could do in order to get the money easily from the victim to the attacker. So it really didn’t take off at all, in fact it kind of faded away.

From there, we go to bitcoin. In the 2010s we had the development of bitcoin, and other cryptocurrencies, but bitcoin is the primary one. Now we have an anonymous way to transfer money from victim to a bad guy. Not completely anonymous, but effectively untraceable. Now, you have the means to collect payment that can't be pulled back by the banks, and we have the benefit of better processors, built-in crypto libraries, and the major operating systems. Now it's much easier to write ransomware, and have that ransomware delivered, and effectively installed and run, so it's reliable, and you can get your money with no way to get it back. We really start to see the rise of this type of crypto ransomware late 2011, early 2012.

Dave Bittner:

Are we seeing ransomware mostly affecting consumers, or is it affecting businesses as well?

Allan Liska:

There are two ways that ransomware is delivered. The first is through mass spam campaigns. That's probably the most popular delivery method, not necessarily the most effective, but the most popular delivery method. The second method is through exploit kits. You go to a website that's been compromised, the compromised website finds vulnerability in your browser, or one of your browser plugins, it exploits it, and then loads up the ransomware.

The ransomware delivered via spam is indiscriminate. We see like the Locky campaign at its height was sending out tens of millions of emails every month. But what we saw was that on the consumer side, most of that ransomware wasn't getting through. So when you go home at night, you probably have a Gmail account or an Outlook.com, or maybe even a Yahoo account, and the security teams behind those accounts, have gotten really good at quickly identifying ransomware, and spam-type emails. A lot of that winds up in your spam folder, and you as a consumer never see it.

I have a Gmail account at home, and I can go into my spam folder, anytime I need ransomware samples, and there's a half dozen new ones in there that I hadn't seen before. But I never actually see them, but I know I can pull them out and extract them. So with businesses, especially small-to-medium-size businesses, a lot of them don't have the same level of protections that are in place.

They're too big for using standard Gmail, so they're using business Gmail, which doesn't always have the same protections in there, because Gmail in that case is much more liberal about letting email into your inbox, because they don't want any business communication disrupted by accidentally sending something to spam folder. A lot of the especially small-to-medium-size businesses aren't at the point where they can afford, like a proof point or semantic mail gateway, something that's going to block a lot of that on behalf of the business.

So, they've sort of become the sweet spot of the most vulnerable targets, because even though they may not be getting the bulk of the email, they're seeing the bulk of these alerts.

Dave Bittner:

I see. Do you think a lot of ransomware incidents go under reported because people are ashamed, or they don't want their customers to know that they got hit?

Allan Liska:

Absolutely. There's still this stigma. Even though I think by some accounts something like almost 50 percent of small-and-medium-size businesses were hit with some form of ransomware last year, there's still this stigma that I've done something wrong, because this ransomware got to my employees, or to me, or whatever.

I do think that there's not a lot of reporting. Now some of that's going to change, because we've already seen HIPAA has changed requirements, that they consider ransomware a reportable offense. I think more, you're probably going to see that with PCI, as PCI continues to update. They're going to define ransomware as a reportable offense. So, more of these businesses are going to be forced to report it.

I would hope beyond that, that businesses would see this as a chance to share information to help protect others in their industry. If you keep it to yourself, especially if it's a new technique, something that hasn't been seen before, then you're just leaving the next person vulnerable to that, and I think it's really important that we share this type of information as widely as possible, to allow people to protect themselves.

Allan Liska:

Suppose you get hit with ransomware, should you pay the ransom?

Allan Liska:

The security guy in me says no. If you pay the ransom, you are helping the ransomware guys make more and better ransomware. You're encouraging bad behavior. That's the security guy in me. The business side of things realizes it's not always that simple. So, it’s a matter of what makes sense from a business perspective, with a couple of caveats. One, just because you've paid the ransom, doesn't necessarily mean that you're going to get your files back. Some ransomware is straight up scam. So, you'll get hit with this ransomware, you'll pay the ransom, nothing will happen. We saw that with the Petra ransomware, which just overwrote your master boot record, produced a ransom note, you paid the ransom, your master boot record was still overwritten, and there was nothing you could do about it. But more so, there's a matter of, "How much is it going to cost you to pay the ransom, vs. getting the files restored, getting your business back up and running, etc."

So, from a business perspective, the answer is sometimes yes. We see this especially with hospital chains, right? Or healthcare providers where patient services is tantamount, and so even if there are backups, it may be faster to pay the ransom, get the key, and get patient services back up and running as quickly as possible vs. a backup, which may take hours and hours in order to get those restored and get them back in place, and so on.

There are cases where business-wise it unfortunately makes more sense to pay the ransom, and that's something we just have to accept as part of the consideration.

Dave Bittner:

I've heard descriptions of these incidents where someone will get hit with ransomware, the bad guys will demand a ransom, they'll pay the ransom, and then the bad guys come back and say, well now we need more from you, and so that negotiation process begins. Does part of that negotiation include having the bad guys prove that they can actually decrypt some files?

Allan Liska:

Oh yeah, absolutely. If you are going to pay the ransom, if you've made the business decision that you have to do that, the first thing that I would ask is, "Okay, I need to decrypt a file, I need you to prove to me that this actually works," because some ransomware is very professionally developed, and well done, others are crap. They're just not very well done, and even if the bad guy intends to give you the keys to un-encrypt your files, it just flat out may not work. So, you absolutely, before paying anything, you want to make sure that your files can actually be decrypted, and you need proof of that before paying anything.

Yes, unfortunately ... This would be the other thing I would say is, if you are a large company or a fairly large organization, and you've been hit with ransomware, go home and start the negotiation there, because if the bad guy sees your IP address, does a WHOIS lookup on it, and says "Oh, you're a $100,000,000 company, your price just went up to $300,000 for ransom." That hurts your bargaining position, whereas if they go and say, "Oh okay, well this is a Comcast home IP address, okay you're just a home user, then that's fine, yeah, no problem, we'll stick with the original ransom." That is part of the way the more sophisticated actors work, is they are looking at who the victim is.

Dave Bittner:

Yeah, it makes me wonder, just like there are professional hostage negotiators, is there an opportunity for there to be professional ransomware negotiators?

Allan Liska:

You know what? That may be a whole new job that nobody's ever thought of, that hopefully will be a job that has a very short shelf life.

Dave Bittner:

Sure. So, let's talk about backups.

Allan Liska:

You don't just need backups, you need backups, and you need to test your backups. One of the ... again, as doing research for the book, one of the interesting things that we found out is that a lot of times, the security team, especially in the larger organizations, the security team has no idea what the backup strategy is, because that's handled by operations, or IT, or there's another group that's responsible for backups. But when a ransomware attack hits, the security guys are the ones that are responsible for dealing with it, so they go to the backup guys and say, "Okay, you know, can we have this backup?" "Well no, we don't backup every single desktop, why would we?" "Okay."

Before an attack happens, it's a really good idea for the security team to sit down with the IT team, buy some pizza and expense it, so that everybody has a good time, and talk about what the backup strategy is. How often backups are tested? Are they tested in a real-world situation where you don't just test to confirm that the backup's okay, but you actually try and restore from the backup. Have a good understanding of what is backed up, and then, what is not needed to be backed up.

Also very important, know where the backups are stored, because one of the things we've seen with ransomware is there are ransomware that look for network drives, and then they go off and encrypt everything on those network drives. So, if your backups are stored on a SAN system that is connected to the network, and that can be encrypted from the desktop, well then your backup isn't very effective. So, your backups do need to be restored in a way that is not easily accessible from somebody's desktop.

Dave Bittner:

Let's touch on the relationship between protection against ransomware and threat intelligence.

Allan Liska:

There are a couple of ways that you can use threat intelligence to help protect you. As a defender, finding out what the latest indicators are, and with ransomware there's a whole lot of them. There's the file hashes, there's the IP addresses for the command and control hosts, there's the domains for the bad websites, there are the emails, email addresses that the ransomware attacks are coming from. So those are sort of the basics, right? What we consider the minimal kind of threat intelligence, right? Those are the indicator sets that'll say, "I need to put this in my mail protection system, in order to block any email coming from these indicators, this email address, whatever.”

But there's more that you can do with ransomware. The methodologies of attack are very important, and a good threat intelligence provider will have that information for you. How does this particular ransomware work, and how does it work over time? So, for a lot of the bigger ransomware families, the Lockys, the Servers, the Sporas of the world, we see pretty regular updates. They're almost on an agile cycle, where every six weeks, there's a new sprint, and there's a new version of the ransomware coming out, and they're using different methods of delivery, and so on. So understanding what the new attack methods are, that is part of threat intelligence, and that's really important, because that gives you a strategic view of what you need to do to protect yourself.

I always encourage people, again, because we want security to be part of the solution, not part of the problem, I encourage you to reward users. I'm a big fan of challenge coins. It's just something simple like that. If somebody forwards you something that maybe have gotten through your defenses that they think looks suspicious, they forward it to you, and you go, "Yeah, you know what? That's a really good example of a bad thing, have a t-shirt, have a challenge coin, here's a $5 Starbucks gift card." Or even just a, "Hey, this is a great job, we really appreciate this work you're doing." That kind of encouragement of users gets them more involved, and keeps that situational awareness going throughout the year.

Dave Bittner:

Our thanks to Allan Liska for joining us.

You can learn more about ransomware with an upcoming webinar, featuring Allan Liska and Bardia Omran, from BT Global Services. Visit recordedfuture.com/webinars for all the details, and to sign up.

You can also find more intelligence analysis at recordedfuture.com/blog.

We hope you've enjoyed this show, and that you'll subscribe, and help spread the word among your colleagues and online. The Recorded Future Podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show's produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.