SoS Musings #29 - Ransomware Nightmare
Ransomware attacks remain a significant threat to government agencies, financial institutions, schools, businesses, and individuals, calling for continued research and advances in the prevention of such attacks. Ransomware is a type of malware that encrypts files and demands the payment of a ransom in order to decrypt them. Ransomware is often delivered through actions initiated by users, such as clicking on malicious email attachments and URLs, as well as through malvertising and drive-by downloads. The McAfee Labs Threats Report for August 2019 highlighted a 118% increase in ransomware attacks in the first quarter of 2019. In addition, security researchers have observed the use of more powerful malware and the adoption of new attack techniques by cybercriminals launching ransomware attacks. According to Malwarebytes' quarterly report, titled Cybercrime Tactics and Techniques: Ransomware Retrospect, detections of ransomware targeting businesses increased 365% from Q2 2018 to Q2 2019, while ransomware attacks targeting individual consumers declined; it is suspected that cybercriminals are seeking to gain more profit by going after higher-value targets. More than 50% of Malwarebytes' ransomware detections were on machines located in the U.S. Organizations and security professionals are encouraged to continue their efforts to fight ransomware attacks.
In developing techniques to prevent ransomware attacks, it is important for security professionals to examine past and current ransomware attacks. Six ransomware strains have made the biggest impact within the last five years: TeslaCrypt, SimpleLocker, WannaCry, NotPetya, SamSam, and Ryuk. From 2015 to 2016, TeslaCrypt ransomware largely targeted the gaming community, encrypting ancillary files such as saved games and user profiles associated with 40 popular video games, including Call of Duty and World of Warcraft, as well as PDF documents, photos, iTunes files, and Word documents. A $500 Bitcoin ransom payment was demanded of TeslaCrypt victims in order to decrypt these files, and if payment was delayed, the ransom increased to $1,000. In 2014, SimpleLocker emerged as the first Android-based ransomware, encrypting SD card files, including images, documents, and videos, and demanding the payment of 260 Ukrainian Hryvnia, worth $21, to decrypt these files. WannaCry ransomware arrived in 2017, rapidly infecting thousands of computers in more than 100 countries and impacting the operations of over 100,000 businesses. Following closely behind WannaCry was NotPetya ransomware, which was initially reported as a variant of Petya, a strain of ransomware that emerged in early 2016 and demanded that victims pay to recover their files. NotPetya was discovered to be purely destructive in that it kept computers' master boot records and master file tables encrypted despite the payment of the demanded ransom. Multinational companies, including Danish business conglomerate Maersk, pharmaceutical company Merck, FedEx's European subsidiary TNT Express, food producer Mondelez, and more, were impacted by NotPetya.
Since 2016, SamSam ransomware and its variants have been targeting organizations with a very low tolerance for downtime, such as those within the public-facing civil sector or the healthcare sector. These organizations are attractive targets for the hackers behind SamSam because they rely on real-time data and networked systems, so the longer it takes to pay the ransom for the decryption of that data and those systems, the more damage can occur. Ryuk is another strain of ransomware that has been active since August 2018, impacting more than 100 U.S. businesses, most of which have been logistics companies, technology firms, and small municipalities. The FBI recently issued a flash alert stating that Ryuk is capable of deleting files related to its intrusion, stealing credentials, establishing persistence in the registry, and more. The newest Ryuk ransomware instructs victims to contact the attackers via one of several email addresses to find out how much the ransom is and which Bitcoin wallet must be used to pay it. The trends in ransomware strains and incidents must be explored further.
Recent incidents indicate a rise in ransomware attacks on municipalities, educational institutions, and healthcare organizations. A ransomware attack on Johannesburg's electric utility, City Power, left some of the city's residents without power and impacted residents' ability to purchase electricity, upload invoices, and access the electricity provider's website. Baltimore City suffered a ransomware attack that disrupted city government emails, the processing of calls at the city's 311 call center, 911 services, and more. Over 20 municipalities in Texas have recently been hit with ransomware, affecting computer systems, city businesses, and financial operations. Other municipalities that have fallen victim to ransomware attacks include Key Biscayne, Lake City, and Riviera Beach. Louisiana Governor John Bel Edwards declared a state of emergency in response to ransomware attacks on three Louisiana public school districts (Sabine, Morehouse, and City of Monroe) that resulted in the loss of data stored on servers, the disabling of some technology systems, and the takedown of office phone systems. Grays Harbor Community Hospital in Aberdeen, Washington, just faced a ransomware attack in which attackers encrypted the health data of more than 85,000 patients and made its release contingent on the payment of a ransom. Although much of this data was recovered, parts of the electronic medical record remain encrypted and inaccessible to the hospital and Holston Medical Group. Such incidents call for the development of solutions.
As ransomware remains a major threat, there must be continued research, development, and exploration surrounding protection against this malicious software as well as the response to it. Andrea Continella and his team of researchers at NECSLab developed a tool, called ShieldFS, that automatically detects ransomware and performs a system restore from backups before the targeted system can be locked down by hackers. ShieldFS detects new ransomware-like attacks in addition to known types of ransomware by identifying the cryptographic behaviors characteristic of ransomware. Researchers from the Coordinated Science Laboratory at the University of Illinois describe a tool that can be used to prevent ransomware attacks in a paper titled Project Almanac: A Time-Traveling Solid State Drive. According to the researchers, the tool can allow ransomware victims to recover their files without having to give in to demands for ransom payments. The tool discussed in the paper enables solid-state drives, which are used in most computers as a component of the storage system, to retain old versions of files instead of discarding them when the files are modified. The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) encourage State and Local government partners to regularly back up their systems, increase employee cybersecurity awareness and education to draw further attention to the importance of not clicking suspicious links that could lead to ransomware infection or other attacks, and develop or strengthen their cyber incident response plans. In addition, organizations are advised to apply security patches, verify email senders, maintain preventive software such as antivirus programs, and use caution when clicking links and opening emails and attachments.
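As an added illustration of the "cryptographic behavior" heuristic that the ShieldFS description above alludes to, the following Python sketch flags a process that rewrites many files with ciphertext-like, high-entropy content. This is not ShieldFS's code; the detector, its thresholds and the sample write events are constructed here for illustration.

```python
import math
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple


class WriteEvent(NamedTuple):
    """One observed file write, as a filesystem filter driver might report it."""
    pid: int
    path: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 is indistinguishable from random (ciphertext-like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_ransomware_like(events: Iterable[WriteEvent], entropy_threshold: float = 7.0,
                         min_files: int = 5, min_high_ratio: float = 0.8) -> Dict[int, dict]:
    """Return the PIDs whose writes touch many distinct files and are mostly high-entropy.
    Thresholds are illustrative assumptions, not values from ShieldFS."""
    stats = defaultdict(lambda: {"files": set(), "writes": 0, "high": 0})
    for ev in events:
        s = stats[ev.pid]
        s["files"].add(ev.path)
        s["writes"] += 1
        if shannon_entropy(ev.data) >= entropy_threshold:
            s["high"] += 1
    flagged = {}
    for pid, s in stats.items():
        ratio = s["high"] / s["writes"]
        if len(s["files"]) >= min_files and ratio >= min_high_ratio:
            flagged[pid] = {"files": len(s["files"]), "high_entropy_ratio": round(ratio, 2)}
    return flagged


# Constructed sample: PID 1001 overwrites six documents with ciphertext-like bytes,
# while PID 2002 (an editor) saves ordinary English text to two files.
CIPHERTEXT_LIKE = bytes(range(256)) * 16          # every byte value equally likely
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 90
SAMPLE_EVENTS = [WriteEvent(1001, f"/home/user/docs/report{i}.docx", CIPHERTEXT_LIKE) for i in range(6)]
SAMPLE_EVENTS += [WriteEvent(2002, f"/home/user/notes{i}.txt", PLAINTEXT) for i in range(2)]


def demo() -> Dict[int, dict]:
    return flag_ransomware_like(SAMPLE_EVENTS)
```

A real monitor would combine this with other signals the text mentions, such as backup-directory or shadow-copy deletion, before triggering a restore.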
When hit with ransomware, victims are advised by the FBI not to give in to demands for ransom payments, as paying hackers' ransoms would motivate them to carry out more ransomware attacks. Solutions to ransomware must continue to be explored and developed by the Science of Security community.