So much of what we do depends on technology. Imagine if a company providing an online service could no longer provide that service to its customers. In fact, we don’t have to imagine – just this year Garmin, the popular GPS manufacturer, fell victim to a variant of the “WastedLocker” attack, taking most of its services down for 5 days as IT staff presumably worked around the clock to restore functionality.
What are the building blocks of ransomware?
While details vary between implementations, almost all ransomware follows the same pattern: exploit a weakness in an organisation’s defences to run arbitrary code in the context of a privileged user, then run a process that walks everything that user can access and replaces each file with an encrypted version. The key is only provided to the victim if they pay the ransom, usually via an untraceable payment method such as bitcoin.
Malware commoditised
Adding a further layer of abstraction, the authors of malware are often not the ones actually carrying out these attacks. Allegedly, black markets exist where interested parties can purchase ransomware tools, much like you or I might purchase Microsoft Office. Sophisticated attackers use this software as the “payload” of an active exploit, coupling it with a 0-day attack. Less sophisticated attackers might engage in social engineering, tricking a user into running the malicious program. Either way, the result is the same: anything a user can access, malware running in that user’s context can access too.
How can we protect against this threat?
Ransomware is an especially difficult threat to protect against. Oftentimes, the first thing ransomware will try to do is go after system backups! The “3-2-1 rule of backup” is a canonical rule of the trade: store your data in 3 places, at 2 separate physical locations, with 1 of them offline. What is meant by an offline backup? The most well-known example is tape. Dollar for dollar, tape is an extremely cost-effective medium for data archival and offline backup. (Of course, the cost is staggering compared to not doing anything at all, and it can be difficult to convince one’s management of the importance of paying for a fire extinguisher when nothing is on fire.) Unfortunately, even with newer technologies such as LTO-8, tape is still extremely slow to restore from at scale. If a single file server was hosed by ransomware, restoring from tape might take a few days and make a lot of sense. If an entire datacenter has been encrypted, businesses will often choose to pay the ransom to avoid extended downtime.
Well-known ransomware attacks
One of the most well-known ransomware attacks was “Petya” in 2016. Petya infected the MBR of a Windows workstation, encrypting the hard drive’s file system table and preventing Windows from starting up. In 2017, an attack sharing part of Petya’s codebase with some additional “enhancements” surfaced. This was named “NotPetya”, and it was coupled with the well-known “EternalBlue” vulnerability in the SMB1 protocol. This variant was so dangerous because it behaved like a network worm, hopping from computer to computer without human intervention. Critically, NotPetya was eventually determined not to be ransomware at all – despite demanding a ransom, NotPetya provided no mechanism for the damage to be reversed!
In April 2017 “WannaCry” came onto the scene. Like NotPetya, this infamous attack relied upon the SMB1 vulnerability EternalBlue to spread within internetworks. One of the most terrifying facets of this attack was the impact on the NHS in England: MRI scanners were taken offline. It is not too much of a jump to consider what a tempting target critical energy grid infrastructure would be to these bad actors.
What should I do if I am already a victim of ransomware?
First and foremost, breathe. This is one of the worst experiences any IT department can be faced with, and as hard as it is, keeping your cool is your best bet. The first and most important thing to do is to alert key business stakeholders. A conversation needs to be had so that direction can be given on what should be prioritised. Additionally, there is little point in beginning to restore things until “ground zero” can be identified and remediated. Oftentimes it is simply a user’s workstation, but ransomware can start from servers, IoT devices, or rogue equipment plugged into your network. You should also determine any reporting obligations; these vary by country. Remember, recovering from a ransomware attack is a marathon, not a sprint. Standing up infrastructure in a hurry can leave vulnerabilities open that lead you right back to square one in a jiffy! Talk things out with your peers and superiors, and remember to eat, sleep, and stay hydrated. Good luck!
Also know that not all ransomware is created equal. Less sophisticated attacks might generate the keypair locally, in which case the decryption key can be recovered from disk. Other attacks might rely on weak encryption, and “master keys” exist online. Certain firms claim to be experts in helping organisations recover from a ransomware attack. Some of them are legitimate, but others are predatory: many will simply pay the ransom on your behalf without telling you, and charge you for the privilege!
Additionally, paying the ransom encourages these criminals to continue perpetrating these acts of digital violence. If your company is in a position to recover from backup, this is widely considered the more ethical response.