Have you ever had one of those moments where you said, “Mark my words, this is going to happen”, then it actually does happen? Feels good, doesn’t it? Makes you feel like a wizard.
I’ve been researching ransomware for a while now. Sometime back in January, I was talking with a group of friends and peers and we landed on the topic of where we thought the capabilities of ransomware were headed.
This discussion eventually became a 38-page whitepaper on the past, present and future of ransomware.
To make a long story short...
Ransomware has been around since the mid-80s, when it was originally distributed by floppy disk. It was researched in the mid-90s as cryptovirology, and plagued the Eastern Bloc European nations throughout the early 2000s. As a multi-million dollar a year industry, the ransomware threat isn't going anywhere anytime soon. Like any good money-making scheme, once somebody smells blood in the water it draws the attention of bigger predators.
In the paper, I hypothesized that the future of ransomware lay in automation and self-propagation to maximize the spread of the payload, and/or in the targeting of enterprise networks. Up until about mid-February, there were some ransomware strains that would scan for and encrypt unmapped network shares, but that was about the extent of ransomware’s propagation.
And then SamSam happened
SamSam indicated a shift in targeting for ransomware operations -- ransomware attacks were now aiming for entire enterprise networks. SamSam was spread by skilled attackers. These attackers would compromise JBoss servers in a network’s DMZ by using free commodity pentester tools (in this case, a suite known as “JEXBOSS”), pivot through the network, escalate their privileges, identify and delete (if possible) network backups, then use a combination of batch scripts and PsExec to “pass the hash” and propagate their ransomware payload over the network as fast and as far as possible. The ransomware would kill any backup jobs in progress, disable and delete Volume Shadow Copies, encrypt data on the system, then use Sysinternals sdelete.exe to delete itself from the system after execution. While batch scripts and PsExec aren’t exactly “sophisticated”, they proved to be effective.
The paper mentions SamSam as a sort of “portent” for what the future of ransomware holds. I then go on to talk about worms and malware strains of yesteryear, factors that have ensured their continued success and propagation, and how these techniques could be used to develop ransomware we are likely to see in the future.
Normally, being the one to shout “I told you so!” while doing a dance or jig can be deeply satisfying, but I assure you that having to tell clients, users, friends and family, “I’m sorry, there’s nothing I can do for you other than tell you if you don’t have backups to pay the ransom”, really doesn’t hold any pleasure for me.
Zcryptor, a new strain of ransomware
This ransomware variant has the ability to propagate itself through external drives using autorun.inf. Zcryptor makes a copy of itself in the root directory of all attached drives, then crafts an autorun.inf to automatically execute the malware when it is introduced to a new system. There have been a number of malware strains that have used this propagation method in the past for spreading malware through removable drives, usually as a method for propagating into “airgapped” networks, or networks that have no outside access to the internet -- Conficker, agent.btz, even versions of Stuxnet utilized autorun.inf to spread payloads into such networks.
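The propagation method described above leaves a recognisable artefact: an autorun.inf in the drive root whose launch entry points at an executable sitting next to it. The following is an added example, not code from the original post or from any vendor, showing how a defender could check a drive's root for that pattern; the sample file contents, file names and the list of executable extensions are constructed assumptions, not taken from a real Zcryptor sample.

```python
import ntpath

# autorun.inf keys that start a program when the drive is opened or autoplayed.
EXEC_KEYS = ("open", "shellexecute")
# Assumption for this example: extensions treated as directly executable.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def command_target(command):
    """Extract the program path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def audit_drive_root(autorun_text, root_files):
    """Flag launch entries whose target is an executable present in the drive root."""
    present = {name.lower() for name in root_files}
    autorun = parse_autorun(autorun_text).get("autorun", {})
    findings = []
    for key, command in autorun.items():
        launches = key in EXEC_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        target = ntpath.basename(command_target(command)).lower()
        if launches and ntpath.splitext(target)[1] in EXEC_EXTS and target in present:
            findings.append({"key": key, "target": target})
    return findings

# Constructed sample: a drive root listing and its autorun.inf.
SAMPLE_ROOT = ["autorun.inf", "Invoice_Viewer.exe", "report.docx"]
SAMPLE_AUTORUN = "\n".join([
    "[AutoRun]",
    "open=invoice_viewer.exe",
    "icon=folder.ico",
    'shell\\open\\command="invoice_viewer.exe" /quiet',
])
```

An autorun.inf that only sets an icon or label produces no findings, so the check can run over every removable drive that is signed in or out without flagging ordinary vendor media.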
Consider for a moment that Conficker is 8 years old now, and still a massive threat to critical infrastructure networks that may or may not be airgapped, but usually have terrible patching policies due to the “if it ain’t broke, don’t fix it” mentality, combined with the rigorous change control process put in place in critical infrastructure facilities. While most critical infrastructure networks (e.g. ICS/SCADA) usually have failsafes for bringing systems under manual control in the event of an ICS system failure, ransomware in these networks could be expensive in terms of the manpower required to manually operate said systems, to restore functionality to infected systems, and to eradicate the infection.
Fortunately, while Zcryptor takes a step forward in propagation methods, it seemingly takes a step backward in effectiveness. According to the Microsoft Malware Protection Center (MMPC) article, the current version of Zcryptor makes no effort to disable or delete Volume Shadow Copies on the system upon execution, meaning that so long as you utilize Volume Shadow Copy (also known as “Previous File Versions”), or otherwise have a robust backup system in place, you shouldn’t have a problem recovering from this threat.
So, what can you do?
There are quite a few common ransomware propagation methods to be aware of, and you should also have some idea of how to mitigate their effectiveness. Below are descriptions of some of these methods and my recommendations for preventing the spread of ransomware:
Most commodity ransomware spreads through mass spam/phishing campaigns that use weaponized (macro-enabled) Office documents.
There are a variety of ways that weaponized spam email campaigns can be dealt with:
Instill the idea of “trust, but verify” in your users. Have your users exercise critical thinking before opening email attachments. Were they expecting an invoice email? Has the vendor/business partner sent invoices this way previously? Call them and ask them to confirm if they sent a document/invoice before opening the file. If the file is an Office document and specifically requests you to enable or run Office macros to view content, teach them to forward these emails to IT immediately for analysis.
Change the program that Windows associates with script file types to notepad.exe. There is a way through Group Policy to change file associations so that Notepad is used to open certain scripting formats that otherwise simply execute when double-clicked. This excellent document from How-To Geek lists a bunch of commonly abused Windows file formats. You’ll want to pay attention to: .bat, .cmd, .hta, .js, .jse, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .reg, .vb, .vba, .vbe, .vbs, .ws, .wsc, .wsf, .wsh -- these are all file extensions associated with scripting on Windows and are commonly abused in phishing campaigns. Experiment with changing their program associations as a mitigation factor.
Block or quarantine emails with commonly abused file attachments. If it’s within your power, and you have a mail filtering solution that supports it, block all the file extensions mentioned in the How-To Geek article at the mail security appliance, perhaps with the exception of .doc, .xls, .ppt (many businesses still use the old Office file extension formats to ensure backwards compatibility and ease of use). If your mail security solution supports it, and you have the staff and/or bandwidth, consider quarantining incoming emails with Office file extensions. Users will get an email that message X from email address Y was quarantined. The users can forward this message to support to verify they were expecting an e-mail, and you can remove the email from quarantine.
Consider not using email as a file storage and file sharing medium. Email is the literal embodiment of scope creep. It started as a method of sending messages to be retrieved asynchronously. Now it has turned into this hulking monstrosity that is the current de facto method for sending and receiving files on the internet. There are so many cloud file hosting and file sharing solutions today. As a security practitioner I have a habit of shying away from them since I don’t trust them. However, I live in the real world, and realize that most users like the convenience of these solutions. Replacing e-mail as a file sharing/storage medium is literally the one thing these solutions are built for and are good at. Most enterprise-grade file sharing applications allow you to generate links that you can send to business partners for them to upload documents. Additionally, these solutions also allow your users to upload documents and generate links that can be shared with that partner to allow them access to your documents. I fully realize that this isn’t exactly an easy-to-implement, one-size-fits-all solution, and would likely require tons of planning and restructuring of business workflows, but I’m including it because if you kill e-mail as a file sharing vector you almost certainly kill mass phishing campaigns.
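The block-or-quarantine recommendation above can be expressed as a small attachment triage routine. This is an added example, not code from the original post or from any mail security product: the block list is the script extension list given in this article, the macro-enabled Office extensions are an assumption added here, and the message, addresses and file names are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script extensions listed in the article: block outright.
BLOCK = set(".bat .cmd .hta .js .jse .msh .msh1 .msh2 .mshxml .msh1xml "
            ".msh2xml .ps1 .ps1xml .ps2 .ps2xml .psc1 .psc2 .reg .vb .vba "
            ".vbe .vbs .ws .wsc .wsf .wsh".split())
# Old Office formats named in the article: hold for review. The macro-enabled
# variants (.docm/.xlsm/.pptm) are an assumption added for this example.
QUARANTINE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}
SEVERITY = {"deliver": 0, "quarantine": 1, "block": 2}

def classify(filename):
    """Verdict for one attachment name, judged by its final extension."""
    # Windows drops trailing dots and spaces, so "x.js. " still opens as .js.
    name = filename.strip().rstrip(". ").lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in BLOCK:
        return "block"
    return "quarantine" if ext in QUARANTINE else "deliver"

def triage(raw_bytes):
    """Return (overall verdict, {filename: verdict}) for a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    verdicts = {name: classify(name) for name in names}
    overall = max(verdicts.values(), key=SEVERITY.get, default="deliver")
    return overall, verdicts

def build_sample(filenames):
    """Constructed test message; addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Judging by the final extension means a double-extension name such as scan.pdf.vbs is blocked, and the most severe attachment verdict decides what happens to the whole message.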
Zcryptor also spreads through fake Adobe Flash installers.
If you have Adobe Flash installed, it will typically notify you when a new update is ready to be installed. If a web page is telling you to update Adobe Flash, or prompting you to download Adobe Flash Player, I would err towards NOT trusting it.
Consider implementing adblocking solutions in the enterprise to reduce user exposure to malvertising. A lot of fake application downloader campaigns are run through malvertising (malicious advertisements). By blocking ads in your network, you’re eliminating a large amount of risk.
As always, keep your systems up-to-date. Ransomware is commonly distributed through exploit kits as well. As the name implies, exploit kits attempt to exploit vulnerabilities in a user’s web browser and/or plugin platforms (e.g. Silverlight, Flash, etc.) to download and execute malicious payloads. Exploit kit operators scramble to add new exploits all the time, sometimes in under a week from the initial notification, which is why keeping your systems patched and up-to-date is very important. This also applies to antivirus and other security solutions (e.g. EMET, etc.).
Consider imposing limitations around the use of removable media, if possible.
There will always be enterprises or special cases where removable media cannot be eliminated from an enterprise network; however, consider some of the following for mitigating USB drives as an avenue of infection/propagation:
Disable the use of USB mass storage devices entirely. TechNet has a detailed setup guide on how different classes of removable media can be disabled in various ways (totally disabled, read-only, etc.) that can be used to reduce your exposure to USB drives and/or other removable media devices. Additionally, some endpoint security products like Symantec Endpoint Protection allow you to disable the use of USB drives and/or audit their use in the network.
If disabling outright isn’t an option, consider limiting what USB device drivers/device IDs can be loaded/installed on a system. Another TechNet guide shows you how to configure Group Policy to limit which Device IDs are allowed to be loaded by Windows. This can be used to only allow authorized USB drives to be connected to your systems.
In situations where access to USB drives is necessary, but should be heavily monitored (e.g. airgapped networks), consider implementing a sign-in/sign-out system for USB drives -- inventory and access control. Keep an inventory of USB drives that are allowed to be connected to systems (e.g. group policy enforced) and require users and/or vendors to sign out USB drives when required, and sign them back in when they are done using the drives. Procedures can be built around this to scan the USB drives with antivirus solutions before and after exposure to airgapped networks, and ensure that drives are formatted after every use.
Ensure that autorun/autoplay is disabled. Most modern versions of Windows disable autorun by default, but it doesn’t hurt to ensure autorun is disabled entirely to prevent it being used as a propagation method. There are numerous guides for disabling autorun through group policy.
Ultimately, ransomware isn't going anywhere anytime soon...
In conclusion, the ransomware epidemic continues to grow and likely isn’t going anywhere anytime soon. Self-propagating ransomware is a very real threat that your users and enterprise need to be aware of in order to combat effectively. If you follow some of these mitigation steps you can prevent your organization from being another victim or headline.