In this article, the first of two, we focus on the realities of today's Ransomware threat and the logical progression that tomorrow brings.
In the past couple of months, we've seen widespread Ransomware attacks on multiple targets across the globe. Unlike the ongoing, constant threat that Ransomware poses, these affected the daily lives of millions of people who depend on services run by the systems that were taken down. Victims initially included hospitals, medical care, and power production, followed by disruptions to the global supply chain for shipping, pharmaceutical and oil production, the Chernobyl nuclear facility, law firms, banking, and more.
In some respects, we got off easy. Both attacks were limited in distribution, partly because of a kill switch/ vaccine, partly because of limited forms of replication. The financial losses aren't insignificant, but the damage could have been far more widespread, and talk of a potential threat to life isn't far-fetched.
So what of the emerging threat that, rather than destroying data, instead steals it and threatens public disclosure? We investigate this reality, backed with current evidence, and talk about what needs to be done in order to prepare - not for what's coming, but for what is already here.
Accepted Mitigations for Today's Threat
Today's Ransomware threat is fairly straightforward - infiltrate a host, encrypt files, and require payment to acquire a decryption key that, with properly built malware, is not available on the host computer. There are at least four well-known and distinct ways to combat this threat today:
- Make sure your computers are using the most up-to-date software, with the latest security patches.
- Utilize protective software designed to stop Ransomware. Though new, these technologies have been effective.
- Implement an automated backup/ restore procedure for critical data, then test restores regularly. Keep at least one copy that an infected host cannot reach over a writable share, or the backups are encrypted along with everything else.
- Implement procedures to make Bitcoin available to pay a ransom and recover encrypted files.
We promote all but the last, and there are of course other things that can and should be done, for example purposing devices with the minimal set of services required to perform assigned duties. This won't have as much impact in a desktop environment as it will for hardened industrial PCs used in supervisory control on a plant floor. Nonetheless, this can be a highly effective way of minimizing the resulting attack surface.
The Threat of Public Disclosure
Ransomware threats are evolving, but we're not talking about penetration techniques, i.e. how a threat enters a network. There are literally hundreds if not thousands of ways to achieve this goal, and right now more often than not malware enters through phishing/ spear phishing attacks. These are fake emails crafted to fool users into visiting malicious sites or opening malicious attachments, and they have proven effective due to a combination of human nature and poor controls.
Today's Ransomware threat is based on information sabotage, and the result is data loss and/ or a ransom of hundreds to thousands of dollars. What happens when that information is first stolen, then used for further leverage? Data may include someone's love letters to a mistress, the home address of a key employee, or damaging intellectual property secrets. These threats are likely to come with much higher demands, and can directly affect human life.
For proof, we need not look very far.
An Existing Public Threat using Personal Information
Very recently, the hacking group called the Shadow Brokers threatened to disclose the identity and home address of an alleged former member of the NSA's Equation Group, a team responsible for developing very dangerous security exploits. The Shadow Brokers, you may recall, are the team responsible for stealing secrets from this same NSA team. The threat demands that the alleged ex-NSA employee subscribe his company to the Shadow Brokers' dump service.
Compare this to a typical Ransomware attack that effectively erases data and demands hundreds of dollars to recover it. Even without a backup and restore solution, a lot of corporate data can be found with peers or by looking through email archives, which allows some of the encrypted data, quite often an up-to-date copy, to be recovered. The result is varying degrees of business disruption, then life goes on (and people forget).
But threatening to publicly disclose the home address of someone involved with such a controversial topic may put lives in danger. Some might surmise that the Shadow Brokers and the threat recipient are one and the same. Others believe these threats are unfounded. Whether or not they are real, the episode exposes a much more dangerous dynamic, with a value attached to the threat far higher than we usually see. In this case, the ransom requires a service subscription that, on last look, ranged between a few hundred ZEC (Zcash) and a thousand XMR (Monero), which translates to values somewhere between $40,000 and $70,000 USD - not even close to the typical ask of a few hundred or few thousand dollars. The stakes are obviously much higher.
Stop for a minute and ask yourself: does your company hold records that include your name, phone number, home address, and emergency contact in protected storage, or is that information sitting in a Word document or PDF file in an email archive and on someone's computer in HR? The answer, most probably, is on both your computer and on one in HR, if not more.
When we look at the recent Ransomware attack, we find low-level details showing how credentials cached on the local host are stolen and used for lateral movement. This is how the threat changes from a Virus to a Worm, self-propagating to new hosts. What if those same credentials are used to access documents that contain this sensitive employee information? If your company is involved in anything controversial, doesn't that put employees at physical risk? What does that mean for company liabilities, should someone be tracked down and physically assaulted? We've already seen swatting attacks on prominent public figures. What happens when employee records are disclosed for all to see? This carries far more dangerous and significant consequences.
By looking at the realities of this recent attack, we can see that we are, as a community, getting off easy. Had this attack been designed to propagate beyond the subnets of an infected host, without a kill switch, and purposed to steal and publicly post information en masse when recipients didn't pay a hefty ransom, where would that have left us? What happens when this takes place next week, next month...constantly?
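Credential theft followed by lateral movement leaves a recognisable trace in Windows Security logs: one account producing successful network logons (event 4624, logon type 3) against many hosts within seconds, which no human does by hand. The following is an added example, not code from the original article or from the malware it discusses, that flags that fan-out pattern over a constructed set of events; the event tuples below are made up for the demonstration, with fields named after the 4624 event's own (LogonType, TargetUserName, WorkstationName), and the two-minute window and four-host threshold are assumptions to tune per environment.

```python
"""Added example (not from the original article): flag an account whose
successful network logons fan out across many hosts in a short window, the
trace left by credential reuse for lateral movement. Events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, event_id, logon_type, account, target_host).
# Event 4624 = successful logon, 4625 = failed logon; logon type 3 = network.
SAMPLE_EVENTS = [
    ("2017-06-27T09:00:01", 4624, 2, "alice", "WS-01"),       # interactive, normal
    ("2017-06-27T09:05:10", 4624, 3, "svc-backup", "FS-01"),  # routine service logon
    ("2017-06-27T09:31:02", 4624, 3, "svc-backup", "FS-02"),
    ("2017-06-27T10:12:00", 4624, 3, "alice", "FS-01"),       # burst begins
    ("2017-06-27T10:12:03", 4624, 3, "alice", "WS-07"),
    ("2017-06-27T10:12:04", 4624, 3, "alice", "WS-08"),
    ("2017-06-27T10:12:05", 4624, 3, "alice", "WS-09"),
    ("2017-06-27T10:12:06", 4624, 3, "alice", "SRV-DB"),
    ("2017-06-27T10:12:30", 4625, 3, "alice", "SRV-AD"),      # failure, not counted
]


def detect_fan_out(events, window=timedelta(minutes=2), threshold=4):
    """Return {account: sorted hosts} for every account whose successful network
    logons reach at least `threshold` distinct hosts within any span of length
    `window`. Interactive logons and failed logons are ignored, so a user at
    their own desk and a single mistyped password do not trigger an alert."""
    by_account = defaultdict(list)
    for ts, event_id, logon_type, account, host in events:
        if event_id != 4624 or logon_type != 3:
            continue
        by_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological, so each start index opens one window
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    print(detect_fan_out(SAMPLE_EVENTS))
    # {'alice': ['FS-01', 'SRV-DB', 'WS-07', 'WS-08', 'WS-09']}
```

The service account that touches two file servers half an hour apart stays quiet; the user account that reaches five machines in six seconds is reported. In practice the events would come from a log collector rather than a list, and the threshold should sit above whatever legitimate administrative tooling produces on your network.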
Encrypting Host Application Data
Sensitive host application data has to be encrypted, with tight access control, or else it has to be (securely) removed. The latter isn't terribly practical, and in reality, sensitive information flows through host computers used by people who haven't been properly trained, on systems that lack controls to protect content. How many people understand the threat posed by an unprotected file attachment in a Sent Items email folder, and how easy it is for Ransomware (and other forms of malware) to get at that file's contents? Few understand it, and it is very easy. Until host application data is properly protected, we as a community face far greater threats than most have been discussing.
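To see how exposed the Sent Items example (and the HR records asked about earlier) really are, it helps to do what the malware would do: walk a mailbox and read the attachments. The following is an added example, not code from the original article or from any product it mentions. It builds a small Sent Items mailbox in mbox format using only the Python standard library, then scans every attachment for employee contact data; the messages, the attached record and the regular expressions are constructed for the demonstration, and a real inventory would tune the patterns to the organisation's own record formats.

```python
"""Added example (not from the original article): find unprotected attachments
in a Sent Items mbox that carry employee contact data. Mailbox contents and
detection patterns are constructed for the demonstration."""
import mailbox
import re
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Constructed indicators of personal contact data in plain text.
PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "street_address": re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:St|Ave|Rd|Blvd)\b"),
    "emergency_contact": re.compile(r"(?i)emergency contact"),
}


def scan_attachment_text(text: str) -> set:
    """Return the names of every pattern that matches somewhere in `text`."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def scan_mbox(path: Path) -> list:
    """Walk each message in the mbox, decode each attachment as UTF-8 text and
    report (subject, filename, matched_patterns) when contact data is found.
    Attachments that are not decodable text are skipped rather than reported."""
    findings = []
    box = mailbox.mbox(str(path))
    try:
        for msg in box:
            for part in msg.walk():
                if part.get_content_disposition() != "attachment":
                    continue
                payload = part.get_payload(decode=True)
                if payload is None:
                    continue
                try:
                    text = payload.decode("utf-8")
                except UnicodeDecodeError:
                    continue
                hits = scan_attachment_text(text)
                if hits:
                    findings.append((msg["Subject"], part.get_filename(), sorted(hits)))
    finally:
        box.close()
    return findings


def build_sample_mbox(path: Path) -> None:
    """Write a constructed Sent Items mbox: one harmless message and one with a
    plain-text HR contact record attached, as a user might have emailed it."""
    box = mailbox.mbox(str(path))
    try:
        harmless = EmailMessage()
        harmless["From"], harmless["To"] = "alice@example.com", "bob@example.com"
        harmless["Subject"] = "Lunch"
        harmless.set_content("Noon works for me.")
        box.add(harmless)

        hr = EmailMessage()
        hr["From"], hr["To"] = "alice@example.com", "hr@example.com"
        hr["Subject"] = "Updated contact sheet"
        hr.set_content("Attached as requested.")
        record = ("Name: Alice Example\nPhone: 555-010-0100\n"
                  "Home: 12 Main St, Springfield\n"
                  "Emergency contact: Bob, 555-010-0101\n")
        hr.add_attachment(record, filename="contacts.txt")
        box.add(hr)
        box.flush()
    finally:
        box.close()


def demo() -> list:
    """Create the sample mailbox in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "Sent Items.mbox"
        build_sample_mbox(path)
        return scan_mbox(path)


if __name__ == "__main__":
    for subject, filename, hits in demo():
        print(f"{subject!r}: {filename} -> {', '.join(hits)}")
```

Nothing in this scan needs elevated privilege or any tooling beyond what ships with the interpreter, which is the point of the paragraph above: any code running as the user can read the same attachment. The same walk, pointed at real mail stores, gives a defender an inventory of where such records have spread before deciding what to encrypt or remove.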
There are a few providers that offer solutions with host data encryption, though they still fall short for reasons described in Part 2 of this article (available shortly). These are also typically very expensive, and most often require significant long-term IT commitments with dedicated specialists. Even if they were suitable and didn't require additional staff, they would still be out of reach for many that cannot avoid the realities of unauthorized data disclosure.
The SSProtect component security suite was built for these purposes. Designed from scratch to provide aggressive host data protection, the system is scalable and easy to use. Deployment doesn't require additional investments in IT infrastructure, and doesn't require dedicated personnel. This makes it a viable consideration for companies both large and small. When paired with next-generation anti-Ransomware/ anti-Malware protection and other known techniques, you can quickly and easily realize protections that are suitable for both today's and tomorrow's most advanced threats.
Ransomware is here to stay, and today there are a number of techniques that are part of established corporate security programs, when they exist. As the threat matures, attackers won't stop at sabotage by encryption, holding decryption keys for ransom. Instead, attackers will steal the information in the files they can access when they penetrate a host computer. This creates a much more damaging threat than that posed by a payload that's mostly destructive in nature. And as this threatens individuals and critical corporate secrets, the value of protecting against disclosure rises dramatically, along with liabilities.
The proper solution relies on proper encryption and control over host data. Traditional host encryption hasn't been widely deployed because it's difficult to use and not highly effective. However, with cloud adoption and faster networks, today's solutions can and do deliver suitable protection against these and other emerging threats.
Stay tuned for Part 2 where we discuss details associated with effective protection. In the meantime, feel free to email us with questions, comments, and/ or suggestions using firstname.lastname@example.org.
This article was published June 28th, 2017