By Marcus Almeida, Inside Sales & SMB manager at Intel Security
Ransomware attacks continue to grow. According to McAfee Labs, ransomware samples grew by 169% in 2015 and the total malware samples now number almost 6 million. The technique is not new, it has been around for a long time, the first prototypes of the malware were developed in the mid-1990s. However, the criminal modality is gaining more and more popularity due to the impossibility of tracking the virtual currencies used in payments redemptions and also by offering Ransomware as a Service packages available on the deep web.
Ransomware uses encryption to extort victims, attacks can cause loss of access to information, loss of confidentiality and leakage of information. The attacks can be aimed at both consumers and companies of all sizes. It is important to understand how the anatomy of a ransomware attack works to prevent it more effectively.
There are six steps that an attack takes to achieve its goals. The first step is distribution. In fact, cybercriminals use well-known distribution methods, usually malware is spread through phishing scams involving fraudulent links, email attachments or file downloads that are installed on the endpoint from compromised websites. Even known, the technique is still very effective, one in four recipients opens phishing messages and, surprisingly, one in 10 clicks on attachments received in those messages.
The second step is infection. The binary arrives at the user's computer and initiates the necessary processes to complete its malicious activities. This step may include newer techniques and sophisticated behaviors. For example, the CryptoWall 3 malware works as follows: Generates a unique computer identifier; certifies a “survival reboot” by installing a program to be executed when starting the machine; disables Windows copies and error repair and recovery systems, disables defense programs; it injects itself into explorer.exe and svchost.exe and retrieves the external IP address.
The third step is communication. The malware communicates with the encryption key servers to obtain the public key needed to encrypt the data. CryptoWall 3, for example, connects to a compromised WordPress site and reports its status. All control server traffic is encrypted using the RC4 encryption algorithm. The fourth step is to search for files. Ransomware systematically searches for files on the system. It normally searches for files that are important to the user and cannot be easily replicated, such as files with extensions of jpg, docx, xlsx, pptx, and pdf.
The next step is encryption. The process is carried out by moving and renaming specific files, the information is "scrambled" and can no longer be accessed without being decrypted. The last step is the ransom request, when normally a warning appears on the screen of the infected computer demanding payment in bitcoins to then send the victim the key that can unlock the machine.
Knowing how a ransomware attack works in detail is essential to create strategies that can stop the malware from acting before it can encrypt the machine. The most proactive method of protecting the network from attack is to prevent the threat from reaching the endpoint in the first place. Using a security solution that includes web filtering, antispam, antimalware and keeping operating system and application patches up to date helps block the arrival of malware.
To avoid the infection stage, it is recommended never to activate macros, unless you know very well what you are doing. Office macros are often used by ransomware in the process of infection. It is also important to restrict users' access permissions. Surfing the web, opening several applications and documents and working with several different programs while connected with an administrative profile, for example, increases the vulnerability. It is also recommended to use a sandbox tool, which will better analyze suspicious files and avoid contamination.
For the communication phase, it is recommended to use network firewalls, which have a standard feature to block malicious domains. Another tip is to block access to Tor, an anonymous Internet communication system based on a distributed network used to ensure privacy on the internet. This tool is used by ransomware to obscure communications from the control server. In situations where Tor is not required, it is recommended to block it. The ransomware attack can be stopped if it cannot establish control, so blocking Tor will stop the ransomware using this strategy at this stage. For those using proxy and gateway appliances, these technologies can be configured to scan and block ransomware attacks. Most ransomware cannot continue operations if they are unable to retrieve the public encryption key required for asymmetric encryption.
And finally, keep an offsite backup. After the backup is done, turn off the drive and keep it away from all computers. Thus, the ransomware cannot detect the backup and damage it.
Ransomware uses encryption to extort victims, attacks can cause loss of access to information, loss of confidentiality and leakage of information. The attacks can be aimed at both consumers and companies of all sizes. It is important to understand how the anatomy of a ransomware attack works to prevent it more effectively.
There are six steps that an attack takes to achieve its goals. The first step is distribution. In fact, cybercriminals use well-known distribution methods, usually malware is spread through phishing scams involving fraudulent links, email attachments or file downloads that are installed on the endpoint from compromised websites. Even known, the technique is still very effective, one in four recipients opens phishing messages and, surprisingly, one in 10 clicks on attachments received in those messages.
The second step is infection. The binary arrives at the user's computer and initiates the necessary processes to complete its malicious activities. This step may include newer techniques and sophisticated behaviors. For example, the CryptoWall 3 malware works as follows: Generates a unique computer identifier; certifies a “survival reboot” by installing a program to be executed when starting the machine; disables Windows copies and error repair and recovery systems, disables defense programs; it injects itself into explorer.exe and svchost.exe and retrieves the external IP address.
The third step is communication. The malware communicates with the encryption key servers to obtain the public key needed to encrypt the data. CryptoWall 3, for example, connects to a compromised WordPress site and reports its status. All control server traffic is encrypted using the RC4 encryption algorithm. The fourth step is to search for files. Ransomware systematically searches for files on the system. It normally searches for files that are important to the user and cannot be easily replicated, such as files with extensions of jpg, docx, xlsx, pptx, and pdf.
The next step is encryption. The process is carried out by moving and renaming specific files, the information is "scrambled" and can no longer be accessed without being decrypted. The last step is the ransom request, when normally a warning appears on the screen of the infected computer demanding payment in bitcoins to then send the victim the key that can unlock the machine.
Knowing how a ransomware attack works in detail is essential to create strategies that can stop the malware from acting before it can encrypt the machine. The most proactive method of protecting the network from attack is to prevent the threat from reaching the endpoint in the first place. Using a security solution that includes web filtering, antispam, antimalware and keeping operating system and application patches up to date helps block the arrival of malware.
To avoid the infection stage, it is recommended never to activate macros, unless you know very well what you are doing. Office macros are often used by ransomware in the process of infection. It is also important to restrict users' access permissions. Surfing the web, opening several applications and documents and working with several different programs while connected with an administrative profile, for example, increases the vulnerability. It is also recommended to use a sandbox tool, which will better analyze suspicious files and avoid contamination.
For the communication phase, it is recommended to use network firewalls, which have a standard feature to block malicious domains. Another tip is to block access to Tor, an anonymous Internet communication system based on a distributed network used to ensure privacy on the internet. This tool is used by ransomware to obscure communications from the control server. In situations where Tor is not required, it is recommended to block it. The ransomware attack can be stopped if it cannot establish control, so blocking Tor will stop the ransomware using this strategy at this stage. For those using proxy and gateway appliances, these technologies can be configured to scan and block ransomware attacks. Most ransomware cannot continue operations if they are unable to retrieve the public encryption key required for asymmetric encryption.
And finally, keep an offsite backup. After the backup is done, turn off the drive and keep it away from all computers. Thus, the ransomware cannot detect the backup and damage it.
EN 
PT 
