How Ransomware Uses Encryption – And Evolves

Ransomware attacks are a huge concern these days, especially for corporate networks. Successful assaults can lead to locked up data and systems, as well as stolen and leaked data, bringing chaos to the targeted companies.

Indeed, when the ransomware reaches its target, it’s practically game over. The malware encrypts files and spreads to the entire system to maximize damage, which forces companies to lock down the whole network to stop the propagation.

Encryption is the Key

Encryption is used everywhere. Encrypting is neither hashing nor obfuscating files. Those techniques are often combined, but they are not the same. Hashing and obfuscating techniques are helpful for evading detection tools. Ransomware can take your data hostage because of encryption.

Ransomware uses different types of cryptography, from modern symmetric ciphers such as AES or DES to asymmetric ciphers that require a public key and a private key. The idea with encryption is to prevent any reverse operation without a key.

Most ransomware strains display a special note after the encryption stipulating that the only way to decrypt your files is to send bitcoins to some Tor hidden server. It’s not always true, though, as some are decryptable, and you should not pay the ransom.

For example, an ancient malware, Jigsaw, contains the key used to encrypt files in the source code. Fortunately, you can now use efficient removal tools and services to get rid of various known ransomware strains.

However, files encrypted with the most recent ransomware, used in some pretty dramatic attacks, aren’t decryptable. That’s why hackers ask for ridiculously large ransomware payouts. Besides, encryption techniques are evolving to bypass detection tools and operate in silence, making the first line of defense quite useless in some cases.

Your Backups Can Fail

Don’t get me wrong. A good backup strategy is essential for your safety, but backups are useless without a functional restoration process at the largest scale. Enterprises sometimes forget to test their procedures regularly, which can result in massive failures at the worst moments.

Even if your recovery procedure is robust, attackers can delete all backups before encrypting data, so you have nothing to restore. It happens because backups are available online most of the time, and hackers already have access to the network and admin privileges. In addition, ransomware likely encrypts data in real-time, so attackers can corrupt the backup files used for recovery, ruining the whole point of the procedure. That’s why immutable backups are critical, along with the old guidance to keep multiple copies in multiple formats in multiple places, including offline, or “air gapped,” in addition to having the bandwidth or technology to restore that data quickly.

Backup has always been critical; if the ransomware scourge has done anything positive, it’s bringing attention to data protection and security practices that should have been done all along. This is a place where most companies likely need to hire pros to help.

What Happens During Ransomware Encryption?

Operating systems use encryption as a security feature. Theoretically, ransomware would only have to divert this native function, for example, by using a private key, known only by the attackers, to encrypt your files, but many existing tools would be able to undo the trick.

Modern ransomware such as WannaCry has been using hybrid schemes that combine symmetric and asymmetric encryption. The files are encrypted using a symmetric cipher (such as AES), which runs fast and does not require any internet connection, but the ransomware’s executable contains the public key of a remote command and control server hidden on the dark web.

This public key is used to encrypt the symmetric keys using, for example, the RSA algorithm, so every time a machine gets infected, new RSA key-pairs are generated.

It looks pretty efficient, but even with that level of encryption, researchers have managed to find the prime numbers used to generate the RSA key-pair inside the memory of some infected computers that did not shut down.

Ransomware Evolves

Recent attacks by the REvil group didn’t just encrypt data. The malware was also able to exfiltrate critical information before the encryption. As ransomware protection improves, especially with removal and recovery strategies, hackers use stolen data as new leverage, so they can still threaten the victims if they do not pay the ransom.

It happened this year with Quanta Computer, an Apple supplier. The attackers threatened to leak stolen Apple blueprints, which could be financially devastating for the company. They asked for the equivalent of $50 million.

The attack was quite sophisticated, involving supply chain vulnerabilities. Once the machines were infected, sensitive data were sent to the command and control server before the encryption. The malware was built with advanced debugging and locking systems, opening the command prompt to interface with Windows Explorer and delete shadow copies used for recovery.

Intermittent Encryption is a New Threat

In August, Sophos revealed a new ransomware family called Lockfile, which relies on intermittent encryption.

The trick consists of encrypting every 16 bytes of a file to remain undetected by ransomware protection solutions. Encrypted documents get a .lockfile extension.

In addition, the encryption does not require a lot of disk input/output (I/O) and does not communicate with a command and control server, which makes it much harder to spot and allows for encrypting files without internet access.

This new encryption approach is the most interesting. With this technique, text documents remain partially readable, but the hackers don’t care. The purpose is to fool static analysis such as the chi-squared (chi^2) method used by some ransomware protection software.
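The effect on a whole-file chi-squared check, and one way a detector can account for it, as an added example (not code from Sophos or from this article). It assumes the encrypted blocks alternate with untouched 16-byte blocks starting at offset 0, uses seeded random bytes as a stand-in for ciphertext, and the threshold and minimum-size values are constructed for the illustration.

```python
import random
from collections import Counter

BLOCK = 16          # block size the article gives for Lockfile
THRESHOLD = 400.0   # constructed cut-off; uniform bytes score near 255
MIN_BYTES = 1280    # constructed floor: about 5 expected hits per byte value

def chi_squared(data: bytes) -> float:
    """Pearson chi-squared of byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def looks_random(data: bytes) -> bool:
    # Too-small samples are skipped: the statistic is meaningless for them.
    return len(data) >= MIN_BYTES and chi_squared(data) < THRESHOLD

def phases(data: bytes, block: int = BLOCK):
    """De-interleave data into its even-numbered and odd-numbered blocks."""
    chunks = [data[i:i + block] for i in range(0, len(data), block)]
    return b"".join(chunks[0::2]), b"".join(chunks[1::2])

def detect(data: bytes) -> str:
    if looks_random(data):                        # classic whole-file check
        return "fully-random"
    if any(looks_random(p) for p in phases(data)):
        return "intermittent"                     # one phase alone is uniform
    return "clean"

def constructed_samples(size: int = 64 * 1024, seed: int = 7):
    """Build labelled sample buffers; nothing here is real malware output."""
    rng = random.Random(seed)
    sentence = b"Quarterly report: revenue, costs and forecasts for all regions. "
    text = (sentence * (size // len(sentence) + 1))[:size]
    noise = bytes(rng.getrandbits(8) for _ in range(size))  # ciphertext stand-in
    mixed = bytearray(text)
    for i in range(0, size, 2 * BLOCK):           # overwrite alternating blocks
        mixed[i:i + BLOCK] = noise[i:i + BLOCK]
    return text, noise, bytes(mixed)

if __name__ == "__main__":
    for name, buf in zip(("text", "noise", "mixed"), constructed_samples()):
        print(f"{name:6} chi2={chi_squared(buf):10.1f} verdict={detect(buf)}")
```

A production detector would also have to try other block sizes and starting offsets, since the alignment assumed here is only one possibility.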

Besides, by using memory-mapped I/O, the malware lets the system write to the files, making the encryption an internal process.

The finishing touch is that the malware can delete itself once the encryption is finished.

Julien Maury
