Over the last few years, ransomware has emerged as one of the most devastating and costly attacks in the hacker arsenal. Cyber thieves are increasingly using this form of attack to target individuals, corporate entities and public sector organizations alike by holding your system or files for ransom. Unlike other forms of cyber theft that often involve stolen financial or healthcare information, ransomware cuts out the middleman. In cases where an attacker steals health or financial documents, they must sell them on to third parties to make money. As far as ransomware is concerned, the money comes directly from the victim.
Ransomware is a quickly growing threat vector. According to the FBI’s Internet Crime Complaint Center (IC3), infected users filed 2,453 ransomware complaints in 2015—nearly double the figure for 2014. What’s more, these figures most likely represent only the tip of the iceberg, as many users pay the ransom without reporting to the authorities. A recent survey conducted by a Cyber Security Research Center at the University of Kent found that over 40% of those infected with CryptoLocker actually agreed to pay the ransom demanded, which is a big incentive for hackers to target more systems.
Lastly, hackers are rapidly iterating both their malware and their distribution techniques. In early Q2 of 2016, a new variant of ransomware, known as CryptXXX, emerged on the scene. This program is packed in such a way that users and antivirus software may initially mistake it for a Windows DLL file. Further layers of code are deliberately designed to obfuscate the functionality of the program and thwart security researchers. According to research from SentinelOne, this functionality includes the ability to deliberately hunt down and steal bitcoin wallets, as opposed to simply waiting for a ransom.
CryptXXX has evolved its abilities even further since it was first detected. A new version of the malware now includes the ability to steal network access credentials and to search for and encrypt shared drives attached to the initially infected endpoint. The implications are ominous. Most ransomware authors don’t know whether the data they’re encrypting is actually of value to their targets. By adding the ability to spread in this manner, cyber criminals have drastically increased their odds of winning a payday.
Other attackers are swiftly refining their toolkit in order to hit specific targets as well. SamSam, for example, bypasses the process of infecting users via a phishing attack or drive-by-download, and goes straight for unpatched vulnerabilities in JBoss. KeRanger diversified to begin infecting OS X users. Most ransomware is less creative than one might assume, given the breathless reports of its efficacy. However, even the most basic attacks have shown an alarming ability to bypass traditional security measures.
While many endpoint security products including traditional antivirus, host IPS, clustering and sandbox technologies have tried to prevent ransomware attacks, none of these solutions have been successful in preventing this latest form of attack. SentinelOne is the only vendor to provide “Next Generation” Endpoint and Server Protection to successfully detect and prevent ransomware-based attacks. We’ll now discuss in more depth how ransomware works and how SentinelOne protects against it.
While some ransomware has shown a nascent ability to seek out valuable data, and specifically target it for encryption, most malware has no idea what it’s trying to hold for ransom. It could end up targeting vital patient records—or a couple of photos from the last company outing. With this in mind, hackers are going for volume, rather than precision.
Exploit kits are one way to hack users en masse. Criminals will typically purchase advertising space, allowing them to host banner ads on various sites. The ads themselves contain exploit kits, such as Angler, that execute inside a user’s browser when they detect certain vulnerabilities. Angler then downloads and installs ransomware in turn. This strategy, known as a drive-by-download, can infect hundreds of people with just a single ad.
Spear phishing campaigns are another way to target either individual users or large classes of users within a single enterprise. In a failure that speaks volumes about the effectiveness of security awareness training, many users will still download suspect Word documents and enable their macros. Other strains, such as Petya, may require the user to approve a User Account Control (UAC) prompt.
Persistence pays off
Most ransomware uses certain techniques that prevent both average and advanced users from ever reversing the infection. Although Petya has a relatively crude infection vector, it persists in a user’s system by overwriting the Master Boot Record. Other malware hides out in traditional locations such as the registry.
Also of importance is preventing the user from ever restoring an infected endpoint to a pristine state. Ransomware will contain additional functionality, apart from encryption, to seek out and destroy the Volume Shadow Copies that Windows uses for system restore. It will also disable Windows backup tools and tamper with other mechanisms that may restore or defend the system’s integrity, such as Safe Mode, Recovery Mode, and Windows Defender.
SentinelOne changes the game by bringing in behavioral detection. Instead of trying to identify malware that may have been obfuscated using several techniques, it looks at what the program is actually doing. Is a program creating new executables without authorization, disabling key Windows features, or otherwise taking actions that compromise the integrity of a computer or server? Then it may be malware, and SentinelOne will chart the history of the suspect program as it moves through a network, allowing administrators to understand its attack path and reverse its changes at any point. SentinelOne offers next-generation protection on both endpoints and servers.
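The behavioral approach described in the last two paragraphs, as an added illustration that is not SentinelOne's code or any product's detection logic: a small scorer over a constructed stream of process-creation events that flags an executable dropped by an Office process and then credits it for the shadow-copy deletion and recovery tampering it launches. The event format, rule names, weights and threshold are assumptions made for the example.

```python
import re

# Constructed sample of process-creation events, not real telemetry.
# Each entry: (pid, parent_image, image, command_line)
SAMPLE_EVENTS = [
    (4012, r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
    (4100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Users\alice\AppData\Local\Temp\upd.exe", "upd.exe"),
    (4120, r"C:\Users\alice\AppData\Local\Temp\upd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (4130, r"C:\Users\alice\AppData\Local\Temp\upd.exe", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (4140, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

# Command-line behaviours the text describes: (rule name, regex, weight). Weights are assumed.
RULES = [
    ("shadow_copy_deletion", r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", 3),
    ("recovery_disabled", r"bcdedit.*recoveryenabled\s+no", 2),
    ("backup_catalog_removed", r"wbadmin(\.exe)?\s+delete\s+catalog", 2),
    ("defender_tampering", r"Set-MpPreference.*-DisableRealtimeMonitoring", 2),
]
OFFICE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)

def score_events(events):
    """Return {image: (score, [reasons])} for every process that tripped a rule."""
    findings = {}
    def hit(image, reason, weight):
        score, reasons = findings.get(image, (0, []))
        findings[image] = (score + weight, reasons + [reason])
    for _pid, parent, image, cmdline in events:
        # An Office process launching an executable from a user-writable path
        # is the macro-enabled-document delivery described above.
        if OFFICE.search(parent) and USER_WRITABLE.search(image):
            hit(image, "office_spawned_executable", 2)
        for name, pattern, weight in RULES:
            if re.search(pattern, cmdline, re.I):
                # Attribute the behaviour to the process that launched the tool,
                # not to vssadmin/bcdedit themselves, which are legitimate binaries.
                hit(parent, name, weight)
    return findings

def verdict(findings, threshold=4):
    """Images whose accumulated behaviour score crosses the alert threshold."""
    return {img: score for img, (score, _) in findings.items() if score >= threshold}

if __name__ == "__main__":
    for img, (score, reasons) in score_events(SAMPLE_EVENTS).items():
        print(f"{score:>2}  {img}  {reasons}")
```

Scoring the launching process rather than the individual tool is what lets a defender act on the whole chain (quarantine the dropped binary, review what it touched) instead of alerting on each administrative utility in isolation.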