Targeted ransomware on the rise
The gap between large organisations’ cyber defences and ransomware sophistication is getting narrower, as evidenced by a number of targeted ransomware attacks against giants such as Garmin, Honda and CWT Travel over the past few weeks.
At the end of July, Garmin was the victim of a crypto-ransomware attack that forced its most popular services offline for three days while its internal network and production systems were encrypted and held for a $10 million ransom.
Garmin was attacked by the Trojan WastedLocker, a strain of ransomware that has become noticeably more active since the first half of this year, says Kaspersky.
This particular version was designed to specifically target Garmin and contains several unusual technical aspects. Firstly, Kaspersky says it employs a user access control bypass technique. Once launched on a compromised device, the Trojan checks whether it has high enough privileges. If not, it will attempt to silently elevate its privileges by tricking a legitimate system binary into launching the Trojan’s body hidden in an alternate NTFS stream.
Moreover, WastedLocker employed a single public RSA key to encrypt the files, which would be considered a weakness if the malware were to be massively distributed, as the decryptor would only have to contain the one private RSA key to decrypt everyone’s files. However, in a targeted campaign, as was the case here, a single RSA key is an effective approach.
When data recovery costs an eight-digit amount and requires weeks of downtime, paying a seven-digit ransom is an economically sound decision.Ilia Kolochenko, founder and CEO of ImmuniWeb
Fedor Sinitsyn, security expert at Kaspersky, says the Garmin attack highlights that there is a growing trend of targeted crypto-ransomware attacks against large corporations, as opposed to the more widespread and popular ransomware campaigns of the past, such as WannaCry and NotPetya.
“While there are fewer victims, these targeted attacks are typically more sophisticated and destructive. And there is no evidence to suggest that they will decline in the near future. Therefore, it’s critical that organisations stay on alert and take steps to protect themselves,” he adds.
Another good example of targeted malware is the recent Honda attack, adds Jonathan Kaftzan, VP Marketing at Deep Instinct. The cyber attack, which resulted in significant operational downtime for the car manufacturer, was the result of a type of ransomware dubbed Snake, aka Ekans, a strain that is relatively new, and was designed to kill computer processes related to industrial control systems (ICS).
Instead of relying on a ‘mud against the wall’ means of distribution, in which the number of infections is more important than the quality of each infection, Snake cherry-picks specific targets so that each infection yields dramatically more revenue.
Snake also uses obfuscation techniques not usually seen in less targeted strains of ransomware, removing shadow copies and killing processes related to supervisory control and data acquisition (SCADA) and ICS devices, virtual machines, remote management tools, network management software, and more.
To pay, or not to pay?
“This sort of ransomware attack has seen a threefold increase over the last year,” says Kaftzan. When it comes to ransomware, detection is too late. Cyber criminals know only too well that ponying up the ransom is often easier, faster, and cheaper in the long run for organisations, than having to deal with long-term recovery services and damage claims.
In the case of business travel company CWT, reports say that attackers claimed to have scrambled files on 30 000 computers and to have uploaded two terabytes of the company’s data. However, the company coughed up $4.5 million to the bad actors, according to a record of the ransom negotiations seen by Reuters.
Ilia Kolochenko, founder and CEO of Web security company ImmuniWeb, Master of Legal Studies (WASHU) and MS Criminal Justice and Cybercrime Investigation (BU), says: “Paying a ransom is not necessarily a bad tactic. When data recovery costs an eight-digit amount and requires weeks of downtime, paying a seven-digit ransom is an economically sound decision.”
He adds that the data recovery element of the saga needs to be distinguished from the legal implications and data erasure promised by the attackers. “As many recent cases demonstrate, cyber gangs rarely honour their promises to delete stolen data even after receiving the full payment. Similarly, payment of the ransom will not absolve any third-parties of their legal duties if they are affected by the data breach, including a duty to report the incident to competent authorities and notify victims whose PII was compromised.”
However, aside from these interrelated intricacies, the payment of ransom may help mitigate further damage caused by systems downtime and inability to serve customers, says Kolochenko. “Given that ransomware attacks are becoming incrementally more sophisticated and thus harder to prevent, we should expect a further surge of successful intrusions followed by a payment of ransom being dictated by economic efficiency.”
Better than cure
To lower the risk of falling victim to ransomware, Kaspersky advises using up-to-date versions of all OS and applications, as well as using a VPN to secure remote access to company resources. “Use a modern endpoint security solution with behaviour detection support and remediation engine allowing automatic file rollback, and a number of other technologies to stay protected from ransomware.”
In addition, Kaspersky says educating employees is key, as is using a reliable data backup scheme or solution.
Kaftzan says while there is no ‘magic-bullet’ solution that promises100% protection, businesses should upgrade their anti-virus and even next-generation solution, to a prevention-oriented solution that is based on deep learning.
“These solutions offer powerful automated capabilities for detecting and preventing attacks before they are executed, potentially helping organisations save anywhere between 74% to 91% of the cost per breach, depending on the nature of the attack,” he ends.