
By Peter Mylonakos
Faculty Member, School of STEM at American Military University

“The Internet Is the 21st Century Crime Scene” – Manhattan District Attorney Cyrus Vance Jr.

So I was going through the pages of SC Magazine, the publication for IT security professionals which I often read, and I could not just pass by the page with the threat statistics. “ThreatStats” is just a couple of pages that summarize malware trends, the top breaches for the month, the top 10 Internet threats, various attack statistics and other security paraphernalia. It is actually a good idea to peruse these, as they quickly identify some of the top ongoing threats and other useful information. This time, however, my eyes landed on the first line of the page, which simply stated “CryptoWall Trojan was the #1 attack used by U.S. hackers in August”. At first I thought it was a mistake; I thought “Ransomware” malware was the exclusive domain of Russian cyber thieves, but I thought wrong. Moreover, one might ask, why this interest in “Ransomware”? Well, it just so happens that I came face to face with this Trojan and experienced in person how dangerous it can be.

Ransomware: What is it?

Ransomware is a type of malware that encrypts a computer user’s files located on mapped network drives. As many of you know, most corporate users access their data through shared and personal mapped drives on file servers. Infections typically happen by visiting a website hosting malware or by opening an infected email attachment delivered through phishing.

Once a user gets infected with a Ransomware Trojan such as “CryptoLocker” or “CryptoWall”, to name a couple, the Trojan phones home (wait, is this E.T. the movie?) to a C2 (Command and Control) server, where it contacts the perpetrator’s infrastructure to register and generate new encryption keys. Yes, the Trojan uses asymmetric cryptography: it sends back to your computer a public key with which it encrypts any documents it finds on those mapped drives, while the private key needed to decrypt them never leaves the attacker’s infrastructure. (Can anyone say backup?) Once the files are encrypted, a message similar to the one below is displayed when the user tries to access any of his/her files.

Figure: Sample ransomware screen – CryptoLocker Trojan

The malware uses RSA 2048 encryption to encrypt the files. One might wonder how strong RSA 2048 encryption is. Well, it is estimated that a powerful enough computer would take close to 6.4 quadrillion years to crack the key. But wait, it gets even better. The version of the malware that I encountered (CryptoWall 3.0; oh yes, they have versions) self-destructed once it finished its job of encrypting. Is this “Mission Impossible” or what? A forensic examination of the infected system found a deleted trace of the executable; however, the file itself could not be recovered.


Cyber criminals such as the creators of “Ransomware malware” typically hide their web C2 infrastructure behind anonymous networks like TOR (The Onion Relay) so they cannot be tracked. Since all activity and traffic is anonymous, it is easier for the malware creators to interact with their victims without the possibility of being identified and caught. In fact, they instruct their victims on how to use TOR, for example, and how to pay the ransom in Bitcoin, a form of “crypto currency” without the physical characteristics of a currency like the dollar, in order to maintain anonymity. Bitcoins are stored in online exchanges in anonymous wallets and cannot be tracked.

Figure: Sample Bitcoin payment screen – CryptoWall Trojan

And now what do we do?

Most infections take place through malicious e-mail attachments disguised as normal files, by visiting websites with outdated browsers and plug-ins, or by downloading free software. Statistically, the most common infection vector is e-mail, owing to its popularity and ubiquity. So what can be done once it has been determined that an infection has occurred? Without going too deeply into the incident response process, the immediate actions are:

  1. Remove the infected computer from the network, and do not delete any files or run an anti-virus program.
  2. Understand the scope of the infection and assess the damage.
  3. Try to identify the type of malware.
  4. Evaluate the situation once the damage has been assessed.

The last step is rather important, as it will determine your course of action and next steps. If you are among the lucky few who have a working backup strategy and have tested it, you are in a fairly good position to get most, if not all, of the files back. Those who use virtualization and have created snapshots of servers, or those who use shadow copies, are in an even better position. If you do not have a working backup, you have three options: employ a third party to decrypt your files, although the chances of success are slim to none; do nothing at all and accept that the files are lost forever; or try to negotiate and pay a lower ransom so you can get the files back.
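As an added illustration of steps 1 and 2 above (example code, not from the original article): the burst of writes and deletes a ransomware infection produces through a mapped drive is visible in the file server’s audit log. The script below, run over a constructed sample log, flags any account that modifies many distinct files within a short window and reports the shares it touched, which is the scope an incident responder needs before assessing damage. The log format, thresholds, the “.locked” suffix and the ransom-note filename pattern are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit sample "<ISO time> <account> <op> <UNC path>"; ".locked" and HELP_DECRYPT.TXT are illustrative placeholders.
SAMPLE_LOG = r"""
2015-09-14T09:00:01 CORP\jdoe WRITE \\fs01\finance\budget.xlsx.locked
2015-09-14T09:00:01 CORP\jdoe DELETE \\fs01\finance\budget.xlsx
2015-09-14T09:00:02 CORP\jdoe WRITE \\fs01\finance\forecast.docx.locked
2015-09-14T09:00:03 CORP\jdoe WRITE \\fs01\finance\HELP_DECRYPT.TXT
2015-09-14T09:00:05 CORP\jdoe WRITE \\fs01\shared\policy.pdf.locked
2015-09-14T09:00:06 CORP\jdoe WRITE \\fs01\shared\HELP_DECRYPT.TXT
2015-09-14T09:00:30 CORP\asmith WRITE \\fs01\hr\roster.xlsx
"""

WINDOW = timedelta(seconds=60)  # burst window; tune to the server's normal write rate
THRESHOLD = 5                   # distinct files modified inside WINDOW before alerting
NOTE_NAME = re.compile(r"(?i)(decrypt|ransom|restore)[^\\]*\.(txt|html?)$")  # assumed note naming

def parse(log_text):  # -> [(timestamp, account, op, path)], oldest first
    events = []
    for line in log_text.strip().splitlines():
        ts, account, op, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), account, op.upper(), path))
    return sorted(events)

def share_of(path):
    # \\server\share\dir\file -> \\server\share, the unit an incident responder scopes and restores
    parts = path.lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2])

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):  # -> {account: scope summary}
    by_account = defaultdict(list)
    for ts, account, op, path in events:
        if op in ("WRITE", "RENAME", "DELETE"):  # reads are normal; mass modification is not
            by_account[account].append((ts, path))
    alerts = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= threshold:
                scope = {p for _, p in evs}  # every file this account touched in the log
                alerts[account] = {"first_seen": evs[start][0].isoformat(), "files": len(scope),
                                   "shares": sorted({share_of(p) for p in scope}),
                                   "notes": sum(NOTE_NAME.search(p) is not None for p in scope)}
                break
    return alerts
```

On the sample, only CORP\jdoe is flagged, with two shares and two ransom notes in scope; the single-file account is left alone.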

Keeping Safe

Connecting to the Internet for business or personal use does not come without dangers, and there is always the possibility that an infection may occur with adverse consequences for the running environment. Without trying to predict catastrophe or be characterized as a “doomsayer”, I should inform you that there is hope. Even though we cannot completely eradicate all threats, we can certainly take measures to shrink the threat landscape. So what can we do?

Backup and Backup and Backup again.
Ensure that you back up all the files on your file servers on a regular basis and test the backups often through restoration procedures. Ensure your copies are safe, and always maintain an off-site backup or data replication at a DR (Disaster Recovery) location.

Anti-Virus / Layered Defense.
Make sure to protect your environment with anti-virus software that includes anti-spam and anti-phishing capabilities. Also, ensure that your network perimeter defenses use mechanisms that block malicious email content and attachments, such as email gateways and firewalls. To the extent possible, create a baseline of software that is “allowed to run” and prevent the execution of everything else, a method called whitelisting.

Access Controls / Privileges.
Carefully assess the access controls on the files in your environment and do not give write privileges to users who only need read access. To further minimize the threat, ensure that accounts with administrative privileges are restricted as much as possible. IT personnel with “Admin” privileges should always use normal, non-privileged accounts when performing routine duties.

Security Awareness Training.
Many people forget the human factor and do not realize that information security is not only a technology issue. It is imperative that every respectable InfoSec organization make an effort to educate end users on the dangers of doing business online.

It is the responsibility of the organization to provide ongoing security awareness training for employees, as malicious actors constantly change their tactics in order to evade and bypass company defenses. The weakest links are the end users, and it is imperative to keep them up to date with the ever-changing attack types and threats.

About the Author

Peter Mylonakos, CISSP, CISM, MBA, M.Sc., is an Information Security Officer for Western Federal Credit Union, a financial institution based in Torrance, California. He is responsible for and oversees all Information Security functions within the organization. He enjoys cultivating new ideas that effectively address InfoSec’s challenges in the new century and promotes Information Security through active defense mechanisms. He is also an adjunct professor in cybersecurity, network security, and Operating System Hardening Strategies at American Military University. He can be reached at Peter.Mylonakos@mycampus.apus.edu.