Finding The Hidden InfoSec Story

Ransomware At Work

Photo Credit: christianreimer Flickr via Compfight cc

Imagine, if you will, that you’re working away in your company’s office one day when there’s a knock at the door. It’s a courier, carrying a large package. You open the locks on the door and sign for the package before placing it on your desk. As your company regularly takes deliveries of packages, you think nothing of the delivery.

Though not expecting the package, you recognise the courier, the size and weight of the box with supplier branding on the outside so you go ahead and open it, and in it you find a bizarre electronic device. You haven’t been expecting any packages, nor can any of your colleagues in the office recall ordering such a thing, so you leave it on your desk, making a mental note to return it to the postman the next day and explain the mix-up.

After work, you lock up as usual and head home, having forgotten all about the package. Overnight, however, the device starts up, emitting a signal which alters the codes on your office’s fob-controlled locks and alarms, thereby rendering your access fobs useless.

You arrive the next morning, keys and fob in hand, oblivious to any change. When you try your fob on the locks, you’re disturbed to find that the door remains secure.

The courier who delivered the package appears – only he’s not wearing his postie shorts. He’s wearing overalls of a repossession company called “Ransom Removals”. He’s unsurprised at your doorway difficulties, and goes on to explain that his company has hijacked your office security. If you do not pay them a sizeable fee to have the locks changed back, they will begin removing important items – laptops, filing cabinets, even niceties like your prized fish tank – unless you pay them some money. Their enormous removal lorry is waiting around the back of the office to swallow up all your important bits and pieces, and if you haven’t paid up by the end of the day, they’ll drive it to their massive incinerator at a secret location and destroy the lot.

Imagine the office is your laptop and the courier and package is an unsolicited email that appears to be from a trusted third party source – that’s essentially the concept of ransomware. You’re bound to have heard about this threat by now – it’s one of the fastest-growing methods employed by cyber criminals to hijack your business, and one of the easiest ways they can monetise their craft.

Made to order

Part of ransomware’s current explosion of popularity is down to the appearance of malware kits and Ransomware-as-a-Service (RaaS) on the dark web and other platforms. These can be ready-made and designed to implant ransomware to a chosen target network with minimal input from the user, and are generally put together by professional hackers who post their product online as available to the highest bidder. These are then picked up by less-technically able individuals who “charter” the ransomware to be targeted at a source of their choosing.

Going back to our courier-turned-removal-man scenario, imagine if he and his troop of goons operated as a service-for-hire. They could be chartered by anyone with cash to set up their operation on an organisation’s office with the aims of hampering that business’ operations and extorting from them a fee.

One key difference between our real-life example and the cyber threat is the overheads. The postman / removal man would have to buy and fuel a lorry, pay his troop of workers, pay himself, and keep up all the other costs associated with running an extortion business, whereas all a hacker needs to craft a ransomware attack is access to a computer and the internet.

Once the kit is created and up for sale on the dark web by a malware vendor, the hacker needs only to deploy it and wait for his ransom cash to start rolling in – making this a very attractive, low-cost, low-risk business model for the cybercriminal. This relative ease of entry to the market has given rise to a lucrative trade of Ransomware-as-a-service online.

Under the radar

In order to inject their carefully crafted malware into a network, hackers will generally exploit the trust of an individual on the network using social engineering – employing various tactics based on a bit of research into aspects of an individual’s day-to-day habits.

In our example, the social engineering came in the form of the repo man impersonating a trusted source – which took the form of a courier – to implant the seemingly harmless but ultimately detrimental package to the office. The person behind the social engineering has likely researched your business, or even kept lookout at your offices, allowing them to conclude that your business often accepts packages and wouldn’t likely question an unexpected delivery. They’ve identified the courier as an easy-to-impersonate individual who is generally anonymous in the eyes of your company in order to exploit your trust. Think about it – do you know the name of the last person to deliver a package to you?

Online, social engineering could take the form of an email that appears to be from a contractor or outside agency who regularly work with your company, containing an attachment of a seemingly-legitimate invoice or similar document. By ‘spoofing’ the email address of someone you believe to be a trusted communicator, hackers can implant ransomware and other malware into your network, potentially compromising all machines by gaining access to just one account. By unwittingly opening the attachment or clicking any links in the email, you could open up your business network to a whole host of malware – including ransomware.

Encrypted or blocked?

In the example above, the items from your office were to be taken away and destroyed – similar to how a recently uncovered ransomware variant, dubbed Hitler, works. Ransomware can also either prevent access to your computer and files, or use encryption to change them into a form which you cannot access or use without the decryption key, which the perpetrator attempts to force you to buy.

Locking you out of your office – in much the same way as being locked out of your computer – prevents the availability of your files, one of the three “CIA” tenets of cybersecurity. Encryption alters what’s in your files, thereby compromising their integrity. In any of these scenarios, the cost to your business could be catastrophic.

Whatever kind of ransomware you’re faced with, paying the fee will only feed the industry. Ransomware-as-a-service is becoming a more and more attractive business model to entrepreneurial hackers, with the Cerber variant of Ransomware in particular standing out as a mature ransomware business model – running more than 150 active campaigns using a franchise model and releasing more every day.

Shark, another group getting their teeth into the market by riding the recent wave of ransomware, provide a platform for hackers to sell their wares in the form of kits. The site is now taking 20% commission on each kit it sells, putting the tools to craft ransomware in the hands of novices and motivating ransomware creators even more.

We don’t negotiate with info-terrorists…

Going back to the example with the courier / repo man and the locked office, you’re outraged, and flat-out refusing to be extorted in order to gain access to and protect what’s already yours. If you arrived at your office to find this situation facing you, what would you do? Call the police, of course.

Whilst projects like No More Ransom are involving law enforcement agencies in the fight against ransomware, there’s not a huge amount more that can be done by law enforcement once your computer is put into lockdown, unless there’s some way of tracing the source of the attack.

It’s always preferable to act to prevent a ransomware attack and be able to quickly and effectively deal with one, rather than try to thwart one once it’s already taken hold. Following cybersecurity best practice can stop you ever having to deal with a situation where you have to start from scratch.

Backing up data regularly shouldn’t be seen as a chore – these days it is relatively cheap and highly automated. Just make sure you regularly check your backup service is working properly and in the event ransomware does affect your network, your hardware can be replaced and your valuable data restored.

Thorough education at all levels of your organisation of how to spot threats and when to be suspicious of communications or dodgy downloads can drastically lessen the risks to your company and prevent malicious software ever gaining access to your network. With figures from the Ponemon Institute highlighting that only 39% of workers believe they’re taking the appropriate steps to protect company data, investing in your staff’s understanding of the threat ransomware and the potential for security breaches is a strong step to protecting your information assets.

I’m not saying don’t trust your postman, just keep your wits about you.

Author: Jack Matthews

Share This Post On