Ransomware: How it Has Evolved to be Faster, Stealthier and to Strike Harder

Ransomware attacks have gone from being a nuisance to becoming a significant financial burden, as well as a major threat to our critical infrastructure.

In 2019, we talked about how to defend yourself against ransomware, but attackers have since strengthened their capabilities. We’re now seeing thousands of variants, with names like Ryuk, Dreamon, Ragnar Locker, Crysis, RansomEXX, and Clop, to name a few.

How Ransomware Got Faster

Finding shortcuts and removing unnecessary steps can save time when seconds count. And it takes a lot of time to encrypt a multi-gigabyte file using a 4096-bit key with AES-256 encryption. One trick is to skip encrypting large files, hoping the victim doesn’t notice. Another is to encrypt only part of the file, which is often enough to cause an application-halting error when accessed.

Additional scenarios include the infection checking the physical location where it’s running. If the infector sees it’s not in a targeted country, it may delete itself and move on. Some ransomware variants will self-destruct if they think they’re within any of the nine Russian Commonwealth of Independent States.

Ransomware can also spread from highly connected internal network nodes, such as Windows domain controllers. Since these kinds of servers interact with most internal systems, they are excellent launching points to spread infections quickly.

How Ransomware Has Got Stealthier

Staying dormant upon load is a trick to bypass antivirus filters, which expect malware to begin executing immediately. Most modern ransomware will turn off antivirus software if it can. If not, it will obfuscate or encrypt itself and only unpack into memory to evade disk scanning tools.

As for the encryption process, it’s helpful to examine it from a technical point of view. After loading the file into memory and encrypting it, it can replace the original file in a few ways:

  • Write the new encrypted data into the original file itself.
  • Save the encrypted file as a new file, delete the original, and rename the encrypted file to match the original.
  • Save the encrypted file as a new file and use the built-in rename-and-overwrite-file function to replace the original file.

It is worth noting that ransomware can slow down system performance noticeably while it’s encrypting, and new variants can hide this by displaying fake error messages.

How Ransomware Strikes Harder

Near the end of 2019, the Maze ransomware added a new feature: data leakage extortion. Not only can this malware encrypt all your data, it can exfiltrate the confidential data to its servers. This has quickly caught on with ransomware authors.

A common response to early ransomware was to perform forensics on its binary, which sometimes provided the encryption key, so you didn’t have to pay to unlock your data. Sometimes it was to inform threat intelligence on ransomware and create new defenses.

Ransomware countered with self-destructing malware. If the service running the program stops, it crashes the machine so memory cannot be read. Ransomware won’t run if it detects itself inside a virtual environment or a debugger, and the code can mislead analysis tools. Some variants won’t activate without the remote attacker sending an unlock code, making it difficult for defenders to capture and analyse the program.

Stopping the Evolved Ransomware

Practical and pragmatic security awareness training is a powerful first step, but it can’t end there.

No matter how sophisticated the ransomware code is, the infection still needs to get into your systems. It does this: (1) by phishing; (2) by gaining unauthorized access, by guessing/stealing login credentials or entering through a trusted third-party; and (3) by exploiting known vulnerabilities. Our advice here is to:

Once ransomware gets into your systems, which is likely in organizations with large attack surfaces, you need to set up defenses in depth. Ransomware will target your domain controllers, so harden and patch them.

Reducing the Impact of Ransomware

If ransomware is going to exfiltrate terabytes of data, you need to restrict or monitor outbound traffic. This means tools like SSL decryption and inspection. Early detection is key, and comes from good endpoint detection and protection, as well as comprehensive network monitoring and protection. You also need to be sure to back up critical systems and data, storing them offline to avoid corruption from attackers.

Don’t forget to build templates so that you can quickly reconfigure systems from scratch. If you are unlucky enough to be infected with ransomware, contact law enforcement. This will help bring the perpetrators to justice and can lessen potential regulatory violations if you decide to pay. Even if you pay the ransom, you should still rebuild any potentially compromised systems to ensure they are clean. Finally, prepare and exercise an incident response plan so everyone knows who to notify and what to do when attackers strike.

What’s Hot on Infosecurity Magazine?