Ransomware Just Got Nastier: Paying It Does Nothing
July 7, 2017
A new strain of malware is spreading rapidly inside corporate networks, holding data for ransom, and causing permanent data loss even if ransom is paid.
Malware comes in all shapes and sizes. Some strains are masters of stealth, quietly stealing your information to commit identity theft. Others turn your computer into a soldier in a denial of service army, waiting for orders to overload a target with fake traffic. Other malware wants to make itself known, either to boost the reputation of its author or to collect some kind of reward.
Ransomware will lock your files and computer with instructions on how to unlock your system for a fee.
Ransomware is not the first financially driven computer virus, but it certainly streamlined the process of collecting payment. Instead of relying on traditional bank accounts or money drops, victims are forced to purchase around $300 of Bitcoin, a digital currency, and send it to the culprit holding their computer hostage.
Unless the hacker makes a novice mistake, it is possible their identity will never become known.
In April of this year, news broke that a dozen vulnerabilities and toolkits belonging to the NSA had been leaked and distributed on the dark web. These exploits allowed a malware developer to deploy a self-replicating worm that recursively spread to other machines.
Less than a month after the leak from the NSA, the toolkits and other files had made their way into malware. This new variant of a classic attack spread quickly over the internet and multiplied exponentially once inside the networks of businesses and governments.
Sometimes you eat the bear, sometimes the bear eats you
Viruses rely on different methods to spread and infect their hosts: email attachments, altering trusted websites to deliver the malicious code, or, more elaborately, taking advantage of secret backdoors in software and hardware.
The NSA is one of the largest employers of mathematicians, with the sole intention of breaking security, monitoring communications and siphoning data without detection. They do this through traditional research and reverse engineering of software, as well as by hanging around the same places where hackers and criminals exchange goods. The NSA often purchases exploits and vulnerabilities, reporting a majority of what they find.
Earlier this year, a cache of exploits and vulnerabilities, with clever names and well documented instructions, was stolen from an NSA contractor and released online. The toolbox included several unpatched Windows vulnerabilities which existed in almost all versions of the software.
It is not known if these secrets originally came from the dark web, but they certainly ended up back there. Microsoft worked quickly to release patches while malicious actors simultaneously weaponized new and previously written malware with the new delivery method.
Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea to the rescue
About a month later, the WannaCry malware exploded at a devastating rate, reaching over 99 countries and infecting 75,000 computers on its first day. This malware was so prolific because once inside a network, it automatically replicated using only two Windows vulnerabilities.
Once a computer was infected, the virus would insert itself into the boot record of the operating system, which allowed it to load before anything else. Once important system files and personal documents were encrypted, the user was prompted to pay up in bitcoin or lose all of their files.
WannaCry seemed to be unstoppable, seizing operations around the globe including FedEx, United Kingdom’s NHS, Merck, hospitals, transit systems and other government institutions. After a few days of spanning the entire globe and infecting over 250,000 systems, the malware was effectively halted.
Normally, when security researchers experiment on active threats, they run code in “sandbox” environments. These are often virtual machines or isolated computers which are infected on purpose with the intent of learning the workings of active threats.
The developer of WannaCry added a call to a nonsense URL (the title of this section) which no one would accidentally register. If the malware is running in a sandbox, all communication with the outside is spoofed, or faked.
Should the attempt to access the nonsense URL result in anything but a “domain not registered” message, the malware triggers a shutdown to prevent further examination.
A security researcher at malwaretech.com discovered this killswitch and actually registered this 41-character domain of random numbers and letters. Within a few days, new infections by WannaCry had stopped, allowing everyone more time to recover and update their systems.
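The kill-switch lookup described above is also a useful detection signal for defenders: a legitimate host has no reason to resolve that name. The following is an added example, not code from the original article, that scans constructed resolver log lines for hosts that looked up the kill-switch domain; the .com suffix is assumed (the article quotes only the label) and the log format is constructed.

```python
import re
from collections import defaultdict

# Kill-switch label as printed in the article's section heading; the .com
# suffix is assumed here, since the article quotes only the label.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log lines (not real traffic): timestamp, client IP,
# queried name, record type and response code.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03 client 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NOERROR
2017-05-12T10:01:04 client 10.0.4.17 query update.example.net A NOERROR
2017-05-12T10:01:09 client 10.0.9.80 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NXDOMAIN
2017-05-12T10:02:10 client 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NOERROR
2017-05-12T10:02:44 client 10.0.12.5 query mail.example.net A NOERROR
"""

LINE_RE = re.compile(r"^(\S+) client (\S+) query (\S+) \S+ (\S+)$")

def find_killswitch_lookups(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: [(timestamp, rcode), ...]} for every client that
    looked up the kill-switch domain. The lookup itself is the signal: a
    legitimate host has no reason to resolve this name, so each client
    listed should be isolated and checked regardless of the answer."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        if qname.lower().rstrip(".") == domain:
            hits[client].append((ts, rcode))
    return dict(hits)

def triage(hits):
    """Split infected clients by how the lookup was answered. A failed
    lookup (NXDOMAIN, or a blocked name) means the sandbox check failed and
    the sample carried on; an answered lookup means the sinkhole was
    reachable at DNS level, which only suggests the sample stopped, so
    confirm the HTTP request in proxy logs before treating it as safe."""
    answered = sorted(c for c, v in hits.items() if all(r == "NOERROR" for _, r in v))
    failed = sorted(c for c, v in hits.items() if any(r != "NOERROR" for _, r in v))
    return answered, failed
```

Because the malware proceeds whenever the request fails, blackholing this domain on a DNS filter or proxy defeats the kill switch; the lookup should be allowed to succeed (or answered by an internal sinkhole web server) and merely logged.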
It looks like Petya, acts like Petya, smells like Petya . . . it is NotPetya
Even though the killswitch had been activated and no new victims would be claimed by WannaCry, the vulnerability which made it possible was still a very real threat. Someone could easily make a new variant of the malware and leave out the kill switch, which is exactly what happened.
In the days after WannaCry, an even more devastating variant dubbed Petya emerged. Ukraine was hit the hardest by the new version of the virus because it also targeted a certain tax software package which is required by law there.
The leak of the NSA vulnerabilities contained some of the most effective backdoors and payload delivery methods ever known. To make matters worse, even the most inexperienced developers could get their hands on the source code and modify it slightly, which is what happened with NotPetya. It looked very similar to the Petya worm, but differed in a few key ways:
- Instead of targeting specific files, the whole disk was encrypted, including the master boot record and the master file table.
- The bitcoin address was the same across all instances instead of one address per machine, and could easily be traced to a single owner.
- An identifier string, sent to the owner once the ransom was paid, consisted of randomly generated characters and could not be used to recover your files.
- The email address for contacting the malware owner and retrieving the decryption key was quickly disabled by the email host once it was discovered what was happening.
This particular strain of malware, using some of the most prolific exploits ever seen, started out financially motivated but quickly evolved into a data wiper.
How can businesses protect themselves from future attacks?
With new technological advances come risks. Unfortunately, the bad guys will always be one step ahead of the good guys. Businesses and law firms run the risk of being infected and having their files held for ransom.
This recent series of malware, which crippled businesses, governments and even an entire country, has made that clear. However, there are security measures your firm can implement against attack. The two best security measures are updates and backups.
For best security, ensure that every desktop, laptop, router, tablet and phone is running the latest firmware and operating system updates. Vendors often state what their updates fix, which in turn gives hackers a small window to go after those who don’t have the latest patch.
Having frequent backups is another way of avoiding devastating loss of important data. Dissuade employees from saving important files locally by having a centralized backup solution that takes snapshots at regular intervals.
But it is not enough to only have backups. For true data security, backups should be kept separate from the system being backed up. Backing up one hard drive to another hard drive in the same computer will not save your files from ransomware. It is also advised to perform regular test recoveries to ensure the backup process is working as intended.
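One way to make the test recovery described above routine, as an added example that is not part of the original article: record a hash manifest when a snapshot is taken, then restore into a scratch directory and compare, so that a backup copy that was reachable and encrypted by ransomware is caught before it is needed. All paths and file contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile

def hash_tree(root):
    """Map each file under root (relative path, '/'-separated) to its SHA-256."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return out

def take_snapshot(source_dir, snapshot_dir):
    """Copy source_dir to snapshot_dir and write a manifest of file hashes
    beside the copy, so the copy can be checked against it later."""
    shutil.copytree(source_dir, snapshot_dir)
    with open(snapshot_dir + ".manifest.json", "w") as f:
        json.dump(hash_tree(snapshot_dir), f)

def verify_restore(snapshot_dir, restore_dir):
    """Restore the snapshot into restore_dir and compare every file with the
    manifest written at backup time. Returns the paths that are missing or
    changed: empty means the restore works; anything else means the snapshot
    was altered after it was taken, e.g. by ransomware reaching the backup."""
    with open(snapshot_dir + ".manifest.json") as f:
        expected = json.load(f)
    shutil.copytree(snapshot_dir, restore_dir)
    actual = hash_tree(restore_dir)
    return sorted(p for p, h in expected.items() if actual.get(p) != h)

def demo():
    """Constructed run: a clean restore test, then one after the backup copy is overwritten."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "fileserver", "docs")
    os.makedirs(src)
    with open(os.path.join(src, "contract.txt"), "w") as f:
        f.write("signed agreement\n")
    snap = os.path.join(work, "backup", "snap-001")
    take_snapshot(os.path.join(work, "fileserver"), snap)
    clean = verify_restore(snap, os.path.join(work, "restore1"))
    # Simulate ransomware reaching the backup share and overwriting the copy.
    with open(os.path.join(snap, "docs", "contract.txt"), "wb") as f:
        f.write(b"\x00encrypted-garbage")
    tampered = verify_restore(snap, os.path.join(work, "restore2"))
    shutil.rmtree(work)
    return clean, tampered
```

In practice the manifest should live with the offline or separately stored copy rather than next to a share the production machines can write to, for the same reason the backup itself should.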