Hijacking and ransom payments. They’re something typically associated with war zones, Somali pirates, criminal networks and Hollywood movies. But the digital transformation is bringing them closer to home in the growing threat of #ITnapping for ransom.
Hijacking in information technology can take many forms. One is man-in-the-middle attacks in which attackers eavesdrop or alter communications between two parties. This very successful practice has allowed cyber criminals to reap hundreds of millions of Euros from banks and their clients around the world.
In another scenario, cyber extortionists bluntly confront victims with the fact they’re being hijacked/compromised, rather than maintaining secrecy. Unfortunately, the attack does not stop at ransom. Malware may include multiple “payloads” to exploit your system in parallel.
The most common ransom schemes are based on
- Lock screens
- Encryption of files/computer systems
- Distributed denial of services (DDoS) attacks to disrupt online operations
- Release of stolen data to the public
Cryptolocker, Teslacrypt, Cryptowall, CTB-Locker, Locky, Lockerpin.A and KeRanger are infamous pieces of ransom malware that hide in Word, PDF, RTF, ZIP or Excel document attachments and downloads from the Internet. Once set free, a large number of file types (more than 600) are encrypted on Microsoft Windows/Apple operating systems, Web servers or Android smartphones. Files in your organization’s network or “mapped” cloud storage space could be hit as well. The attacker then either plainly tells the user that he or she has to make a payment to receive a decryption key, or the user sees a bogus message that the system has been locked by Microsoft or a law enforcement agency due to copyright infringement or illegal activities related to terrorism and pornography.
DDoS or DRDoS attack extortion activities are far simpler. If the ransom is not paid, the infrastructure to execute these attacks is readily available and only takes an anonymous email to communicate the demands. Moreover, poor Internet Service Provider (ISP) security practices, IoT or modem device setups help cyber criminals launch massive attacks.
In light of mobile device proliferation, IoT (over 6 billion devices), Industry 4.0 and connected cars, more ransom scenarios are likely to emerge. Imagine an attack on an insulin pump, pacemaker or vehicle that holds an individual or group ransom with a death threat. That’s a worst-case scenario that’s now more real than the latest episode of “Homeland.”
To pay or not to pay — and how?
Ransom schemes have been immensely successful over the past three or four years, even leading the FBI to publicly state “ransomware is that good … we often advise people to pay the ransom.” However, Germany’s federal police and agency for information security (BSI) advises against paying ransom.
According to a study by Bitdefender, an information security firm, up to 50% of ransomware victims decide to pay the requested ransom amount. It is ultimately up to your organization to make a payment or not. If the data is valuable and there is no way to retrieve it (e.g. backups), payment might be the only option.
Unless it’s a targeted attack against a high-value asset, current ransomware extortion activities are based on scale and reach. This is why ransom amounts are low – anywhere from $10-20, $300-600 to under $10,000. For cyber criminals, it’s a game of guessing the right “ransom price,” a trade-off between paying the ransom and paying for an alternative solution.
Hijackers have a vested interest in encouraging you to pay, and they provide a permanent solution in return once payment is confirmed. In fact, they have to build appropriate “victim customer service” infrastructures to manage large volumes of communication, trace payments and the provision of decryption keys. Some cyber criminals are not as professional as others; sometimes the decryption keys don’t work, causing irreversible damage to an organization’s data.
The scope of ransom payments is about anonymity and diluting the money trail. Cyber criminals will ask you for a PaySafeCard, gift card, voucher or Bitcoin, a cryptocurrency transaction. Gift cards and vouchers especially help cyber criminals avoid detection.
In general, we maintain the view of some law enforcement and information security authorities: Avoid ransom payments in IT hijacking situations! Any ransom payment you make will add to the growth of the industry. Furthermore, if you’re attacked, make sure you inform law enforcement authorities and your Information Sharing and Analysis Center (if available) to help investigations.
Protecting yourself and the organization
In case of cyber extortion, the first order of business is to stay calm and analyze the situation. Are you the only one affected or is there a risk of it spreading inside your network? What countermeasures do you have in place (e.g. DDoS protection)?
Disconnecting an endpoint from the network is key to stopping the connection to command and control servers. If you’re in a vehicle, not all functions might be under the control of the hijackers. Shut off the engine or put it in neutral.
Below is a list of recommended measures for IT department managers, administrators and end-users:
- Frequently back up your system(s) and keep one outside of your network infrastructure. Remember that ransomware will encrypt mapped drives automatically. If you can use a backup to access the files encrypted on your endpoint, there is no need to pay ransom. However, ensure your backups actually work.
- Always patch your operating system and applications.
- Keep your endpoint protection, such as antivirus/malware scanner, updated.
- Employ advanced threat prevention solutions using next-generation technologies such as next-generation firewalls or zero-day detection and protection (e.g. Checkpoint’s Sandblast or Palo Alto’s Wildfire ).
- Set certain rules that block command and control server communication via your IPS/IDS.
- Block access to critical websites.
- Employ security monitoring and analytics across the entire infrastructure.
- Consider buying DDoS protection from ISPs (Internet Service Providers) or CDN (Content Delivery Network) providers such as AT&T or Akamai.
- Buy a cyber insurance policy. Some cover cyber extortion/ransom payment, incident response professionals, as well as other recovery activities.
- Increase your employees’ awareness about cyber threats through trainings and bulletin services.
- Be suspicious about emails that includes attachments/external links or phone requests from unknown sources.
- Monitor IT hijacking/ransom trends and keep your incident response plans updated. Visit the Ransomware tracker or find detailed ransomware threat analysis from vendors or government authorities (BSI ransomware publication).
Also be sure to follow secure development lifecycles with security gates to increase the security of your products:
- Establish a professional patch management process, including the entire patch lifecycle.
- Run a bug/zero-day bounty program to identify vulnerabilities before the cyber criminals do. Integrate this knowledge in your risk management program.
Alexander Schellong is CSC’s General Manager Cybersecurity in Central & Eastern Europe, Italy and Turkey. Wolfgang Kiener is CSC Cybersecurity Strategist.