Why ransomware attacks are so successful.

Ransomware attacks have risen drastically in the last two to three years and have become more successful with each new strain of ransomware. Before answering the question of why ransomware attacks are successful, we need to consider what ransomware is and how it works.

What is ransomware?
Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. – Wikipedia

Maybe that’s an over-complicated explanation, so here’s a simpler one: ransomware is software, cleverly designed and used by people with ill intent, that encrypts data without the owner’s prior consent. The data is locked with encryption keys, and the matching decryption keys, which are complex in nature, are required to reverse the encryption; the attacker holds those keys and uses them as leverage. The encryption techniques and their strength vary with the type and variant of ransomware, making decryption without the exact keys progressively more difficult with every new revision. Adding to this, each targeted attack can use different keys, making it virtually impossible for a single decryption method to be effective across attacks.

How is ransomware delivered?
There are various delivery techniques depending on the type and target of the attack. Low-profile ransomware attacks are typically carried out using a Trojan: malware disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. These emails can originate from spoofed or previously compromised user accounts. Users are typically asked to log into commonly used online services such as OneDrive, Microsoft Office 365, PayPal, Netflix or their bank accounts, but the emails can also contain a direct download link for the malware itself.

The malicious emails are usually part of a campaign, distributed en masse and indiscriminately, and specially crafted to look like the services they are spoofing. Where user credentials are stolen, this should be viewed as reconnaissance that can lead to a more complex intrusion in the near future: the credentials can be used to gain entry into the victims’ or their company’s systems, exposing them to a potential data breach before their files are even encrypted. There are, however, exceptions, one high-profile example being the “WannaCry” worm, which travelled automatically between computers without any user interaction. WannaCry exploited software vulnerabilities to gain access.
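One way a mail filter or a cautious reader could check for the two lure types described above (a login page for a spoofed service, or a direct link to an executable). This is an added example, not code from the original article; the brand-to-domain list and the sample email are constructed for illustration.

```python
"""Flag phishing-style links of the kind described above (spoofed service
logins, direct malware downloads). Added example with a constructed sample."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative brand -> legitimate domains mapping (assumed, not authoritative).
KNOWN_SERVICES = {"onedrive": ("live.com", "microsoft.com"),
                  "paypal": ("paypal.com",), "netflix": ("netflix.com",)}
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".bat")

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude "last two labels" domain (no public-suffix list; fine for a demo).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html):
    """Return [(href, reason)] for links a mail filter or reader should distrust."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host, domain = url.hostname or "", registrable(url.hostname or "")
        haystack = f"{text} {host}".lower()
        for brand, legit in KNOWN_SERVICES.items():
            if brand in haystack and domain not in legit:  # lure text vs real host
                findings.append((href, f"names {brand} but points to {domain}"))
                break
        if url.path.lower().endswith(EXECUTABLE_EXT):
            findings.append((href, "direct download of executable content"))
    return findings

# Constructed sample lure: fake OneDrive login, a genuine PayPal link, an .exe.
SAMPLE_EMAIL = """<a href="http://onedrive-verify.example.net/login">Sign in to OneDrive</a>
<a href="https://www.paypal.com/signin">Manage your PayPal payment</a>
<a href="http://cdn.example.org/invoice_2021.pdf.exe">Download invoice</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the fake OneDrive login and the executable download but leaves the genuine PayPal link alone.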

Software vulnerabilities account for a large part of cyber security, as they affect all devices, both on and off the internet. A single piece of software can have numerous vulnerabilities in a single revision; operating systems like Microsoft Windows, for example, can have security loopholes that allow anyone with the necessary know-how to gain entry. Bear in mind that devices such as computers, servers and cellular phones run multiple software packages and network- or internet-accessible services at any given time, which increases the potential security risk. An attacker needs only one point of entry, a single exploitable vulnerability, to gain access.

Most vulnerabilities are publicly known and can be exploited using free penetration testing tools or by experienced hackers. Ransomware attacks, though, are more complex in nature and are typically aimed at high-profile targets who would be greatly affected by downtime and stand to lose thousands to millions of Rands per day, pushing them to consider paying the ransom as the more economically viable option.

Then there is the scripting method of delivery. Scripting is an extremely effective delivery method, as the script can make use of authentic system components and commands while being written to evade anti-malware software and other detection tools. Scripting itself is commonly used by system administrators and software packages to manage devices and infrastructure. A script is effectively the same as a user typing commands at a terminal or workstation, except that the commands are saved to a file; when its activity is blended in with normal administrative activity, this creates the perfect disguise, making such scripts especially dangerous and difficult to detect.

With common knowledge of operating systems and/or networks, a script could be written to steal or create system credentials, disable certain protection functions and run tests to make sure the system is defenceless. It can also typically pause and retry, download malicious files, scan for and distribute them across discoverable network resources, and report results back to its creator. This is often all within one script, which could be delivered as is or embedded in other files.

All methods of ransomware delivery involve some form of reconnaissance beforehand, including but not limited to: credential theft (phishing emails) and account takeover; researching people and their connections on social media (spear phishing); scanning the internet for open or accessible services and vulnerabilities; and brute-force attacks (password guessing), to name a few. Most attacks will also use some combination of techniques to gain access.

What are the ransomware attackers after?
The simple answer is ‘data’. Personal data in particular is highly valued and has become more valuable than oil in recent years, which partly explains why companies like Facebook and Google are valued at billions and trillions of dollars respectively. Data can also contain very private information like bank account details, home addresses and customer databases, or hold sentimental value, such as family pictures and videos. Whether you merely hold it or own it outright, it can be valuable to someone else in some way or another.

Most small-scale attacks carry a ransom demand of between US$50 and US$500, and a large-scale attack could easily demand US$1000 to US$100,000 (or more). In South Africa, this converts to anything between R1000 and R10 000 for a small-scale attack, most typically aimed at home users and small businesses, as they make up the larger percentage of ransom pay-outs. This can also be because smaller targets are the most at risk: their budgets do not always allow for high-end cyber security measures or teams to manage infrastructure, and they need to recover their data.

Cyber criminals usually take full advantage of the perceived value of their attack and issue the ransom demand accordingly: the bigger the attack, the higher the ransom. All they appear to want is quick money, and they will launch attacks against multiple targets at the same time, even selling their own techniques and/or stolen information to third parties to generate income.

How do they get away with it?
If it is not clear by now, threat actors (hackers and the like) are crafty individuals who also have access to well-established hacker communities and resources. Among these resources are guides and tools that help hide their identity and location, as well as any other trackable information they may be exposing over the internet.

The following is a list of some tools and services that may be used for a typical attack:

  • VPN and/or Tor network services – hide or change location, IP address and much other internet tracking information.
  • Free email services like Gmail or Hotmail – used to create fake accounts set up with false or fraudulent information.
  • Website hosting services – used to create spoofed websites and login portals.
  • Penetration testing tools like Kali Linux or Metasploit – used to build malware campaigns.
  • Copy/paste scripts – sold to less experienced hackers.

Using the above-mentioned tools, services and techniques in conjunction with each other makes it extremely difficult for anyone to track down the source of a compromise. Add the sheer number of active ransomware campaigns at any given time, and it has become nearly impossible to defend completely against these attacks, which is increasing their success rate dramatically.

Nearly impossible, however, is not the same as impossible, and there are techniques for defending against attacks of this calibre.

  1. Make sure all software is up to date with the latest security patches.
  2. Pay close attention to links and file attachments in emails, and to who they are from.
  3. Use complex passwords that are difficult to guess – at least 12 characters, mixing the kinds of characters in e.g. ztl1R! (which on its own is too short).
  4. Avoid using one password for multiple accounts (as far as possible).
  5. Separate business and personal log-in credentials.
  6. Use a VPN whenever possible – such as F-Secure Freedome VPN.
  7. As a business, consider investing in EDR software, which is able to detect suspicious activity on a device or network before real damage can be done – for example F-Secure RDR.
  8. Lastly, think before you click. If something seems suspicious, it probably is. Consider asking someone in the know, or searching Google, to find out more about links or files before opening them.