Ransomware is one of the most feared security threats today and it is fast becoming one of the most profitable areas of cybercrime for attackers.
Ransomware lets criminals monetise their efforts more quickly than earlier tactics allowed. Historically, cybercriminals had to steal their target's data and then find a buyer for it before it became profitable. With ransomware, the criminal denies the victim access to their own data and sells that access back to them. The victim already depends on the data, so they will definitely want it back, which means the cybercriminal does not have a hard sell ahead of them. In addition, pseudonymous payment systems such as Bitcoin make the attacker harder to trace, so there is even less chance of being caught. Attackers can make hundreds to thousands of pounds per infection and get paid immediately, instead of going through other risky steps to make a profit.
In addition, a large percentage of organisations have no way to combat ransomware, and many will pay out of fear that they will lose their data forever. This in turn drives more attacks because cybercriminals see how profitable ransomware can be. A zero-day exploit can be worth thousands of pounds, but the seller must find customers, and many of the customers they are targeting are not very trustworthy; with ransomware, the victim pays the attacker directly, and the same ransomware can be used over and over against multiple victims.
So what do organisations need to know about ransomware in order to help protect against it?
The typical infection path is a phishing attack that entices a victim into opening a malicious document. However, attackers are beginning to target websites in addition to end users. Attacks against websites leverage vulnerabilities in the code that runs the website in order to gain access to the underlying operating system. The most common attack vector here is remote command injection: user-supplied input ends up inside a command that the web application hands to the operating system shell, so an attacker can run arbitrary commands on the web server, with the end goal of downloading and executing their malicious code. The attack surface that could potentially allow for command injection is quite large. Attackers can get in via any combination of operating system vulnerabilities, web server vulnerabilities, web application vulnerabilities, or vulnerabilities in website plugins or extensions.
Once attackers are able to compromise a machine, the ransomware will attempt to encrypt anything it deems important to the victim. For websites, this can include web pages, images and scripts. Once encryption is complete, a message is displayed to visitors of the site stating that the website has been infected with ransomware, along with instructions for the web administrator on how to purchase the decryption key and return the website to normal operation.
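As an added example (not code from the original article or from Tripwire), the Python below shows the shape of the command injection described above in a web request handler, with a hardened version beside it. The scenario, the `list_uploads_vulnerable` and `list_uploads_hardened` functions, the upload-folder layout and the benign `echo INJECTED` payload are all assumptions constructed for this example; in a real attack the injected command would be the download-and-execute step the text describes.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumption: a page lets a logged-in user list the files in their own
# upload folder, and the handler shells out to `ls` to do it.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def list_uploads_vulnerable(base_dir, username):
    """Builds a shell command by string concatenation. A username such as
    'alice; <cmd>' makes /bin/sh run <cmd> on the web server, which is all
    an attacker needs to fetch and execute a ransomware payload."""
    cmd = f"ls -1 {base_dir}/{username}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def list_uploads_hardened(base_dir, username):
    """Same feature without the injection: validate the input against an
    allow-list, confine the resolved path to base_dir, and pass arguments
    as a list so no shell ever parses them."""
    if not SAFE_NAME.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    base = Path(base_dir).resolve()
    target = (base / username).resolve()
    if base not in target.parents:  # '.' and '..' pass the regex; stop them here
        raise ValueError("path escapes the upload root")
    proc = subprocess.run(["ls", "-1", str(target)], shell=False,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def demo():
    """Constructed upload root with one user folder; returns what each
    handler did with a benign injection payload and a traversal attempt."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "alice"))
        Path(base, "alice", "photo.jpg").write_bytes(b"")
        payload = "alice; echo INJECTED"  # a real attacker would download and run code here
        injected = list_uploads_vulnerable(base, payload)
        try:
            list_uploads_hardened(base, payload)
            blocked = False
        except ValueError:
            blocked = True
        try:
            list_uploads_hardened(base, "..")
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True
        return {"vulnerable_output": injected,
                "hardened_blocked": blocked,
                "traversal_blocked": traversal_blocked,
                "clean_output": list_uploads_hardened(base, "alice")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the vulnerable handler's output containing `INJECTED` (the shell executed the second command), while the hardened handler rejects the payload before anything runs. Note that the allow-list alone is not enough: `.` and `..` match the pattern, which is why the resolved-path check is kept as a second layer. The same two rules, validate then pass an argument list without a shell, are what a scanner or penetration tester will be looking for in any code path that touches the operating system.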
Since not all security vulnerabilities will be patched, particularly in in-house web applications for which no vendor patch will ever arrive, website owners should invest in security testing of the public-facing website. This should include vulnerability scanning and penetration testing. Vulnerability scanning tests the website and web applications for known vulnerabilities. If any patches are missing or any configuration is known to be insecure, a vulnerability scan will prioritise what is important to fix based on the potential impact to the system scanned. For custom applications, a web application scanner that works through an intercepting (non-transparent) proxy, so that the tester can interact with the application while it is being tested, is ideal. This type of scanner can manipulate form fields, cookies and other session data to look for common vulnerabilities in web applications.
Penetration testing is different from vulnerability scanning. While it is important to know whether any vulnerabilities exist, a penetration test answers the all-important question: what is the impact of the vulnerabilities that do exist? A penetration test determines whether a specific vulnerability is actually exploitable and, if it is, what the potential impact would be.
For example, if a specific vulnerability is successfully exploited, an attacker might be able to access personally identifiable information for customers or employees. Penetration testing requires a human behind the keyboard. Automated scanning can do a lot of the initial legwork, but in-depth security testing requires a real person who can chain findings together and judge their impact.
Protecting against ransomware
The best protection is to have layers of security in place to stop the ransomware from ever reaching the target, and to train employees in security best practices. Organisations should also make sure they have strict change control, file integrity monitoring that flags unexpected changes to web content and system files, and clean, timely backups of critical systems. Stopping the ransomware before it is embedded is the most cost-effective way to eliminate the threat, but if it does reach a target, that system will need to be wiped and restored from a clean backup or rebuilt from scratch.
The 3-2-1 rule
The final component of protecting against ransomware is knowing what to do if an attacker is somehow able to bypass every security control in place and encrypts critical data. To avoid paying the ransom, recent backups are required. At the time of writing there were no known examples of ransomware going after data held inside databases, so in the short term the priority is to start backing up critical website files; for example, everything within the /var/www directory should be backed up frequently. Database files on disk are still files, though, so database dumps belong in the backup set as well. Since ransomware will search the entire file system, and potentially network locations as well, website administrators should follow the 3-2-1 rule of backups: keep three copies of the data, on two different types of media, with one of the copies off-site. A backup that is reachable as a mounted drive or network share from the infected machine can be encrypted along with everything else, so at least one copy should be offline or otherwise not writable from production systems. By keeping data in different locations, the chances of the ransomware encrypting all of them are significantly reduced.
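As an added example covering both the file integrity monitoring recommended under "Protecting against ransomware" and the backup advice in this section (our own code, not the article's and not a Tripwire product), the Python below hashes a web root into a baseline, flags a mass change between two scans, writes a tarball plus a hash manifest as a backup, and performs a restore test. The web root layout, the file names, the `nightly-*` labels, the `copy-a`/`copy-b` destinations and the 50% mass-change threshold are assumptions; the simulated encryption in `demo()` is constructed input, not a real sample.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current, threshold=0.5):
    """Classify changes since the baseline. Assumption: when at least
    `threshold` of the tree has been rewritten or removed between two scans,
    that looks like encryption rather than a routine deploy, so alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    ratio = (len(modified) + len(removed)) / max(len(baseline), 1)
    return {"added": added, "removed": removed, "modified": modified,
            "changed_ratio": ratio, "mass_change_alert": ratio >= threshold}

def create_backup(src, dest_dir, label):
    """Archive every file under src and write a manifest of hashes beside it."""
    src, dest_dir = Path(src), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = snapshot(src)
    archive = dest_dir / f"{label}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(src / rel), arcname=rel)
    manifest_path = dest_dir / f"{label}.manifest"
    manifest_path.write_text("".join(f"{h}  {p}\n" for p, h in manifest.items()))
    return archive, manifest_path

def load_manifest(manifest_path):
    lines = Path(manifest_path).read_text().splitlines()
    return {rel: digest for digest, rel in (ln.split("  ", 1) for ln in lines)}

def verify_backup(archive, manifest_path):
    """Restore test: extract into scratch space and hash what came out.
    A backup nobody has restored from has not been shown to work."""
    expected = load_manifest(manifest_path)
    try:
        with tempfile.TemporaryDirectory() as scratch, \
                tarfile.open(str(archive), "r:gz") as tar:
            for m in tar.getmembers():  # refuse entries that could escape scratch
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    return {"ok": False, "error": f"unsafe entry {m.name}"}
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
            delta = compare(expected, snapshot(scratch))
    except (tarfile.TarError, OSError, EOFError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": not (delta["added"] or delta["removed"] or delta["modified"]),
            "delta": delta}

def demo():
    """Constructed scenario: web root, nightly backup, simulated encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp) / "www"
        (www / "assets").mkdir(parents=True)
        files = ["index.php", "about.php", "robots.txt",
                 "assets/site.css", "assets/app.js", "assets/logo.png"]
        for rel in files:
            (www / rel).write_bytes(f"original {rel}\n".encode())
        baseline = snapshot(www)
        # two local copies; the off-site copy of the 3-2-1 rule is the same
        # call with a third destination
        first = create_backup(www, Path(tmp) / "copy-a", "nightly-1")
        create_backup(www, Path(tmp) / "copy-b", "nightly-1")
        # simulated ransomware: five of six files rewritten with random
        # bytes, plus a dropped note (constructed file name)
        for rel in files[:5]:
            (www / rel).write_bytes(os.urandom(64))
        (www / "HOW_TO_RESTORE.txt").write_text("pay us\n")
        delta = compare(baseline, snapshot(www))
        second = create_backup(www, Path(tmp) / "copy-a", "nightly-2")

        def is_clean(manifest_path):  # was this backup taken before the mass change?
            return not compare(baseline, load_manifest(manifest_path))["mass_change_alert"]

        return {"modified": len(delta["modified"]), "added": delta["added"],
                "alert": delta["mass_change_alert"],
                "first_restores": verify_backup(*first)["ok"],
                "second_restores": verify_backup(*second)["ok"],
                "first_is_clean": is_clean(first[1]),
                "second_is_clean": is_clean(second[1])}
```

Two things in `demo()` are worth noticing. The integrity check catches the attack not by recognising the malware but by noticing that five of six files changed between scans, which is the kind of signal file integrity monitoring gives you on a web root that should only change through change control. And the second backup restores perfectly yet is not a clean restore point, which is why backup retention has to cover the time between infection and discovery, and why the "one copy off-site" in the 3-2-1 rule should also be a copy the compromised host cannot write to.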
Don't become a victim
Ransomware is a real threat to many different types of organisation. End users must stay vigilant in the fight against ransomware: do not click on unsolicited links or open unsolicited attachments. Backups should be kept up to date and offline to reduce the likelihood of ever having to pay to recover critical data.
Travis Smith, Senior Security Research Engineer at Tripwire