As we move into 2019, we will continue to see a rise in more sophisticated ransomware attacks, with the newest one, “Anatova”, making the latest headlines. McAfee discovered this recent ransomware flavor in a private peer-to-peer (p2p) network and made some surprising discoveries upon closer inspection. We will cover a little more on that later. This article is designed to help gain insight into what ransomware is, what it does, and how we can avoid and/or protect ourselves and our customers’ data from such an attack. Before we continue, how about a brief primer lesson/history on the topic of discussion?
What Is Ransomware?
Ransomware can be categorized as malware that prevents access to, or limits the use of, a computer information system. The user is typically locked out of their device or files until a ransom is paid. Paying the ransom, though, usually does not restore their system or their encrypted files. In fact, the Federal Bureau of Investigation recommends NEVER paying the ransom. Ransomware attacks are on the rise, and here are just a few statistics from Osterman Research, sponsored by Malwarebytes, on ransomware and other security-related issues for over 1,000 small to mid-range businesses surveyed in 2017:
- 22% had to cease operations immediately due to ransomware.
- 35% were ransomware victims.
- 50% of those infected with ransomware received demands of $1,000 or less.
- 1 in 6 ransomware infections caused 25 hours or more of downtime.
- 90% resulted in more than 1 hour of downtime.
At first glance, these numbers don’t strike fear into the hearts of battle-hardened System Administrators (although they should). But we need to remember this is for ransomware alone, with a sample size of only 1,000 organizations. Consider the other wolves at the door:
- 81% experienced a cyberattack in the last 12 months.
- 66% suffered a data breach.
These numbers, as stated before, are from a small number of surveyed businesses and do not even begin to scratch the surface of the damage that is occurring to countless organizations. We are all at risk if we stick our heads in the sand and pretend the threats aren’t real, especially when there is so much we can do about it.
A Brief (I Promise) History of Ransomware
Depending on which search engine you use, typing in “Ransomware” and executing your search will result in a slew of “Free” security scan offerings from various vendors as well as articles all about ransomware. Each site you navigate to will give varying claims about the history of ransomware and who/where/when this malicious type of encrypting software originated. As far as our research has determined, the first documented ransomware virus was the “AIDS Trojan”, aka the PC Cyborg virus, created by biologist Dr. Joseph Popp in 1989. We have read multiple accounts of this story and there are many variations, so for the sake of time and clarity we will cover only the highlights.
The virus was written on floppy disks and then distributed to nearly 20,000 attendees of the World Health Organization’s (WHO) AIDS conference in December of 1989. The disks included leaflets warning that the software would “Adversely affect other program applications” and also stated “that your microcomputer will stop functioning normally” (Reminder to read those EULAs thoroughly!). The user was then asked to pay $189 to the PC Cyborg Corporation. It was later concluded that Dr. Popp did this to bring attention to the AIDS crisis, as he was a consultant for the WHO in Kenya, likely witnessing the devastating effects of untreated HIV and AIDS firsthand. He defended himself, stating that he would use the profits from the malware to fund AIDS research. He eventually avoided prosecution, having been deemed mentally unfit to stand trial in England.
The fatal weakness in the AIDS Trojan, and others like it, was pointed out by Adam L. Young and Moti Yung. These types of Trojans relied on symmetric encryption alone, so the decryption key could be extracted from the Trojan itself, and anyone holding a copy of the Trojan could decrypt every victim’s files. This led Young and Yung in 1996 to implement their experimental proof-of-concept cryptovirus, this time incorporating asymmetric encryption, better known as public key encryption. In the asymmetric model, only the encryption key (public key) is included with the cryptovirus, and only the attacker has access to the decryption key (private key). Without the private key, the data that has been encrypted on the victim’s machine is inaccessible. This is the basic technique that most, if not all, ransomware Trojans utilize today.
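The contrast Young and Yung drew, as an added illustration that is not part of the original article or McAfee’s analysis: a toy symmetric-only scheme whose key ships inside the sample (so an analyst holding the sample recovers the data) next to a toy hybrid scheme where the sample carries only a public key. The stream cipher, the small RSA primes and the sample file contents are all constructed for readability and are not real ransomware code.

```python
import hashlib, secrets

# Toy stream cipher shared by both schemes: XOR data with SHA-256(key || counter).
# Constructed for illustration only; real software uses a vetted AEAD cipher.
def stream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# --- 1989-style scheme: a single symmetric key baked into the Trojan ---
EMBEDDED_KEY = b"constructed-demo-key"   # stands in for the key an analyst pulls from the sample

def symmetric_only_encrypt(plaintext: bytes) -> bytes:
    return stream_xor(EMBEDDED_KEY, plaintext)

def analyst_recover_symmetric_only(ciphertext: bytes) -> bytes:
    # Decryption needs the same key that shipped in the sample, so whoever has
    # the sample has the key: this is the weakness Young and Yung pointed out.
    return stream_xor(EMBEDDED_KEY, ciphertext)

# --- 1996 Young/Yung scheme: public key in the sample, private key held elsewhere ---
def toy_rsa_keypair():
    p, q, e = 1000003, 1000033, 65537   # constructed small primes; real keys are 2048+ bits
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)

def hybrid_encrypt(plaintext: bytes, public_key) -> tuple:
    n, e = public_key
    file_key = secrets.randbelow(n - 2) + 2          # fresh per-file symmetric key
    wrapped = pow(file_key, e, n)                    # only the private exponent unwraps this
    return wrapped, stream_xor(file_key.to_bytes(8, "big"), plaintext)

def hybrid_decrypt(wrapped: int, ciphertext: bytes, key) -> bytes:
    n, exp = key
    file_key = pow(wrapped, exp, n)                  # correct only when exp is the private d
    return stream_xor(file_key.to_bytes(8, "big"), ciphertext)

def demo() -> dict:
    msg = b"quarterly-results.xlsx contents (constructed sample file)"
    sym_ct = symmetric_only_encrypt(msg)
    pub, priv = toy_rsa_keypair()
    wrapped, hyb_ct = hybrid_encrypt(msg, pub)
    return {
        "symmetric_recovered_from_sample": analyst_recover_symmetric_only(sym_ct) == msg,
        "hybrid_recovered_with_public_only": hybrid_decrypt(wrapped, hyb_ct, pub) == msg,
        "hybrid_recovered_with_private": hybrid_decrypt(wrapped, hyb_ct, priv) == msg,
    }
```

Running `demo()` shows the symmetric-only ciphertext recovered from the sample alone, while the hybrid ciphertext comes back only with the private key, which is exactly why offline backups, not key extraction, are the realistic recovery path today.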
See, I told you, brief! Now that we covered all that, let’s get to the geeky stuff about Anatova…
Anatova Ransomware – Same Old Hat?
You may be asking, “What makes Anatova different from other types of ransomware?”, which is funny because we asked the same question! According to the McAfee release on Anatova, their statement read as follows: “We believe that Anatova can become a serious threat since the code is prepared for modular extension.” In essence, Anatova has been designed to allow for additional functionality, which could potentially run prior to the encryption routine. The additional modules would more or less turn Anatova into a malware suite, providing capabilities to create back-doors, collect sensitive data, or inject other types of chaos prior to encrypting the files. The sophistication of this new ransomware is somewhat concerning, as it is hypothesized that Anatova was created by malicious actors with a higher level of programming knowledge, as opposed to previous ransomware variants that have been created by nuisance script-kiddies using source code readily available for purchase on the web.
Anatova does a few interesting things that previous versions of ransomware did not, leading researchers to conclude that Anatova was developed by professional criminal hackers.
The payload for Anatova is hidden inside icon files resembling popular video game titles, enticing the would-be victim to download it. Once executed, it requests administrator rights and begins encrypting all files under 1 MB while also attempting to do the same to any connected shares it detects. This is critical because one infection on a corporate network will potentially cascade to all the mounted remote shares.
It attempts to run a check on the currently logged-in user and runs the user’s name against an encrypted list. If any match is found with a name contained in the list, the program will exit without even attempting to encrypt the files. This list comprises many default names used by security analysts and sandboxed VMs (Lesson here: use a unique name when creating the user on your sandboxed test VM, security ninjas!).
The software also runs a system language check and exits if any of the Commonwealth of Independent States (CIS) countries are detected. Countries like Syria, Egypt, Morocco, Iraq, and India are all spared the fate of Anatova. Why these specific countries are excluded is up for speculation, as researchers are still, well, researching…
After the language check, Anatova looks for a specific flag of “0” or “1”, and if “1” is present during the check, two additional DLLs are loaded. This is what leads the team at McAfee to believe that Anatova has been prepared for modularization (Currently, the tested malware samples have never triggered the “1” flag condition).
If all that wasn’t enough, Anatova also enumerates all the processes on the system, comparing them with a list. If it discovers that some are on the list, it kills those processes, essentially unlocking the files they held open so that it can access them for encryption.
Anatova does a few more things to finalize the disaster, but you get the picture. If you are interested and want a more extensive overview of Anatova, we recommend you read the McAfee team’s Anatova write-up.
Help Me Obi-Wan…
Have you ever heard the term, an ounce of prevention is worth a pound of cure? These are words to live by in today’s cyber-warzone. The last line of the previous paragraph hopefully did not invoke feelings of helpless terror, but instead instilled hope that we could actually do quite a bit to limit the impact of such incidents, or render them ineffective to the point that the profits would not outweigh the risks of being caught. Self-preservation is a powerful drive (prison is no fun, I hear), one we would do well to leverage against attackers as IT security professionals and as regular everyday users. Let’s face it, we will not be able to change human nature, but we can create a system that recognizes that some people will behave unethically, and instead of rewarding that behavior with ransoms paid in Bitcoin or Amazon gift cards, we simply make it unprofitable and unproductive, increasing the risk while reducing the potential for reward.
Now, you probably have heard this before, so many times you can’t even count, but I’m going to say it again, and again, and again. Backups! Backups! Backups! Back up everything! Back up your drives, back up your system images, heck, back up your backups of your drives and system images. Once you are done backing everything up, disconnect the backups and store them in a secure area with limited access. Doing this eliminates one of the greatest risks associated with ransomware: losing access to the data. If the technological countermeasures failed and the attack was successful, then so what? Wipe the system, restore from backup, and move on with the day. Spend more time researching why the technical solution was ineffective, and less time recovering from a catastrophic data loss. By regularly performing backups, you maximize your overall efficiency and protect not only your network, but the business and everyone else who depends on that business to stay profitable. Since many organizations have specific requirements, especially for Service Level Agreements (SLAs) and data access policies, each organization will need to implement their backups to fulfill their specific needs.
How Do I Stay Clean, Man?
Although we would love to provide you with the magical incantation that would rid you of all the possible nasties lurking out there in Internetopia, we would probably get into a bit of trouble with our robot master overlords (They don’t like to share). Unfortunately, there is no magical spell that we have as of yet, to eliminate all the threats that face our networks and IT infrastructures. We do, however, have some pragmatic approaches that will help to mitigate some of the risks, and reduce your attack surface. Here is a short list of practical ideas that you can rattle off to impress your robot masters!
- Back up your data (Repetition…).
- Make sure that you have the most up-to-date patches for software and services running.
- Know what you have, who has it, and where they have it. Keeping a tidy inventory and knowing what/who is connecting to your network can aid in alerting you when cyber knuckleheads attempt to penetrate your defenses.
- Do not store all your eggs in one basket. Network segmentation is crucial. This provides you with another layer of defense. Make it harder for those criminals to get what they want.
- A chain is only as strong as its weakest link. Everyone has to become a defender. This is not the most popular one for many people, as it can be cumbersome to train less technical individuals. It is, however, a very necessary step in mitigating the risk to your organization.
- Develop your Disaster Recovery Plan (DRP). You need to conduct a Business Impact Analysis (BIA) and formulate your recovery strategy before an attack or outside event ever materializes.
- Communicate with everyone about current and potential threats you are facing. Let everyone know if the network was attacked, if a virus was found, or if insecure practices were identified. This helps to keep everyone aware that the threats are real and reduces overall complacency.
- Stay informed of new threats and conduct ongoing analysis on the products, services, and devices you use, to monitor for newly discovered vulnerabilities.
- Finally… Conduct penetration testing. Ideally this would be contracted out to a trusted third-party penetration testing company (like Riptide) that is certified in identifying all types of vulnerabilities, from the exterior of your building to the internal network that carries all those ones and zeros to their destinations. Third parties are recommended because they remove the conflict of interest and can identify whether or not the network has been compromised by a malicious insider, which is one of the greatest threats to an organization. These individuals can go undetected for years causing irreparable damage, and many times are never even caught.
So with these tips in hand, and your newfound knowledge of ransomware, do you feel more confident that we actually have a lot of options at our disposal to reduce the threat that ransomware poses to our data and our IT infrastructures? By taking a proactive (and not a reactive) stance against such threats, we provide our customers with the confidence to trust that we are securing their data, while at the same time securing our networks and protecting our own organizations to the best of our abilities.