
Ransomware

Article by Obedience Kuguyo
Ransomware Trends around the Globe

Ransomware as a Service (RaaS)


Ransomware is a type of malicious software that threatens to publish the victim's data or
perpetually block access to it unless a ransom is paid. Today, ransomware is used to infect
computers and extort money from victims, and it has become a trend in criminal activity even
among low-skilled hackers. The nature of ransomware attacks is starting to change and will
continue to evolve: new, more resistant strains are being developed and sold on the dark
market for an affordable price, with options to customize the code to get past particular
security controls. RaaS is fuelling criminal entities to invest in ransomware code and markets,
with most cybercriminals now reverse engineering ransomware strains to develop better and more
resistant versions for their cybercrime arsenals, alongside a wide range of other attack tools
such as keyloggers and network scanners.

Why are more advanced cybercriminals modifying ransomware for their cyber arsenal?
As a cybersecurity expert, I've seen many attacks already where skilled attackers get into a
network, get what they need, and leave ransomware behind to further extort money or destroy
systems. Part of the reason for this is that it serves as a useful distraction: it shows the
victim that they have been hacked by a certain group and that it wasn't just a virus infection
but rather a targeted one. I have seen most people ignore their network defences after a
single machine has been infected by ransomware; it is common that systems administrators fail
to look around their network for other signs of a breach, making it easier for the attacker to
escape unnoticed and infect the whole cluster of machines on the same network environment.

But another reason, and the more common one, is that cybercriminals want to make a ton of
money from unsecured systems, and ransomware attacks can give them an instant cash-out that is
mostly untraceable when paid in cryptocurrencies such as Bitcoin and Zcash. In some
circumstances, rogue nations practising espionage can also conduct state-sponsored
cybercriminal activities and infect target countries with ransomware as cyberwarfare and to
find new sources of revenue. These countries make use of contractors within the target country
who have very good access to many organizations around the world to spread their
ransomware.

The rise of more sophisticated ransomware attacks designed to shame the victims
Press coverage of recent ransomware attacks such as WannaCry and Petya has generated
considerable interest from hacker groups in ransomware samples and analysis. The world must
expect to see growth in these kinds of attacks, with more copycat attacks coming from
different geographical areas as more ransomware samples are downloaded for reverse engineering
and analysis. These attacks will be more directed at profitable systems around the world,
especially those such as:
Self-checkout systems at grocery store chains
Bank ATMs
Hotels
Computerized billboards
Hosting servers
Government institutions
Profitable groups

Basically, any organization that has a kiosk-type system exposed to the public and running on
older, insecure versions of Microsoft Windows can be infected. New strains for Linux and
macOS are being developed, and sites on the darknet claiming to offer such services are
beginning to advertise their malware to interested groups.

If these types of systems get infected with ransomware, everyone knows you have been hit,
there is a lot of pressure to resolve the problem quickly, and the victim might even pay the
ransom in the hope of restoring the infected resources. Cybercriminals have developed ways to
infect Internet of Things (IoT) devices with ransomware. They have devised ways to attack the
whole cluster of IoT devices connected to the same network using open protocols that face the
public internet.

Examples of ransomware using no executable as payload to evade security defences


Ransom32 is a type of ransomware developed entirely in JavaScript, and PowerWare is developed
in PowerShell. Neither uses an executable payload that needs manual installation on the
physical host, so downloading this ransomware is very easy if JavaScript is enabled in your
browser, as the Ransom32 payload will execute when the JavaScript is loaded. This trend of
intelligent ransomware obfuscation techniques will continue to grow because it is easy to evade
antimalware protections and also easy to deploy with less suspicion from the victim through
web hijacking and clickjacking. Execution of the payload runs in the background and the
victim won't suspect anything.

This type of ransomware uses a combination of scripting languages (such as PowerShell and
JavaScript) and Microsoft API calls to encrypt the files on a victim's machine. The encryption,
the ransom note, and the call out to a command and control server are completed without an
executable file. These ransomware families can avoid detection by many traditional security
vendors because they are taking advantage of legitimate processes on the system, so everything
they do looks legitimate.

Ransomware attacks via e-mail service


Spam campaigns are losing the fight against consumer webmail providers such as Gmail,
Outlook and Mimecast. These services have increased their security defences to identify new
ransomware campaigns being sent through their service by employing artificial intelligence
(AI) and machine learning algorithms. AI has proved useful in learning the dynamic changes in
ransomware and its families. These services are also able to filter the origins of a sample in
certain circumstances, but they can be less effective in learning about new kinds of threats
emerging in cyberspace. They also rely on open threat exchanges, and it is only once a threat
has been identified that these providers can come up with a solution to strengthen their
security and block the new threat.

As ransomware attackers look to expand their attack surface, the easiest way to do that is to
increase the number of people who see their email or to have the ransomware auto-install when
the victim opens the email. If the ransomware groups can find a weakness in the security of
these providers, or use some of the millions they have made to buy zero-day exploits for
weaknesses that may exist, they can increase the number of successful installs and increase
their revenue even more. This is what is happening today: the Shadow Brokers leaked the
EternalBlue exploit, and cybercriminals have used the vulnerabilities associated with it to
build ransomware such as WannaCry and attack hundreds of thousands of systems across the
world.

Ransomware on IoT devices


Ransomware attacks are now targeting almost every computing system, even IoT devices. Since
these devices tend to be synced with a local server or a cloud environment, it is easy to wipe
and replace them, so in my opinion there is no compelling reason for a victim to pay the
ransom and have their systems restored by cybercriminals. Planning an effective ransomware
attack on these systems would be a waste of time and a non-profitable business for a
cybercriminal who aspires to profit from Ransomware as a Service, as I don't think ransomware
is going to be effective against these targets.

There is a distinction between the IoT device itself and the Windows systems that serve as
the face of these IoT systems; the latter will be subject to attack in the same way as other
Windows systems. In fact, in some ways they may be more susceptible to ransomware. The control
systems of these IoT devices often run specialized software that controls the devices'
functions. This specialized software usually requires a specific version of Windows, one that
is often outdated, unpatched or with less support in terms of its core development.

IoT devices are mostly built on Linux/UNIX/specialized OSs that handle the day-to-day
functions of those systems. They are too obscure to be a reliable target for mass-produced
ransomware. There is also a difference in the way the file systems are set up on
Linux/UNIX systems and on Windows computers, which makes attacks on Linux IoT devices
ineffective. Most people act as local administrator on their home computer, and even a lot of
companies allow their users to have local administrative access to their workstations. In
practical terms, this means that the user can access every file on the system. When a victim
inadvertently installs ransomware, that ransomware also has access to everything on the system
and can encrypt it all. Linux/UNIX systems operate differently. The user only has access to
their own files, not all files on the system. Even if a user does accidentally install
ransomware, the ransomware will only be able to encrypt the user's files, not all the files on
the system. For ransomware to be effective on a Linux/UNIX system the attacker would either
need a victim logged in as root or to package a privilege escalation with the ransomware.
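The permission argument above, as an added illustration that is not from the article: a POSIX-style write-permission check run over a constructed file inventory, showing how many files the same ransomware process could reach as an ordinary user versus as root. `Entry`, `can_write`, `blast_radius` and the sample paths are assumptions made for the example.

```python
import stat
from typing import Iterable, NamedTuple


class Entry(NamedTuple):
    """One file from a (constructed) inventory: owner uid, group gid, mode bits."""
    path: str
    uid: int
    gid: int
    mode: int


def can_write(entry: Entry, uid: int, gids: Iterable[int]) -> bool:
    """POSIX discretionary-access check for write permission.

    Root bypasses the mode bits. Otherwise exactly one class is consulted:
    owner if the uid matches, else group if the gid is one of the caller's
    groups, else 'other'. A process never falls through to a later class."""
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in set(gids):
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def blast_radius(inventory: list[Entry], uid: int, gids: Iterable[int]) -> list[str]:
    """Paths a ransomware process running as uid/gids could overwrite."""
    return [e.path for e in inventory if can_write(e, uid, gids)]


# Constructed inventory of a small Linux host (sample data, not from the article).
SAMPLE = [
    Entry("/home/alice/thesis.docx", 1000, 1000, 0o644),
    Entry("/home/alice/.ssh/id_ed25519", 1000, 1000, 0o600),
    Entry("/home/bob/photos.tar", 1001, 1001, 0o644),
    Entry("/srv/shared/report.xlsx", 0, 2000, 0o664),  # group 2000 ('staff') may write
    Entry("/etc/passwd", 0, 0, 0o644),
    Entry("/var/lib/postgresql/base", 104, 104, 0o700),
]

if __name__ == "__main__":
    # alice (uid 1000, groups 1000 and 2000) versus the same code run as root
    for who, uid, gids in (("alice", 1000, (1000, 2000)), ("root", 0, (0,))):
        hit = blast_radius(SAMPLE, uid, gids)
        print(f"{who}: {len(hit)}/{len(SAMPLE)} files writable: {hit}")
```

Run as alice the process reaches 3 of the 6 files; run as root it reaches all 6, which is why a root session or a bundled privilege escalation is what the article says the attacker needs.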

Consumer-grade IoT and more complex enterprise systems


There is a distinction to be made between consumer-grade IoT devices, such as home routers
and web cameras, and the more complex Supervisory Control and Data Acquisition (SCADA)
systems that control things like the water supply, electricity supply, nuclear energy stations
or traffic lights. These systems also run on specialized operating systems, but they are not
disposable in the way consumer IoT devices are. Russian hackers are allegedly developing
ransomware and malware to target SCADA systems for huge profits, and if these sectors are
left without appropriate security defence layers, they will soon become more attractive targets.

Law enforcement action on ransomware and cybercriminals

There is a strong need for the security community to collaborate with law enforcement agencies
in a big way to permanently shut down the attacking domains behind ransomware and the
exploit kits that deliver them. Law enforcement agents should be trained on cyber security, and
cybersecurity units within the law enforcement agencies should work together with other
nations to help stop the spread of ransomware and malware related activities. Law enforcement
agencies should also consider collaborating with security researchers and malware analysts
when it comes to dissecting ransomware and offering new protections and cyber response
methodologies.

Ransomware Prevention Tips


As of today, ransomware attacks are here to stay. Computer users should adopt a certain set of
skills and best practices to prevent ransomware attacks from happening. This can prevent
bricked systems and data loss. Ransomware attacks have been on the rise since the beginning
of 2015 and 2016, and people should expect to see this type of growth in 2017, with more
resistant types of ransomware being developed and targeting more complex systems. If victims
continue to pay ransoms and fund the growth and development of these new ransomware
families, there will be more complex, hardened and effective ransomware attacks that brick
computer systems.

Here are a few best practices to minimize the risk and data loss associated with ransomware
attacks:
Back up confidential and useful data, and test the backups regularly to verify them.
Disable Microsoft Office macros by default, and selectively enable them for those who need macros.
Keep web browsers, services and plug-ins such as Adobe Flash, the SMB protocol and Microsoft Silverlight updated, and prioritize patching systems as new updates are released.
Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them by putting in place effective access control systems and policies.
Scan incoming emails for suspicious attachments, including examining all compressed attachments.
Disable or remove the PowerShell, wscript and cscript executables on all non-administrative workstations to prevent infections.
Automatically quarantine any email that has an attachment containing a script or a .scr file extension, or that comes from an unknown domain name.
Do not give all users in the organization local administrative access to their workstations if they are organization-owned computer systems.
Use threat intelligence to gain visibility into your organization's external threat environment, and monitor for any emerging ransomware threats to your organization with proper, reputable security and reporting tools such as Symantec solutions and Kaspersky.
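One way to automate the three mail-handling rules in the list above (scan attachments including compressed ones, quarantine script or .scr attachments, and quarantine mail from unknown domains), as an added example rather than the article's own tooling. The extension set and the sender-domain allowlist are assumed policy values, and the sample message is constructed inline.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Extensions the article's tips single out (scripts and .scr screensavers); assumed policy.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".scr"}
KNOWN_DOMAINS = {"example.com", "partner.example"}  # assumed allowlist of sender domains


def risky_names(filename: str, data: bytes) -> list[str]:
    """Names carrying a script/.scr extension; ZIP attachments are opened one
    level deep so 'invoice.zip' cannot hide a .js inside."""
    found = []
    if PurePosixPath(filename).suffix.lower() in SCRIPT_EXTS:
        found.append(filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if PurePosixPath(member).suffix.lower() in SCRIPT_EXTS:
                    found.append(f"{filename}!{member}")
    return found


def triage(msg: EmailMessage) -> list[str]:
    """Return quarantine reasons for a message; an empty list means deliver."""
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in KNOWN_DOMAINS:
        reasons.append(f"unknown sender domain: {domain or '<none>'}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for hit in risky_names(name, part.get_payload(decode=True) or b""):
            reasons.append(f"script attachment: {hit}")
    return reasons


def build_sample() -> EmailMessage:
    """Constructed message: a ZIP 'invoice' holding a harmless placeholder .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "billing@unknown-sender.test"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg
```

Calling `triage(build_sample())` returns two reasons, one for the unknown sender domain and one for the .js file found inside the ZIP attachment.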
