Ransomware has become one of the top threats to consumers over the course of the past few years, and it has begun to spread to enterprises as well of late. But as bad as this problem has become, researchers say that what we’re seeing right now may be just a ripple in the water compared to the tsunami that could be on the horizon.
For much of the history of ransomware, the attackers have targeted individual users. There are a number of logical reasons for this, mainly the fact that consumers are seen as easier targets and more likely to pay a ransom than enterprises. Businesses have dedicated IT and security teams, better defenses, and more resources for potentially recovering lost data than home users do, so consumers have borne the brunt of the ransomware attacks.
But that has changed recently, as ransomware gangs have begun to turn their attention to enterprises. One reason for this shift is that if an attacker is able to disrupt a business’s operations sufficiently, he is likely to get a quick payment in order to get things running again. The most prominent example of this phenomenon is the attack on Hollywood Presbyterian Medical Center in February, which rendered large portions of the hospital’s network unusable and inaccessible. After notifying law enforcement, hospital officials decided the best course of action was to pay the ransom and get on with its business.
“The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000. The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” a statement from Allen Stefanek, president and CEO of the hospital, said.
Perhaps the biggest factor, though, in the move toward ransomware attacks on enterprises is the ability to infect multiple machines, destroy backups, and pull in a large payment all at once rather than relying on multiple smaller payments from individual victims. In order to get that large payment, though, the attacker needs to have the ability to get his ransomware on large numbers of machines in a target network, and that requires rapid infections and lateral movement inside the network.
Enter the self-propagating ransomware worm.
“We anticipate a trend towards ransomware that can self propagate.”
Researchers from Cisco’s Talos team did an in-depth analysis of the current state of ransomware attacks and looked at what the future may hold, too. They analyzed the recent attacks featuring the SamSam ransomware, which has some functions that allow it to spread on a network. It goes after network backups and looks for mapped drives.
“The ultimate goal for this stage of invasion is to locate and destroy networked backups before mass-distributing ransomware to as many systems on the network as they are able to access.. After finding the backup systems and destroying any local backups, or otherwise denying access to said backups, the adversary scans and enumerates as many Windows hosts as they can. After the hosts are enumerated, the attackers utilize a simple combination of a batch script, psexec, and their ransomware payload to spread the ransomware through the network in a semi-automated fashion,” a paper from Cisco Talos released this week says.
Attackers who use ransomware have to maintain the infrastructure for infection and payment and also need to spend a lot of time and effort finding new targets. The move to enterprises as key targets helps alleviate some of the issues the attackers face, and also increase the amount of money they may be able to bring in.
“SamSam is interesting in that it indicates a change in focus from individual end user targeting to the targeting of entire networks. Additionally, the semi-automatic propagation method, while simple, is highly effective. Ransomware authors are beginning to see an opportunity in attacking enterprise networks. They are likely to develop ransomware with faster and more effective propagation methods in order to maximize impact and probability of receiving payment,” the paper, by Talos researcher William Largent, says.
The Talos researchers laid out the details of a hypothetical ransomware framework that includes a file infector module, autorun module, exploits for common bigs in authentication infrastructure, command-and-control communications, and other functionality. They then describe a detailed, and entirely plausible, attack scenario against a fictional enterprise network that involves an initial network compromise, elevation of privileges, enumeration of network resources, and eventually infection and encryption of key desktops, servers, and backup management systems.
“The attackers have access to modify group policy and modify the domain’s GPO to deliver an MSI wrapped version of their custom ransomware implant. They then leave the network and simply wait for the ransom to be paid. The malware spreads exponentially thanks to a combination of compromised hashes and/or username/passwords and software pushes via GPO spreading and executing the malware,” the paper says.
“Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3200 workstations are compromised; half the organization’s digital assets, and the vast majority of the company’s data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation. The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like.”
The results of the attack may sound extreme, but looking at the details of the attack on Hollywood Presbyterian reveals that it’s not far-fetched at all. Attackers continually adapt, as the evolution of ransomware over just the last year or two shows, and when there’s a pile of money at stake, they will adapt even more quickly.
“It is inevitable that these adversaries would look to the past for effective malware behaviors to advance the efficacy of ransomware. Combined with new methodologies in targeting, we anticipate a trend towards ransomware that can self propagate and move semi-autonomously throughout a network to devastating effect,” Largent says in the paper.