How can malware encrypt a company's existence?


More than 4,000 ransomware attacks occur daily, according to the FBI.

In May 2019, the Baltimore City government's systems were hit with a ransomware attack whose recovery cost is estimated at over $18 million, even though the ransom demanded was only $75,000 worth of Bitcoin. The attack impacted vaccine production, airports, hospitals and ATMs.

2017 was the year of ransomware attacks, with the massive global WannaCry attack that infected 200,000 computers across 150 countries and caused damages ranging from hundreds of millions to billions of dollars.

How can a simple program ruin your company?

Ransomware is a form of worm that spreads across computers using an exploit, such as EternalBlue, for some vulnerability. The malware prevents legitimate users from accessing their data and demands money, generally cryptocurrency, in exchange for making the unreadable data readable again. Only the author of the attack can decrypt the infected computer.

It isn't a new kind of malware; in fact, it dates back to 1989 with the "AIDS trojan", which encrypted only the filenames and displayed a message claiming that the user's software license had expired. Since then the malware has evolved a lot, but at its core it is still the same: find all the files on an infected computer, encrypt each one and ask for the ransom.

Why are files unrecoverable?

Using both symmetric and asymmetric encryption, ransomware can make files accessible only once they are decrypted with the server's private key, as explained in this article.

The encryption process uses symmetric encryption for the files themselves, because of its high speed, and public key cryptography to encrypt the AES keys and to communicate with the server.

Combining the two, the ransomware can be fast, work offline and still allow decryption (if that is the authors' intention).

After encrypting the original files, the ransomware overwrites them with randomly generated data and deletes them. This process is called shredding. Even if recovery tools are used to recover the deleted files, the recovered content is useless.

Ransomware also deletes shadow copies, so there's no way to roll back to a system snapshot taken before the attack.
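The shredding and shadow-copy deletion described above are also what defenders can key on: a process deleting shadow copies and a burst of files being renamed to a new extension are strong behavioural signals, and overwritten or encrypted content is statistically unlike any document. The detector below is an added example written for this article, not code from the original post or from any product. It runs over a few constructed telemetry lines in an invented "timestamp host KIND key=value" format (the format, host name, pids and paths are all assumptions), flags the well-known shadow-copy deletion command lines (vssadmin, wmic, wbadmin), counts extension-changing renames per process inside a sliding 60-second window, and includes a Shannon entropy check that separates encrypted or shredded content from ordinary files.

```python
import math
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Any, Dict, List, Optional

# Constructed telemetry; the line format is an assumption for this example, not any real product's.
SAMPLE_LOG = r"""
2019-05-07T09:00:01Z ws-12 PROC pid=4120 cmd="winword.exe /n report.docx"
2019-05-07T09:00:05Z ws-12 FILE pid=4120 op=write path="C:\Users\bob\Documents\report.docx"
2019-05-07T09:00:09Z ws-12 PROC pid=5001 cmd="vssadmin.exe delete shadows /all /quiet"
2019-05-07T09:00:10Z ws-12 FILE pid=5001 op=rename src="C:\Users\bob\Documents\report.docx" dst="C:\Users\bob\Documents\report.docx.locked"
2019-05-07T09:00:10Z ws-12 FILE pid=5001 op=rename src="C:\Users\bob\Documents\budget.xlsx" dst="C:\Users\bob\Documents\budget.xlsx.locked"
2019-05-07T09:00:11Z ws-12 FILE pid=5001 op=rename src="C:\Users\bob\Pictures\holiday.jpg" dst="C:\Users\bob\Pictures\holiday.jpg.locked"
2019-05-07T09:00:11Z ws-12 FILE pid=5001 op=rename src="C:\Users\bob\Desktop\notes.txt" dst="C:\Users\bob\Desktop\notes.txt.locked"
2019-05-07T09:00:12Z ws-12 FILE pid=5001 op=rename src="C:\Users\bob\Desktop\todo.txt" dst="C:\Users\bob\Desktop\todo.txt.locked"
2019-05-07T09:05:00Z ws-12 FILE pid=4120 op=rename src="C:\Users\bob\Documents\draft.docx" dst="C:\Users\bob\Documents\final.docx"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>PROC|FILE)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command lines commonly used to destroy Volume Shadow Copies before encryption starts.
SHADOW_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
)]
RENAME_BURST = 5         # extension-changing renames by one process ...
BURST_WINDOW_S = 60      # ... within this many seconds raise an alert
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and random fill sit close to 8.0


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Turn one telemetry line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, Any] = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "kind": m["kind"],
    }
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        ev[key] = quoted if quoted else bare
    return ev


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(sample: bytes) -> bool:
    """True when a content sample is large enough to judge and near-uniform, as encrypted or
    shredded data is; plain text and most document formats score well below the threshold."""
    return len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD


def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines: List[str]) -> List[str]:
    """Run both behavioural rules over telemetry lines and return human-readable alerts."""
    alerts: List[str] = []
    renames: Dict[tuple, deque] = defaultdict(deque)  # (host, pid) -> rename timestamps
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "PROC":
            cmd = str(ev.get("cmd", ""))
            if any(p.search(cmd) for p in SHADOW_PATTERNS):
                alerts.append(f"{ev['host']} pid={ev.get('pid')}: shadow copy deletion: {cmd}")
        elif ev["kind"] == "FILE" and ev.get("op") == "rename":
            src, dst = str(ev.get("src", "")), str(ev.get("dst", ""))
            if _ext(src) == _ext(dst):
                continue  # ordinary rename, extension unchanged
            window = renames[(ev["host"], ev.get("pid"))]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > BURST_WINDOW_S:
                window.popleft()  # drop renames that fell out of the sliding window
            if len(window) == RENAME_BURST:
                alerts.append(f"{ev['host']} pid={ev.get('pid')}: rename burst: "
                              f"{RENAME_BURST} extension changes within {BURST_WINDOW_S}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The two rules fire in the order the page describes the behaviour: the shadow-copy deletion comes first, and the rename burst follows a second later. Both alerts name the host and pid so the response (taking the machine off the network, killing the process) can start from the alert itself; the entropy check is the piece to wire into a file-write hook where content samples are available.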

Using the Tor network

Because ransomware uses the Tor network for the key and information exchange between the server and the infected machine, the server location is basically untraceable.

The Tor network provides IP anonymity: the server's IP is encrypted at each hop of the network.

There's only one way to find the server location, which is to sit between the last Tor node and the server, as shown in the first scene of the first episode of Mr. Robot.

Without the server location, there's no way for any cyber crime police department to obtain the server's private key.

Cryptocurrency as the method of payment

Using cryptocurrency for the ransom payment makes the authors of the attack basically anonymous.

The average amount requested after a ransomware attack is $1,077 worth of cryptocurrency per infected computer.

Damage beyond the ransom price

Sometimes the ransom price is low, but the damage caused by the attack is much higher, ranging from real-time and historical data becoming unavailable to services and medical devices, such as MRI scanners and blood-storage refrigerators, going offline. The National Health Service hospitals in the UK, infected by the WannaCry ransomware in 2017, are an example.

How is the attack leveraged?

Every now and then a critical vulnerability, such as an RCE, is found in a running service or an operating system. This is the entry point for the malware to do its work.

WannaCry was the first ransomware that exploited the EternalBlue vulnerability, and after its massive attack others exploited it too, such as Petya and its variants.

Even with critical vulnerabilities as an entry point, surprisingly, 92% of malware is still delivered via email.

It's easy to fool a non-technical person into clicking a phishing link and downloading malicious files. Even a technical person can be fooled into downloading and executing the malware.

In fact, 50% of Internet users will click on a link from an unknown sender.

Spreading malware inside a company isn't very hard. The scenario shown in this YouTube video by Cisco isn't far from reality in the majority of companies.

Being such a lethal malware, is there any escape?

The light at the end of the tunnel

When badly implemented, ransomware can be reversed and files can be recovered.

Ransomware can fail, and badly

Sometimes ransomware developers fail at some stage of the process: encrypting files with a weak encryption scheme, dropping the encryption key as plain text on disk, or hiding the encryption keys in the source code.

The 2018 paper "Trends in design of ransomware viruses" brings a list of vulnerable ransomware.

There are several ways in which ransomware ends up leaving files recoverable, such as:

Weak encryption algorithm

A weak encryption algorithm is one that uses a key of insufficient length, opening up the possibility that the encryption could be broken (i.e. cracked). In the ransomware scenario, files could then be recovered.

Weak key generation

Both symmetric and asymmetric encryption need keys, and these are supplied by the attacker, so there's a need to generate strongly random keys. Normally the operating system provides a random number generator, such as /dev/random on Linux and CryptGenRandom on Windows. They gather entropy from events on the computer, such as mouse movements and key presses, to feed a pseudo-random generator.

Hardcoded keys

Hardcoded keys happen when the key ships with the ransomware; this key can be found inside the compiled malware in minutes by researchers. They extract the encryption key and use the malware's own decryption routine to build a tool that decrypts the files, as shown below with the Jigsaw ransomware example.

Ransomware Examples

Here are some examples of ransomware that mis-implemented core functionalities.

Linux.Encoder.1 ransomware

Using the time as the seed for key generation, the ransomware is vulnerable to key recovery, since researchers can guess the keys. Bitdefender made a tool for recovering Linux.Encoder.1 encrypted files.
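The weak key generation passage above and the Linux.Encoder.1 flaw come down to one property: a key derived from a deterministic generator seeded with the clock can be regenerated by anyone who can narrow down the seed. The script below is an added example, not code from Linux.Encoder.1, from Bitdefender's tool or from GonnaCry. It uses Python's random module seeded with a Unix timestamp as a stand-in for whatever generator the malware used (an assumption; the flaw is the seed, not the generator), contrasts it with the OS-backed secrets module the article's advice amounts to, and shows the researcher's side: walking every second in a window around a known time, such as an encrypted file's modification time, until the key is reproduced.

```python
import random
import secrets
import time
from typing import Optional

KEY_LEN = 16  # 128-bit key, the size an AES-128 key would have


def weak_key(seed: int) -> bytes:
    """Key from a deterministic PRNG (Mersenne Twister here) seeded with a timestamp.
    The generator is an assumption standing in for the malware's own; the weakness is
    that the whole key is a function of one guessable integer."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """Key from the operating system's CSPRNG via secrets (os.urandom underneath),
    the kind of source the article recommends; there is no seed to guess."""
    return secrets.token_bytes(KEY_LEN)


def recover_seed(key: bytes, approx_time: int, window: int = 3600) -> Optional[int]:
    """Researcher's side: if the seed was a Unix timestamp within `window` seconds of
    approx_time (e.g. the encrypted file's mtime), regenerate the key for every candidate
    second and return the seed that matches, or None if no candidate reproduces it."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_key(candidate) == key:
            return candidate
    return None


if __name__ == "__main__":
    infection_time = int(time.time())  # the moment the weak generator derived its key
    key = weak_key(infection_time)
    # Later the file's mtime is known only roughly; one hour of slack is 7,201 guesses.
    found = recover_seed(key, infection_time + 300)
    print("weak key recovered from seed:", found == infection_time)
    print("strong key recoverable:", recover_seed(strong_key(), infection_time + 300) is not None)
```

An hour of uncertainty costs 7,201 candidate keys and a fraction of a second; even a whole year of candidate seconds (about 31.5 million) is a short job on one machine, which is why a timestamp seed is no protection at all. Against strong_key() the same search can only fail, because the key carries 128 bits of entropy that no timestamp narrows down.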

Jigsaw ransomware

There's no need for an explanation here.
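What researchers do with a sample like Jigsaw's, as the hardcoded keys section above describes, is look for key material sitting in plain view inside the binary. The scanner below is an added example, not Jigsaw's code nor any public decryptor. It pulls printable strings out of a constructed stand-in for a compiled sample (the blob, the path, the URL and the embedded key strings are all invented for this example), then keeps only the strings that decode, as hex or base64, to exactly 16, 24 or 32 bytes, which is how an AES key looks when it ships inside the program. A 20-byte hex string (SHA-1 sized) is included as a decoy to show the length filter doing its job.

```python
import base64
import binascii
import re
from typing import List, Tuple

AES_KEY_SIZES = {16, 24, 32}   # bytes: AES-128, AES-192, AES-256
MIN_STRING_LEN = 8

# Constructed stand-in for a compiled sample: non-printable filler with a few embedded strings.
_FILLER = bytes(b for b in range(256) if not 32 <= b < 127)
FAKE_BINARY = (
    b"\x7fELF" + _FILLER * 3
    + b"\x00C:\\Users\\victim\\Desktop\x00"                     # invented path
    + b"\x00" + base64.b64encode(bytes(range(32))) + b"\x00"   # constructed 32-byte key, base64
    + b"\x00da39a3ee5e6b4b0d3255bfef95601890afd80709\x00"      # SHA-1 of empty input: 20 bytes, decoy
    + b"\x00http://example.invalid/ransom-note\x00"             # invented URL
    + b"\x0000112233445566778899aabbccddeeff\x00"               # constructed 16-byte key, hex
    + b"\x00Your files are encrypted\x00" + _FILLER * 2
)

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> List[str]:
    """The `strings` step: every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def decoded_key_length(s: str) -> int:
    """Bytes the string would yield if it is hex or base64 of an AES key size, else 0.
    Hex is tried first: a 32-char hex string is also valid base64 (24 bytes), and the
    hex reading is the more likely one for key material."""
    if HEX_RE.match(s) and len(s) % 2 == 0:
        n = len(s) // 2
        return n if n in AES_KEY_SIZES else 0
    if B64_RE.match(s) and len(s) % 4 == 0:
        try:
            n = len(base64.b64decode(s, validate=True))
        except (binascii.Error, ValueError):
            return 0
        return n if n in AES_KEY_SIZES else 0
    return 0


def find_key_candidates(strings: List[str]) -> List[Tuple[str, int]]:
    """Strings worth a closer look, paired with the key length in bytes each decodes to."""
    candidates = []
    for s in strings:
        n = decoded_key_length(s)
        if n:
            candidates.append((s, n))
    return candidates


if __name__ == "__main__":
    for s, n in find_key_candidates(extract_strings(FAKE_BINARY)):
        print(f"{n * 8}-bit candidate: {s}")
```

On a real sample the candidate list is the starting point, not the answer: the next step is to confirm in the decryption routine that a candidate is actually used as the key, and to check for keys that are built at runtime (concatenated, XOR-obfuscated or derived from a hardcoded password) rather than stored verbatim, which this literal-string pass will not see.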

Countermeasures

You can avoid paying the ransom and spreading the ransomware by following these steps:

Recurrent backups

Offline backup storage

Take infected machines off the network

Avoiding the infection in the first place takes more effort.

There's a huge need to run an anti-phishing campaign among the employees of your company and to implement digitally signed email communication; keeping your operating system and programs updated is also crucial.

Final considerations

Being a catastrophic malware, ransomware's impact goes beyond the ransom price, but, as seen, ransomware can mis-implement core functionalities and end up vulnerable to file recovery.

If your company gets hit by some ransomware, don't panic.

Don’t pay the ransom.

Paying the ransom encourages cyber crime, and you have no guarantee that the files will be recovered.

40% of victims decide to pay up; don't become part of this statistic.

Wait for the private keys to leak or be discovered, and for some security company to release a file decryption tool.

For security researchers and enthusiasts, I've developed an open source ransomware with secure key generation and a strong cryptographic scheme.

Source code can be found on: https://github.com/tarcisio-marinho/GonnaCry

Patricia Marinho

Professor of Physiotherapy at the Universidade Federal de Pernambuco. PhD in Health Sciences.

4y

Very interesting!
