Not long ago, ransomware was a problem for consumers. Early versions hit unsuspecting users as early as 2005 but, while alarming, weren’t especially difficult to defeat. Even 10 years ago, the enterprise was a very different place than it is today, with BYOD in its infancy and far greater separation between work and personal environments. Ransomware authors also had not really begun to leverage the social engineering tactics that made infection much more likely, even for relatively savvy users.
Fast-forward to 2015 and attackers have upped the ante in a big way with the latest incarnations of ransomware:
- The use of exploit kits like Angler makes it much easier for attackers to inject malware onto vulnerable devices
- Phishing has gone way beyond Nigerian money scams – social engineering is sophisticated, effective, and pervasive
- Savvy money-laundering techniques using Bitcoin enable scale and anonymity
- The ransomware itself has become dramatically more sophisticated, particularly in its ability to identify critical files and encrypt them beyond the reach of available decryption technology, while leaving the computer functional so users are more likely to pay the ransom
The FBI drove home this last point in no uncertain terms this week at a cyber security conference in Boston:
“…if [an attack] involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom. ‘The ransomware is that good,’ said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. ‘To be honest, we often advise people just to pay the ransom.’”
As they say, an ounce of prevention is worth a pound of cure, and this is particularly true with modern ransomware. The “cure”, in this case, is often not as simple as formatting a hard drive, restoring a backup, and/or losing some work. CryptoWall Version 3, for example, can also encrypt files on accessible network drives, turning what used to be an isolated problem on an individual computer into a much larger issue for an organization.
Prevention then comes down to three things:
- Appropriate, layered security that can identify and block ransomware at the endpoint, as it attempts to contact command and control servers, via email gateways, and with content filtering that can block compromised sites distributing the malware
- User education, designed to make rampant social engineering less effective
- Regular backups that serve as a last resort in case of infection
The Cyber Threat Alliance (CTA), a coalition of top security vendors founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec, was formed to proactively address just this type of threat through deep research and information sharing. The group released its inaugural report today on CryptoWall Version 3 as part of its first project. The real question was whether a group of fierce competitors could collaborate not just in the sharing of malware samples as has been the practice for years, but on the development of indicators of compromise that contributed directly to security solutions for a problem like CryptoWall 3.
It turns out that they could and, in fact, developed a comprehensive report, real-time tracker, and open sourced 49 indicators of compromise. So why does this matter to the average business?
- CryptoWall Version 3 has cost businesses and consumers alike hundreds of millions of dollars
- Preventing infection with the sorts of threat intelligence generated by the CTA is the only effective means of stopping CryptoWall 3 and the losses associated with it
- CryptoWall 3, though highly sophisticated, is just the beginning. According to Derek Manky, Global Security Strategist for Fortinet, we can expect even more in the way of ransomware in the months and years to come:
“Bootkits are going to take ransomware to the next level…attacking the whole operating system and becoming more aggressive in the ransoms they are requesting as attackers examine the business value of the intellectual property they have encrypted.”
Bootkits, by the way, are persistent bits of malware that can’t be addressed by simply restoring a backup or wiping a hard drive. Again, prevention is the only real solution and organizations like the CTA will be at the forefront of protection, detection, and mitigation efforts going forward.