Ransomware detection and recovery tools and techniques are getting better. Unfortunately, so are ransomware developers. They are making ransomware harder to find and encrypted files harder to recover.
One advantage that security operations have had over ransomware is that it’s predictable. It works in a linear fashion, which gives security tools and teams an opportunity to limit damage once ransomware is detected. Now we’re seeing signs that ransomware creators are making their craft less predictable.
“At the end of the day, ransomware has to do one thing, and that’s overwrite or lock the file system,” says Brian Bartholomew, senior security researcher, Global Research and Analysis Team (GReAT) at Kaspersky Lab. The linear activity associated with overwriting or locking up data makes ransomware easy to detect, he notes. “If you think of all the files on a system as a list, ransomware just goes right down the list and starts encrypting them,” says Bartholomew.
Hackers are wising up and trying to change the predictable nature of ransomware to avoid detection. These are some of the new tricks they are using.
Slowing down the encryption process: “Some ransomware creators have spread out that routine a little bit so it doesn’t happen all at once. It happens over a longer period of time,” says Bartholomew. The goal is to stay below the threshold of any detection tool. “Say the AV is looking for 1,000 files being accessed in 10 seconds. Maybe they spread that timeframe over 10 minutes so the detection doesn’t happen,” says Bartholomew. “We’ve been seeing more and more of that.” He adds that a big danger of spreading the encryption over a long period is that the backup files might become encrypted, too.
Randomizing the encryption process: Ransomware creators have also been randomizing the order in which they encrypt or overwrite files rather than going through them linearly. This helps them evade anti-ransomware tools that look for a linear pattern.
Delivering ransomware through file attachments rather than email links: Malicious links in email are still by far the most common method for delivering ransomware. As organizations do a better job of educating users not to click on questionable email links, some ransomware perpetrators are shifting tactics. Instead of a link, they use a document attachment, which might be a PDF, a Microsoft Word document, or another common file type. That document contains a script that launches the ransomware.
“We’re seeing what used to be benign PDF files or JPEG photos now carrying malicious processes that can be introduced into your environment,” says Hyder Rabbani, COO of CyberSight, which sells an anti-ransomware product. “You get a message that says, ‘Here’s your invoice,’ or ‘Here’s your photo.’ People always click on those things.”
Encrypting the hard drive’s boot code: Perhaps more diabolical, some hackers are bypassing the files and going for the hard drive’s boot code. “We’ve seen folks that target the guts of the hard drive, the master boot record. It’s the very beginning of the hard drive,” says Bartholomew. “If they can corrupt that, then they can hold the rest of your hard drive for ransom without having to encrypt every file.”
Using polymorphic code: The use of polymorphic code also complicates ransomware detection. “For each instance that the malware is installed on a different victim, it will slightly change its code before it spreads again,” says Bartholomew. “It makes it difficult to statically detect the ransomware files.”
Rabbani notes that the frequency at which polymorphic code changes—as quickly as every 15 or 20 seconds—is what makes detection so hard. “Once you figure out the signature of that ransomware, it becomes easier to stop,” he says. “However, as the code keeps changing it appears to be new ransomware, making it very difficult to stop.”
Using multi-threaded attacks: The typical ransomware attack launches a single process to perform the encryption. In a multi-threaded ransomware attack, the main ransomware code launches multiple child processes to accelerate the encryption and make it harder to stop. “Maybe you can stop one or two, but the others execute and continue to cause damage,” says Rabbani. “It becomes exponentially more difficult [to stop the parallel attacks].”
One horror scenario that Rabbani sees is multi-threaded attacks combined with polymorphic ransomware code. “You can just quickly overwhelm the processor and memory, and everything declines rapidly,” he says.
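The three evasions above (spreading encryption out over time, randomizing file order, and splitting the work across child processes) all target the same kind of rule: "N file writes by one process within a short window." The following is an added example, not code from the article or from any vendor it mentions, showing why that rule alone fails and how a defender can harden it. It is a small Python event-rate detector run over constructed file-write events (a hypothetical `WriteEvent` record with a timestamp, pid, parent pid and path); the thresholds are scaled down from the "1,000 files in 10 seconds" figure so the samples stay small. The hardened version counts writes per process tree rather than per process, and keeps a second, ten-minute window alongside the ten-second one; because both are simple counters, the order in which files are touched makes no difference, which is why randomized traversal buys the attacker nothing here.

```python
"""Added example (not from the article): a window-based file-write rate
detector.  A single short window per process misses slow-drip and
multi-process encryption; counting per process tree over two windows
catches both.  All events and paths below are constructed."""
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float    # seconds since monitoring started (constructed clock)
    pid: int
    ppid: int
    path: str


def attribute_to_tree(events):
    """Map each writing pid to its top-most ancestor that also wrote files,
    so a parent and its worker children are counted as one actor."""
    parents = {e.pid: e.ppid for e in events}
    writers = set(parents)

    def root(pid):
        while parents.get(pid) in writers and parents[pid] != pid:
            pid = parents[pid]
        return pid

    return {pid: root(pid) for pid in writers}


def detect(events, short_window=10.0, short_limit=100,
           long_window=600.0, long_limit=300, per_tree=True):
    """Return one (actor, kind, ts) alert per actor that exceeds the burst
    threshold or, when long_limit is set, the slow-drip threshold."""
    roots = attribute_to_tree(events) if per_tree else {}
    windows = defaultdict(lambda: (deque(), deque()))
    flagged, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev.ts):
        actor = roots.get(e.pid, e.pid)
        if actor in flagged:
            continue
        short, long_ = windows[actor]
        short.append(e.ts)
        long_.append(e.ts)
        # drop timestamps that have aged out of each window
        while e.ts - short[0] > short_window:
            short.popleft()
        while e.ts - long_[0] > long_window:
            long_.popleft()
        if len(short) >= short_limit:
            alerts.append((actor, "burst", e.ts))
            flagged.add(actor)
        elif long_limit is not None and len(long_) >= long_limit:
            alerts.append((actor, "slow-drip", e.ts))
            flagged.add(actor)
    return alerts


def naive_detect(events):
    """The single-window, per-process rule the evasions are built to stay under."""
    return detect(events, long_limit=None, per_tree=False)


DOCS = "C:/Users/alice/Documents/"   # constructed path prefix


def burst_events(n=150, pid=500):
    """Classic linear ransomware: 150 files rewritten in 7.5 s.  File order is
    shuffled to show that randomizing the traversal does not change the rate."""
    order = list(range(n))
    random.Random(7).shuffle(order)
    return [WriteEvent(i * 0.05, pid, 1, f"{DOCS}file{order[i]}.docx.locked")
            for i in range(n)]


def slow_drip_events(n=350, pid=600):
    """One file every 1.5 s for about nine minutes: never 100 inside any
    10 s window, but well over 300 inside a 10-minute window."""
    return [WriteEvent(i * 1.5, pid, 1, f"{DOCS}file{i}.xlsx.locked")
            for i in range(n)]


def multithreaded_events(children=4, per_child=40):
    """Parent pid 500 drops a note, then four workers each rewrite 40 files
    in 8 s: each worker alone stays under the burst limit, the tree does not."""
    events = [WriteEvent(0.0, 500, 1, f"{DOCS}README_RESTORE.txt")]
    for c in range(children):
        events += [WriteEvent(i * 0.2, 501 + c, 500, f"{DOCS}w{c}_f{i}.pdf.locked")
                   for i in range(per_child)]
    return events


def benign_events():
    """A word processor autosaving one document every 30 s for ten minutes."""
    return [WriteEvent(i * 30.0, 700, 1, f"{DOCS}report.docx") for i in range(21)]


if __name__ == "__main__":
    samples = [("burst", burst_events()), ("slow-drip", slow_drip_events()),
               ("multi-threaded", multithreaded_events()), ("benign", benign_events())]
    for name, evs in samples:
        print(f"{name:15s} naive={naive_detect(evs)}  tree+long={detect(evs)}")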
Improving their ransomware code-writing skills: Writing decryption tools is getting harder as ransomware developers improve their craft. “Getting a decryption tool relies on a couple of things,” says Bartholomew. “The ransomware author makes a mistake in how they implement the encryption process. They don’t do proper key management, for example, or they use a predictable number generator for a key.” Those mistakes allow researchers to recover the ransomware decryption keys.
“That happens more times than not,” says Bartholomew. “Usually the guys writing this stuff are not encryption experts.” He sees that changing, noting that he’s helping with a case that involves a new version of the Crysis ransomware. “With earlier versions of Crysis, the author made mistakes with the encryption, so we were able to write decrypters. Now they fixed it and there’s no way to decrypt it, and we’ve gone through it with a fine-toothed comb.”
Ransomware as a foil: Another trend that Bartholomew has seen rise sharply in the last year is cybercriminals using ransomware as a distraction to hide another type of attack, or simply to destroy and disrupt. “They are using ransomware as a plain old destructive attack to maybe further some political agenda or wreak havoc on the internet, or they use it as a cover-up that allows them to install malware somewhere else.”
Using ransomware for financial gain is still the most common motive for criminals. According to a recent survey by SentinelOne, 62 percent of all ransomware attacks are for financial gain, while 38 percent are to disrupt the business. Only 24 percent are politically motivated. Bartholomew worries that this could change. “We’ve got a couple of actors that have really crossed that line now, and once it’s been crossed, it’s just going to get worse. More actors will adopt this technique.” He cites one wave of the WannaCry ransomware that left files with no way to decrypt them.
The two groups most often discussed in the news as likely to launch destructive ransomware attacks are state-sponsored actors working on behalf of countries like Iran or North Korea, and hacktivists. “This is not something a high-schooler can do. To launch a successful destructive campaign, you need an exploit,” says Bartholomew. He cites WannaCry, which used an exploit for which no one had a patch. “There was no way you could stop that thing from spreading at first.”
The only way for an organization to protect itself against these types of ransomware attacks is to maintain good security hygiene, make sure users get proper ransomware training, and have solid backup and recovery processes in place. Bartholomew notes that some companies use thin clients, where users’ systems have no hard drive and users log into a virtual system. “Those are easy to revert back to because they are virtual systems,” he says.
Targeting modern operating systems less: The latest versions of Microsoft Windows 10 and Apple macOS are harder nuts for ransomware attackers to crack than earlier iterations. The good news for ransomware attackers is that millions of poorly patched and poorly updated systems running older operating systems are still in use.
“Attacks targeting newer operating systems are a little less popular, only because it’s easier to hit known vulnerabilities,” says Rabbani. He notes that CyberSight has “massive customer demand” to provide ransomware protection on Windows XP systems. “We hear almost daily of customers who are [for example] running XP on all their POS [point of sale] systems, and there’s a vulnerability that’s exploited,” he says.
Finding new ways to move laterally across a network: Rabbani expects incidents of lateral movement by ransomware to “go up significantly.” A user might use a mobile device at a Starbucks or hotel, for example, and someone might be able to load malware onto the device through a compromised communications port. “From there they can traverse the network and get into the company servers,” he says. “That has a very high likelihood of increasing.”
Delaying ransomware attacks: One tactic that Rabbani expects to see more of in the near future is what he calls “laying of Easter eggs,” where ransomware infects a system but lies dormant for a period of time before activating. “Someone could use compromised credentials to plant ransomware Easter eggs that go off down the road,” he says. In the meantime, the attackers have had an opportunity to spread the malware further.
How researchers adapt to evolving ransomware threats
None of these adaptations make ransomware undetectable. “You have to take each one as known and write detections for it. Analyze it, see how it behaves, and then change your detections,” says Bartholomew, describing how Kaspersky adapts to new ransomware tactics. “It’s a constant cat-and-mouse game.”
Some anti-ransomware tools are taking a more data-driven approach to keep up with ransomware’s evolving nature. The developers of ShieldFS, for example, call it “a self-healing, ransomware-aware filesystem.” Announced at Black Hat USA last summer, ShieldFS builds detection models from a publicly available dataset, which allow it to tell the difference between ransomware behavior and normal processes. If it detects ransomware, ShieldFS can automatically revert corrupted files to their pre-ransomware state.
ShieldFS is currently a research project from the NECSTLab at DEIB in Milan, Italy. You can find a technical description here. A demo of ShieldFS taking on WannaCry at Black Hat is here.
Better collaboration and communication are also important weapons against ransomware. Bartholomew cites a project that Kaspersky Lab helped launch, called No More Ransom! The project collects and makes available ransomware decryption tools, offers prevention advice, and provides a way to report ransomware crimes to the community.
Cooperating with law enforcement is an important aspect of No More Ransom! “We can get keys by having law enforcement help us by seizing a server being used by the attacker,” says Bartholomew. If the private keys are on the server, project members can make them available through the website and write decryption tools.
To defeat evasion by disguising or changing the ransomware’s signature, some vendors focus on behavioral analysis, sometimes using machine learning, to identify it. The approach is effective against known threats, but less so against new ransomware, since the vendor does not yet have the data needed to recognize it.
The challenge is to identify new threats, build the datasets that the behavioral analytics need to detect them, and then distribute those datasets to everyone who needs them as quickly as possible. That’s what CyberSight is doing with its RansomStopper product. “We curate the latest and greatest ransomware strains and then run them through our software to see their behavior,” says Rabbani.
They then use machine learning to create a machine-based solution for each strain. Rabbani says that those solutions are then pushed out through a federated cloud environment that updates the algorithms on every system running the CyberSight software.
Machine learning might play a bigger role in identifying new ransomware variations. Some have suggested using it to predict how a particular strain will change with the next iteration based on earlier versions. This work is still largely theoretical, but it shows how machine learning might eventually be able to anticipate new ransomware threats and be ready for them when they hit.