The attackers – who are they?
One of the first questions that may be asked is, “Who is doing this?”. Analysis within the malicious code provides various clues, but there is evidence that the North Korea may have some involvement. The WannaCry attack that hit our NHS came from there, as did the attack on the Bank of Bangladesh, netting a cool $80M.
Other clues include an instruction in the code that stops the malware from infecting any computer where the system language is set to Russian, Belorussian, or Ukrainian. This gives a clue as to the origin of some threat actors, who may be attempting to avoid prosecution by local law enforcement.
However, John Douglas of First Response points out that the software is often available on an ‘affiliate’ model, whereby the malware is made available as a pre-packaged product on the dark web, and a share of any profits is passed from the actual threat actor to the supplier of the software. The attack may therefore have been launched from a variety of places, including former Soviet and Eastern European republics, but also from countries such as Turkey and Nigeria. This model is becoming known as RAAS, or Ransomware-as-a-Service.
The use of Bitcoin may prevent discovery of the recipients’ identity when a ransom has been paid, but a form of ‘traffic analysis’ can be performed on the Bitcoin transaction detail held in the blockchain, identifying transactions to other wallets, and thereby determining the flow of funds.
While previously, Douglas reports, the criminals tended to be unrealistic in their demands and their methods of operation, now they are far more amenable to reason. Though some attacks are launched at specific cash-rich targets, a large number find their way to smaller enterprises with little experience of dealing with these matters.
While initially many of these attackers demanded impossibly large sums of money from their victims, somewhat in the manner of Dr Evil in the Austin Powers series of films (where he goes back in time to 1969 and demands $100 billion as a ransom), this has now changed. Douglas reports negotiations with one attacker where the victim company truthfully informed the threat actor that the amount demanded was unrealistic, to which a lower figure was proposed and accepted.
In addition, while the ransom notes provide some data on paying by Bitcoin, the vast majority of SMEs have no experience with crypto-currency accounts, which can take some time to set up. Again, unrealistic timescales for the payment of the ransom in this way have become more relaxed, and can be negotiated.
As to the good faith of the attackers, it would seem that this may increasingly be taken as given. After all, it makes little sense for a ransom to be paid without the “service” (decryption process) being delivered, as word will spread, and future victims will feel disinclined to follow the instructions given by the attackers. It’s true too that law enforcement has grudgingly accepted that in some cases paying the ransom may be the only way out for a poorly prepared victim company.
“The attackers are running this as a business” says Douglas. “A dirty and crooked business, to be sure, but they have to establish a level of trust, or the business will cease to be profitable.”
As mentioned earlier, there is no magic wand that can be waved to undo or break the encryption. Cryptography has reached a state where it is impossible to pick the avocado back out of the guacamole.
However, if your organisation has off-line backups, it may be possible to go back in time. The important thing is that these backups should be offline at the time that the ransomware attack occurred. If disk-based backups were online at the time (that is, connected to the computer and readable) then they, too, will likely be encrypted by the attacker.
However, simply making backups is no guarantee of security. John Douglas of First Response quotes a real-life case where a company had been contracting the backup responsibilities to a third party for almost fifteen years. These backups were regularly and conscientiously made to a set of backup tapes, which were stored securely offsite. The problem was that the actual tapes used had not been replaced for nearly 15 years. The result? The oxide on which the data should have been recorded had been worn away to the point where the tapes were nearly transparent. There was no way that these backups could ever have been used to restore the data.
On the other hand, there may be some surprising treasures hidden in a company’s vaults. Douglas recounts how when one company moved from individual physical servers to virtual machines, the contents of the servers were imaged as part of the migration process. When the ransomware struck, all the online backups were encrypted along with the live data, but these older data images were still available. As a result, key applications and data more than a year old could be restored. Clearly there was work to be done in restoring the system completely, but the task was made much easier by the use of these half-forgotten archives.
In today’s climate where ransomware can strike at any time through a variety of vectors, it makes sense when designing a backup strategy to disconnect backup disks when they are not actually being used for backups or restores, meaning that if disaster strikes, the backed-up data will not be affected. It is critical to verify the integrity of backups at regular intervals. Companies must do test restores of data to ensure that backups are reliable.
But, if the worst comes to the worst, follow the advice on the front of the Hitchhiker’s Guide to the Galaxy: DON’T PANIC!
Easy to say, more difficult to do, but it becomes easier if you seek the help of specialists who have been there before and can guide you through the processes of containing the damage, dealing with the threat actor’s demands, and restoring normality to the system.
View part 1 of this article here: https://first-response.co.uk/ransomware-how-does-it-work-part-1/
How we can help
If you are the victim of a ransomware attack, give us a call on 02071934905 or send us an email to [email protected], and one of our specialist Incident Responders will help you through the process of dealing with this extraordinary and stressful event.
Also, if you feel that your enterprise may be at risk, feel free to call us for an assessment of your situation, and for recommendations to make your system more secure and resilient.
Further information on our managed cybersecurity services is available here.
Other articles of interest
This article looks at problems encountered when responding to a ransomware attack, the types of organisations that are targeted, the disruption of services that you can expect and regulatory implications you may face.