Ransomware – How does it work? (part 1)
Every day, many businesses and organisations find their operations grinding to a painful halt as a result of an attack by threat actors deploying ransomware on their IT systems. John Douglas, Technical Director at First Response, now believes that “ransomware is the new normal, and represents the ambient level of malware”.
In a ransomware attack, an organisation awakes to find that all their data has been encrypted and is now useless. The current state of cryptography is such that it is literally impossible – with current technology – to brute-force the encryption keys to restore the files within the lifetime of the universe.
The mechanism by which the encryption is performed is multi-layered, and to complicate matters still further, each hijacked file is encrypted with a different key, meaning that even if a solution to one file is found, this will have no effect on all the other files.
The malware has sophisticated methods for keeping itself alive, even when an experienced system administrator stamps out attacking processes, and attempts recovery. Of course, the ransomware leaves certain parts of the system untouched, for example the basic operating system and a Web browser, thereby allowing the victim to negotiate with the attacker and pay the ransom.
A message appears on victims’ screens, informing them that a ransomware attack has taken place, and requesting money to be sent to a Bitcoin account. Bitcoin, the original and largest cryptocurrency, works through blockchain technology, and provides a certain level of anonymity for the attacker.
Upon receipt of the requested sum in the attacker’s account, the encrypted files are restored to clear text, and all is well.
But how did all this occur? From his experience, Douglas claims that RDP (Remote Desktop Protocol) is often the culprit. Having scanned and discovered an open RDP entry point to a company’s network, the attacker uses a brute-force password attack to force entry into the administrator account on a server that allows remote logins. This can be a physical server or a virtual machine on a cloud service. If the Account Lockout Threshold for the Admin account is set to 0, the attacker can make as many attempts as they like to crack the password. If the RDP server also acts as a domain controller, the end result is catastrophic.
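To make the Account Lockout Threshold point concrete from the defender's side, here is an added example (not from the article or from First Response) that counts failed RDP logons per source address and target account in Windows Security log records and flags sources that exceed the threshold the lockout policy would have enforced. The field names follow Windows Event ID 4625 (LogonType 10 is RemoteInteractive, i.e. RDP); the records, timestamps and addresses are constructed.

```python
"""Detect RDP password-guessing in Windows Security log records.

Added example, not from the original article. Each record is a dict whose
keys mirror Event 4625 data: TimeCreated, EventID, TargetUserName, IpAddress,
LogonType (10 = RemoteInteractive / RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(t, user, ip, event_id=4625, logon_type=10):
    """Build one constructed log record (assumed export shape)."""
    return {"TimeCreated": t, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample data: six failures against Administrator from one
# address within five minutes, two typos by a normal user, one success.
SAMPLE_EVENTS = [
    _ev(f"2024-01-10T02:0{i}:00", "Administrator", "203.0.113.7")
    for i in range(6)
] + [
    _ev("2024-01-10T09:15:00", "jsmith", "198.51.100.4"),
    _ev("2024-01-10T09:15:40", "jsmith", "198.51.100.4"),
    _ev("2024-01-10T02:06:30", "Administrator", "203.0.113.7", event_id=4624),
]


def failed_rdp_logons(events, threshold=5, window=timedelta(minutes=30)):
    """Return {(ip, account): max_attempts} for every source whose failed
    RDP logons reach `threshold` within any span of length `window`.

    With Account Lockout Threshold = 0 the domain never counts attempts,
    so the log is the only place the pattern becomes visible.
    """
    per_source = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4625 or e.get("LogonType") != 10:
            continue  # only failed RDP logons are relevant here
        stamp = datetime.fromisoformat(e["TimeCreated"])
        per_source[(e["IpAddress"], e["TargetUserName"])].append(stamp)

    alerts = {}
    for key, stamps in per_source.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):  # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts
```

Running it on the constructed data flags only the Administrator account hammered from 203.0.113.7; the two failures by jsmith stay below the threshold.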
Once safely inside the server, the attacker plants a “land mine”, to be triggered by the next authorised person who logs onto the server. Not only will this start an almost unstoppable chain of processes on the server, but the infection will also spread to any network shares that are available to the system, and from those network shares to any that have user data present.
A cursory look at the log files may appear to show that a particular user was responsible for introducing the malware into the network, and the blame will therefore be apportioned unjustly – the user merely happened to trip the booby trap.
Of course, this is not the only vector by which ransomware can attack. Poisoned files, such as PDFs, can also carry a destructive payload, and ransomware carried in this way is just as hard to stop, and is as irreversible as that delivered by any other method.
If you need help with a ransomware attack please contact First Response at the earliest opportunity.