Scrutinising the new phase of ransomware
Keywords: cyber threats, ransomware, Microsoft, CPUs, bitcoin
Unfortunately, this prediction came true very quickly. By February 2016 we had several examples of a quiet ransomware campaign targeted at the critical processes of specific industries, such as healthcare and local government, whose operators would quickly pay the ransom to restore business operations. Following the financial trail of this campaign points to an experienced ransomware group that appears to have already collected a significant amount in bitcoin ransoms.
These attacks differ substantially from the previous, random approach. Instead of relying on the uncertain outcome of phishing emails to get their malware onto a computer, this group exploited a specific web-server vulnerability to gain a foothold, going after interesting targets in multiple countries that had not patched it. They split the malware into separate components to avoid detection by scanners, using scripts, batch files, and Microsoft Sysinternals tools. The goal is quiet, persistent access, not a quick snatch and grab.
Once on the exploited web server, they queried Active Directory for a list of hosts, then pinged each one to determine whether it was live. After generating a 2048-bit public key for each system, they distributed the ransomware to the assembled list of live hosts. On each host they worked methodically, identifying files locked by a running process and paying particular attention to potential local backups. Those processes are killed, unlocking the files so that they can be encrypted, after which the originals are deleted.
With access to the entire system and all of its guards disabled or dead, the kidnappers begin the actual encryption. Again showing their intent to extract the largest ransom, they skip the quick win of Office files and avoid the Windows and Recycle Bin directories. Using an asymmetric encryption algorithm, the malware goes after the smaller files first, maximising the number of encrypted files in case the process is terminated prematurely.
With cold patience they move through the compromised network, encrypting system after system. As each encryption completes, the original files are deleted. Local backups are deleted, and then the ransomware itself is deleted, leaving nothing to analyse or reverse engineer. Secure-delete functions are used for removing both the original files and the ransomware, to ensure that they cannot be recovered from the disk.
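The foothold, host sweep, lock-breaking and secure-delete steps described above each leave process-creation telemetry. The following is an added hunting example, written for this article and not code from McAfee Labs or from the campaign itself: it runs three rules over a constructed process-creation log. The event shape, host names, IP addresses, account names and timestamps are all made up for illustration, and the tool names in the sets at the top, the sweep threshold and the time window are assumptions to tune per environment.

```python
"""Hunting for the chain described above: a web-server worker that starts shell
tooling, sweeps the network with ping, force-kills processes holding files open
and then wipes with a secure-delete tool. Log format and events are constructed
for this example; they are not real telemetry from the campaign."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names; tune to the web stack and tooling in your environment.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
KILLERS = {"taskkill.exe", "pskill.exe"}      # force-kill lock holders
WIPERS = {"sdelete.exe"}                      # secure delete (Sysinternals)


def ev(ts, host, user, parent, image, cmdline):
    """One process-creation event in the constructed log shape used here."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "image": image, "cmdline": cmdline}


POOL = "IIS APPPOOL\\DefaultAppPool"   # hypothetical web worker identity
SYSTEM = "NT AUTHORITY\\SYSTEM"
SAMPLE_EVENTS = [  # constructed sample; hosts, IPs and times are made up
    ev("2016-02-10T02:00:05", "WEB01", POOL, "w3wp.exe", "cmd.exe",
       "cmd.exe /c C:\\inetpub\\wwwroot\\stage.bat"),
] + [
    ev(f"2016-02-10T02:00:{10 + i:02d}", "WEB01", POOL, "cmd.exe", "ping.exe",
       f"ping -n 1 10.0.1.{11 + i}") for i in range(8)
] + [
    ev("2016-02-10T02:03:00", "WEB01", POOL, "cmd.exe", "psexec.exe",
       "psexec.exe \\\\10.0.1.11 -s cmd /c C:\\Windows\\Temp\\run.bat"),
    ev("2016-02-10T02:03:30", "FS01", SYSTEM, "cmd.exe", "taskkill.exe",
       "taskkill /F /IM sqlservr.exe"),
    ev("2016-02-10T02:41:12", "FS01", SYSTEM, "cmd.exe", "sdelete.exe",
       "sdelete -p 3 D:\\Backups\\finance.bak"),
    # Benign noise: an administrator pinging a single box from a workstation.
    ev("2016-02-10T09:15:00", "WS22", "CORP\\alice", "explorer.exe", "ping.exe",
       "ping 10.0.1.5"),
]


def parse_ping_target(cmdline):
    """Last non-option, non-numeric token of a ping command line, or None."""
    args = [t for t in cmdline.split()[1:] if not t.startswith("-") and not t.isdigit()]
    return args[-1] if args else None


def find_shell_from_web_worker(events):
    """Rule 1: a web worker process should never spawn a shell or script host."""
    return [{"rule": "web_worker_spawned_shell", "host": e["host"], "user": e["user"],
             "detail": f'{e["parent"]} -> {e["cmdline"]}'}
            for e in events
            if e["parent"].lower() in WEB_WORKERS and e["image"].lower() in SHELLS]


def find_ping_sweeps(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 2: many distinct ping targets from one (host, user) inside a window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["image"].lower() == "ping.exe":
            target = parse_ping_target(e["cmdline"])
            if target:
                by_actor[(e["host"], e["user"])].append((e["ts"], target))
    findings = []
    for (host, user), pings in by_actor.items():
        pings.sort()
        for i, (start, _) in enumerate(pings):
            targets = {t for ts, t in pings[i:] if ts - start <= window}
            if len(targets) >= threshold:
                findings.append({"rule": "ping_sweep", "host": host, "user": user,
                                 "detail": f"{len(targets)} distinct targets within {window}"})
                break  # one finding per actor is enough
    return findings


def find_lock_breaking(events):
    """Rule 3: forced process kills and secure-delete tool execution."""
    findings = []
    for e in events:
        img = e["image"].lower()
        if img in KILLERS and "/f" in e["cmdline"].lower().split():
            findings.append({"rule": "process_kill", "host": e["host"],
                             "user": e["user"], "detail": e["cmdline"]})
        elif img in WIPERS:
            findings.append({"rule": "secure_delete", "host": e["host"],
                             "user": e["user"], "detail": e["cmdline"]})
    return findings


def hunt(events):
    """Run all three rules; returns a list of finding dicts."""
    return (find_shell_from_web_worker(events) + find_ping_sweeps(events)
            + find_lock_breaking(events))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['detail']}")
```

Run it as a script to print the findings. The sweep rule keys on distinct ping targets per (host, user) inside a time window rather than on ping alone, so the single administrative ping in the sample is not flagged; the real signal is the combination of the three rules on the same hosts within the same hour, which is what an analyst should pivot on.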
The goal of this group is money, so they have to keep the ransom within an affordable range. Breaking a 2048-bit key by brute force is far beyond any practical computing effort, so without the private key recovery of an encrypted system is virtually impossible. With an opening request of one bitcoin, about US$400 at the time, per system, the cost of recovery seems cheap for one system but quickly multiplies to prohibitive amounts. We have been told of kidnappers demanding millions in ransom, but since money is their ultimate goal they are being "reasonable" and open to negotiation. Analysing the bitcoin wallets and related transactions, it appears that many victims have paid up.
This new phase of ransomware is cold and heartless. The best defence is ensuring that system patches and security software are up to date, and that backups are stored offline. Check those backups regularly, too, because another emerging threat quietly encrypts the backups before ransoming the primary system.
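The closing caveat, that an attacker may encrypt backups before ransoming the primary system, calls for more than a file listing: an encrypted backup keeps its name and roughly its size. The following is an added example, written for this article and not McAfee's code nor a description of the threat's own routine, that assesses backup files three ways: the expected format signature, whether the archive actually parses, and byte entropy for plain-text formats. The file signatures, the entropy threshold and the sample files are assumptions constructed for this illustration.

```python
"""Backup sanity check for the caveat above: a backup that has been silently
encrypted keeps its name and size but loses its format signature, stops opening
and (for plain-text formats) shows near-random byte entropy. Added example; the
signatures and thresholds are assumptions, not findings from the campaign."""
import gzip
import math
import os
import tempfile
import zipfile
from collections import Counter

SIGNATURES = {".zip": b"PK\x03\x04", ".gz": b"\x1f\x8b"}   # assumed magic bytes
PLAINTEXT = {".csv", ".sql", ".txt"}   # formats expected to be low-entropy text
MAX_TEXT_ENTROPY = 6.0                 # bits/byte; CSV/SQL text sits well below
SAMPLE_BYTES = 1 << 16                 # only the head of each file is sampled


def shannon_entropy(data):
    """Bits per byte of the sample; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def opens_cleanly(path, ext):
    """Actually parse the archive: the only real proof a backup is restorable."""
    try:
        if ext == ".zip":
            with zipfile.ZipFile(path) as zf:
                return zf.testzip() is None and len(zf.namelist()) > 0
        if ext == ".gz":
            with gzip.open(path, "rb") as f:
                while f.read(1 << 20):
                    pass
            return True
    except (OSError, EOFError, ValueError, zipfile.BadZipFile):
        return False
    return False


def assess_backup(path):
    """Verdict for one file: signature + parse for archives, entropy for text."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    if ext in PLAINTEXT:
        ok = entropy < MAX_TEXT_ENTROPY
    else:
        magic = SIGNATURES.get(ext)
        ok = magic is not None and head.startswith(magic) and opens_cleanly(path, ext)
    return {"path": path, "entropy": round(entropy, 2),
            "verdict": "OK" if ok else "SUSPECT"}


def check_backup_dir(directory):
    return [assess_backup(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))]


def make_samples(directory):
    """Constructed sample backups: three healthy, three overwritten with random
    bytes (standing in for an encrypted copy left under the original name)."""
    payload = b"id,amount\n" + b"".join(f"{i},{i * 7}\n".encode() for i in range(5000))
    with open(os.path.join(directory, "good.csv"), "wb") as f:
        f.write(payload)
    with zipfile.ZipFile(os.path.join(directory, "good.zip"), "w",
                         zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("finance.csv", payload)
    with gzip.open(os.path.join(directory, "good.csv.gz"), "wb") as f:
        f.write(payload)
    for name in ("ransomed.csv", "ransomed.zip", "ransomed.csv.gz"):
        with open(os.path.join(directory, name), "wb") as f:
            f.write(os.urandom(len(payload)))


def demo():
    """Build the samples in a temp dir and return {name: verdict}."""
    with tempfile.TemporaryDirectory() as d:
        make_samples(d)
        return {os.path.basename(r["path"]): r["verdict"] for r in check_backup_dir(d)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

Entropy alone cannot separate a healthy compressed backup from an encrypted one, since both look random; that is why the archive formats are judged by signature and by an actual parse, and the entropy test is reserved for formats that should be plain text. In production, run this from a host the backup jobs cannot write to, and treat any SUSPECT verdict on a file that was OK on the previous run as an incident, not a glitch.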
The research of this article resulted from a joint discovery made by McAfee Labs' Christiaan Beek and Andrew Furtauk.