With the rise in popularity of cryptocurrency, we have seen a drastic increase in ransomware attacks. Where the PC Cyborg trojan (1989) asked victims to purchase a decryption tool from a shell company, modern ransomware viruses demand payment in the form of cryptocurrency. Simply put, it has become a lot easier to get paid without being caught.
Types of Ransomware
As is often the case in cybersecurity, the categories we use in classification of malware are constantly shifting based on new attack methods and characteristics. With regards to ransomware, the most important characteristic is if its Cryptoware, does it encrypt something, or not.
- Exfiltrates sensitive files and process to blackmail target for ransom
- Lock screens: access restriction but not encryption
- File Encrypting: encrypts files to compromise the availability
- Master Boot Record Encryption: encrypts the master boot record and prevents the machine from booting up.
Response to Ransomware
Responding to ransomware incidents is always tricky, knowing if the ransomware possesses virus-like characteristics (such as spreading through your network) will be important during your response. For the sake of simplicity, I’ll be focusing on what to do once you’ve already been hit.
I like to think of solutions as being either a hammer or a scalpel, the former being quick and easy but inconsiderate of collateral damage, the latter being more precise but requires more specialized people and tools.
In this situation, the hammer approach would be to wipe all the systems and restore the backups. This does require the availability of appropriate backups and goes to emphasize the importance of having strong backup and recovery procedures. Assuming you also fix the vulnerability exploited in the first place, this will resolve the incident. (remember to store your backups somewhere out of reach before they to get encrypted)
Now a scalpel solution is going to be tailor-made to your situation, but to give a cool generic solution; decryption key recovery.
In the past, Anti-virus vendors have established repositories of recovered decryption keys for ransomware such as CoinVault and Bitcryptor (Kaspersky, EMSISOFT).
Now the recovery of these keys can be done by forensic investigators, but it relies on there being 1 of 3 flaws in the ransomware;
1- The ransomware uses symmetric encryption (meaning the same key is used to encrypt and decrypt)
2- The ransomware uses the same decryption key for all its victims
3- The decryption key is stored in the victim’s device.
These flaws exist because of the simple fact that the attacker has limited resources. To be able to correctly use asymmetric encryption (meaning there is a key for encryption and a key for decryption) and maintain the infrastructure to store every single decryption key is no small feat. This is also the reasons why you can never assume paying the ransom will resolve the incident, often times the attack never had the decryption key in the first place.
- paying the ransom is a bad idea, but you knew that already
- Have backups (and make sure they work!)
- Forensic investigators might be able to find the key