In today's heightened threat environment, it is a constant battle for IT security departments to stay on top of all possible attacks and vulnerabilities they could encounter.
With insider threats on the rise and the continuous danger posed by external hackers, coupled with the alarmingly quick development of stronger and new forms of attack, it has never been more important for organizations to make sure that they have water-tight security systems and policies.
Hackers and in particular organized crime groups, are now of the firm realization that rather than just causing disruption, there is a great deal of money to be made from cybercrime.
As a result these groups seem to be pulling out all the stops to infiltrate organizations, develop more targeted attacks and further close ever-shrinking vulnerability windows (the time between the discovery of a vulnerability and an exploit being written). And, the most recent addition to the arsenal of the cyber-criminal is a process we usually associate with security and protection - encryption.
Held to ransom
The latest attack to make the news is Ransomware. Ransomware is yet another form of malware that is in effect cyber-kidnapping, as it encrypts information on a target machine then extorts payment from the victim. It isn’t a new form of attack, but with more attacks being geared towards financial gain, it has recently received a boost in popularity.
A user will be tricked into executing malicious code that encrypts files, then a message left by the code instructs the user to send money to a specific location in exchange for a key to unlock their information.
This is also known as a DOR, or denial of resources attack and as with distributed denial of service (DDOS) attacks for profit and other types of cyberextortion, victims are often worried that if they do pay, they will just become a greater target with an increase in the number and severity of future attacks.
Some organizations feel that they have to pay because of the damage that could be done if they do not. This damage may include diminished brand image, poor shareholder faith, loss of customers, regulatory fines, legal expenses, public relations costs, and lost revenue.
These people are often embarrassed by the situation, which is why attacks like ransomware often go unreported. As a result, it is difficult to pinpoint exactly how pervasive ransomware actually is.
Those criminals that request small amounts of money or have the victims make small online purchases at predetermined sites tend to have greater success than those requesting thousands of pounds.
These criminals typically use online currency such as Webmoney and eGold for payments thus flying under the radar of law enforcement agencies because they are not dealing in sovereign currency. They may also use traditional payment methods such as wire transfers.
Attacking evolution
Currently, most ransomware attacks are geared to random systems and typically attack home users with high-speed internet connections. For the victim of the attack, like being infected by any type of malware, it is a stressful situation, but it doesn't have the ramifications of a targeted encryption-based attack against a business or government entity, demanding thousands of pounds.
The real concern is that these type of attacks will become the norm – evolved ransomware attacks with a targeted nature that propagate rapidly to hit hundreds of thousands of targets in minutes. Attacking discriminately, these are undetectable by current security safeguards, and utilize more complex encryption functionality.
The first piece of ransomware to use a sophisticated encryption algorithm was Gpcode.ac. This malware was detected in January 2006 and used the RSA algorithm to create a 56-bit key. Later, the author of Gpcode.ac released several more complex variants of the virus and in June of 2006 released Gpcode.ag, which used a 660-bit key.
With continued criminal focus on using encryption as a vehicle for attack rather than defence, it is likely that we'll see a substantial increase in these exploits and their complexity in the years to come.
Targeted scenarios
For example, a cryptoworm (a form of ransomware) could be targeted against a specific retailer. It follows the logic of a blended threat by spreading through multiple avenues such as copies of the worm being emailed as attachments to employees or other employees are tricked into going to websites and downloading the worm through targeted email and instant messenger phishing.
These side door attacks allow the worm to more easily bypass the retailer's preventative safeguards such as firewalls. Once inside, the worm spreads by scanning for and exploiting vulnerable targets; this is similar to how Zotob operated.
This progression ensures that the nature of the attack, even within the organization will be more exacting. Further, the worm won't waste time trying to spread to systems that are not potentially vulnerable nor will it create such excessive network load and alarms
Furthermore, if the attack is launched just days before the most profitable shopping days of the year and some of the assets infected include systems responsible for running point of sale applications then the retailer may suffer failures in fundamental business operations. A message is then displayed telling the retailer to pay a very large sum of money in exchange for the key.
Instead of launching an attack against a retailer that would simply cause havoc and financial distress, the criminals launched a ransomware attack through the cryptoworm, forcing the organization to make a decision while under an increased sense of urgency therefore increasing their chances of being paid.
Protection from encryption
Unfortunately there is no anti-crypto-malware technology that will make you safe from ransomware and other encryption-based attacks. However, by simply following security best practices you will be taking many of the essential steps needed to safeguard your organization.
Regularly updated and communicated acceptable usage policies are important, as is a solid awareness plan like those outlined in NIST 800-50. This will help ensure that employees understand the risks associated with downloading content, opening up email attachments, and general computer security best practices.
As far as technology is concerned, organizations should run multiple layers of anti-malware solutions, disable unneeded services and keep operating system and application patches up to date. They must also make sure that anti-virus updates and browser updates are current.
Defence-in-depth (layered security) should also be run to ensure that attacks that start from inside the perimeter, or are able to pass through perimeter safeguards, are detectable and can be quickly responded to at a network and system level.
With the decreasing vulnerability window, it has become even more important to have effective and efficient incident detection and response capabilities. These should include receiving and correlating real-time logs from external and internal network devices, security products, operating systems, applications, anti-malware solutions and so on.
In addition to correlation, these solutions should provide robust anomaly detection and pattern discovery capabilities that can detect known and unknown malicious activity. Finally, regularly scheduled data backups are a must when attempting to stop encryption from being turned into an attack against the organization.