Author: Nop Srinara, Director, Datto Asia
It’s been less than a month since what was touted as the biggest ransomware attack in history took place, impacting over 230,000 organisations across 150 countries worldwide. Known as WannaCry, the attack saw cyber criminals using a particularly nasty strain of malware to rapidly infect systems, disable files and demand ransom in the form of bitcoins, which resulted in hundreds of businesses paying up in attempts to stop the attacks spreading any further.
But this week all anyone can talk about is GoldenEye, a variant of, and arguably a more sophisticated and dangerous version of, the ransomware known as Petya, which first appeared last year. GoldenEye made headlines on Tuesday following its attack on a number of high-profile targets based in Kiev, Ukraine, including the Chernobyl radiation testing nuclear disaster site, the country’s power grid, government offices and airport. Since then, it has affected more than 12,000 machines across 65 countries, and the numbers are rising. Worse still, unlike its predecessor, GoldenEye offers its victims no real way to retrieve their data after an attack.
Despite the media attention around these attacks, which has been largely due to their geographical spread combined with high-profile targets, don’t be fooled into thinking that ransomware is a new threat. It is not: attacks happen every day, and they have been on the rise for a number of years now, with the increasing availability of ransomware for sale on the dark web.
For this reason, ransomware has been a major focus for us here at Datto, with our researchers working tirelessly on testing designed to quickly detect ransomware in backup data sets.
We know that ransomware has become a major threat to individuals and businesses in Singapore and the wider Asia-Pacific region over the past few years, and the cyber extortionists behind these attacks operate with increasing sophistication. We also know that no business is safe from this kind of exploitation, and that SMBs can be particularly vulnerable to attacks, being more likely to pay a ransom to get their data back than large businesses.
In many cases, these attacks are conducted by large criminal organisations using wide-reaching botnets to spread malware via phishing campaigns. Victims are tricked into downloading an e-mail attachment or clicking a link using some form of social engineering. Fake email messages might appear to be a note from a friend or colleague asking a user to check out an attached file. Or, email might come from a trusted institution (such as a bank) asking you to perform a routine task. Sometimes, ransomware uses scare tactics such as claiming that the computer has been used for illegal activities to coerce victims. When the malware is executed, it encrypts files and demands a ransom to unlock them.
Antivirus software is obviously essential, but on its own it isn’t enough. Many attacks still get through. So, a proper ransomware protection strategy also requires employee education and backup. It’s also critical to keep applications patched and up to date to minimise vulnerabilities. Education, antivirus, and patch management can help you avoid attacks to begin with. Backup allows you to recover if those measures fail.
Also, many people assume that ransomware only locks the files on a single device. While this was the case in the early days, today’s ransomware is designed to spread itself across entire networks. So the sooner you can detect the attacks that do slip by security measures, the better. Recovering files for a single machine is obviously much easier than recovering files for infected machines across an entire network—stopping the infection at Patient Zero, if you will.
Backup presents an opportunity for early detection, because each time a backup is performed, it can be compared against previous backups to look for changes. Not all ransomware operates the same way, but there are a number of common themes. For example, ransomware always encrypts user documents and directories (e.g., photos, files stored in the “My Documents” folder, etc.). It also encrypts “work” related files (e.g., docx, xlsx, etc.). Also, ransomware is constantly changing to avoid detection, which is why antivirus software is not always capable of blocking the malware. Antivirus software relies on a virus signature database that must be constantly updated. Since Datto is not an antivirus provider and does not maintain such a database, our testing focused on detecting known ransomware characteristics.
Our team devised two types of tests to identify these characteristics. Both were designed to run fast enough to keep up with frequent backups, to rely only on information captured in snapshots, and to neither boot the box nor risk further infection. The first, known as file upheaval testing, looks for whether files have changed between backups. For example, about 80 percent of the ransomware tested changed file names when encrypting files. Upheaval testing is designed to look for batches of changes to files that could indicate that ransomware is present. The remaining 20 percent of ransomware tested did not change file names when encrypting data. The second type of test, known as entropy testing, looks for specific conditions that indicate that files have been encrypted. All files, including images, have some degree of organisation and structure. Encrypted data, however, is completely randomised. High levels of entropy in backup data can therefore also indicate the presence of ransomware.
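To make the two tests concrete, here is an added Python illustration. It is not Datto’s code and says nothing about how their product implements these checks; snapshots are modelled as in-memory path-to-contents mappings, the sample files are constructed, and the thresholds, file names and the combination rule are assumptions chosen for the example. It covers both cases the text describes: the 80 percent of samples that rename files as they encrypt (which shows up as a batch of removed and added paths) and the 20 percent that encrypt in place (which shows up as modified paths whose contents now have near-maximal entropy).

```python
import math
import random
from collections import Counter
from typing import Dict

# A snapshot is modelled here as path -> file contents, standing in for the
# file data a backup agent would read out of a point-in-time snapshot.
Snapshot = Dict[str, bytes]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compare_snapshots(previous: Snapshot, current: Snapshot) -> Dict[str, int]:
    """File upheaval test: count paths that disappeared, appeared or changed content."""
    prev_paths, curr_paths = set(previous), set(current)
    modified = [p for p in prev_paths & curr_paths if previous[p] != current[p]]
    return {
        "removed": len(prev_paths - curr_paths),   # originals renamed or deleted
        "added": len(curr_paths - prev_paths),     # new names, e.g. "*.locked"
        "modified": len(modified),                 # encrypted in place
        "total": len(prev_paths | curr_paths),
    }


def high_entropy_files(snapshot: Snapshot, threshold: float = 7.0,
                       min_size: int = 256) -> Dict[str, float]:
    """Entropy test: files whose byte distribution looks encrypted (or compressed)."""
    flagged = {}
    for path, data in snapshot.items():
        if len(data) < min_size:          # tiny files give noisy entropy estimates
            continue
        h = shannon_entropy(data)
        if h >= threshold:
            flagged[path] = round(h, 2)
    return flagged


def assess(previous: Snapshot, current: Snapshot,
           upheaval_ratio: float = 0.5, entropy_ratio: float = 0.25) -> Dict[str, object]:
    """Combine both tests. The ratios are assumptions chosen for this illustration."""
    changes = compare_snapshots(previous, current)
    churn = (changes["removed"] + changes["added"] + changes["modified"]) / max(changes["total"], 1)
    entropy_fraction = len(high_entropy_files(current)) / max(len(current), 1)
    return {
        "upheaval_fraction": round(churn, 2),
        "high_entropy_fraction": round(entropy_fraction, 2),
        "suspicious": churn >= upheaval_ratio and entropy_fraction >= entropy_ratio,
    }


# --- constructed sample snapshots (not real backup data) ---------------------
_rng = random.Random(20170630)  # fixed seed so the example is reproducible


def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly distributed bytes from a seeded generator."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


_PLAINTEXT = b"Quarterly report: revenue grew in every region this period.\n" * 40

BASELINE: Snapshot = {f"Documents/report_{i}.docx": _PLAINTEXT for i in range(20)}

# The 80 percent case: files renamed as they are encrypted.
RENAMED_ATTACK: Snapshot = {f"Documents/report_{i}.docx.locked": _random_bytes(2048) for i in range(20)}

# The 20 percent case: same names, contents replaced by ciphertext.
INPLACE_ATTACK: Snapshot = {f"Documents/report_{i}.docx": _random_bytes(2048) for i in range(20)}

# Benign churn: one document edited by a user between backups.
NORMAL_EDIT: Snapshot = {**BASELINE, "Documents/report_3.docx": _PLAINTEXT + b"Addendum: see appendix B.\n"}


if __name__ == "__main__":
    for name, snap in [("renamed", RENAMED_ATTACK), ("in-place", INPLACE_ATTACK), ("normal edit", NORMAL_EDIT)]:
        print(name, assess(BASELINE, snap))
```

Requiring both signals is a deliberate choice: compressed formats such as zip, JPEG and PNG also sit near 8 bits per byte, so entropy on its own would flag a freshly downloaded photo album, while a large batch of renames or rewrites on its own would flag a legitimate bulk migration. A burst of churn whose new contents are also indistinguishable from random is the combination that matches the behaviour described above.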
Based on the information gathered during the months of ransomware testing, we were able to develop a new ransomware detection feature. When ransomware is detected, an alert is sent allowing businesses and other users to diagnose the issue and restore data quickly to a point in time before the infection. There is a growing trend to develop similar technologies that are capable of combating the ransomware epidemic via backups. This is vital for those occasions when ransomware gets through firewalls and antivirus protections.
Unfortunately, the popularity of ransomware among cyber criminals does not appear to be waning. Recently, Datto surveyed more than 1,000 IT service providers located across the world about the current state of ransomware and found that a staggering 97 percent of respondents said ransomware attacks on small businesses are becoming more frequent, a trend they expect to continue over the next two years. The survey found that 91 percent of respondents reported their clients were victimised by ransomware, 40 percent of whom had experienced six or more attacks in the last year. Nine out of ten IT service providers reported ransomware attacks among their small business customers. The number one cause of ransomware infection? Almost half (46 percent) of respondents said that phishing emails were to blame. The survey found that the average ransom requested was typically between £400 and £1,600, but ten percent of respondents reported the average ransom to be greater than £4,000.
However, the ransom is just a fraction of the losses businesses can incur from a ransomware attack. The downtime following the attack can be crippling. According to the survey, 63 percent of respondents mentioned that a ransomware attack led to business-threatening downtime. Finally, there is a disconnect between IT service providers and their small business customers when it comes to how they perceive the threat of ransomware. The majority of IT service providers are “highly concerned” about ransomware but indicated that their customers are generally not, likely due to a lack of awareness.
The most important lesson we learned from infecting ourselves with ransomware is that early detection matters. It allows IT professionals to remotely diagnose the extent of the damage, contain and minimise the infection, quickly identify the last good backup, and differentially update production machines to restore known good versions of compromised files.
If an infection is addressed before it spreads to other systems, recovery is considerably faster. For IT service providers, early detection reduces the time and effort required to perform complex recoveries of data and applications and allows them to better serve their customers.