Post by Nick Palmer, Sales Engineer and Moshe Ben-Simon, Vice President and Co-founder
After a certain amount of time in the security industry, you realize you're starting to take it personally. I used to think that the exploits (pun intended) of cybercriminals were to be approached with pragmatic acceptance, as just the ways that undesirables make money. But with each new attack and each novel vector, I grow more amazed at the versatility and tenacity of these groups. I also grow increasingly appalled at the depths cybercriminals will go to achieve their goals.
Ransomware goes back to 1989 with the 'AIDS' Trojan (also known as "PC Cyborg"). But when I first heard about ransomware, it was from the mother of a friend. It was a case of an elderly woman embracing technology and enjoying her new-found online freedom. She'd been coached on the dangers of online attachments, but this was a good phish, and like many unsuspecting users, she ran the macro. I was struck by the bare-faced criminality of the campaign. Blackmail, in plain sight, via an onscreen prompt about how to decrypt and what it would cost. She had photographs of her grandchildren, a collection of amusing cat videos and numerous documents relating to her various community engagements. She also had a son who was fastidious about backing up her computer. As a result, a bootable USB key and a swift restore later, normality was restored, but not without considerable stress and worry for the lady concerned.
Consumer-grade stories like this are one thing, but cryptographic ransomware is the single threat that all my corporate customers are talking about. FBI figures suggest that they are right to be concerned, estimating a cost to victims of $209m in the first quarter of 2016 alone, and industry estimates put the income of the CryptoWall operators at over $300m in 2015. The cost isn't mainly the ransom itself: Hollywood Presbyterian Medical Center (HPMC) reportedly paid $17,000. The cost is downtime. The hospital was reportedly losing $100,000 a day on its inability to perform CT scans alone. In the wider business community, 72% of affected business users lost access to data for at least two days, and 32% lost access for five days or more.
The challenge now is that cybercriminals are realizing just how lucrative this attack method is. As a result, the threats are changing. The more systems and data that can be encrypted, the bigger the potential payoff; HPMC actually got a real bargain, paying $17,000 for a problem that was costing it around half a million a week. But the increasing stakes mean that cryptographic ransomware is developing rapidly, and families differ in how they go about encryption. To increase the chances of a crippling attack, ransomware now reaches out to shared network drives. If you're running an infrastructure that uses network-based storage (shares), then you're at risk: one ill-informed user clicking to run the embedded content and it's game over. The order in which drives are attacked varies by family. Some walk drive letters in ascending order, typically skipping A: and B: and starting from C:, the infected machine's own disk. Others start at the highest letter and work back. Others enumerate every mapped network drive and encrypt them all in parallel, and some also look for shares that are reachable but not mapped to a drive letter at all. Whichever situation you find yourself in, the end result is the same: potentially mission-critical systems offline and mission-critical data unavailable until you hand over the ransom in bitcoins.
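The traversal orders above decide which shares are damaged before a decoy has any chance to fire, so where a decoy sits matters. The following is an added example (not TrapX code) that models the three orders the post describes against a hypothetical drive map and reports which real drives a ransomware process touches before it first writes to a decoy share. The drive letters, share roles and the simplification that "parallel" families do the local disk first are assumptions made for the illustration.

```python
"""Drive-letter traversal versus decoy placement (added example).

Models the enumeration orders described in the post (ascending from C:,
descending from the highest letter, all network drives at once) and reports
which non-decoy drives are written to before the first decoy is touched,
i.e. before a decoy-based alert could possibly fire.  The drive map below is
constructed for the example; letters and share roles are hypothetical.
"""

# letter -> (kind, is_decoy).  A: and B: are left out: most families skip
# the floppy letters, so a decoy there would never be reached.
DRIVES = {
    "C:": ("local", False),     # the infected machine's own disk
    "D:": ("network", True),    # low-letter decoy share
    "F:": ("network", False),   # finance share (real data)
    "H:": ("network", False),   # home directories (real data)
    "Z:": ("network", True),    # high-letter decoy share
}


def traversal(drives, strategy):
    """Return the order in which a strategy visits drives.

    Each element is a group of letters attacked at the same time; sequential
    strategies produce one-letter groups, the parallel strategy (assumed here
    to do the local disk first) produces one group holding every network drive.
    """
    letters = sorted(drives)
    if strategy == "ascending":
        return [[letter] for letter in letters]
    if strategy == "descending":
        return [[letter] for letter in reversed(letters)]
    if strategy == "parallel":
        local = [letter for letter in letters if drives[letter][0] == "local"]
        network = [letter for letter in letters if drives[letter][0] == "network"]
        return [[letter] for letter in local] + [network]
    raise ValueError(f"unknown strategy {strategy!r}")


def hit_before_alert(drives, strategy):
    """Non-decoy drives written to before the first decoy is touched.

    Everything in a simultaneous group is hit together, so a decoy inside a
    parallel group raises the alert but does not spare its siblings: only a
    fast quarantine limits damage in that case.
    """
    hit = []
    for group in traversal(drives, strategy):
        hit.extend(letter for letter in group if not drives[letter][1])
        if any(drives[letter][1] for letter in group):
            break  # decoy touched: a share-monitoring alert fires here
    return hit


if __name__ == "__main__":
    for strategy in ("ascending", "descending", "parallel"):
        print(f"{strategy:10s} real drives hit before alert: "
              f"{hit_before_alert(DRIVES, strategy)}")
    low_only = {k: v for k, v in DRIVES.items() if k != "Z:"}
    print("descending, low-letter decoy only:",
          hit_before_alert(low_only, "descending"))
```

Two things fall out of running it. With decoys at both ends, the sequential strategies touch no real share before the alert, but an ascending family has already been through C: on the infected host, so decoy shares never protect the local disk. Removing the high-letter decoy leaves a descending family free to go through H: and F: before it ever meets D:, which is why a single breadcrumb at one end of the alphabet is not enough.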
Imagine a solution that had the ability to deceive ransomware. A solution that sent the ransomware off to a fake network share to begin encrypting fake data, while immediately notifying security teams and your SIEM. Now imagine a solution that kept the ransomware occupied with large volumes of fake files and folders to encrypt, keeping it busy scrambling fake data so that your real data stays out of its reach. Finally, if you choose, think of a solution that takes the compromised machine off the network as soon as encryption starts.
Here at TrapX, we have committed a huge amount of resources to studying and classifying cryptographic ransomware, and we have just such a solution. It's called CryptoTrap.
Using our own technology, known as Deception Tokens, you can leave a trail of breadcrumbs that lead ransomware seeking network storage to an SMB decoy, effectively luring the ransomware into a trap. Without needing ANY third-party quarantine solution, the source machine is taken off the network and alerts are raised. Only the files the ransomware reached before the decoy fired are encrypted, a small fraction of what would otherwise have been lost (bear in mind that a family working up from C: will already have been through the infected machine's local disk). If you choose NOT to disconnect the compromised machine, the ransomware can instead be kept in a cycle where it always has more decoy files to encrypt, which holds it away from other network shares so that no more valuable data is scrambled. That holding pattern only works against families that encrypt shares one after another; a family that encrypts every mapped drive in parallel is not delayed by the decoy, and there the automatic quarantine is what limits the damage.
At TrapX we are the leader in a technology known as deception, and unlike detection-based solutions we do not rely on anomaly detection or signature-based approaches, because we focus on "knowing" when cybercriminals are active in a network. If a device is talking on the network to a "fake device", and your whitelists of legitimate hosts (backup servers, vulnerability scanners) are up to date, then it's either misconfigured or malicious. Similarly, if a remote machine opens and rewrites every file on a share, one after another, it's almost certainly bad. Automatic alerts, quarantine of the original infection and a limitless supply of fake data for the malware to encrypt is a fast, safe and effective way to ensure that YOUR business isn't blackmailed. Ransomware doesn't need to be terrifying, but you absolutely have to take it extremely seriously. Just as TrapX does.
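The detection logic the last two paragraphs describe, written out as an added example rather than TrapX's own implementation: a decoy SMB share is instrumented, any non-whitelisted client that reads it produces a low-severity alert (misconfigured or malicious), any client that writes, renames or deletes on it produces a high-severity alert, and after a configurable number of write-class operations the client is marked for quarantine. The audit-event layout, share names, IP addresses and user names are constructed for the example and are not a real log format.

```python
"""Decoy-share access monitor (added example, not TrapX code).

Scans constructed SMB audit-style events for a decoy share and applies the
rule "anything not on the whitelist that touches the decoy is misconfigured
or malicious": reads raise a low-severity alert, write-class operations a
high-severity one, and repeated write-class operations trigger quarantine.
Event fields, UNC paths, addresses and users are hypothetical.
"""
from collections import defaultdict

DECOY_SHARES = {r"\\fs01\finance-archive"}   # decoy UNC path (hypothetical)
WHITELIST = {"10.0.0.5"}                      # backup server allowed on the decoy
WRITE_OPS = {"write", "rename", "delete"}     # operations encryption needs

# Constructed sample events: (time, client_ip, user, share, path, op).
# 10.0.5.23 shows the encrypt-then-rename pattern; 10.0.7.9 only reads.
EVENTS = [
    ("09:00:01", "10.0.0.5",  "svc_backup", r"\\fs01\finance-archive", r"Q1\ledger.xlsx",   "read"),
    ("09:12:07", "10.0.5.23", "jsmith",     r"\\fs01\finance-archive", r"Q1\ledger.xlsx",   "read"),
    ("09:12:08", "10.0.5.23", "jsmith",     r"\\fs01\finance-archive", r"Q1\ledger.xlsx",   "write"),
    ("09:12:08", "10.0.5.23", "jsmith",     r"\\fs01\finance-archive", r"Q1\ledger.xlsx",   "rename"),
    ("09:12:09", "10.0.5.23", "jsmith",     r"\\fs01\finance-archive", r"Q1\invoices.docx", "write"),
    ("09:12:09", "10.0.5.23", "jsmith",     r"\\fs01\finance-archive", r"Q1\invoices.docx", "rename"),
    ("09:13:00", "10.0.7.9",  "scanner",    r"\\fs01\finance-archive", "",                  "read"),
    ("09:14:00", "10.0.7.9",  "scanner",    r"\\fs01\real-share",      r"x.txt",            "write"),
]


def analyse(events, decoy_shares=DECOY_SHARES, whitelist=WHITELIST,
            write_threshold=2, auto_quarantine=True):
    """Return (alerts, quarantine).

    alerts     - list of (severity, time, client_ip, user, message) in order.
    quarantine - set of client IPs to isolate; empty when auto_quarantine is
                 False (the "keep it busy on decoy files" mode in the post).
    write_threshold=2 means a write followed by a rename (the usual
    encrypt-then-rename sequence) is enough; set it to 1 to isolate on the
    very first write.
    """
    writes_by_client = defaultdict(int)
    read_alerted = set()
    alerts = []
    quarantine = set()

    for ts, ip, user, share, path, op in events:
        if share not in decoy_shares:
            continue                      # only the decoy is instrumented here
        if ip in whitelist:
            continue                      # known backup / scan hosts
        if op in WRITE_OPS:
            writes_by_client[ip] += 1
            if writes_by_client[ip] == 1:
                alerts.append(("high", ts, ip, user,
                               f"{op} on decoy {share}\\{path}"))
            if auto_quarantine and writes_by_client[ip] >= write_threshold:
                quarantine.add(ip)
        elif ip not in read_alerted:
            read_alerted.add(ip)
            alerts.append(("low", ts, ip, user, f"read of decoy {share}"))

    return alerts, quarantine


if __name__ == "__main__":
    found, isolate = analyse(EVENTS)
    for alert in found:
        print(alert)
    print("quarantine:", sorted(isolate))
```

Run as written, the backup server's read is ignored, jsmith's first read produces a low alert, the write that follows produces a high alert, the rename pushes the client over the threshold and 10.0.5.23 lands in the quarantine set, and the scanner's read of the decoy produces a low alert that a whitelist update would silence; its write on a non-decoy share is never examined, because only the decoy is monitored. Whatever isolates the host (a switch port shutdown, an EDR network-contain action) is outside this example.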