The advent of COVID-19 has created fertile ground for the multiplication of ransomware incidents by expanding the list of possible attack vectors that help external actors create or find an opening through which they can orchestrate their plan. In a bid to preserve business continuity, a large segment of companies shifted to remote working.
As the office has moved to the living room, employers implemented a series of new protocols that facilitated this transition. The issue is that many of these protocols can be manipulated, security measures can be bypassed, and as the majority of employees work from home, there are more openings for social engineering attempts that target high profile individuals from an organization to steal their credentials.
Take a look at the evolving ransomware sector to explore and understand why ransomware attacks are stronger than ever in 2020 and how blockchain technology can be used to enhance existing data storage mechanisms or set a foundation for new types of data infrastructures. Find out how the Modex BCDB solution answers the ransomware threat: Modex Blockchain Database represents a new take on traditional technology that levels the playing field by combining database systems with a blockchain backend to create a structure that closes the openings exploited by ransomware groups.
Ransomware has become deeply ingrained in our collective business and enterprise consciousness as one of the most pernicious evils that companies need to safeguard against. Evolving from seemingly humble beginnings, ransomware attacks have become as widespread as the common cold, a fitting analogy that conveys how companies and businesses are permanently required to be on guard and to implement smart preemptive strategies as well as the latest cybersecurity tools and solutions to prevent infection. If early ransomware iterations were backed by a few individuals who acted as digital highwaymen, using their technical abilities to extort various sums of money from businesses and everyday users, the phenomenon has reached alarming new grounds that can only be described as a veritable digital mafia that operates with clear strategic objectives in mind, ranging from data hijacking to putting a stop to an enterprise’s operational flow. The proposition of uncovering new profit from “alternative” means has reshaped the mentality of the people behind such operations, as they now don the businessman’s suit to sell the data of uncooperative victims, or the means of acquiring such data, to individuals seeking a quick profit.
The birth of ransomware
The year 1989 marks a pivotal chapter in the history of mankind during which the world witnessed a series of events that forever changed the geopolitical landscape and the balance of power. But did you know that the year 1989 also marks the creation of the first ransomware software?
Developed by Harvard-trained evolutionary biologist Joseph L. Popp, also known as “the father of ransomware”, the software was called the AIDS Trojan, also known as the PC Cyborg. Popp used this software to perpetrate the first documented ransomware attack in December 1989. Of course, during that period, the internet was still in its early stages, so Popp distributed his software by sending 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to the attendees of the World Health Organization’s international AIDS conference in Stockholm.
Besides the questionnaire to help users determine their risk of contracting AIDS, the diskettes also contained the Trojan software that was designed to take action after 90 reboots, after which it encrypted through simple symmetric cryptography the user’s data. After the data was encrypted, the victim was presented with a ransom demand of USD 189 and the address of Popp’s post office box in Panama.
Little did Popp know that he had laid the foundation of what would develop, over the following three decades, into the main digital extortion method targeting individuals, small businesses, enterprises, and even governments.
Ransomware, a cat-and-mouse game between hackers and companies
Now that we have observed the first iteration of ransomware and understand the logic and reasoning behind this type of software, we can construct a broad definition. Ransomware, or ransom malware, is a type of malicious software that prevents users from accessing their system or personal files and demands a ransom payment to regain access. Over the past decades, ransomware has become one of the most prolific criminal business models in the world, because cybercriminals usually target high-profile individuals, corporations, and even governmental institutions. Ransomware works by locking a victim’s computer through encryption and demanding a substantial sum of money, usually in cryptocurrency form, most notably Bitcoin, for the decryption key necessary to decrypt the data. Depending on the group behind the ransomware, failure to comply with the demands may initially lead to an increase in the ransom and eventually to a permanent loss of the data, or to new attacks based on the user base stolen in the previous attack.
A new milestone was reached in the evolution of ransomware in November 2019, when the group behind Maze, a new generation of ransomware, followed through on its threats and published the data stolen from its victim, Allied Universal, after the company did not comply with the ransom demands. This was the first time a ransomware group published a large portion of the data stolen from a victim’s database. If this bold strategy proves to be more profitable than the traditional encryption-focused approach, it is highly probable that newer versions of ransomware will soon change their approach from locking companies out of their data to publicly distributing the information of their victims, as well as the information concerning their clients, business partners and user base, a move that can prove disastrous to any business or enterprise.
Not long ago, ransomware groups had somewhat of a wild card approach, in the sense that they were indiscriminately and haphazardly spreading their malware, focusing on quantity in lieu of accuracy. This quantity over quality approach meant that not much thought was put in investigating victims’ network and security measures before deploying the ransomware.
Over the past decade, there has been a shift in the modus operandi of the actors that perpetrate ransomware attacks, as they now operate more like well-coordinated special operations groups. This is best reflected by the meticulous way in which they choose their next target, the time they allocate for gathering intel, how they examine targeted networks, and the increased complexity and sophistication of the ransomware software. Furthermore, most ransomware groups no longer employ a hit-and-run approach, as they can infect a system and avoid detection for months, during which they slowly spread throughout the system in search of vulnerabilities and valuable data. According to a report by the cybersecurity company FireEye, the median malware dwell time (a metric that measures the length of time between compromise and detection) is 56 days.
What attackers do in this time frame:
- examine the victim’s network to determine which servers and workstations they need to hit to maximize their impact;
- manipulate or disable security systems;
- install additional malware that gives them further control over the compromised machines;
- obtain high-level privileges or steal credentials to gain access to additional systems;
- whitelist ransomware executables, basically enabling them to leave with corporate data;
- exfiltrate company data through various communication channels;
- tamper with the backup mechanisms set in place, destroying existing system backups to disable a victim’s ability to recover their data through other means.
Infection and Distribution Vectors
For the past couple of months, companies and organizations across every sector have been required to cope with the sudden set of restrictions imposed by the global pandemic. The most obvious and hardest to manage are, of course, the new rules concerning social distancing. In a bid to maintain business continuity while respecting the conditions imposed by social distancing, a large segment of companies has come to rely heavily on Remote Desktop Protocol (RDP), which can be seen as an opportunity for ransomware groups to take action.
The reasoning behind this assumption is that during the mass migration to remote working at the beginning of the year, a considerable number of companies were caught off guard and didn’t have the time or resources to properly implement RDP, leaving a number of potential vulnerabilities. A report by the global computer security software company McAfee supports this claim: the number of exposed RDP ports grew from approximately 3 million in January 2020 to over 4.5 million in March, positioning exposed RDP ports as one of the biggest attack vectors for ransomware.
What is RDP?
Remote Desktop Protocol is a network communications protocol developed by Microsoft which is available on most Windows operating systems. RDP provides a graphical interface through which users can connect remotely to another computer over a network connection. After the connection has been established, the protocol transmits the display of the remote computer or server and the input of the peripherals (mouse and keyboard) from the client to the remote machine, basically granting the user the ability to control a remote computer. RDP has numerous applications including remote file and application access, remote system diagnosis, and troubleshooting.
Insecure or exposed RDP ports pose a real threat to companies because, if left unchecked, they represent an open door for basically anyone with an internet connection and sufficient technical skill to access the remote server. If an external actor manages to hack an account and gain access to the remote server, they will be able to do anything within the hacked account’s privilege range.
Although securing RDP ports should be a priority for every company, the global shift towards remote working has highlighted the fact that many companies, regardless of their sphere of activity, do a poor job of securing their RDP ports. Kaspersky Lab, a multinational cybersecurity and anti-virus provider, underlined in a report earlier this year that at the beginning of March the number of RDP attacks in the United States hovered around 200,000 per day, a figure that grew exponentially by mid-April, reaching 1.4 million.
An x-ray of server penetration via an exposed RDP port:
- Scanning the internet for exposed RDP ports: virtually anybody can download free port scanning software to search the internet for exposed RDP ports;
- Server penetration: attackers employ various strategies such as social engineering to steal the credentials of a user (preferably an administrator, because administrators have higher permission levels). Attackers may also use brute force methods that try every possible combination until they guess the right username and password;
- Dismantling security systems: depending on the privileges of the hijacked account, the attacker attempts to systematically deactivate security measures and tampers with system backups and configurations to make the network as insecure as possible;
- Installing the ransomware malware: after the security of the network has been compromised, attackers proceed to install ransomware software, exfiltrate corporate data, and create new back doors for future incursions.
Other ransomware attack vectors
- Software vulnerabilities: as much as we would like to believe, there is no such thing as a perfect software product. In the real world, every software will eventually encounter a bug, crash, or have a hidden vulnerability that was undiscovered during the testing phases of the development life cycle. This is where attackers come into play. They carefully and minutely examine software products or infrastructures to uncover any potential vulnerabilities that can be exploited.
- Weak credentials: more often than not, a weak password makes the life of cybercriminals easier. Brute force tools employed by attackers are quite effective against systems protected by weak passwords. To make it more difficult for hackers and to increase the chance of detecting a brute force attempt before it succeeds, it is highly recommended to use a combination of alphanumeric characters in upper and lower case in tandem with special symbols to create a strong password. Even so, cybersecurity experts still recommend periodically changing passwords.
- Phishing: malicious actors often employ social engineering methods to trick unsuspecting victims into giving them their credentials. This can be as simple as impersonating other people over the phone or email, or sending infected attachments with embedded macros that trigger or install hidden software, such as keyloggers, when opened. Spear phishing is very similar to phishing; the main difference is that phishing campaigns don’t target victims individually, they’re sent to hundreds, sometimes thousands, of recipients. In contrast, spear phishing is a highly targeted operation in which attackers focus on only one individual. The term whaling is also used to describe spear phishing operations that target only high-profile individuals within a company.
Maze and Netwalker, two ransomware families to watch out for in 2020
Netwalker, also known as the Mailto ransomware, is a type of file-locking malware that was first discovered in August 2019 and has slowly built itself up as a major player in the ransomware scene by systematically attacking high-profile companies, healthcare providers, and even local governments. The data pieced together so far indicates that Netwalker was developed by a Russian-speaking group of hackers operating under the moniker Circus Spider.
Additional information reveals the fact that Netwalker is designed to operate as Ransomware as a Service (RaaS) offering, which implies that Circus Spider is more than eager to provide to other interested parties the tools and infrastructure required to perform ransomware attacks if they are willing to pay the right price. Joining the group does come with its set of rules, as affiliates are prohibited from attacking organizations from Russia, including the Commonwealth of Independent States (Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan). Furthermore, their rule book seems to stipulate that once a ransom has been paid, data should always be restored to victims.
The group behind Netwalker seemed to operate with a standard approach by distributing malware through infected emails in mass phishing campaigns that targeted as many individuals as possible. In 2020 Circus Spider changed its approach and requested affiliates to follow the new direction and concentrate their attacks on large enterprises, hospitals, and governmental agencies. The main methods of gaining unauthorized access revolve around exploiting unpatched VPN appliances and bypassing weak RDP passwords. After successfully entering an organization’s network, Netwalker engages the data encryption process and deletes any backups. The data is then used to blackmail victims into paying the ransom under the threat that all their private files will be leaked online if they fail to comply. To put additional pressure, Netwalker has a public shaming website in which it posts the screenshots of the hijacked files with a timer that indicates how much time the company has at its disposal to pay the ransom.
The group behind Netwalker doesn’t seem to shy away from profiting from the fear generated by the global pandemic, as it has already targeted several healthcare institutions. On March 10, 2020, it set its sights on the Champaign-Urbana Public Health District in Illinois, USA, managing to take the institution offline. Fortunately, the district had most of its services and files backed up in the cloud, so the main impact of the attack fell only on their website. A more serious blow was dealt on March 14th, 2020 to the Brno University Hospital in the Czech Republic, the country’s second-largest medical institution. The attack caused computers across the hospital to shut down, delaying surgeries and coronavirus test results. Undoubtedly the attack on the Brno University Hospital was carefully planned, as it took place two days after the president of the Czech Republic issued a nationwide quarantine.
Although cybersecurity experts have been pointing out for years that healthcare institutions rank among the segments most vulnerable to cybercrime, no significant step was taken to increase their tolerance to external tampering, and the ones who suffer the most are the patients, whose lives can be threatened by a cyberattack. This was the case in mid-September 2020, when a woman in Germany died during a ransomware attack on the Duesseldorf University Hospital, which may be the first death directly linked to a cyberattack on a hospital. Because all of the services were rendered offline by the attack, the hospital could no longer accept emergency patients, and the woman was sent to a healthcare facility around 20 miles away but didn’t survive the journey.
It seems that local governments aren’t safe from the threat posed by Netwalker, as the malware team launched a ransomware attack against the Austrian village of Weiz in May 2020, affecting the public service system and leaking stolen data from building applications and inspections. The village’s public network was penetrated by phishing emails that baited employees by masquerading as “information about coronavirus”. On a much larger scale, the group behind Netwalker forced Argentina’s immigration agency, Dirección Nacional de Migraciones (DNM), to suspend operations for over four hours on August 27th, 2020, basically putting a halt to all border crossings for that time frame.
Maze, previously known as the ChaCha ransomware, is a sophisticated strain of ransomware that has been targeting companies and organizations since 2019, demanding payment in the form of cryptocurrency for the safe recovery of data. Similar to many ransomware iterations that preceded it, Maze is designed to spread across corporate networks, infecting as many machines and servers as possible to encrypt data in an attempt to extract a ransom from the victim. What makes Maze more dangerous than traditional ransomware is the fact that it also acts as a data breach. Systems infected by the Maze strain showed that their data had also been exfiltrated to servers controlled by the group behind Maze, who threaten that if victims don’t comply with their demands, they will go public with the data. This new and aggressive approach raises important questions about how companies should prepare for a ransomware attack, because data backups will only be effective to a certain degree. Companies are dealt a tough hand: they can still rely on data backups to recover their lost data, but this doesn’t change the fact that hackers are now in possession of their commercial and private information.
The group behind Maze has shifted the ransomware paradigm and is promoting an alternative way of putting pressure on victims, which is slowly being incorporated into the new generation of ransomware. No longer content with just encrypting corporate data, hackers move it to their servers and threaten to:
- release public details and inform the media of a victim’s data breach;
- sell corporate data on the dark web to the highest bidder;
- inform the stock exchange where the company is listed that sensitive information has been exfiltrated;
- use the stolen data to target the company’s clients and business partners.
The first notable attack conducted by the group behind Maze took place in November 2019, when they attacked Allied Universal, a security staffing firm, managing to encrypt and exfiltrate some of the company’s data. After Allied Universal refused to cooperate and pay the ransom, the hackers published 700 megabytes worth of stolen data, claiming that it represented only 10% of the total files stolen and that the rest would soon be published if the company failed to meet their demands.
The IT staff of Hammersmith Medicines Research (HMR), a London-based medical research company, discovered on March 14th, 2020 that it had been attacked by the cybercriminals behind Maze. At that time, HMR was carrying out trials for a possible vaccine for the coronavirus. HMR had previously worked on developing a vaccine for the Ebola virus and a treatment for Alzheimer’s disease. Similar to the Allied Universal case, HMR failed to meet the deadline set by the Maze group, which resulted in the publishing of personal details of thousands of former patients.
How to prevent ransomware attacks?
To follow up on the analogy with the common cold, cybersecurity guidelines recommend that companies adopt strategies and incorporate practices that help prevent an attack. After a system has been compromised by a ransomware group, there is a very small chance of successfully decrypting the information without paying the ransom for the decryption key. Losing corporate data can be a significant blow for any company and enterprise, but as the group behind Maze has demonstrated, data exfiltration is a more somber outcome, as confidential corporate data becomes available for anyone to disseminate.
To ensure a higher degree of resistance to ransomware attempts, companies should consider rethinking their cybersecurity strategy and implement a series of best practices that can help protect the network against compromise:
- Use a Virtual Private Network (VPN): as we have previously mentioned, exploiting exposed RDP ports ranks among the most common penetration methods employed by hackers. To mitigate this, companies should always rely on a VPN to enable remote users to securely access corporate private networks without exposing their systems to prying eyes that are constantly searching for potential victims;
- Multi-factor authentication (MFA): MFA adds an additional layer of complexity to the login process by requiring users to provide more than one form of authentication (such as biometrics or one-time use codes) to prove their identity. Ideally, MFA should be implemented across every user account; if that is not possible, administrator accounts should be the top priority. Paired with stronger passwords, MFA makes it much harder for malicious actors to compromise user credentials;
- Use a firewall to limit access: companies should employ a firewall to limit RDP access to specific IP addresses;
- Periodically reimage devices: device reimaging is the process through which a device is wiped clean and brought back to its default configuration. Periodic device reimaging is recommended as it can remove hidden malware from the device;
- Block IPs that fail multiple logins: everybody tends to forget their passwords once in a while, so it’s normal for users to sometimes fail a login. But a high number of failed logins in a short time frame may be a sign of a brute force attack. As such, it’s a smart choice to limit the number of times a user can attempt to log in to RDP or other systems;
- Keep your system up to date: hackers seem to be the best testers in the world, as they are usually the first to uncover software vulnerabilities, which they quickly exploit to compromise a network and execute malicious code. Software products will never be free of bugs and other vulnerabilities. Keeping software up and running often entails discovering and fixing vulnerabilities through patches and updates in an attempt to close any potential backdoors;
- System hardening: system hardening is the process through which a system is secured by reducing its surface of vulnerability. Each organization serves a different business logic that requires different tools and services that can be exploited by external actors such as RDP, PowerShell, Microsoft Office macros, Windows Script Host. By removing some of the tools that are redundant to your business, you are also blocking potential attack vectors;
- Implement the principle of least privilege: enterprises and companies should implement the principle of least privilege which stipulates that users and applications should only have the minimum privilege required to perform their attributions. Minimizing privilege levels and knowing exactly who has access to what data will significantly reduce the time required to detect the point of infection. More importantly, it reduces the volume and value of data that can be accessed by an attacker that manages to compromise a single endpoint. By making lateral movement more difficult for ransomware groups, the chance of an infection spreading through the whole system is reduced;
- Network segmentation: network segmentation enables better security and access control of network partitions. Besides providing better control and visibility over the overall network, segmentation prevents unauthorized users from accessing restricted corporate data. In case of a network breach, network segmentation prevents malware from propagating throughout the system.
Is blockchain an answer to the ransomware threat?
To some extent blockchain technology can be a viable mechanism for increasing a company’s tolerance to ransomware and other cybersecurity incursions. This is because blockchain has a set of inherent characteristics that provide an answer to some of the attack vectors employed by ransomware groups. Before we delve deeper into the matter, let’s formulate a brief definition for blockchain to better understand how it manages to deliver some of its key features.
A type of Distributed Ledger Technology (DLT), blockchain is a digital, distributed, and decentralized ledger of transactions that can be programmed to store any type of data that has value. By design, blockchain stores information in data containers named blocks that are linked together in a chain-like structure through a hashing algorithm (SHA-256 is the most popular). When a new block of transactions is added to the chain, it incorporates the hash of the previous block before calculating its own hash value that will be used by the next block.
This design is what gives blockchain technology two of its most valuable characteristics: immutability and integrity. The dependency between the blocks makes it virtually impossible for a malicious actor to tamper with the data containers, because any change modifies the block’s hash, rendering all the following blocks invalid as the hash values will no longer match. As such, blockchain is characterized as an append-only structure where users can add new data but never alter past records.
Modex Blockchain Database (BCDB) is an innovative take on blockchain technology that fuses the benefits of traditional database systems with blockchain. By positioning itself as an additional layer between the application server and the database engine of a company, Modex BCDB acts as a sort of data funnel that sends the information to the database, and the metadata of that information to a blockchain, to create immutable references. Designed to be agnostic of both the database and the blockchain, the BCDB solution enables companies and enterprises to create their own custom solution that falls in line with their business logic.
Distribution, decentralization, and immutability are a powerful combination against ransomware attacks. Decentralization means that the network does not rely on a central server to host all the data, but distributes it across all network participants, also known as nodes. There are many types of nodes in a blockchain network; full nodes, for example, store a copy of the entire blockchain. As a result, the network doesn’t have a single point of failure. If a node is compromised by Netwalker, for example, admins just have to address the vulnerability that permitted access to the network and restore the node to its previous version, or they can simply cut the node out of the network. In case of encryption by ransomware, the attacker would find it impossible to hold all the data hostage because the entire network is distributed among thousands of users (even more, depending on the size of the blockchain). Even if they manage to encrypt a node, admins close the backdoor through which the attacker entered and restore the node to its previous version.
Immutability and integrity are self-explanatory. If company files are encrypted, the hash value of the block they are a part of will change, and in a domino effect, all the following hashes down the chain will be changed, signaling to the system that unlawful changes occurred. Due to its append-only nature, blockchain does not support alterations to blocks that have already been added to the chain. When a piece of data is updated, the system creates a new entry which includes the modified version, but all previous versions are kept down the chain. The ability to provide transparency, record versioning and data traceability are other valuable characteristics of blockchain technology.
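The two paragraphs above describe a hash chain of record metadata, updates appended as new versions, and tamper detection that cascades down the chain. The following Python sketch is an added example of that mechanism, not Modex’s code or a description of BCDB’s internals; the record names, contents, and the in-memory “database” are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

GENESIS_PREV = "0" * 64  # link value used by the very first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str      # hash of the previous block (the chain link)
    record_id: str      # hypothetical database record this block describes
    version: int        # 1 for the original insert, 2+ for later updates
    data_hash: str      # SHA-256 of the record bytes kept in the off-chain database
    block_hash: str = ""  # this block's own hash, set when appended

    def compute_hash(self, prev_hash: str) -> str:
        # The hash covers the link to the previous block plus all metadata,
        # so altering either the link or the metadata changes the result.
        payload = json.dumps(
            {"index": self.index, "prev": prev_hash, "record": self.record_id,
             "version": self.version, "data": self.data_hash},
            sort_keys=True,
        ).encode()
        return sha256_hex(payload)


class HashChain:
    """Append-only metadata ledger over a plain key/value 'database' (constructed)."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []
        # Off-chain store: record_id -> every version ever written; nothing is overwritten.
        self.records: Dict[str, List[bytes]] = {}

    def append(self, record_id: str, content: bytes) -> Block:
        versions = self.records.setdefault(record_id, [])
        versions.append(content)  # an "update" is a new version; old ones stay readable
        prev = self.blocks[-1].block_hash if self.blocks else GENESIS_PREV
        block = Block(len(self.blocks), prev, record_id, len(versions), sha256_hex(content))
        block.block_hash = block.compute_hash(prev)
        self.blocks.append(block)
        return block

    def verify_chain(self) -> List[int]:
        """Rebuild every hash from the genesis block forward and return the indices
        whose stored hash no longer matches. Because each recomputed hash is fed into
        the next block, one altered block invalidates every block after it."""
        bad, prev = [], GENESIS_PREV
        for b in self.blocks:
            recomputed = b.compute_hash(prev)
            if recomputed != b.block_hash or b.prev_hash != prev:
                bad.append(b.index)
            prev = recomputed  # feed the recomputed value forward, not the stored one
        return bad

    def verify_data(self) -> List[Tuple[str, int]]:
        """Compare each stored record version against the hash anchored on the chain."""
        mismatched = []
        for b in self.blocks:
            current = self.records[b.record_id][b.version - 1]
            if sha256_hex(current) != b.data_hash:
                mismatched.append((b.record_id, b.version))
        return mismatched


def demo() -> dict:
    chain = HashChain()
    chain.append("invoice-1", b"amount=100 EUR")  # constructed sample records
    chain.append("invoice-2", b"amount=250 EUR")
    chain.append("invoice-1", b"amount=120 EUR")  # update -> invoice-1 version 2
    clean = (chain.verify_chain(), chain.verify_data())

    # 1) Ransomware overwrites the database copy of invoice-2 with ciphertext:
    #    the ledger is intact, but the anchored hash exposes the changed record.
    chain.records["invoice-2"][0] = b"<ciphertext>"
    db_tamper = (chain.verify_chain(), chain.verify_data())

    # 2) The on-chain reference is rewritten to match the ciphertext: the data
    #    check now passes, but block 1 and everything after it fail verification.
    chain.blocks[1].data_hash = sha256_hex(b"<ciphertext>")
    chain_tamper = (chain.verify_chain(), chain.verify_data())

    return {"clean": clean, "db_tamper": db_tamper, "chain_tamper": chain_tamper,
            "invoice1_versions": len(chain.records["invoice-1"])}
```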
The question remains whether blockchain is capable of handling the new trend imposed by the Maze ransomware, where data is also exfiltrated. By itself, no. But the Modex BCDB solution has an answer: encryption. To supplement the security capabilities of a standard blockchain network, Modex BCDB comes with a data encryption mechanism that removes the need for programmers to write new code to encrypt the data. To enhance user experience and add a layer of flexibility to the BCDB environment, users have the option to enable automatic encryption at the field level. As such, any new data inserts are automatically stored in an encrypted format. In case of a data breach by ransomware or by any other cybersecurity threat, encryption will act as the last line of defense, as malicious actors will steal only ciphertext.
In the cybersecurity field, there are two opposing forces engaged in a constant race to outsmart each other: those who seek to compromise, steal and destroy for their personal gain, and those who seek to preserve and protect. For the past decade, ransomware has evolved in complexity at an alarming rate, managing to outwit and elude cybersecurity experts. To even the playing field, businesses and enterprises implement preemptive measures and cybersecurity tools. But recent attacks have demonstrated that, most of the time, the traditional approach towards combating ransomware is no longer viable. Maybe it’s time for enterprises and companies to look towards blockchain technology to get the upper hand on the ransomware threat.