Discussion Points on Ransomware
Anyone entering the DFIR field will inevitably encounter ransomware. Ransomware can be used by malicious actors to extort vulnerable individuals and organizations at scale. Researchers at Armor report that in 2019 alone they were notified of 54 victims in the education industry, subsequently affecting over 500 U.S. K-12 schools. (Armor, 2019) “Ransomware is a type of malware that blocks access to a system, device, or file until a ransom is paid.” (Center for Internet Security, 2019) The Center for Internet Security reports that, “Victims are at risk of losing their files, but may also experience financial loss due to paying the ransom, lost productivity, IT costs, legal fees, network modifications, and/or the purchase of credit monitoring services for employees/customers.” (Center for Internet Security, 2019) Ransomware authors typically demand that the ransom be paid in cryptocurrency, with bitcoin being the standard. Even if the ransom is paid and the decryption key is obtained, there is still no guarantee that the data is recoverable: decryption tools may not function as intended, and it is possible for the data to be irreversibly damaged.
While it may seem like ransomware is hopelessly wreaking havoc, ransomware authors have been tried and convicted in United States federal court. In 2018, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were indicted on six charges relating to the cybercrime facilitated by the SamSam variant of ransomware, which they had authored. The Iranian nationals targeted 200 victims, consisting primarily of hospitals, municipalities, and public institutions. “‘The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,’ said Deputy Attorney General Rosenstein.” (United States Department of Justice, 2018)
The strength of a ransomware family's encryption scheme often determines its effectiveness. For example, earlier strains of ransomware that used weaker encryption algorithms, or implemented them poorly, may eventually be broken by a decryption program developed by a security professional. The website nomoreransom.org hosts a few dozen such ransomware decryption programs. Other variants of ransomware may prove far more difficult for cryptologists to break. Fortinet reports that the Sodinokibi ransomware uses an 8192-bit encryption key. “Using RSA encryption with 8192 bits of key size is very unusual. In fact, this may be the first time that we have seen a ransom malware use such strong – albeit overkill and inefficient for its purpose – encryption algorithm to protect information. In most cases, 2048 and 4096 key sizes are more than enough to secure any message.” (Salvo, 2019)
The ability to automate extortion through the distribution of ransomware is a groundbreaking innovation for criminals. Although some ransomware authors may be prosecuted for their crimes, numerous victims still find themselves helplessly locked out of their most sensitive data. It is the responsibility of the security community to develop stronger security measures to prevent ransomware. I believe this should be considered a high-priority item, as victims of ransomware are often targeted precisely because of the sensitivity of their data.
For information regarding ransomware infections and how to prevent them, see the following sources:
Armor. (2019, September 29). Armor Identifies 15 New Ransomware Victims in the Last 2 Weeks, All of them Educational Institutions. Retrieved from armor.com: https://www.armor.com/threat-intelligence/armor-identifies-10-new-ransomware-victims-in-the-past-9-days/
Center for Internet Security. (2019). Ransomware: Facts, Threats, and Countermeasures. Retrieved from cisecurity.org: https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/
Center for Internet Security. (2019). Security Primer – Ransomware. Retrieved from cisecurity.org: https://www.cisecurity.org/white-papers/security-primer-ransomware/
Salvo, J. (2019, September 17). Nemty Ransomware 1.0: A Threat in its Early Stage. Retrieved from fortinet.com: https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html
United States Department of Justice. (2018, November 28). Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses. Retrieved from justice.gov: https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public