Ransomware Repercussions: A Cautionary Tale
We wanted to share this blog, authored by our partners at Duo Security, that explains how a typical ransomware attack works.
The insidious nature of malicious software has not been lost on any of us. Computers and networks have been dealing with malware in one form or another for decades. Though in recent weeks ransomware has been firmly at the forefront of people’s minds, the first documented instance of what we now know as ransomware dates back to Dr. Joseph Popp in 1989. This raises the question: why is ransomware in such clear focus now?
Honestly? Because we’ve all had enough of it.
When Popp’s AIDS ransomware was released, it didn’t rely on an internet connection, nor did it have the benefit of Satoshi’s brainchild (which was still years away). It would install from a CD onto the hard drive, where it would overwrite the AUTOEXEC.BAT file and wait until the system had rebooted 90 times. Next, it would encrypt files on the victim’s system and deny access until they sent a $189 payment to a post office box in Panama.
Bait CDs were then distributed at the World Health Organization’s AIDS conference. From there the malware found its way onto multiple systems. Now, extortion is nothing new. According to James Lindgren’s paper, “The Theory, History, and Practice of the Bribery-Extortion Distinction,” extortion has been used for manipulation and profit since the 1200s. But the act of doing so in a digital medium was indeed novel at this point in history.
Back in 1989, there was the maddening aspect of having to produce and send out CDs via the postal service. Apparently, Popp’s plans included a proposed further distribution to an additional 2 million potential targets. At that volume, the production and distribution costs alone would have been staggering, hence the (then) high cost of $189 to the victim.
Today, an attacker only needs to upload code to a file share and send out a link, and they’re off to the races. Costs for the criminal element have dropped. Ease of distribution has skyrocketed, and collecting extortion payments has become very simple.
So simple, in fact, that anyone can get in on the action. Sometimes this happens with extremely unfortunate consequences. For example, a hospital in Düsseldorf, Germany became infected with ransomware that managed to encrypt its systems. The attackers were able to gain access via a well-known vulnerability in one of the hospital’s systems. The hospital had in fact patched the system the day the patch was available, but it is a very real possibility that the damage had already been done.
The attackers actually intended to target the systems of an associated university of the same name as the hospital, ultimately hitting the hospital in error. However, this error proved to have tragic implications. A patient was being rushed to the hospital but couldn’t be admitted because the healthcare-related computer systems were offline. As a result, the patient’s ambulance was rerouted to another hospital miles away. She never made it.
This starkly illustrates how quickly the tables can turn (and have turned). What was once merely an attempt to steal money led to, well, death.
What makes this possible? Well, attackers are leveraging today’s technology. No longer reliant on the postal service and PO boxes, they can use cloud computing platforms to build and sell their malicious software. Ransomware as a Service is here, allowing attackers to scale up their operations as easily as any growing startup.
Rather than throw our hands up in the air and accept defeat, we can take steps to counter the threat of ransomware. We need to ensure that systems, accounts and applications are all protected from direct attacks by the criminal element. As defenders of our systems, we have a responsibility to protect our assets, data, applications and people.
A strong strategy is essential for helping enterprise organizations accomplish their goals. Continuous trusted access, or zero trust, is a great approach to help reduce the risk of data breaches and malicious attacks. While it’s an incremental process, we can address some of the low-hanging fruit first. Multi-factor authentication (MFA) and DNS monitoring can drastically reduce the chances of an attacker gaining access to your systems.
Attackers often rely on unpatched vulnerabilities or purloined passwords. What if you could remove their access? Attackers also often reuse tactics, techniques and procedures (TTPs). What if you could use the fingerprints of those prior attempts to uncover attacks before they launch?
We’ve seen far too many stories about enterprises and organizations falling victim to ransomware. There is a need to have a strong strategy to protect the organization from these attacks.