Ransomware is a dangerous type of malware that causes high financial losses for organisations. It is usually installed using a form of privilege escalation attack, after which it encrypts data and demands a ransom. In this paper, we analyse the ransomware life cycle and answer the question of how to arrange information security defences to combat a ransomware outbreak.
Table of Contents
List of Figures
List of Tables
Part 1:
A. The Importance of Information Security
B. What is Ransomware, Its History and How Does It Work?
C. In-depth Discussion of the Vulnerability of the System Which Led to the WannaCry Ransomware Attack
D. The Impact of This Type of Attack on the Confidentiality, Integrity and Availability of the Data and Resources Being Attacked
Part 2:
Discussion of Basic Guidelines and Security Safeguard Measures That Can Be Applied to This Scenario to Mitigate the Chances of Future Attacks
Reference List
List of Figures
Figure 1 - Anatomy of a Ransomware Attack (Liska & Gallo, 2016).
Figure 2 - Defence-in-depth architecture
Figure 3 - Fully integrated anti-malware solution.
List of Tables
Table 1 - Defending against ransomware
Part 1:
A. The Importance of Information Security
Information is an important asset for individuals, organisations, and governments. Stealing confidential information such as credit card numbers or intellectual property can cause financial loss or reputational damage. For example, organisations invest in research that creates intellectual property in order to secure their future earnings and pursue innovation (Casey, 2012). Because of that, Rao & Nayak (2014) state that intellectual property is a valuable asset that needs to be protected from theft or unauthorised access, as its loss will mainly cost a severe financial loss. Chai, et al. (2016) state that individuals might be subjected to electronic bullying and harassment through internet social media such as Facebook and Twitter. In most cases, customer information is protected by law, which means that the theft of customers' sensitive information, such as personally identifiable information (PII) and protected health information (PHI), will cause organisations to pay fines that also count as a financial loss, in addition to reputational damage. In the healthcare industry, unauthorised modification of medical records can cost human lives.
Hammondl (2013) states that effective information security addresses the security triad (Confidentiality, Integrity & Availability). Confidentiality guarantees that sensitive information (e.g. PHI, PII, credit card data, etc.) is accessed only by those who have the authority to access it (Barham, 2010). Integrity, on the other hand, is making sure that data is protected against unauthorised malicious or unintentional modifications (Hammondl, 2013). Finally, availability guarantees that information is available to the right person when it is needed and access has been granted (Barham, 2010).
BBC (2017) reported on 12 May an example that shows how important information security is to our lives. Information security was violated by a massive cyber-attack that hit NHS services across England and Scotland, disrupting hospital operations and GP appointments and forcing staff to use pen and paper.
B. What is Ransomware, Its History and How Does It Work?
A ransomware attack is a malware outbreak in which a type of malware is used to extort victims by taking their data hostage until its owners pay a certain fee (Liska & Gallo, 2016). Mansfield-Devine (2016) states that it is a technological form of blackmail by which malware on a victim's mobile or personal computer encrypts or denies access to files and asks for money in exchange for the decryption key or for restoring access; in addition, payments are made in Bitcoin, a currency used by cyber-criminals because it is hard to track. It caused enterprises a monetary loss totalling US$209 million in the first three months of last year alone (Trend Micro, 2016). Liska & Gallo (2016) state that the first ransomware ever created, known as AIDS, was written by Joseph Popp in 1984. Its malicious code was designed to replace the AUTOEXEC.BAT on the infected machines, allowing only 40 reboots before hiding all directories and claiming that they were encrypted. In 2005, the first modern ransomware that used a symmetric encryption technique was released; it was known as GPCoder, and its encryption was weak and easy to overcome (Richardson & North, 2017). In 2013, CryptoLocker was released; it encrypted files using public and private keys and spread when the victim clicked on a link that appeared to be from UPS (McDermott, 2015).
Liska & Gallo (2016) state that a ransomware operation has several phases (see Figure 1, page 7), starting with the deployment or installation phase. This installation is driven by convincing the victim to download malicious software by clicking a link in a phishing email, or it uses an unknown system vulnerability, also called a zero-day vulnerability, for remote execution of the malware. Following that, it establishes connections (e.g. HTTP, TOR) with its command servers, collects information about the victim and its network, identifies what to encrypt and where, and exchanges the encryption keys (Liska & Gallo, 2016). Afterwards, it encrypts the files, and then payment is demanded for decryption.
[Figure not included in this excerpt]
Figure 1 - Anatomy of a Ransomware Attack (Liska & Gallo, 2016).
C. In-depth Discussion of the Vulnerability of the System Which Led to the WannaCry Ransomware Attack
In April 2017, gigabytes of software exploit tools were leaked from the National Security Agency (NSA) by the Shadow Brokers. Among these tools, one called EternalBlue was used to exploit a vulnerability in Server Message Block version 1 (SMBv1) that enables uploading code to a writable share and then loading it into memory and executing it (Goodin, 2017). The EternalBlue toolkit was used by the WannaCry ransomware authors to exploit this vulnerability in order to replicate itself across the network like a worm (Sophos KB, 2017). EternalBlue runs along with EternalRocks in a multistage process: it starts by communicating with a command and control server through the TOR browsing service to download and install an additional exploit pack, then scans the local area network and the internet for open port 445, and then repeats this process on the other machines found during the scan (Heller, 2017). Microsoft announced this vulnerability on March 14, 2017 under the number MS17-010 and released a critical security update that patches the different versions of Windows against it by changing how SMBv1 handles specially crafted requests (Microsoft, 2017). According to this announcement, the vulnerability allows remote code execution and information disclosure, and Microsoft recommended disabling SMBv1 and relying on SMBv2 and SMBv3. Samani et al. (2017) state that by using the MS17-010 vulnerability an attacker can gain access to and escalate privileges on a remote system in one step, which means that the ransomware can take control of every machine on the local area network that has not received the MS17-010 patch by infecting only one machine. Microsoft (2017) states that these vulnerabilities have been recorded in the Common Vulnerabilities and Exposures database under the number CVE-2017-0148. All legacy operating systems (e.g. Windows XP, Windows 2003, etc.) lack the Windows security patches that would harden them against the SMBv1 vulnerability, as they have been announced to be end of life (Microsoft, 2016). Furthermore, Linux is not out of the way of this threat: a Linux SMB vulnerability has been recorded in the Common Vulnerabilities and Exposures database under the number CVE-2017-7494, with the same impact of privileged remote code execution as CVE-2017-0148 (CVE, 2017). Intrusion detection and prevention vendors worked actively to develop signatures for the SMBv1 vulnerability in order to have better detection and prevention controls. For example, McAfee (2017a) state that they developed an urgent UDS signature that detects the EternalBlue remote code execution attack and can prevent it.
Correct configuration of the security controls is also crucial. Clark (2017) of Malwarebytes Labs states that, as part of an anti-sandbox technique, the malware tries to connect to a website (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com); if it cannot connect, it will not execute, so if the sandboxing technology is not configured to grant the malware internet access, it will not detect the malware. In this case, the sandboxing solution should grant the malware execution process internet access, or it will not detect it.
In conclusion, the WannaCry ransomware attack makes use of a leaked exploit toolkit to compromise platforms that are not patched against the SMBv1 vulnerability (e.g. MS17-010), gain privileged access and start replicating itself to platforms in similar circumstances. In addition, proper configuration of the security controls is crucial for detecting and preventing ransomware attacks.
D. The Impact of This Type of Attack on the Confidentiality, Integrity and Availability of the Data and Resources Being Attacked
Stoneburner (2001) gives clear definitions of the concepts of the security triad in the National Institute of Standards and Technology special publication NIST SP 800-33. He states that confidentiality of data and system information means preventing disclosure of, or access to, information by unauthorised individuals; integrity is the prevention of any unauthorised modification; and availability is the assurance that systems and data work promptly and that service is not denied to authorised users. According to Mansfield-Devine (2016), ransomware in general can completely bring down business operations (Wrights, 2016), which is a direct impact on the availability of services and information. For example, in hospitals or healthcare providers, ransomware on a victim device (e.g. a server holding patients' medical records) encrypts the files on its hard drives, making them unavailable or inaccessible and putting human lives in danger (Ayala, 2016). According to Malwarebytes (2017), the WannaCry malware, once it has escalated privileges, starts scanning the network for systems vulnerable through SMBv1 with a very low scanning profile in order to avoid scan detection, in an attempt to spread and convert all the hosts on the network into zombies of the C & C server before it starts identifying files to encrypt and encrypting them; this means that the confidentiality of the network and its topology is violated and leaked. After the files have been identified, it encrypts a copy of them in the destruction phase, while the original file is deleted or access to it is denied, which is a direct violation of availability (Clark, 2017). Furthermore, Liska & Gallo (2016) state that some ransomware makes files inaccessible by rendering the applications that use them unusable; for example, the ransomware displays a full-screen window that covers the entire desktop so that it cannot be used.
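As an added example (not part of the original paper) of how a defender can detect the two WannaCry behaviours described on this page, the kill-switch domain lookup from section C and the low-profile port-445 scanning in this paragraph, the following Python script runs two checks over constructed DNS and flow log lines. The log formats, host addresses and thresholds are assumptions; the domain is the one cited above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-switch domain as cited on this page (Clark, 2017); all hosts below are constructed RFC 1918 samples.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed DNS resolver log: "<timestamp> <client> query <type> <name>"
DNS_LOG = """\
2017-05-12T10:01:02 10.0.0.17 query A www.example.com
2017-05-12T10:01:05 10.0.0.23 query A WWW.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
"""

# Constructed flow log: "<timestamp> <src> -> <dst>:<port> tcp SYN". 10.0.0.23 probes six hosts
# on 445 roughly ten minutes apart (a slow scan); 10.0.0.17 only talks to the file server 10.0.0.5.
FLOW_LOG = """\
2017-05-12T10:02:00 10.0.0.23 -> 10.0.0.5:445 tcp SYN
2017-05-12T10:03:10 10.0.0.17 -> 10.0.0.5:445 tcp SYN
2017-05-12T10:12:00 10.0.0.23 -> 10.0.0.6:445 tcp SYN
2017-05-12T10:22:00 10.0.0.23 -> 10.0.0.7:445 tcp SYN
2017-05-12T10:31:00 10.0.0.17 -> 10.0.0.5:445 tcp SYN
2017-05-12T10:32:00 10.0.0.23 -> 10.0.0.8:445 tcp SYN
2017-05-12T10:42:00 10.0.0.23 -> 10.0.0.9:445 tcp SYN
2017-05-12T10:52:00 10.0.0.23 -> 10.0.0.10:445 tcp SYN
"""

def hosts_querying_kill_switch(dns_log):
    """Clients that resolved the kill-switch name (case and trailing-dot insensitive)."""
    return {line.split()[1] for line in dns_log.splitlines()
            if line.split()[4].lower().rstrip(".") == KILL_SWITCH}

def low_rate_smb_scanners(flow_log, window=timedelta(hours=1), threshold=5):
    """Flag sources that SYN to at least `threshold` distinct hosts on tcp/445 within `window`.
    Counting distinct destinations over a long window, rather than packets per second,
    is what lets a deliberately slow scan trip the rule."""
    pat = re.compile(r"^(\S+) (\S+) -> (\S+):445 tcp SYN$")
    events = defaultdict(list)          # src -> [(timestamp, dst)]
    for line in flow_log.splitlines():
        m = pat.match(line)
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):   # sliding window anchored at each event
            dsts = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                flagged[src] = len(dsts)
                break
    return flagged
```

Running both checks against the sample logs points at the same host, 10.0.0.23, which is the kind of corroboration an analyst would want before isolating a machine.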
In addition, the ransomware gains full privileged access to choose and encrypt whatever is valuable to the victim (Samani, et al., 2017), which is unauthorised access that leads to the disclosure of information. After the deployment and installation phase, the ransomware tries to establish a connection with a command and control (C & C) server. Liska & Gallo (2016) state that it then waits for instructions (e.g. download exploit tools, execute commands, etc.) and sometimes reports back to its server with a large amount of information about the local systems (e.g. IP address ranges, domain name, file types, file locations, etc.). Indeed, Ionita & Patriciu (2016) state that once the victim is connected to the C & C servers, they can carry out either the rest of the WannaCry ransomware anatomy or anything else, even a DDoS attack, as the victim has become a zombie. In 2013, a dangerous exploit tool, PassFreely, was leaked by the Shadow Brokers (the same group that leaked EternalBlue); it is used to bypass Oracle database authentication in memory, permitting unauthenticated sessions to an Oracle instance of version 11.2.0.1 on Windows Server 2008 R2 (Rashid, 2017). So, if we consider that both tools were leaked by the Shadow Brokers, the same mysterious online group that leaked EternalBlue, that EternalBlue is a main component of the WannaCry ransomware, and that WannaCry receives instructions from its C & C server, PassFreely could be downloaded and executed. Rashid (2017) states that if the compromised machine is a Windows server platform running an Oracle database that is unpatched against the PassFreely exploit, the WannaCry authors might gain access to the Oracle database, which is a direct violation of integrity and confidentiality.
[...]