If there were any doubt that ransomware is booming, these stats from Symantec's 2016 ISTR seem to settle it:
That represents a 35% increase from 2014. As the ISTR charts below show, the upward trend in both new ransomware variants and new ransomware families is accelerating.
What these increases represent is the rapid productization of a very profitable attack method. Criminals have realized ransomware is where the money is. Successful attacks, along with a collective ¯\_(ツ)_/¯ from law enforcement, are emboldening them to ramp up their campaigns, diversify their techniques, go after a wider range of targets (including hospitals, schools, and even police departments), and increase their demands.
Just how long do users and their IT admins have to react between unwittingly executing infected files and being alerted their data has been encrypted? To find out, I conducted a test timing the speed of encryption of various ransomware samples.
Before we dive into the results, a few notes about the test:
Test machine: 2-core, 2.9 GHz Intel i5 Windows VM with 4 GB of RAM and an SSD. Along with a standard install, I put 1,000 Word documents on the computer, approximately 70 MB in total.
Starting at execution, here are the times it took for the following ransomware samples to encrypt the files and notify me with a ransom screen:
Five out of the seven samples finished the encryption process in under a minute.
Thanks to research from Invincea, we can see Locky is also a member of this club, having been clocked at taking just 54 seconds between execution and notification:
To help put these times into perspective, here's a video that shows TeslaCrypt in action:
To be effective, ransomware needs to avoid detection until encryption is complete.¹ Many security solutions monitor for indicators the ransomware emits (e.g. new unique processes, execution in unusual directories like TEMP/Recycling Bin, strange DNS/Network Flows, deletion of Volume Shadow Copies) and alert security teams monitoring a log aggregator/SIEM.
In ideal conditions, an analyst is available to catch the alerts, correlate them as a malware incident, and remediate it. But in even the most well-tuned security organizations, response can take tens of minutes after the event is detected.
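To make the indicators above concrete, here is an added example (not code from the original post or from Barkly) that runs three of them over constructed endpoint telemetry: a process executing from a user-writable staging directory such as TEMP or the Recycle Bin, deletion of Volume Shadow Copies via vssadmin or wmic, and a burst of file modifications by one process inside a short window, which is what fast encryption looks like from the file system's side. The event layout (timestamp, event kind, process image, detail string), the sample paths and the burst thresholds are all assumptions chosen for the illustration, not values from the post.

```python
"""Behavioral ransomware indicators over constructed endpoint telemetry.

Each event is a tuple (timestamp, kind, image, detail):
  kind == "proc": a process start; detail carries the command line
  kind == "file": a file write;   detail carries the target path
The layout mimics process-creation and file-write telemetry but is an
assumption of this example, not a specific product's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Directories ransomware droppers commonly stage from (lower-case substrings).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\$recycle.bin\\")

# Command lines that remove Volume Shadow Copies, the local restore points.
SHADOW_DELETE = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
)


def detect(events, burst_files=5, burst_seconds=10):
    """Return a list of (indicator, image, iso_timestamp) alerts.

    burst_files / burst_seconds: how many file writes by one process within
    how many seconds count as an encryption-style burst (assumed thresholds).
    """
    alerts = []
    recent = defaultdict(deque)   # image -> timestamps of its recent file writes
    already_bursted = set()       # alert once per process, not once per file

    for ts, kind, image, detail in sorted(events, key=lambda e: e[0]):
        low = image.lower()
        if kind == "proc":
            if any(d in low for d in STAGING_DIRS):
                alerts.append(("staging_dir_exec", image, ts.isoformat()))
            if any(p.search(detail) for p in SHADOW_DELETE):
                alerts.append(("shadow_copy_deletion", image, ts.isoformat()))
        elif kind == "file":
            window = recent[image]
            window.append(ts)
            # Drop writes older than the sliding window.
            while window and ts - window[0] > timedelta(seconds=burst_seconds):
                window.popleft()
            if len(window) >= burst_files and image not in already_bursted:
                already_bursted.add(image)
                alerts.append(("file_write_burst", image, ts.isoformat()))
    return alerts


def constructed_events():
    """Constructed sample telemetry (not from a real incident); paths are placeholders."""
    base = datetime(2016, 5, 1, 9, 0, 0)
    word = "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    dropper = "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"
    events = [
        (base, "proc", word, "cmdline=WINWORD.EXE q1.docx"),
        (base + timedelta(seconds=1), "proc", dropper, "cmdline=invoice.exe"),
        (base + timedelta(seconds=2), "proc", "C:\\Windows\\System32\\vssadmin.exe",
         "cmdline=vssadmin.exe delete shadows /all /quiet"),
        # One ordinary save by Word: a single write, no burst.
        (base + timedelta(seconds=5), "file", word, "C:\\Users\\alice\\Documents\\q1.docx"),
    ]
    # Eight writes by the dropper within two seconds: encryption-style burst.
    for i in range(8):
        events.append((base + timedelta(seconds=3, milliseconds=200 * i), "file", dropper,
                       f"C:\\Users\\alice\\Documents\\report_{i}.docx"))
    return events


def benign_events():
    """Constructed control set: only the Word activity, which should raise nothing."""
    return [e for e in constructed_events() if "WINWORD" in e[2]]


if __name__ == "__main__":
    for indicator, image, when in detect(constructed_events()):
        print(f"{when}  {indicator:22s}  {image}")
```

The burst rule is the one that matters most given the timings in this post: with encryption finishing in under a minute, a detector that waits for a hash match or a reputation lookup is too slow, whereas a write-rate threshold fires within the first few seconds of activity. The thresholds here are illustrative and would be tuned against the normal write rate of the environment.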
We recently surveyed IT pros at small and medium-sized businesses who had been hit with ransomware and asked them how quickly they were notified of an attack. Their responses weren't encouraging.
As our encryption time trial numbers above show, ransomware doesn’t need anywhere close to that much of a head start to do its damage.
With the explosion of new ransomware families, we are seeing malware execute within a matter of seconds, not hours or even minutes. For many of the survey respondents and other victims like them, notification came too late.
To make matters worse, ransomware is also evolving from using inefficient, easily recoverable custom encryption schemes to fast and cryptographically sound techniques. Not only has ransomware encryption gotten faster, it’s also become nearly impossible to break.
Speed also becomes an important factor when you consider encryption isn’t always confined to files on a single user’s machine. Many ransomware families we tested, including the Virlock, TeslaCrypt, and CTB-Locker samples, also enumerate and encrypt network file shares. Ransomware campaigns like Samsam have shown that an entire network can be compromised, with potentially catastrophic effects on an organization.
That makes realizing just how fast ransomware encrypts files even more scary.
Traditional incident response has generally been broken down into non-targeted commodity malware remediation and advanced threat response. In the past, AVs generally performed well at stopping commodity malware attacks, leaving human-driven incident response to tackle the challenges of insider and advanced persistent threats.
Security vendors responded by focusing on giving their customers more data, a requirement for most well-staffed incident response groups for post-mortem analysis. That kind of reactive treatment may make sense for rooting out advanced and insider threats, but it isn't effective against ransomware.
Once it's on a system, ransomware doesn't settle in and lie low. Forget being stealthy and establishing persistence. It grabs all it can, makes a break for it, then hurls a ransom-note-wrapped rock smashing back through your window.
That leaves the heavy lifting of stopping ransomware before it can do its encrypting damage to more proactive, preventive tools like A/V. Unfortunately, confidence in A/V has been steadily eroding since the infamous 2014 Wall Street Journal interview in which Symantec's then SVP of Information Security, Brian Dye, declared “antivirus is dead,” pointing out it only detected 45% of malware.
In the two years since, things have not gotten better for companies relying on A/V and other signature-based security. As this year's Verizon DBIR indicates, 99% of malware is seen only once before hackers modify the code and ship it back out as a slightly modified version that continues to evade detection.
That's bad news for signature defense like anti-virus and traditional network sandboxes. See my previous post, "The Problem with Signature-Based Security" for more on why.
With so little time to react before it's too late and encryption has taken place, perhaps the best way to address ransomware is to encourage safe behaviors to avoid it in the first place.
Efforts like better user education and phishing awareness are a great way to reduce the ransomware risk, but unfortunately they don't completely eliminate it. That's because in addition to email, ransomware is also using ad-networks for distribution. Recently, MSN.com, the default homepage for most Windows machines, was found serving TeslaCrypt via the Angler Exploit Kit.
Ransomware will find its way onto user machines, and when it does, it's the protective "safety nets" we have in place (like backup and behavioral-based endpoint protection) that can make the difference.
With the proliferation of SSDs and hardware-assisted acceleration like Intel’s AES-NI, we can only expect ransomware speeds to get faster. Additionally, ransomware authors are reaping the financial benefits of successful campaigns, and we can expect better-funded future campaigns to continue to push advanced capabilities. It is not hard to imagine ransomware evolving to steal credentials for other resources, such as cloud services like Dropbox, and holding those services for ransom as well.
This security gap is only widening. To close it, we need to neutralize ransomware's speed as an advantage. That means developing ways of responding to ransomware from the onset — through protections that prevent infection and automatically remediate.
¹ To avoid detection, some samples operate in the process space of other processes to hide from the task manager, while others like recent versions of TeslaCrypt prevent the user from opening the taskbar. The few seconds of confusion are enough to allow it to encrypt and hold a user’s contents hostage.
Rick is a Principal Malware Researcher at Barkly. He has over 13 years experience working in computer security research and development including malware analysis, embedded systems, and wired/wireless networking.