
Hackers will set extortion demands based on a victim’s ability to pay. Some will give users a countdown before the key to unlock their files is deleted and a Web address they can send payment to.


Security-software providers are in a constant cat-and-mouse game with ransomware makers who can find ways to penetrate even well-guarded systems. The following is an account of a real attack that happened in February of this year, as described by Chris Whidden, a security engineer based out of New York who works for Canadian security consultancy eSentire Inc.

Thursday, Feb. 25, 7:43 a.m.:

Employees at an unnamed registered investment adviser begin receiving invoices in their e-mail inboxes that suggest they have racked up huge fees on a well-known car service. Within seconds, dozens of employees get these messages, which are very convincing fakes of a real invoice e-mail, at the New York and London offices. One employee in New York opens the e-mail and clicks the link that says "download this invoice."

This is a security-conscious company that has had employee training to avoid doing this very thing, and also employs the real-time monitoring of eSentire – not to mention that the company has next-generation anti-virus firewalls. Still, the so-called "phishing" e-mail attack works because humans are naturally curious; clicking bad links and opening Microsoft Office docs remains the top vector for phishing ransomware attacks.

Clicking the link in this case downloads JavaScript that tries to fetch a file called 87.exe, actually a version of the ransomware TeslaCrypt first discovered in February, 2015, from several different IP addresses. Those addresses are blacklisted by eSentire's Asset Manager Protect software as known hacker nodes, so the downloads are blocked. A second later, 87.exe is successfully downloaded from an IP address that is not yet on the hacker blacklist.

7:44 a.m.:

The ransomware begins to install on the user's PC. Because it is a new variant of TeslaCrypt, the firewalls do not recognize it as malware as it installs itself; it bears no signatures of previous hacker products. What it is doing, Mr. Whidden says, is "introducing anomalous signals on the network." Twenty seconds after installation, it "beacons" or sends a message back to the IP address it came from, blasting a message that says in essence: "Hey, I got into the victim, give me a key so I can start encrypting files." This communication triggers an alert in eSentire's operations centre where, for the first time, a human will look at what's going on.
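The two signals in the account above, repeated blocked fetches of the same executable from blacklisted addresses and, seconds later, a callback from the infected host to the address the executable finally came from, can be correlated from ordinary proxy or firewall logs. The script below is an added example, not eSentire's tooling; the log format, host names and IP addresses are constructed.

```python
"""Flag a host that downloads an executable and then contacts the same
address again within a short window (a beacon to the download source).
Added example with an assumed log format; all values are constructed."""
from datetime import datetime

# Constructed sample log lines: timestamp, source host, destination IP,
# firewall action and the path requested. IPs are from documentation ranges.
SAMPLE_LOGS = """\
2016-02-25T07:43:12 host=NY-WS-17 dst=198.51.100.10 action=BLOCK get=/87.exe
2016-02-25T07:43:12 host=NY-WS-17 dst=198.51.100.11 action=BLOCK get=/87.exe
2016-02-25T07:43:13 host=NY-WS-17 dst=203.0.113.45 action=ALLOW get=/87.exe
2016-02-25T07:43:33 host=NY-WS-17 dst=203.0.113.45 action=ALLOW get=/checkin
2016-02-25T07:43:40 host=NY-WS-02 dst=203.0.113.9 action=ALLOW get=/index.html
"""
BEACON_WINDOW_SEC = 60  # a callback to the download source this soon is suspicious


def parse(line):
    """Turn one 'key=value' log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def blocked_attempts(log_text):
    """Count blocked fetches per host: the same file being refused from
    several addresses is a warning even before any download succeeds."""
    counts = {}
    for rec in (parse(l) for l in log_text.splitlines() if l.strip()):
        if rec["action"] == "BLOCK":
            counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


def find_beacons(log_text, window=BEACON_WINDOW_SEC):
    """Return (host, ip, seconds) for every host that was allowed to fetch an
    .exe from ip and then contacted ip again within `window` seconds."""
    exe_downloads = {}  # (host, ip) -> time of the allowed .exe fetch
    hits = []
    for rec in (parse(l) for l in log_text.splitlines() if l.strip()):
        key = (rec["host"], rec["dst"])
        if rec["action"] == "ALLOW" and rec["get"].lower().endswith(".exe"):
            exe_downloads[key] = rec["ts"]
        elif key in exe_downloads:
            delta = (rec["ts"] - exe_downloads[key]).total_seconds()
            if 0 < delta <= window:
                hits.append((rec["host"], rec["dst"], delta))
    return hits


if __name__ == "__main__":
    print("blocked fetches per host:", blocked_attempts(SAMPLE_LOGS))
    for host, ip, secs in find_beacons(SAMPLE_LOGS):
        print(f"ALERT {host} fetched an executable from {ip}, called back {secs:.0f}s later")
```

On the constructed sample this reports two blocked fetches for NY-WS-17 and a callback 20 seconds after the allowed download, the interval described above; in practice the window and the executable-name test would be tuned to the environment.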

As this is happening, TeslaCrypt is looking for files to encrypt, avoiding recently used files so as not to tip off the user. It rewrites the data it finds with the Advanced Encryption Standard (AES), developed in 2001 by the U.S. National Institute of Standards and Technology (NIST), which works on 128-bit blocks (it takes any 128-bit block of data and replaces it with a same-sized block of garbled text). This version uses a 256-bit key, which means each 128-bit block is put through 14 rounds of transformation, so the encrypted data is many generations removed from the original. Given time, a supercomputer might be able to untangle that garbling in what's called a "brute force" attack; for AES-256 it would take a supercomputer roughly 13 billion years. Effectively, that encryption is unbreakable unless you buy the decryption key from the hacker who possesses it.

Where once TeslaCrypt would ask for the equivalent of a few hundred dollars in mostly anonymous bitcoin, nowadays hackers will means-test extortion demands based on a victim's ability to pay. Ransomware will sometimes pretend to be a police agency demanding that a user pay fines for cybercrimes. TeslaCrypt is more direct, giving the users a countdown before the key to unlock their files is deleted and a Web address they can send payment to. There are only two options: Pay or lose your files. Turning off your computer, unplugging it from the Internet, praying over it – none of that will work.

7:54 a.m.:

An analyst has evaluated the attack in eSentire's Security Operations Centre in Cambridge, Ont., and calls the client directly with the warning: You've got ransomware in your building. The company remotely cuts the phishing victim's connection to the internal network and to the Internet before staff set off to find the physical machine. Files on the PC continue to be encrypted.

The company catches a lucky break: TeslaCrypt is designed to immediately look for shared folders, connected servers and any data-backup systems the PC can reach, but in this case the infection stayed on a single PC.

Mr. Whidden relates a similar incident, weeks earlier, at a similar-sized financial company where the infection was not detected. In the just more than five hours between infection and discovery, more than 700 gigabytes of data were encrypted, locking away an active project for 15 billable workers. The company restored the data from backups and believed it had removed the malicious software across its 20 office locations. The company was wrong. A week later, a dormant version of the same ransomware kicked into life in another office. A week after that, it happened again.

Some individuals and companies will pay to get files back. Data on how many is hard to collect, though the U.S. Federal Bureau of Investigation believes one variant called CryptoWall cost U.S. businesses $18-million between 2014 and 2015. But paying does not guarantee file recovery: Ransomware is not developed by the world's great software designers – sometimes there are bugs in the code that can destroy files forever. In 2015, some 1,641 ransomware attacks a day were reported in Canada, compared with almost 25,000 a day in the United States, according to security-software firm Symantec's Internet Security Threat Report.

8:30 a.m.:

The client notifies eSentire that the machine has been located, physically separated from the network (air-gapped) and is being wiped and restored from a fresh "master" image rather than from a backup. Any files that the local user had stored on the PC are now gone.

In some cases, that is not the end of the story. Some variants of ransomware encrypt the files and then send them to a remote server controlled by the hackers, to be used for potential blackmail. The hackers can decrypt that data and read the plain text for possible intelligence on future attacks. Increasingly, Mr. Whidden says, hackers are targeting companies that hold sensitive documents: law firms, insurance companies and hospitals are now targeted by actors who once focused mainly on quick, low-dollar blackmail of individuals or large-dollar extortion of financial institutions.

In a bizarre postscript, on May 18 security researchers at ESET released a new tool that can decrypt machines infected by the TeslaCrypt ransomware, with some unexpected help from the creators of the malevolent software. As ESET wrote in a blog post: "One of ESET's analysts contacted the group anonymously, using the official support channel offered to the ransomware victims by the TeslaCrypt's operators, and requested the universal master decryption key. Surprisingly, they made it public."

You can download that free tool here.
