2017 has been the year in which the cyber attack finally became mainstream news and a topic of public discussion, with 6 in 10 attacks being RANSOMWARE.
This year, one of the largest and most publicised ransomware outbreaks ever was seen, affecting nearly 200,000 individual accounts and changing the public’s view on how vulnerable their own systems are and, most importantly, how to prevent future attacks. However, only a few weeks later, a second worldwide attack happened.
First responders and secondary investigators are increasingly being called to assist with such attacks. Our clients have told us that there is little support available and have asked us for simple, concise and current guidance on what to do on scene and what to tell victims about target hardening and awareness.
Here is our guide on responding to ransomware offences…
1) What is Ransomware?
Rather than attacking the system or network to cause damage, ransomware seeks to restrict access to your files and applications. It is a malicious program that, once it has infected a device, encrypts the user’s data or locks the device, preventing access unless a ransom is paid to its operator.
Ransomware is not a new phenomenon, despite the sudden wave of media attention. In fact, it has existed since around 2005, but originally at a very basic level where a single device’s keyboard or monitor would simply be locked. The development of ransom cryptware (which encrypts your files using a key that only the attacker holds) has grown exponentially, and now has the power to shut down huge numbers of major worldwide and high-profile systems.
Ransomware comes in a range of complexities, which is why finding solutions like Zonealarm ransomware protection can make all the difference when it comes to protecting your digital life.
Whilst some strains use advanced methods to encrypt files on a system’s hard drive, others simply lock the system and display a message that implies a greater level of seriousness than the actual damage done.
2) Do attackers actually make money?
In a 2012 attack, 5,700 computers were infected in one day and about 3% of victims paid the ransom. At an average of $200 per victim, it is estimated that the attackers earned over $34,000 THAT DAY.
Extrapolating from that, this would be earnings of roughly $394,000 per month.
These figures come from Symantec, who gathered the data from just one command server and two Bitcoin addresses. To put that in perspective, attackers often use multiple servers and Bitcoin addresses for a single attack.
3) How can I spot a genuine attack?
Ransomware attacks have unfortunately become both commonplace and high-profile. This means that an attack’s key identifiers can be easily spotted by the public and by organisations. Some identifiers may seem obvious, but it is imperative to stay aware of them.
There are a number of key areas that are common across most ransomware attacks:
- A user is informed that their files have been or will be encrypted UNLESS they undertake a specific task. This could be a number of different things, but is most often a request for payment to decrypt their files.
- The user is assured that their files can only be recovered IF the demanded action is carried out, within the explicit terms given.
- Instructions on how to complete the task. If payment is requested, this will often be via a crypto-currency address or link.
- Some ransomware attacks include deadlines. The user is told to complete the action within an allotted timeframe, or they will permanently lose their data. This pressures victims into paying quickly, without stopping to think or to seek assistance from law enforcement agencies.
4) Should the victim pay the ransom?
At Blue Lights Digital, it is the policy of our team of digital investigators that the victim is advised against complying with the demand. This is merely advice as we understand that some victims may still choose to comply when they realise that all their most important files have been encrypted.
Here’s why we advise against complying:
- Even upon payment, there is no guarantee that a working decryption key will be provided, meaning a victim’s files may still not be recovered.
- Once a victim has been identified as willing to pay, the attacker may choose to increase the ransom amount without the files being decrypted.
- Those who pay are often recorded as vulnerable targets, and are therefore likely to be victims again in the future.
5) What if the ransom has already been paid?
If the ransom has already been paid prior to your interaction with the victim, then we recommend that the following steps be taken:
- Have the files been decrypted? Establish whether or not the payment (or other action) resulted in ALL of the files that were previously inaccessible becoming accessible again (decrypted).
- Capture full details of the action undertaken. If a payment has been made, note down as much detail as possible, including: the specific time, the value of the payment, the means of payment, relevant identifiers (e.g. Bitcoin address), and any unique reference numbers provided.
- Capture full details of the decryption key. If a decryption key was provided, whether successful or not, note full details of how this key was distributed to the victim and identify any investigative opportunities within that communication.
- Prevent future attacks on the victim. Even after a successful decryption, the full protocol (below) must be followed so that the victim is provided with target hardening advice. This can help to prevent a recurrence of the event.
6) Responding to a ransomware attack
When cyber attacks are handled correctly from first point of contact, there are a number of digital evidence and intelligence opportunities that can be used to assist investigations. This data can potentially be used later as significant evidence.
The following steps should be taken when responding to a ransomware attack:
1. Capture the Evidence
Before any other action is taken, ensure that all details that are present on the ransomware screen are captured, secured and preserved. If there are multiple screens, repeat this process for each one.
2. Consider Immediate Opportunities
Identify any immediate lines of enquiry available from the ransomware screen that could support an investigation. These include: usernames, websites, email addresses and crypto-currency payment details.
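As an added example (not part of the original post), the following Python triage helper checks captured ransom-screen text for the key identifiers listed in section 3 and pulls out the lines of enquiry from step 2 (email addresses, websites, crypto-currency payment details, amounts and deadlines) so they can be recorded before anything else is touched. The sample note, the Bitcoin address, the email address and the URL are constructed placeholders.

```python
import re

# Constructed sample ransom-screen text for demonstration (not from a real
# incident); the address, email and URL are placeholders.
SAMPLE_NOTE = """YOUR FILES HAVE BEEN ENCRYPTED!
All your documents, photos and databases were encrypted with a private key.
To recover them you must pay 0.5 BTC to 1TestPayAddrXXXXXXXXXXXXXXXXXXX
within 72 hours, or your files will be permanently lost.
Contact decrypt-help@example.com or visit http://example.com/unlock
Your personal ID: ABC-123
"""

# Lines of enquiry the guide lists: email addresses, websites and
# crypto-currency payment details, plus the deadline and amount wording.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s<>]+")
# Legacy base58 (1.../3...) and bech32 (bc1...) Bitcoin address formats.
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\b")
DEADLINE_RE = re.compile(r"\b(\d+)\s*(hours?|days?)\b", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(BTC|bitcoins?|USD|EUR|GBP)\b", re.IGNORECASE)


def extract_indicators(note: str) -> dict:
    """Pull investigative identifiers out of captured ransom-screen text."""
    return {
        "emails": EMAIL_RE.findall(note),
        "urls": URL_RE.findall(note),
        "btc_addresses": BTC_RE.findall(note),
        "amounts": [" ".join(m) for m in AMOUNT_RE.findall(note)],
        "deadlines": [" ".join(m) for m in DEADLINE_RE.findall(note)],
    }


def ransom_note_signals(note: str) -> dict:
    """Check the text for the key identifiers the guide describes."""
    low = note.lower()
    found = extract_indicators(note)
    return {
        "encryption_claim": "encrypt" in low or "locked" in low,
        "payment_demand": re.search(r"\b(pay|payment|ransom)\b", low) is not None,
        "payment_channel": bool(found["btc_addresses"] or found["urls"] or found["emails"]),
        "deadline": bool(found["deadlines"]),
        "loss_threat": re.search(r"permanently|forever|destroyed", low) is not None,
    }


def looks_like_ransom_note(note: str, min_signals: int = 3) -> bool:
    """Treat the text as a ransom demand when enough identifiers are present."""
    return sum(ransom_note_signals(note).values()) >= min_signals
```

Run `extract_indicators(SAMPLE_NOTE)` to see the identifiers a first responder would transcribe into the incident record; `looks_like_ransom_note` returns True for the sample and False for ordinary system messages.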
3. Identify the Source
With the victim, retrace the steps and interactions that took place on the device immediately prior to the attack. This can help to identify the likely source of the attack. Whilst there are other possibilities, the source will usually be one of the following:
- Email received or email attachment opened
- Website visited
- External device inserted
- File downloaded
4. Identify the Ransomware
There are a number of solutions available on the internet that can assist in identifying the type of ransomware that has been used.
No More Ransom is the current leading solution. It provides a rich source of information about specific strains of ransomware and recommended activities once they have been identified. The site may be able to decrypt some of the most prominent forms of ransomware in circulation – without the need for any other action to be completed by the victim.
5. Isolate the Device
The infected machine must be removed from any of its connected networks. This prevents further spread of the ransomware.
If it is a mobile device, then disconnect any internet access to prevent the encryption of additional externally hosted files.
If the victim is using a corporate device then seek advice and support from their company’s IT department first. They may have response plans already in place with specialist support for such incidents.
6. Consider Back-Up Solutions
Identify any local or cloud-based back-up of the device’s files or even entire system. If the back-up can be used to restore a previous version of the files or system prior to the attack, it could render the ransomware useless.
PLEASE NOTE: Now it has been isolated from the network, the device must not be reconnected to access any available back-ups until it has been reset or cleansed of malware. Doing so can compromise other devices on the network, or even result in the back-up also becoming encrypted by the ransomware.
7. Seek support from a Subject Matter Expert
A subject matter expert may be able to extract further evidence from the device or support the decryption of files.
7) Victim Target Hardening
By educating yourselves, your colleagues and members of the public about these types of cyber attacks you can identify them, stop them from spreading and also begin to prevent them altogether.
In addition to this blog post, we have taken the time to build very detailed guidance on protecting persons against ransomware and other types of cyber offences. This is available for FREE through downloading our Cyber Threats module in Blue Lights Discovery.
Need more support?
If you need immediate support in relation to a ransomware attack then speak now with a member of our dedicated investigations team. Whether you are concerned about preventing ransomware, are a victim who needs immediate assistance or are a first responder seeking assistance, we are here to help!
We have recently launched a number of cyber crime response and prevention modules, exclusively available to our Blue Lights Discovery enterprise clients. To access more information about how Blue Lights Discovery can support your organisation, click here.
We also include dedicated, scenario-based ransomware training on a number of our leading Digital Investigation and Intelligence Training Courses. To discuss your individual or organisation’s training requirements, please contact us; we would be delighted to hear from you.