By Avinash Singh and Hein Venter, Department of Computer Science at the University of Pretoria
Ransomware is one of the most destructive forms of malware which targets the most important asset of any organisation or system, their data. Ransomware targets your data by encrypting it using strong encryption algorithms to render your data useless unless you have the decryption key.
This decryption key is held by the attackers for large amounts of money with no real guarantee of getting your data back. Often security researchers urge organisations not to pay the ransom, as it encourages more attacks to occur. Although the decryption of your data is not guaranteed, sometimes it might be successful after a ransom payment.
According to Sophos 2020 Report, about 51% of organisations across 26 countries were hit with ransomware in the last year, and 73% of ransomware attacks have resulted in the encryption of organisations data. This means only 27% of organisations have in place relevant security and preventative measures to avoid possible ransomware encryption.
The most common method of ransomware infection happens through targeted emails with malicious links or file attachments where over-trustworthy users get lured into opening/downloading these files. Other ways of infection occur through unpatched vulnerabilities or security flaws due to misconfigurations.
For instance, the most devastating ransomware family, WannaCry caused a huge storm over the internet contributing almost 20% of all ransomware infections. There are many strains of WannaCry parading over the internet exploiting systems through vulnerabilities in the SMB protocol and spreading over organisations’ networks like a computer worm. Even though cloud backup is being used for personal use such as OneDrive, DropBox or Google Drive that uses real-time sync, if your PC gets infected, your cloud backup could also become encrypted. With the COVID19 pandemic, however, cyber crime is on the rise, with employees working from home with potentially unprotected systems.
How to protect yourself from infection?
- Ensure you have anti-virus software that will protect your files from malware.
- Keep your Operating System (OS) and applications up to date.
- Use reliable disjoint backup methods (the backup should not be on the same network)
- Do not click on suspicious links and open files from domains or senders you do not recognise.
- Beef up security policies and restrict unprecedented access to essential systems.
- Keep up to date with cutting edge security research and vulnerabilities.
- Utilise AI techniques to detect or prepare for future attacks.
How does ransomware work on a technical level?
Ransomware relies on encryption libraries that are available in the Windows OS, which is difficult to detect, however, ransomware adds metadata into an encrypted file making it extremely difficult and almost impossible to brute-force the decryption process.
Ransomware also makes use of different encryption keys for each file, making it unique so a decryption tool cannot be easily created. For instance, WannaCry makes use of AES (Advanced Encryption Standard) and RSA ((Rivest–Shamir–Adleman) encryption where each encrypted file has a different AES encryption key, which is stored in the file itself, and is then encrypted with RSA encryption between the ransomware victim and the Command and Control (C2) server.
This further cements the decryption process that can only happen once the RSA decryption happens, also only allowing the C2 server to perform the decryption process, which hackers use, to manage the ransomware attacks. It is also quite difficult to detect ransomware as the behaviour it exhibits is not malicious in nature, as encrypting files is a security feature. However, it is possible to check if the encrypted file is abnormal (does not have normal encryption headers/signatures).
To contain a ransomware attack, you should isolate (cut network access to) the infected PCs reducing the risk of propagation over the network. Stop all sharing services like Samba, and shared disk. If ransomware has managed to spread over the network, rather turn off network switches to save the computers that are not infected. This will help reduce the effect of the ransomware attack. Stop print services, as they can be exploited by ransomware as well. Acting when a first incident is reported is vital, as the infection rate is based on network speed and the number of vulnerable and online machines.
Carrying out incremental backups has its benefits, however, ransomware targets these backups as well, truly holding your data at ransom. The best method to mitigate ransomware targeting backups is to either have disjoint backups which are not connected to the source machine(s) or network. The alternate and most effective solution is to make use of immutable backups. This form of backups is write-protected, which means once they are made, the write privileges are removed so that ransomware cannot encrypt them.
Research at the Intelligent Cyber Forensics Lab (ICFL) at the University of Pretoria aims to take traditional digital forensics and make it smarter with the adoption of AI. This gives way to cutting edge future-proof solutions that will minimise the effectiveness of such attacks and potentially finding and punishing perpetrators for their crimes.
As a key-point takeaway, always ensure your system and servers are up to date and maintain regular off-network backups or employ immutable backup solutions.
About the authors
Mr Avinash Singh is an emerging researcher in the Digital Forensic space focussing on Ransomware and Malware Forensics as well as Digital Forensic Readiness.
He obtained his degrees from the University of Pretoria in Computer Science and is currently pursuing a PhD. He was employed as an Assistant Lecturer since July 2017 and since May 2020 he has been appointed as a Lecturer at the Department of Computer Science, University of Pretoria. He is a member of the Golden Key Society and the IITPSA. He is also member of the Digital Forensic Science (DigiForS) Research Group and is the head of the recently established Intelligent Cyber Forensic Lab (ICFL) at the University of Pretoria.
Mr Singh published several international conferences and journals. He is also member of the review committee for the Information Security South Africa (ISSA) conference. His research interests encompass intelligent ransomware detection, ransomware prevention, ransomware recovery, and digital forensics.
Prof Venter has established an international research reputation in cyber security and cyber forensics. Over the past 13 years, Prof Venter has been focussing mainly on cyber forensics research.
Prof Venter is the research group leader for the Digital Forensic Science (DigiForS) research group at the University of Pretoria where he collectively supervises more than 40 Computer Science postgraduate students. He authored and co-authored more than 260 publications. He is also general chair of the Information Security for South Africa (ISSA) conference Prof Venter recently served on a panel that was tasked by the DST to come up with a national cyber security research agenda. The main topics identified for this research agenda include cyber security and digital forensics.
Read more on the GÉANT Cyber Security Month 2020: https://dev.connect.geant.org/csm2020