Ransomware: Are We in Denial?
Despite the Silence, Ransomware Attacks are Rampant in Region
Recently in conversation, an industry thought-leader candidly mentioned that India has a big ransomware problem. Surprised, I asked him why we haven't heard more about this from research reports, news media and the community.
Ransomware is malware that prevents access to critical systems and data, usually by encrypting them, and forces victims to pay a 'ransom' in order to receive the decryption key. Payment is usually made through online methods, with cryptocurrency preferred.
From what I hear, it seems people have been keeping the ransomware problem on the down-low and prefer not to disclose being victims of such attacks. Because, here's the thing: A successful ransomware attack means an adversary was able to compromise your infrastructure, go hunting for valuable data in your network, commandeer control of those critical assets, make them unavailable to you, and then try to extort money from you - right under your nose. No self-respecting security practitioner wants to say as much. Indians are traditionally image conscious, anyway.
Moreover, the traditional approach to physical security - one centered on bluster and a certain amount of intimidation - may have found its way into the InfoSec psyche as well. But these reactions are out of place in information security, and no amount of chest thumping and certifications can prevent you from getting pwned. Only a well thought-out strategy and up-to-speed competence can. Now, this may not be the rule, certainly, but it is a common trend, I think - feel free to disagree.
How Big is the Problem?
Ransomware has been steadily registering its presence globally over the past few years, and despite the best on-premises technologies, companies are falling prey and often paying off their attackers. Symantec's Internet Security Threat Report last year said India ranked third highest in Asia for ransomware, and a Google News search reveals more such cases coming to light in the mainstream media.
However, this may be just the tip of the iceberg. "In the last six months, we are seeing many instances of ransomware [attacks] in India," says Jagdish Mahapatra, MD India & SAARC for Intel Security. "In fact, in the first quarter of 2015, McAfee Labs registered a 165 percent increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor."
Security thought-leader Dinesh Bareja, who is also founder of India Watch and the OpenSecurity Alliance, agrees. He says that a number of Cryptowall clones have come up, and they are very similar, making it more difficult for the investigators/responders. (Also read: Refined Ransomware Streamlines Extortion)
Mahapatra adds that, according to McAfee Labs figures, only one year in, the CryptoWall ransomware has already claimed $18 million from computer users, and it's only likely that this will continue in what he calls "a rapidly growing threat" in 2016. (Also read: FBI Alert: $18 Million in Ransomware Losses)
"2015 saw ransomware-as-a-service hosted on the Tor network, using virtual currencies for payments," he says. "With upcoming new variants and the success of the 'ransomware-as-a-service' business model, this will continue, as inexperienced cybercriminals will gain access to this service while staying relatively anonymous."
What's the Fix?
Mahapatra says that ransomware is not a product issue; it is more about architecting and fine-tuning solutions than about buying new technologies to preempt security issues. Even with the best skills in organizations, it is proving difficult to keep up, he says.
The Indian industry seems to be struggling to find an effective fix, according to Bareja. Right now, most people have only been able to restore from backups or make payments. "Negotiation is possible, and you might get a discount if you plead nicely," he informs. But there have also been instances of organizations that paid, after which the attacker did not honor the agreement, and the victims lost both money and data. Sources are also speculating about a trend of quiet inquiries into how to purchase cryptocurrencies like Bitcoin - what's the purpose? (Also read: Police Raid Suspected Bitcoin Founder's House)
And the plot thickens here, because there are some in the industry who claim that Indian ransomware attackers have started recruiting moles in organizations, in order to identify critical assets and who has access to what, so that a targeted attack can be crafted - bizarre, but feasible?
However, a CISO at a leading bank that I spoke to shrugs this off, saying that ransomware is just another kind of malware, and recommends strong gateway-level controls and proxy-level security as the first line of defense. The second and crucial line of defense, he says, is to identify and back up critical servers and assets.
He says that because banking is regulated and has appreciably more mature security than other verticals in India, banks haven't yet borne the brunt of this kind of attack, and he appears confident that they won't. Overall, he has only heard of a couple of such incidents in the past seven months - mostly in manufacturing and telecom - but agrees that this may be because such incidents are kept under wraps.
Bareja concurs that the only practical solution right now is to back up and test regularly.
Is it, though? Because ransomware families seem to be evolving stealth functionalities. For instance, says Intel Security's Mahapatra, there are new variants that may start to silently encrypt data. These encrypted files will also be backed up by the victim, and eventually the attacker will pull the key, resulting in encrypted files both on the system and in the backup.
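The silent-encryption scenario above is exactly the case a regular backup test should catch before the key is pulled. The following is an added illustration, not code from the article or from any vendor quoted in it: it compares the latest backup set against a hash manifest from the last known-good backup and flags files that have changed and now look like ciphertext (expected file header missing, or near-maximal byte entropy). All file contents, names and the entropy threshold are constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# Expected leading bytes for a few common document types. A PDF in the
# backup that no longer starts with %PDF is suspicious even if its name
# and size look normal.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0 (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:                       # typed file: trust the header check
        return not data.startswith(MAGIC[ext])
    return shannon_entropy(data) > ENTROPY_THRESHOLD  # untyped: fall back to entropy

def build_manifest(files: dict) -> dict:
    """SHA-256 of every file in a known-good backup set."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def audit_backup(current: dict, manifest: dict) -> list:
    """Names of files that changed since the manifest AND now look like ciphertext."""
    flagged = []
    for name, data in current.items():
        if manifest.get(name) != hashlib.sha256(data).hexdigest() and looks_encrypted(name, data):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample data (not real files). FAKE_CIPHERTEXT stands in for
# the output of a ransomware cipher: every byte value equally likely.
FAKE_CIPHERTEXT = bytes(range(256)) * 16
GOOD_BACKUP = {
    "report.pdf": b"%PDF-1.4\n" + b"quarterly figures " * 50,
    "notes.txt": b"meeting notes: migrate file server next month\n" * 20,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 200,
}
LATEST_BACKUP = {
    "report.pdf": FAKE_CIPHERTEXT,                                     # silently encrypted in place
    "notes.txt": GOOD_BACKUP["notes.txt"] + b"action items added\n",   # legitimate edit
    "logo.png": GOOD_BACKUP["logo.png"],                               # untouched
}

if __name__ == "__main__":
    print(audit_backup(LATEST_BACKUP, build_manifest(GOOD_BACKUP)))  # ['report.pdf']
```

A legitimately edited text file is not flagged, while the PDF whose header vanished is, which is the signal that the backup chain has been poisoned and an older, clean generation must be retained.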
Other new variants might use kernel components to hook the file system and encrypt files on the fly, as the user accesses them. The groups behind most current ransomware campaigns are going for "fast cash," by using spam campaigns and exploit kits such as Angler, and targeting wealthy countries in which people can afford to pay the ransom, Mahapatra says. The trend, it seems, is to focus on industry sectors, including financial and local government, which will quickly pay ransoms to restore their critical operations. (Also Read: Angler Ransomware Campaign Disrupted)
The last bit of this whole pie is cyber insurance. It's going to be interesting to see if the financial loss from ransomware attacks will be covered under cyber insurance policies - particularly, how such claims are settled, based on what criteria - if we get to hear about it that is. But in the meantime, you would do well to buckle up. And back up.