The Real Cracks in the Foundation of Ransomware
The rise of ransomware has been striking over the past two years, rapidly dominating headlines with its frequency, its wide range of victims, and its profitability. So when news hit that two of the largest and most notorious delivery systems for ransomware — the Necurs botnet and the Angler exploit kit — had gone dark, that was obviously good news. Unfortunately, in the world of cybersecurity, respites like these never seem to last very long. And, sure enough, after nearly a month of silence, Necurs came back online with a vengeance.
The sudden disappearance and sudden resurgence of Necurs is a perfect reminder of how fighting cyber crime can be like trying to rid a garden of weeds. We can rip up weeds one by one, but it’s only a matter of time before they come back or get replaced by a new variety.
Rather than take a break and enjoy our good fortune any time a malware delivery network goes down, a better exercise is to see how much we can accomplish while criminals shuffle to find new distribution.
Cutting ransomware off at the knees
To understand why botnets and exploit kits matter, it’s important to understand how cyber attacks — and particularly ransomware attacks — work. In order to be successful, a ransomware attack requires more than just the specific piece of malware that runs on a victim’s system, encrypting their files or locking them out. That particular functionality (the scrambly/locky bits) may be the most visible element of a ransomware attack, but getting that malware onto the machine in the first place takes work. So does accepting ransom payments and supporting decryption transactions.
Deploying and monetizing ransomware takes infrastructure. And infrastructure doesn’t pop up overnight.
Case in point: In early June, Necurs, one of the world’s largest botnets (a network of infected computers often used to deliver spam and phishing e-mails), suddenly went offline. It was a devastating loss to criminals who relied on the botnet as the primary distribution channel for their malware, and the ramifications were noticeable almost immediately. In particular, security researchers reported significant drop-offs in infections from both Locky (ransomware) and Dridex (a banking trojan) — two notorious strains of malware that, up to that point, had been on the rise.
As if that wasn’t enough good news, shortly thereafter, reports surfaced that the infamous Angler exploit kit had gone belly-up, too. Exploit kits provide attackers with their second primary way of delivering ransomware and other malware payloads — taking advantage of software vulnerabilities to infect victims who visit malicious websites. What makes Angler’s demise so surprising is that since its emergence in late 2013 it had grown in notoriety to become the most popular exploit kit available, accounting for over 80 percent of drive-by attack traffic as late as this April.
Unfortunately, even with the downfall of these two major delivery vehicles, however, the resulting drop in ransomware infections was short-lived.
It’s hard to keep a profitable idea down
As this chart from researchers at F-Secure Labs indicates, following Angler’s rapid decline, criminals wasted little time hopping over to a competing exploit kit called Neutrino.
The criminals behind Neutrino quickly responded to the influx of demand by raising their prices 2x. The entire situation bears a strong similarity to the rise of Angler in the first place. Angler had itself replaced another exploit kit called Blackhole when Blackhole’s alleged author was arrested in October 2013. It was only a month later, in November, when Angler arrived to fill the vacuum.
This is a pattern we see regularly in cybersecurity. Malware families rise and fall, and new variants rise to take their place. CryptoWall was built on the bones of CryptoLocker, CryptXXX on those of Reveton. Both were delivered in volume by Angler. Now that Angler is gone, they and other new ransomware variants are simply finding distribution through Neutrino or other channels.
Ransomware is as ransomware does
Disruptions like these are merely periods of retooling for the ransomware community. Sometimes actors get arrested, hosts are blocked, or tools are engineered around, but eventually, they rise again. So long as the methods behind these attacks work, and so long as the returns are relatively safe, unattributable, and consistent, the individual tools criminals use to perpetrate them will be repainted, redeployed, and revived.
That means that blocking or disrupting these tools individually, one by one, isn’t a sustainable or effective approach. Unfortunately, it is a neat assessment of the signature-based strategy that has driven most endpoint security approaches to date. Security administrators are stuck in a perpetual game of whack-a-mole, content with modest, temporary gains that evaporate as soon as criminals make the smallest of adjustments and new attacks spring up onto the scene.
To gain real traction against ransomware we need to identify and block the underlying malicious behaviors that are found across multiple ransomware campaigns. All campaigns have three common needs: 1) Attackers need to get access to the system; 2) they need to create a process with proper rights to open and encrypt data; 3) they need to present their demands to the victims.
As researchers analyze the thousands and thousands of ransomware samples that show up every day, we see how these building blocks are created in the execution of each and every one. The malware signatures are designed to change, and the delivery channels evolve to overcome discovery and disruption. These fundamental behaviors do not. They’re what make ransomware what it is. By stopping them, we stop ransomware. It’s that simple.
That’s why, as organizations invest to repel ransomware, they need to find protection that will block its unchanging and malicious activities. Whether the attacks are ransomware, botnets, or exploit kits, our best strategy is to simply stop the actions we know will harm us.