Europol, Intel, Kaspersky, join forces to contain ransomware

Europol, Intel Security, Kaspersky Lab and the Dutch National Police have joined forces to launch an initiative called No More Ransom, a new step in the cooperation between law enforcement and the private sector to fight ransomware together. No More Ransom is a new online portal aimed at informing the public about the dangers of ransomware and helping victims recover their data without having to pay a ransom to the cybercriminals.

Ransomware is a type of malware that locks the victim’s computer or encrypts their data, demanding a ransom in order to regain control over the affected device or files. Ransomware is a top threat for EU law enforcement: almost two-thirds of EU Member States are conducting investigations into this form of malware attack. While the target is often individual user devices, corporate and even government networks are affected as well. The number of victims is growing at an alarming rate: according to Kaspersky Lab, the number of users attacked by crypto-ransomware rose by 550%, from 131,000 in the 2014-2015 period to 718,000 in 2015-2016.

The aim of the online portal is to provide a helpful online resource for victims of ransomware. Users can find information on what ransomware is, how it works and, most importantly, how to protect themselves. Awareness is key, as decryption tools do not yet exist for every type of ransomware in circulation. If you are infected, the chances are high that the data will be lost forever. Using the internet with care and following a set of simple cyber security tips can help avoid the infection in the first place.

The project provides users with tools that may help them recover their data once it has been locked by criminals. In its initial stage, the portal contains four decryption tools for different types of malware, the latest developed in June 2016 for the Shade variant.

Shade is a ransomware-type Trojan that emerged in late 2014. The malware is spread via malicious websites and infected email attachments. After getting into the user’s system, Shade encrypts files stored on the machine and creates a .txt file containing the ransom note and instructions from the cybercriminals on what to do to get the user’s personal files back. Shade uses a strong encryption algorithm for each encrypted file, with two random 256-bit AES keys generated per file: one is used to encrypt the file’s contents, while the other is used to encrypt the file name.

Since 2014, Kaspersky Lab and Intel Security have prevented more than 27,000 attempts to attack users with the Shade Trojan. Most of the infections occurred in Russia, Ukraine, Germany, Austria and Kazakhstan. Shade activity was also registered in France, the Czech Republic, Italy and the US.

By working closely together and sharing information between the different parties, the partners seized the Shade command and control server that the criminals used to store the decryption keys, and the keys were shared with Kaspersky Lab and Intel Security. That made it possible to create a special tool, which victims can download from the No More Ransom portal, to retrieve their data without paying the criminals. The tool contains more than 160,000 keys.

The project has been envisioned as a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners’ cooperation.

Wilbert Paulissen, Director of the National Criminal Investigation Division of the National Police of the Netherlands: “We, the Dutch police, cannot fight against cybercrime, and ransomware in particular, alone. This is a joint responsibility of the police, the justice department, Europol, and ICT companies, and requires a joint effort. This is why I am very happy about the police’s collaboration with Intel Security and Kaspersky Lab. Together we will do everything in our power to disturb criminals’ money making schemes and return files to their rightful owners without the latter having to pay loads of money.”

“The biggest problem with crypto-ransomware today is that when users have precious data locked down, they readily pay criminals to get it back. That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result. We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road. We expect this project to be extended, and soon there will be many more companies and law enforcement agencies from other countries and regions fighting ransomware together,” says Jornt van der Wiel, Security Researcher at the Global Research and Analysis Team, Kaspersky Lab.

“This initiative shows the value of public-private cooperation in taking serious action in the fight against cybercrime,” says Raj Samani, EMEA CTO for Intel Security. “This collaboration goes beyond intelligence sharing, consumer education, and takedowns to actually help repair the damage inflicted upon victims. By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.”

Wil van Gemert, Europol Deputy Director Operations: “For a few years now ransomware has become a dominant concern for EU law enforcement. It is a problem affecting citizens and business alike, computers and mobile devices, with criminals developing more sophisticated techniques to cause the highest impact on the victim’s data. Initiatives like the No More Ransom project show that linking expertise and joining forces is the way to go in the successful fight against cybercrime. We expect to help many people to recover control over their files, while raising awareness and educating the population on how to keep their devices clean from malware.”

Reporting ransomware to law enforcement is very important: it helps the authorities build a clearer overall picture and thereby a greater capacity to mitigate the threat. The No More Ransom website gives victims the possibility to report a crime, connecting them directly with Europol’s overview of national reporting mechanisms.

If you have become a victim of ransomware, we advise you not to pay the ransom. By making the payment you will be supporting the cybercriminals’ business. Moreover, there is no guarantee that paying the ransom will give you back access to the encrypted data.

The number of users encountering ransomware, including encryptors and downloaders that load encryptors, at least once in the period from April 2014 to March 2016. (Source Kaspersky Lab)

Recent analysis of malware shows that 50% of all malware is now focused on crypto ransomware, up from 10% a year ago. Furthermore, Kaspersky Lab has released numbers showing a 20% year-over-year increase in ransomware attacks. There have also been instances of ransomware accessing files on network shares and cloud drives.

Why has ransomware become so successful? First, users and technology are often not deployed well enough; second, crypto currencies have given attackers an anonymous payment channel. This means they can now run a business in which they extort the user, have the user transmit money in the form of crypto currency, and never need to worry about being caught. They have also started to use bitcoin tumblers, a laundering mechanism layered on top of the already very anonymous crypto currency environment.

Also interesting is how attackers have created a business model around the distribution of ransomware. With CTB Locker for example, instead of infecting victims themselves, the attackers have chosen to sell the code itself to distributors who can then carry out the attacks.

“I think a basic precaution against ransomware and a good practice in general is to maintain a backup of your sensitive data,” explains Nicolai Solling, Director of Technology Services at Help AG. This could be done periodically to an external drive or even a cloud service. There are plenty of solutions that manage this, and most large businesses do maintain disaster recovery centres.

With the type of encryption that modern ransomware now uses, it can be very difficult to recover your data without receiving the key from the attacker. There is no guarantee that, once you have made the payment (usually a Bitcoin transaction), the attacker will actually provide the decryption key. In most cases, however, they have done so in order to establish their reputation, since they approach ransomware as a business.

Other steps are in line with general security best practices and serve as a precaution rather than a cure. These include being vigilant about the kind of emails and attachments you open, and about downloads from questionable sources. With ransomware having successfully added mobile devices to its list of targets, users should also be mindful of the apps they download and take precautions such as avoiding third party app stores.

Raj Samani, EMEA CTO for Intel Security.

How Intel combats global threat actors

  • Criminals and malicious actors have been working together for years
  • Only way to fight back is to collaborate and work together
  • Intel Security amongst first companies to sign MoU with Europol
  • Intel Security provides remediation tools free of charge
  • Intel Security does not focus on attribution which is job of law enforcement
  • Intel Security does not provide personally identifiable data to law enforcement
  • Focus on developing tools to protect, detect, correct
  • Focus on how to manage the threat defense lifecycle

According to Raj Samani, EMEA CTO, Intel Security, one of the active global roles of Intel Security is to build and provide remediation tools for end users, free of cost, to recover from cyberattacks. However, awareness of the availability of these tools is still low, and the download rate was 3% in early 2016. Another responsibility that Intel accepts globally is to provide threat intelligence to law enforcement. This information does not, however, include personally identifiable data. “We do not provide personally identifiable data that identifies specific individuals, because personally identifiable data is governed by data protection regulations all across the world. Equally we are not asked to do that by law enforcement.”

One of its most important roles, according to Intel Security, is to build global partnerships to tackle cybercrime. Intel Security was amongst the first to sign an MoU with Europol and the National Crime Agency, UK. “Criminals and malicious actors have been working together for years now. The only way we are able to really address this issue and fight back is, if we collaborate and work together. We have got examples whereby collaboration really does help and win things.”

While Intel Security works closely with law enforcement, Samani stresses that Intel Security does not take on the responsibility of law enforcement or criminal attribution. He explains that making arrests and attribution is the job of law enforcement. However, attribution needs to be managed carefully because cyber threat actors use false flags during attacks. What Intel Security does best is to invest in improving and managing the threat defence life cycle. “As a company, we provide technologies that protect, detect and correct.”

How to build your defence against ransomware

Cybercrime operatives are targeting both individuals and businesses to take charge of their assets and demand a ransom. A hands-on appreciation of how the malware works can help avoid some common pitfalls.

The basic operational approach for ransomware was developed as early as the mid nineties using public key cryptography. Since then the various forms of ransomware have become more advanced, with Bitcoin becoming the common channel for receiving the ransom payments.

While the malware runs, the screen of the client device is locked with a message announcing the progress of the ransomware attack and the payment required to halt the attack and reverse the process. On receipt of the ransom payment, the threat actor releases the private decryption key to the victim and the data is restored to their control. If the victim refuses to pay the ransom, the malware has been known to cause irreparable damage to individual users and large businesses alike.

A huge spurt in ransomware activity across 2015 into 2016 has been attributed to at least three reasons. The first driver is the syndication of the activity into ransomware as a service, with offers of revenue sharing to the operatives who deliver it to the target recipients. The second driver is the development of polymorphism in ransomware, which generates a unique threat signature for each attack. The third driver is the increasing sophistication of the malware, which widens the scope of the damage.

A good understanding of how to reduce the attack surface to ransomware starts with understanding how it works. The ransomware attack usually goes through six stages as below.

#1 Distribution stage

This is done either through phishing emails or compromised web sites. One out of four recipients still open phishing emails and one out of ten recipients click on phishing attachments.

#2 Infection stage

A number of sophisticated operations need to be performed. These include identifying the computer uniquely; creating a restart survival programme; deactivating start-up repair, Windows error recovery, shadow copy; stopping Windows Update, Windows Security Center, Windows Defender; compromising Windows Explorer, and retrieving the external IP address.

#3 Communication stage

The compromised client device reaches out to the attacker’s key servers to obtain the public key that initiates the malicious encryption; the matching private key is held back by the attacker for decryption later.

#4 Search stage

The ransomware searches for files important for the user such as DOC, JPG, XLSX, PPTX, PDF, others.

#5 Encryption stage

The identified user files are moved, renamed and encrypted cyclically.

#6 Ransom demand stage

The screen of the attack recipient is taken over and the demanded amount is presented.
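The search and encryption stages above (#4 and #5) leave a recognisable trace: one process renaming many user documents to a foreign extension in quick succession. The following is an added example, not code from the article or from No More Ransom, that turns that trace into a simple host-side detection over constructed file-activity events; the log format, process names, window and threshold are assumptions for the demo.

```python
"""Heuristic detector for the search and encryption stages (#4 and #5).
Added example, not code from the article or from No More Ransom: it scans
constructed file-activity events and flags a process renaming many user
documents to a non-document extension. Log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePath

# Document types the article lists as ransomware search targets (stage #4).
TARGET_EXTS = {".doc", ".docx", ".jpg", ".xlsx", ".pptx", ".pdf"}
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed renames per window per process

def parse_event(line):
    """Parse one constructed line: 'ISO-time|process|action|src|dst'."""
    ts, proc, action, src, dst = line.strip().split("|")
    return datetime.fromisoformat(ts), proc, action, src, dst

def is_document_rename(action, src, dst):
    """True when a target document is renamed to a non-document extension,
    the 'moved, renamed and encrypted' pattern of stage #5."""
    if action != "RENAME":
        return False
    return (PurePath(src).suffix.lower() in TARGET_EXTS
            and PurePath(dst).suffix.lower() not in TARGET_EXTS)

def find_suspicious_processes(lines):
    """Return {process: peak count} for every process whose document renames
    reach THRESHOLD inside some WINDOW-long sliding window."""
    renames = defaultdict(list)
    for line in lines:
        ts, proc, action, src, dst = parse_event(line)
        if is_document_rename(action, src, dst):
            renames[proc].append(ts)
    flagged = {}
    for proc, times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # drop events outside the window
                start += 1
            if end - start + 1 >= THRESHOLD:
                flagged[proc] = max(flagged.get(proc, 0), end - start + 1)
    return flagged

# Constructed sample: an editor saving one document normally, then a process
# renaming six documents to '.locked' within a few seconds.
SAMPLE_EVENTS = [
    "2016-06-01T09:00:00|winword.exe|RENAME|C:/u/report.docx|C:/u/report_v2.docx",
    "2016-06-01T09:00:01|winword.exe|WRITE|C:/u/report_v2.docx|",
] + [
    f"2016-06-01T09:01:{i:02d}|svc.exe|RENAME|C:/u/f{i}.{ext}|C:/u/f{i}.{ext}.locked"
    for i, ext in enumerate(["doc", "jpg", "xlsx", "pptx", "pdf", "docx"])
]
```

Running `find_suspicious_processes(SAMPLE_EVENTS)` flags only `svc.exe`; the editor's own rename keeps a document extension and is ignored.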

Based on the six stages of the ransomware attack, a number of remediation and prevention techniques can be recommended. These are as follows:

Protection against the distribution stage

  • Consider how to build the human firewall since people are the weakest link letting ransomware into their endpoints sometimes through phishing emails
  • Use measures to prevent ransomware from reaching end points in the first place by web and spam filtering, web gateway tools
  • Regularly apply patches to operating system and applications since ransomware exploit kits look for such vulnerabilities
  • Use central application control to allow only whitelisted items to execute and limit privileges for unauthorised executables

Protection against the infection stage

  • Do not enable macros for documents received via email, even if the document asks for them to be enabled
  • Use the minimum set of rights you need, especially when working as an administrator, opening documents or browsing the internet
  • Limit access rights for external processes, especially when installing software and applications
  • Use a sandboxing appliance to verify the integrity of any suspicious process

Protection against the communications stage

  • Write rules for network firewalls to block ransomware domains
  • Block access to Tor and other anonymous communication sites used to shield ransomware control servers, interrupting the public key generation process
  • Configure proxy and gateway appliances to scan for and block ransomware control server traffic, interrupting the public key generation process

Protection against the encryption stage

  • Create a storage volume either externally or through a partition and run routine archival backups
  • Create an air gapped, offsite data backup, that is not connected to the network or computer
  • Limit access rights across shared storage volumes to prevent ransomware encryption across the network

Protection against the ransom demand stage

  • Restore data from the offsite, air gapped backup site that has not been detected by the ransomware
  • Use a bare metal utility to retrieve and restore a complete computer system reducing the ransomware impact

Looking at how CryptoWall ransomware works, the Cyber Threat Alliance recommends the following steps for IT administrators:

  • Ensure employees are trained in common best practices to avoid phishing and other malware infecting their end points
  • Ensure that operating systems, devices, applications, browsers, antivirus are updated for threat signatures
  • Users should monitor sender names and emails and file types of attachments
  • Administrators should review their security policies limiting user access to critical data and infrastructure
  • Intrusion Prevention Systems, antivirus, sandboxing, web filtering, IP reputation scoring, anti-spam, SSL Inspection, reduce vulnerability to ransomware

By adopting a planned approach involving both end users and IT administrators, businesses can avoid the unplanned downtimes and losses associated with such malware attacks.
