Tuesday, June 28, 2016

Ransomware: a digital-era weapon and a high-revenue business!!!

The world today is full of unlimited business opportunities. We all operate in the digital era to perform business operations (by connecting people, enterprises, smart cities, systems, IoT, utilities, smart grids/meters, big data and analytics, and SMAC across the globe). Yet we still follow standard operating procedures defined in the Stone Age, without giving due diligence to the evolving threat landscape.

This post is informative in nature and is meant for people who think cyber-attacks are not meant for them, or that they will never be affected because of the nature or scale of their business. Be prepared: you can be the easy target!!!

I would like to share a true incident that happened in a non-IT organization, which caused big havoc and brought complete operations to a standstill for a few days. A million-dollar loss!!!

It was a normal day when I received a call from my friend requesting some help, since I understand security operations. I casually inquired about the reason; however, I felt he was a little hesitant. During the conversation, he mentioned that his customer was facing a major issue due to a malware attack, and he requested my help to rescue them. On his request, I agreed to talk with the customer. Let me narrate the complete conversation.
During the conversation, I came to know that he is heading the IT operation and seemed to be in deep trouble. Initially, he was hesitant to share the issue because of company reputation and market share. However, based on my assurance, he stated that the complete IT operation had stopped due to a malware attack. With a deep breath, I asked him for more detail on the behaviour of the malware and the issue so that I could suggest a mitigation plan. According to him:
  • The organization is touching the lives of millions across India, Asia, the Middle East, Europe, Africa and America. Huge network!!!
  • The malware has encrypted all the business operation devices and is asking for money to decrypt the file system.
  • The files are encrypted with the .AAA extension.
  • Not sure how many systems are infected or will be infected.
  • The antivirus solution is not protecting… the antivirus vendor claims it to be a zero-day exploit.
  • The local vendor who supports the operation is not committed to handling the security incident. Technical competency issue with the local vendor.
  • We can’t align with CERT-In (Indian Computer Emergency Response Team) to report the incident and take their concurrence and advice, due to company reputation.

With a deep breath, I understood the complete issue. It was an “encrypting ransomware” attack. A highly profitable, evolving threat!!!
Okay, let me brief you on exactly how it functions.

Ransomware, as the term says, is related to ransom; in the current circumstance, it is a “digital ransom”. In the current context, the attacker has encrypted the digital information and is asking for ransom money to rescue/decrypt the data so that it can be used for business operations again. It’s a big call which the customer has to make, considering:

  • How to make the business operational with no impact on business and market share.
  • The impact of the encrypted files. Data restoration, if we plan to delete everything and restore from backup: which day’s backup to refer to, since there is no clarity on whether the backup itself is infected.
  • How many systems are affected due to the self-replicating behaviour.
  • Do we have any controls to identify the source of the attack?
  • When was it infected, since much malicious code remains undetected due to APT-like behaviour?
  • What would be the impact on company reputation if the ransom is paid?
  • How can we safeguard ourselves, considering the attacker might have a key to our network?
  • How to mitigate the same incident happening again.


Before the business takes a call on the alarming questions above, let’s understand a little more about how it works and how it is impacting users across the globe.

Ransomware can exhibit worm-like behaviour and can remain undetected. The ransomware leverages removable and network drives to propagate itself and affect more users. There are many forms of ransomware, some of which are destructive in nature, i.e. they are designed with an automated counter; once the threshold is reached, it will start deleting files. If you restart the computer or try to stop its services, it becomes more disruptive and may delete thousands of files. The ransomware boss (in IT terms, can be referred to as a program head) establishes the complete program like a project. The leader (in IT terms, can be referred to as a technical lead) recruited 10 to 15 affiliates who supported him in spreading the ransomware via:
  1. Botnet installs
  2. Email and social media phishing campaigns
  3. Compromised dedicated servers
  4. File-sharing websites
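Once the ransomware has spread across removable and network drives as described above, the first responder questions are how far it has got and which backup predates it. The script below is an added example, not part of the original post or the customer’s environment: it walks a file tree, counts files carrying the .AAA extension mentioned earlier per directory, and records the earliest and latest modification times so a backup taken before the first encrypted file can be chosen. The sample tree it scans is constructed inline.

```python
"""Scope an encrypted-ransomware incident: count .AAA files per directory
and find when the first/last one appeared. Added example, not from the post."""
import os
import tempfile
from datetime import datetime, timezone

# Extension seen in the incident described in the post; extend as needed.
ENCRYPTED_EXTENSIONS = {".aaa"}


def scan_for_encrypted_files(root, extensions=ENCRYPTED_EXTENSIONS):
    """Return (total, per_directory_counts, first_mtime, last_mtime)."""
    per_dir, first, last = {}, None, None
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if os.path.splitext(f)[1].lower() in extensions]
        if not hits:
            continue
        per_dir[os.path.relpath(dirpath, root)] = len(hits)
        for name in hits:
            mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    return sum(per_dir.values()), per_dir, first, last


def safe_backup_cutoff(first_mtime):
    """Only backups taken before the first encrypted file appeared are safe."""
    return datetime.fromtimestamp(first_mtime, tz=timezone.utc)


def build_sample_tree():
    """Constructed sample share: clean files beside 'encrypted' ones."""
    root = tempfile.mkdtemp(prefix="ransom_scope_")
    layout = {"finance": ["q1.xlsx.AAA", "q2.xlsx.AAA", "readme.txt"],
              "hr": ["policy.docx"], os.path.join("hr", "archive"): ["old.pdf.aaa"]}
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        for name in names:
            with open(os.path.join(root, rel, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    total, per_dir, first, _last = scan_for_encrypted_files(sample)
    print(f"{total} encrypted files; per directory: {per_dir}")
    print("restore from a backup taken before", safe_backup_cutoff(first))
```

Run it against the root of each share or workstation image; directories with zero hits and a backup timestamp earlier than the reported cutoff are the safe restore candidates.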


Let’s understand the market analysis so that we can say “No to digital threats in a cross-connected ecosystem”.

Facts: the revenue business of ransomware
  • Half of users can’t accurately identify ransomware.
  • Half of the victims are willing to pay up to $500 to recover encrypted data. According to the graph, there are nearly 200K infected users; if half of them pay 500 USD, it makes a total of 50,000,000 USD!
  • Personal documents rank first among user priorities.
  • UK consumers would pay the most to retrieve their files.
  • US users are the main target for ransomware.
  • Indian users are also targeted; however, it is never reported.
  • One of the most interesting aspects of ransomware campaigns is that they can also be very profitable for small gangs without specific skills.
  • A ransomware-as-a-service campaign has been operated by a Russian gang since December 2015.
  • The gang requested from the victims a payment of a $300 fee to rescue the encrypted files; the communications with the victims are handled directly by the boss.
  • 93% of phishing emails are now ransomware.

[Figure: Growth of Encrypted Ransomware, Q1 2016]

The best preparation for tomorrow is doing your best today. In my next post, I will guide you through developing a holistic approach to battling ransomware proactively, to avoid massive destruction, along with a mitigation approach. Till then, stay safe!!!