The Year In Ransomware

A Q&A with ExtraHop in-house ransomware expert Tom Roeh.


ExtraHop systems engineering manager Tom Roeh was instrumental in building our ransomware protection capabilities, which won Best of Citrix Synergy this year. As 2016 comes to a close, we caught up with him to get his thoughts on what went down this year, and what organizations and consumers should prepare for in 2017 and beyond.

Q: Ransomware is not a new concern, but it seems like 2016 was the first year that the media, the information security industry, enterprises, and government agencies were finally all in alignment that this needed to be stopped. What was different about this year?

Yes, it's safe to say that ransomware—at least from an information security perspective—has been the topic of 2016. I'd be surprised if it doesn't end up as the number one concern on every tech publication's year-end list. I think there were a couple different reasons for this. I read a statistic that said 93% of all phishing emails are ransomware. Why? Because it's proven to be very lucrative. The financial gains for the purveyors speak to that. I know there were reports that $209 million in ransoms were paid to attackers in Q1 2016, and the FBI estimated it would be over $1 billion by the end of the year. So, this isn't just a series of really good hacks, it's organized crime, plain and simple.

Previous malware was mostly just bad guys trying to steal your data, which they would then have to re-sell. With ransomware, the barrier to entry is so low that it's democratized malware and made it really easy for anyone to profit from these vulnerabilities. Pair that with the emergence of Bitcoin as a payment solution and you've got a fairly solid model for exploitation. They've even got online help available to make the process easier for victims, so this is big business. Even if they're only getting 10-20% of their victims to pay the ransom, that's still a big profit. If you infect a million PCs, maybe only 100,000 of them will pay the ransom. But if you multiply that by $800 or whatever a Bitcoin costs these days, that's a lot of money.

Q: The stats on the volume of attacks this year have been staggering. As someone who works on the ground-level to help organizations protect against ransomware, do those stats sound accurate?

Yes and no. I saw the stat that said there was an attack every 40 seconds in the month of September. At the beginning of the year, that statistic was more like one every 2 minutes. To me, this is mostly interesting because those are just the attacks that have been reported. In my experience, I would say that for every one of those attacks, there are at least another 5 or 10 that have gone unreported or under-reported.

In fact, we're working on a proof-of-concept right now for a large healthcare system, and just in the past few weeks, we found 5 ransomware infections. These were infections that occurred earlier in the year but were not well publicized, even within that particular organization. As our engagement with this organization progresses, I'm sure we'll discover even more.

Q: What about the methods? Are the purveyors getting more targeted in their attacks?

The majority of ransomware is still being delivered via email, through spearphishing attacks. Those attacks often come in the form of very legitimate-looking emails, maybe with a slight degree of vagueness to them. They may look like a message from Amazon or an invoice from your lawn care service. They're doing a really good job of disguising emails to look like something you, personally, would expect to see in your Inbox on any given day. In the corporate world, they may use data exfiltration from your environment, or even social engineering. For example, there's a hospital system near where I live in Houston, TX. If they wanted to target that organization, they could incorporate some base-level understanding of the region and just email blast people to make it look like something legitimate to that organization. It can be really tricky to spot those. I've even had to do a double-take on some that I've received.

Q: How does traditional, signature-based detection hold up in the face of these sophisticated threats?

There's no email filtering platform that's 100-percent foolproof. Most companies have some sort of protection in place, whether it's a Barracuda email firewall or just Google's spam filtering. But still, something like 77% of attacks manage to bypass those. So that's obviously not a perfect science by any means and, unfortunately, I find a lot of enterprises rely too much on that. In those environments, you're already lured in by the false sense of security, and that's when you end up clicking on the wrong thing.

Q: What about emerging variants? What have you seen this year, and what should we look out for in 2017?

A lot of attacks now are originating from websites, so-called "drive-by attacks." You end up clicking on a weblink in an email that takes you off to a site with an exploit kit of some kind. So just by going to the wrong website, you've now infected your PC. Even semi-sophisticated users might not realize these types of attacks are happening.

I also heard of a new one just last weekend. It remains to be seen how successful it will be, but it works like other ransomware attacks by encrypting your files. However, this new one offers you free encryption keys, but only if you go off and infect your friends. If your friends agree to pay, the attackers will give you the encryption keys.

The vast majority of ransomware making headlines is what I call "crypto-ransomware." Going into 2017, I think we're still going to see a proliferation of that type of attack, but we're also starting to see increasing reports of mobile device and Internet of Things variants. There has been some good security research on things like smart refrigerators getting hacked and consumers effectively becoming locked out of their own appliance. Basically, they'll turn off your smart refrigerator and spoil all your food until you pay the ransom. That's a different approach from encrypting files, but it's still effective and as IoT becomes more ubiquitous, it is absolutely logical that we will see more and more ransomware targeting our homes.

Q: And what about mobile devices?

With mobile devices, at least from an IT perspective, that's an area that's ripe for exploitation. Bring-Your-Own-Device has made it so corporate data exists outside of corporate networks. For example, you've got a doctor and he has patient electronic medical records on an iPad, which is connecting out through a service provider. If I'm in a typical corporate IT shop, I lose a lot of control there. So, BYOD and mobility in general pose a lot of challenges because it decentralizes the data center effectively.

Q: If the variants are evolving this rapidly and traditional models are no longer sufficient, what's next for organizations? Obviously, something needs to change.

If you look at traditional antivirus solutions, agent-based endpoint security or whatever, they typically look for very specific files to show up on PCs, MacBooks, desktop computers, etc. For example, they look for a file named xyzabc123.exe or, technically speaking, a hash of that file. It's got a very specific dictionary or signature, if you will, of the different types of known attacks that are out there. As we already talked about, in 2016, there are starting to be exponentially more and more different variants of ransomware out there. This puts the antivirus vendors into a tough position because it's really hard to keep those signature dictionaries up to date.

So, within information security as a whole, there's a lot of emphasis being put on observing behaviors, as opposed to statically doing file-based signature matching. If you think about ransomware as a whole, or crypto-ransomware, files are being encrypted. As a behavior, you can quantify that down into a fairly small set of behaviors, as opposed to the thousands upon thousands of ransomware variants that are out there. So you can focus on detecting some of the tell-tale signs or behaviors, and there are different ones in terms of the type of file operations being used, files being written and deleted, and naming patterns of files. With threats evolving as rapidly as they are today, you're always going to be playing catch-up if you only target signatures. A behavior-based approach, however, will put you in front of emerging threats.

Even outside of ExtraHop, that's sort of a big, underlying theme in the antivirus world. A lot of the traditional solutions are now competing with younger players that are doing more behavior-based anti-virus detection. I think we're going to see this approach grow as the information security marketplace matures and evolves.

Q: You were instrumental in building ExtraHop's ransomware detection capabilities. What have you been hearing from customers so far?

It's been a good 10 months or more since we published that. I would say close to two-thirds of our customers have installed the ransomware detection bundle in some capacity, and the response has been very positive. We are getting a lot more questions on how to automate the process of ransomware detection and remediation. This is a great thing for ExtraHop to be able to deliver greater value to IT environments. ExtraHop is not a firewall, it's not an agent-based anti-virus, we are a passive detection appliance. You plug us in and we analyze network traffic—a copy of that traffic—but we're going to do much more in-depth analysis than your traditional firewall, or even your next-gen firewall.

From a remediation perspective, we're able to integrate with the platforms that take action to remediate the issue. There are several different ways this could look, but basically, we detect ransomware, then we send the automated event or trigger out to an external orchestration platform or external network access control solution, all with the end goal of quarantining the infected device. For example, someone has a Windows 7 PC in their environment, they click on the wrong website or attachment and get infected. Literally within seconds, ExtraHop can detect it. We've been doing it all year. But once we've detected it, we can send out an automated notification to an external system and quarantine that machine; or put it in some sort of firewall black hole so they can't talk to anything and can't encrypt files out of the corporate file share. More and more, we're seeing our customers setting up that sort of automation.
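As an added illustration of the behavior-based approach Tom describes (the file-operation patterns in his earlier answer, and the detect-then-quarantine flow in this one), the following Python is example code written for this page; it is not ExtraHop's bundle or any code from the interview. It reads a constructed log of file-share operations and scores each client on three tell-tale patterns: writes with an extension the business never uses, an original file deleted right after a renamed copy of it is written, and ransom-note-like filenames. A client whose count of such operations crosses a threshold inside a sliding 60-second window yields a quarantine event of the kind that would be handed to an orchestration or network access control platform. The log format, the extension allow-list, the note keywords, the window and the threshold are all assumptions chosen for the example.

```python
"""Behavior-based ransomware detection over file-share operation events.

Added illustration with constructed input; the log format, allow-list,
note keywords, window and threshold are assumptions, not product logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window for counting
THRESHOLD = 4                    # assumed count that triggers quarantine
# Extensions the business normally writes; anything else is suspicious (assumed).
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "txt", "pptx", "csv", "jpg"}
# Substrings typical of ransom-note filenames (assumed).
NOTE_KEYWORDS = ("decrypt", "recover_files")

# Constructed sample: "<ISO timestamp> <client IP> <OP> <path>".
# 10.0.0.5 does ordinary edits; 10.0.0.7 shows the read / write renamed
# copy / delete original pattern and then drops a ransom note.
SAMPLE_EVENTS = """\
2016-12-14T09:00:01 10.0.0.5 READ /share/finance/q3.xlsx
2016-12-14T09:00:02 10.0.0.5 WRITE /share/finance/q3.xlsx
2016-12-14T09:00:05 10.0.0.5 DELETE /share/finance/old_draft.docx
2016-12-14T09:00:10 10.0.0.7 READ /share/hr/policy.docx
2016-12-14T09:00:10 10.0.0.7 WRITE /share/hr/policy.docx.locked
2016-12-14T09:00:11 10.0.0.7 DELETE /share/hr/policy.docx
2016-12-14T09:00:12 10.0.0.7 READ /share/hr/salaries.xlsx
2016-12-14T09:00:12 10.0.0.7 WRITE /share/hr/salaries.xlsx.locked
2016-12-14T09:00:13 10.0.0.7 DELETE /share/hr/salaries.xlsx
2016-12-14T09:00:14 10.0.0.7 WRITE /share/hr/HOW_TO_DECRYPT.txt
"""


def parse_events(text):
    """Turn log lines into (timestamp, client, op, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, op, path = line.split(None, 3)
        events.append((datetime.fromisoformat(ts), client, op.upper(), path))
    return events


def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score_clients(events):
    """Return {client: peak number of suspicious ops seen within one WINDOW}."""
    recent_writes = defaultdict(set)   # client -> paths it has written
    hits = defaultdict(deque)          # client -> timestamps of suspicious ops
    peak = {}
    # Stable sort by time keeps the log's own order for equal timestamps.
    for ts, client, op, path in sorted(events, key=lambda e: e[0]):
        peak.setdefault(client, 0)
        suspicious = False
        if op == "WRITE":
            base = path.rsplit("/", 1)[-1].lower()
            if extension(path) not in KNOWN_EXTENSIONS or any(k in base for k in NOTE_KEYWORDS):
                suspicious = True
            recent_writes[client].add(path)
        elif op == "DELETE":
            # Deleting an original right after writing "<original>.<new ext>"
            # is the classic encrypt-then-remove pattern.
            if any(w.startswith(path + ".") for w in recent_writes[client]):
                suspicious = True
        if suspicious:
            q = hits[client]
            while q and ts - q[0] > WINDOW:
                q.popleft()
            q.append(ts)
            peak[client] = max(peak[client], len(q))
    return peak


def quarantine_actions(events, threshold=THRESHOLD):
    """One quarantine event per client whose suspicious count reaches threshold."""
    return [
        {"action": "quarantine", "client": client, "suspicious_ops": n}
        for client, n in sorted(score_clients(events).items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for action in quarantine_actions(parse_events(SAMPLE_EVENTS)):
        print(action)
```

Only the second client crosses the threshold, so one quarantine event is produced; the ordinary edit-and-delete activity of the first client scores zero because it writes a known extension and deletes a file it never renamed. The `recent_writes` set is never aged out here, which is fine for a short sample but would need a time bound in a long-running detector.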

Q: What other threats are we seeing on the horizon in 2017 and beyond?

Personally, one of the things that scares me the most—and this is even outside of ransomware—is the Internet of Things. A lot of people are aware of the attacks this year on Dyn, one of the major DNS service providers, and the attack on Brian Krebs' Krebs On Security website. In both cases, these outages originated from poorly secured IoT devices, which were compromised and then used to instantiate massive, never-before-seen DDoS attacks. From what I know about network security, that's one of my biggest worry points moving into 2017. How will that be addressed? There are thousands—and the number grows every day—of Internet of Things devices that are out there. Right now, however, there is not a standard certification that's been laid forth to assure the security of those types of devices. When I think about the number of connected devices that I have in my home outside of my computers and phone—DVR players, Nest thermostats, even our smart utility meters outside the house—it's scary to think about, and it's also a keen area of interest for us at ExtraHop because we can help enterprises to get a handle on their IoT devices.

For more ransomware-related information from our in-house experts, be sure to explore our ransomware hub page.
