Ransomware: How A Security Inconvenience Became The Industry's Most-Feared Vulnerability

There are all sorts of ways to curb ransomware, so why has it spread so successfully?

Gur Shatz, CTO and co-founder, Cato Networks

January 16, 2017

7 Min Read
Figure 1: The string "vqnpxl" is the obfuscation function. Source: Cato Networks

The word "ransomware" conjures up images of dark cloaks and even darker alleys, and not surprisingly, the level of media attention has been unprecedented. The fact that news stories measure the affect of ransomware in terms of cash helps grab the public's attention. (One analysis estimates more than $1 billion in ransoms were paid out in 2016).

The most frightening thing about ransomware is that its success is built on trust. Ransomware often gains access by way of a clever email designed with the sole intention of winning the victim's confidence. "My skill is in my ability to get a bunch of people to click on the attachment," explains a malicious actor in a YouTube primer.

Ransomware perpetrators have even started copying incentive tactics from legal industries. There's the Christmas discount for victims who pay up, and a pyramid scheme offer, described in the press as "innovative": "If you pass this link and two or more people pay, we will decrypt your files for free!"

This sophistication and business savvy speaks to ransomware's growth as an industry, and IT has had to take notice. A recent survey of IT professionals from around the globe found that more than 50% of IT staff and more than 70% of CIOs see defending against ransomware as their #1 priority for 2017.

What made ransomware into such a strong threat? Is it really a greater malice than traditional security threats or data theft? Or is it just more buzzworthy because the consequences are more dramatic? What's enabling the epidemic, and what produced the conditions for ransomware to flourish?

The Patching Conundrum
In a way, the rise of ransomware in 2016 was in the works for a long time. Vulnerability patching has been a significant IT challenge for several years — among industrial control systems, 516 of 1,552 vulnerabilities discovered between 2010 and 2015 didn't have a vendor fix at the time of disclosure. A full third of known "ways in" had to wait for a patch to be developed, providing ample time for criminals to do their worst.

Reliance on distributed security appliances has only exacerbated the problem. Even after patches become available, there's still a significant lag. A combination of staff shortages, the volume of devices deployed across today's business networks, and distance has dramatically lengthened patch rollout times. Varying reports put the gap between 100 days to 18 months.

Before ransomware even became a trend, the stage had been set for adversaries to gain access.

It Should Be Easy to Stop
From an IT perspective, one of the most aggravating things about ransomware is that even after the attack gains a foothold, it should be relatively easy to stop. The file encryption — which actually does the damage — is the final stage of a multistep process. In fact, there are several opportunities to block the attack before it affects valuable data. First, if the attack is caught by URL filters or secure Web gateways, it will be averted.

The second step is where the initial malware "drop" downloads the ransomware program. To do this, it must connect back to the attacker's server from within the compromised network. It's only after the ransomware program itself deploys inside the victim's environment that it encrypts local and network server files. And still, before the process can launch, most ransomware must connect to a command-and-control server, to create the public-private key pair that encrypts the data.

At any point in the process, a network security stack has ample chance to block the malicious program from making these connections, and data lockdowns would never happen.

With all these opportunities to stop the attack, how has ransomware been so successful?

Complexity upon Complexity
In November, security researchers discovered a mutation to exploit Scalable Vector Graphics (SVG), and this may provide a clue. SVG is an XML-based vector image format supported by Web-based browsers and applications. Attackers were able to embed SVG files sent on Facebook Messenger with malicious JavaScript, ostensibly to take advantage of users' inclination to view interactive images.

The way these files were manipulated is of much greater concern than either the app that was targeted, or the breach of users' trust: The SVG file had been loaded with obfuscated JavaScript code (see Figure 1). These files automatically redirect users to malicious websites and open the door to eventual endpoint infection. The obfuscation tricks detection engines, and signature-based detection will always fall behind as code morphs to new signatures for the same threat.

The above attack spotlights an urgent need to simplify. Modern networks see their vulnerability go up thanks to a patchwork of point solutions. It's not sustainable to expect IT pros to update each point solution, and patch every existing firewall, when each new attack vector comes about. Skilled attackers will always build new threats faster than IT can defend against them. For ransomware, the critical test is, "how fast can you roll defenses out?"

Higher Stakes
When prevention is the only true cure, it's no wonder ransomware goes to the front of CIOs' agendas for 2017. But the predominant trend toward cloud-based security and the promise of a "patch once, fix all" model are starting to correct the problem. Cloud defenses promote quicker adaptation to ransomware mutations. The idea is to consolidate all traffic from physical locations and mobile users, and integrate a single firewall service as a permanent "line of sight" between any given user, any given device, and a potential threat source. In this respect, the cloud is not just about saving work, but also about improving speed to security.

2016 was the year that IT's reluctance to use the cloud backfired, and it played right into ransomware's hands. Familiarity, comfort, and experience with using the cloud to keep networks safe may improve outcomes in 2017.

Related Content:


About the Author(s)

Gur Shatz

CTO and co-founder, Cato Networks

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based Web applications security and acceleration company. Before Incaspula, Gur was Director of Product Development, Vice President of Engineering and Vice President of Products at Imperva, a Web application security and data security company. He holds a BSc in Computer Science from Tel Aviv College.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights