Ransomware and the Cloud | @CloudExpo #InfoSec #DataCenter #Security
Is the cloud ready for new cyber threats?
By: David Balaban
Jun. 2, 2016 02:49 PM
It's been years since it became obvious that crypto isn't necessarily usable for benign purposes only. Back in the day, a variety of data encryption techniques were contrived to protect sensitive communication against MITM (man-in-the-middle) attacks and similar interception attempts. The creators of file-encrypting ransomware, however, have ventured to add a malicious component to the mix, using both symmetric and asymmetric algorithms to lock their victims' data and hold it for ransom.
The most common cryptosystems leveraged in these campaigns are RSA and AES. Although the two are fundamentally different, from the victim's standpoint they lock data just as reliably.
To top it off, ransom Trojans have evolved over time. The newer variants target files on a computer's local drives, network shares and cloud paths alike. The fact that cloud storage isn't safe either contradicts the main risk mitigation advice that security experts have been advocating, that is, to maintain data backups outside of the machine.
Anatomy of the Compromise
Even worse, the so-called DMA Locker extortion campaign that broke out in February 2016 demonstrated that drives don't even have to be mapped for the infection to hit them. Although this is still the exception rather than the rule, there are hardly any technical hurdles for it to become a trend anytime soon.
Over the course of the scan, the ransom Trojan compares files against a predefined range of formats in order to identify the most important user data and then encrypts it all. It will also attempt to disable VSS (Volume Shadow Copy Service) in order to thwart the easiest recovery technique.
So, is offsite backup to the cloud really such an effective way of storing data? To its credit, this strategy does provide a great deal of protection for one's sensitive files against straightforward locking by ransomware. But obviously, the cloud isn't bulletproof when it comes to the most sophisticated crypto assaults.
The "Children in Film" Incident
According to Toni Casala, the President of Children in Film, this strategy has numerous benefits for the company, because it is an inexpensive way of managing their business without having to hire more people in the IT department. Plus, the cloud provider is fairly responsive when it comes to tech support.
Unfortunately, the firm confronted ransomware at its worst just before last New Year's Eve. One of the employees received an email containing an attachment that looked like an invoice. This is a widespread social engineering technique that crypto ransomware operators use to spread their infections. Once the employee opened this eye-catching but booby-trapped email attachment, it took the ransom Trojan as little as half an hour to propagate across the firm's entire digital environment. As a result, more than 4000 files stored on the cloud drive were encrypted and could no longer be accessed.
This was an instance of TeslaCrypt, one of the most prolific ransomware programs at that point. It appended the .vvv extension to files and dropped ransom payment instructions into every path with locked data. Luckily, the provider of managed cloud services was able to restore the files from backup, which it performs on a daily basis. It was a very time-consuming process, though. Furthermore, other clients on the same server were experiencing disruptions as well. Because TeslaCrypt features sophisticated code obfuscation techniques, it bypassed the antivirus defenses in the course of the attack.
The most likely reason why the infection reached the cloud storage in this case is that the hosting company's app mapped the cloud drive as a separate local drive on the HDD. The takeaway from this incident is that end users and companies need to make sure there is no such mapping in place.
The Cloud as the Entry Point
First off, Petya encrypts the master file table (MFT) rather than individual files, which prevents the operating system from knowing where files are and effectively renders the computer inoperable. Secondly, the circulation of Petya in the wild involves a ZIP archive hosted at Dropbox.
The would-be victims receive a phishing email masquerading as a job application. This email contains a Dropbox link pointing to the aforementioned ZIP file. The archive holds two components: a photo of the purported applicant, and a malicious executable. When the latter is opened, the ransomware is loaded onto the target system, displays a request to gain administrator privileges, performs the MFT encryption routine, and generates a spooky BSOD with ASCII art skull and crossbones. To regain access to the OS, the victim needs to submit a ransom of about 1 Bitcoin or approximately 440 USD.
A common prerequisite for the worst-case scenario is the mapping of cloud storage as a letter drive in the system structure, although some ransom Trojans can affect unmapped repositories as well. Such an intricate tactic may result in compromising other users on the same server. Furthermore, even if the infection fails to spread over to an offsite storage directly, the mutilated local files may be auto-synced to the cloud.
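Because a mapped or auto-synced cloud drive faithfully mirrors whatever the local machine does to its files, the sync client's change log is one of the few places a defender can spot the damage as it is being written. The script below is an added example, not code from the article or from any vendor, and it assumes a simple constructed log format (timestamp, action, path) that no real sync client necessarily uses. It flags the two behaviours the article attributes to the TeslaCrypt incident: many files gaining the same new extension (.vvv) within minutes, and the same note file appearing in directory after directory.

```python
"""Detect ransomware-style churn in a cloud sync client's change log.
Added example; the log format, field names and the note file name are
constructed assumptions, not taken from any real product or sample."""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# Constructed sample log: ISO timestamp, action, path (one event per line).
SAMPLE_LOG = """\
2015-12-30T09:02:11 modify /finance/invoices/q4.xlsx.vvv
2015-12-30T09:02:11 create /finance/invoices/RECOVERY_INSTRUCTIONS.txt
2015-12-30T09:02:12 modify /finance/contracts/msa.docx.vvv
2015-12-30T09:02:12 create /finance/contracts/RECOVERY_INSTRUCTIONS.txt
2015-12-30T09:02:13 modify /hr/staff/list.xlsx.vvv
2015-12-30T09:02:13 create /hr/staff/RECOVERY_INSTRUCTIONS.txt
2015-12-30T09:02:14 modify /hr/photos/team.jpg.vvv
2015-12-30T09:02:14 create /hr/photos/RECOVERY_INSTRUCTIONS.txt
2015-12-30T11:40:00 modify /hr/staff/onboarding.docx
"""

def parse_log(text):
    """Turn the constructed text log into (datetime, action, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, action, path = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), action, path))
    return events

def detect(events, window=timedelta(minutes=5), min_files=3, min_dirs=3):
    """Return alert strings for (1) a burst of files that gained a second
    extension such as name.docx.vvv and (2) one file name created in
    many directories, the ransom-note drop pattern."""
    alerts = []
    by_ext = defaultdict(list)
    for ts, action, path in events:
        name = posixpath.basename(path)
        if action == "modify" and name.count(".") >= 2:   # double extension
            by_ext[posixpath.splitext(name)[1]].append(ts)
    for ext, stamps in by_ext.items():
        stamps.sort()
        if any(stamps[i + min_files - 1] - stamps[i] <= window
               for i in range(len(stamps) - min_files + 1)):
            alerts.append(f"extension burst: {len(stamps)} files ending in {ext}")
    dirs_per_name = defaultdict(set)
    for ts, action, path in events:
        if action == "create":
            dirs_per_name[posixpath.basename(path)].add(posixpath.dirname(path))
    for name, dirs in dirs_per_name.items():
        if len(dirs) >= min_dirs:
            alerts.append(f"note drop: {name} created in {len(dirs)} directories")
    return alerts
```

Thresholds are deliberately low for the tiny sample; on a real tenant they would be tuned against normal bulk-rename activity, and an alert would drive pausing the sync client rather than waiting for the antivirus verdict the article says TeslaCrypt evaded.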
Another facet of this issue has to do with the involvement of cloud services in ransomware distribution, where users are social-engineered into downloading malicious droppers from resources like Dropbox.
This twofold impact throws down the gauntlet to the security industry and cloud service providers alike. Meanwhile, relying on antivirus software alone is a lame preemptive technique, because most recent ransomware samples have smart AV evasion built in. It's hence preferable to adopt a diversified backup strategy, where at least one copy of the data resides on a device that's not permanently connected to the Internet.