Sophos Issues Report on How Ransomware Attacks

On November 14, the British cybersecurity company Sophos issued a report, titled “How Ransomware Attacks,” that explains how ransomware variants attack and affect victims.  Because Sophos views ransomware’s behavior as “its Achilles’ heel,” the report describes “some of the behavioral patterns” of the 11 “most common, damaging, and persistent ransomware families.”

The report, by Sophos Director of Engineering Mark Loman, discusses a number of the most prevalent ransomware techniques and behavioral traits, including the following:

• Ransomware Categories: The report divided various prominent ransomware families into three categories, “distinguishing them by the method attackers use to spread the infection”:
  • Cryptoworm: Ransomware “that replicates itself to other computers for maximum reach and impact.”
  • Ransomware-as-a-Service (RaaS): Ransomware “sold on the dark web as a distribution kit to anyone who can afford it,” allowing people “with little technical skill to attack with relative ease.”
  • Automated Active Adversary: Ransomware that “is deployed by attackers who use tools to automatically scan the internet for IT systems with weak protection.”
• Cryptographically Signed Code: “Attackers may attempt to minimize detection by security software by signing their ransomware with an Authenticode certificate, which anyone can buy (or steal). . . . Unfortunately, some security tools conflate ‘digitally signed’ with ‘should be allowed to run’.”
• Privilege Escalation: “[T]oday’s ransomware uses exploits to elevate their own privileges and abuse stolen administrator credentials to make sure the attack is performed using a privileged account.”
• Attacking Network Drives First: Ransomware causes “the most immediate damage to an organization” when it encrypts mapped network drives first, “as it immediately affects most employees no matter where they are geographically located.”
• Multi-Threading Technology: “Some ransomware is specifically designed to make efficient use of modern CPU hardware and parallelizes individual tasks to ensure faster and, subsequently, more harmful impact before victims discover they’re under attack.”
• Cipher.exe Abuse: Certain ransomware abuses Microsoft’s CIPHER.EXE command-line tool “to make sure ransomware victims cannot recover deleted documents from their storage drives.”  Some ransomware also abuses CIPHER.EXE by exploiting its ability to permanently overwrite all of the deleted data on a storage drive.”

The report also provides a summary of 11 common ransomware families’ methods and characteristics.

The report notes that a key vulnerability of ransomware is that “[t]here are behavioral traits that ransomware routinely exhibits that security software can use to decide whether the program is malicious.” As The Register explained, “sooner or later, the malware has to access the file system and begin to encrypt the data. This is the point where the attacks have to expose themselves and the spot where security tools can stop them.”

N.B.: Because ransomware presents continuing threats to companies and governments around the world, this report warrants a closer reading by corporate information-security teams.  While there is no panacea for ransomware, the report offers information-security professionals a number of useful observations and insights for understanding core behaviors of ransomware and reducing the odds that ransomware can successfully infiltrate corporate networks and databases.