Ransomware: Real Life Battle Bots
by: Marci De Vries, Fraudsniffr

My husband and I watch a lot of robot movies, and we always start laughing when two giant robots stand up and start punching each other with their giant metal fists. It’s funny because a real robot war would look like two server boxes getting really hot. Maybe toss in melted router for added dramatic effect.

In real life, ransomware is a $3 billion industry, perpetrated by infinite testing and vulnerability detection. Because American company firewalls and intrusion detection systems are typically handled by software that does not detect macro trends, a bad actor can test and locate vulnerabilities without ever alerting a human. The bad actor simply uses an array of VPNs to sidestep the rudimentary pattern analysis included in most server security protocol while they look for paths into the data.

After an intrusion point is located, the bad actor can inject code that does not deploy as a ransomware attack for months. This quiet code completes a variety of tasks – first it copies data and delivers that data to the bad actor, then it tags data for deletion during the future ransomware attack. The code also flows into any machine that sends data to the affected device, and out to any device where the machine sends data. In this way the ransomware affects not only the machine that had the vulnerability, but also to all the data on all the devices connected to that machine. It is an elegant way to bypass any firewall system to infect an entire network, even reaching out to the laptops and flash drives of remote workers. Most ransomware code also has AI included to identify the most critical data, based on usage, frequency, and type. The bad actor assesses the relative value of the data and compares it against a sophisticated financial analysis of the victim to calculate the ransom demand.

This quiet ransomware code does its work for six months or more, just long enough to outlast a standard backup/restore process – most companies keep full backups for six months, and then only periodic (and not very useful) backups from earlier dates. This long quiet period makes it impossible for a company to restore their systems from any existing useful backups. Furthermore, if a company tries to restore from a backup that includes ransomware code, often the ransomware attack will become even more aggressive and delete additional data from the affected device(s).

Companies in the middle of an active ransomware attack are often incredibly surprised at the customer service and professionalism exhibited by the bad actor who has made the ransom demand. If the company representatives are willing to pay the ransom, the process of retrieving data is very straightforward. At the end of a successful ransomware transaction, the data is fully restored and a company can resume operations as if the attack had not happened. However, for companies that want to fight the ransomware actors, the data can be returned damaged, or not returned at all. 

The maddening part of ransomware attacks is that they are nearly random. Ransomware attacks that haven’t made the national news include my son’s school district, a local hospital system, a cardiac surgery unit within a medical system, a mid-sized document imaging company, and a municipality’s technical infrastructure. It could be as random as this: ransomware bots start with a vulnerable device, and then walk through not only a company’s infrastructure, but also the company’s hosting provider. Once a ransomware bot infects a hosting provider, the bots might even spread to the other companies hosted in the same facility. In reality, at this point there does not seem to be a pattern to the selection of ransomware victims.

So how can a risk manager address the ransomware threat? According to Swadesh Guchhait, president of Alliance Infosystems, a Baltimore-based IT company that specializes in network security, the biggest mistake enterprises make is focusing on the leading edge of their network security – while a robust firewall is important, it will not provide systemwide protection.

Companies interested in slowing down or stopping a ransomware attack need to segment their network, which would prevent a bad actor from moving horizontally through a network once it is behind the firewall. Segmenting means putting the HVAC computer system on a separate network from the production network, and segmenting Wi-Fi from the main data network. Network design and hygiene is the most effective way to limit the extent of a ransomware attack.

Guchhait also indicates that end point security (computers used by humans on a network) is the primary intrusion point for ransomware. Training employees device usage is important, especially as bad actors produce increasingly salacious content to entice clicks.

There are some standard practices to engage in as well, it is important to install network protection that scans for active and dormant viruses, with the understanding that this is a best practice, not a foolproof protection plan.

It’s a dangerous new war we’re fighting. The attacks are civilian companies, and the people at the front line are you and me. Stay safe out there, and don’t click on anything you don’t recognize.