Although we tend to think of ransomware, whereby data is encrypted via malware infection and a 'release fee' is demanded in return for the decryption key, as a consumer-facing threat, the news from Kroll Ontrack suggests that it is something businesses may need to take increasingly seriously as well.
The mechanics of the threat have, it would appear, evolved somewhat though.
Kroll Ontrack engineers say they have seen a "significant spike" in the number of inquiries regarding data recovery following ransomware attacks on virtual drives, although the actual severity of this increase has not been disclosed to us.
Shane Denyer, a data recovery engineer at Kroll Ontrack, confirmed that the company is seeing "a definite move away from attacks that target large numbers of small business or home users" and a move towards "more of a spearphishing approach where individual, larger corporations come under fire."
In particular, our attention was drawn to attacks where hackers are said to be deleting virtual drives completely on corporate systems and replicating the data on their own servers. "The first time the companies know about the attack is when they find a note from the hacker where the virtual drives used to be, criticising their security arrangements and requesting payment for return of the data or threatening to sell it on the open market," Kroll Ontrack explains in an emailed statement.
In a recent case, SCMagazineUK.com understands that payment was demanded in Bitcoin with the threat that the stolen data would be auctioned off after two weeks if payment was not made. In this particular case, Kroll Ontrack informs us that it was successful in being able to recover the data without any ransom being paid.
Bitdefender's chief security strategist, Catalin Cosoi, points out that simply because hackers are targeting virtual drives doesn't mean the attacks are virtualised. He goes on, talking to SCMagazineUK.com, to argue that malware isn't even necessarily deployed during the attack process. "Infection methods aren't necessarily state-of-the-art," Cosoi said. "They can range from classic social engineering schemes to steal employee login credentials to exploiting unpatched software vulnerabilities – it can be virtually anything."
In a similar vein, TK Keanini, CTO at Lancope, points out that what is going on here is technically not ransomware but rather extortionware, something he predicted a while back as being the evolutionary path such attacks would follow.
"The difference is the fact that the attacker, instead of just keeping you from your data, has your data and threatens to publish (or delete) if the ransom is not paid," Keanini told SC. This evolutionary path isn't finished yet, Keanini reckons, warning that we will likely see more attacks where the threat actors don't care whether you have a backup of your data: the payload isn't in holding access to that data to ransom but rather in being paid off to mitigate the threat of publishing commercially sensitive or potentially embarrassing information to a public audience. "Here we are dealing with disclosure issues that can only be solved by well implemented data level encryption," Keanini said, adding: "The technology is available to solve this problem, the habits are not."
Just how serious a problem is it and is it on the rise as Kroll Ontrack has suggested? IT consultancy ECS's security practice leader David Calder and his team run security operations centres (SOCs) for a number of UK banks, and confirmed to SC that they too have seen increasing numbers of variants in ransomware attacks, including a move to target virtualised storage.
"Some of our clients have implemented best practice protection technologies such as host-based protection/detection and integrity monitoring solutions," Calder told SC, "which alert them to any key changes to the host." He went on to suggest that the specific attack variant highlighted by Kroll is, if anything, a less technically advanced version of the more commonly observed cryptographic methodologies but added, "It does provoke some thoughts on further evolution of ransomware attacks."
Of course, within the corporate as opposed to consumer realm, one would hope that upon discovering that files, virtualised or not, have been encrypted or deleted, the victim would simply revert to their latest backup position.
A good idea but even this precautionary step won't always work. "Attackers will therefore be considering methods by which they can extend the time period between their compromise and the point of discovery," Calder warns, "thus attempting to render backups useless."
Certainly these attack methodologies highlight the importance of good backup hygiene, which includes reducing the exposure window by regularly testing restored data.
Organisations could also take advantage of SIEM technology to detect unexpectedly large numbers of files being changed or deleted within a given time window, a good indicator of suspicious behaviour, Calder advised.
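As an added illustration of the SIEM rule Calder describes (not code from the article or from any vendor named in it), the script below runs a sliding-window count of modify/delete events per host and user over a few constructed audit-log lines and raises an alert when the count crosses a threshold. The log format, field names and the threshold of five events in five minutes are assumptions chosen for the example; a real deployment would tune them to the normal change rate of each file server or datastore.

```python
"""Sliding-window burst detector for file modify/delete events.

Editor's example, not the article's or any product's code.  The log layout
"<ISO timestamp> <host> <user> <action> <path>" and the thresholds are
assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines: a normal morning of edits by 'alice', then a
# late-night burst of datastore deletions under a service account, ending with
# a dropped note (the pattern the article describes).
SAMPLE_LOG = """\
2015-06-01T09:00:01 fs01 alice MODIFY /shares/finance/q1.xlsx
2015-06-01T09:03:10 fs01 bob READ /shares/hr/policy.pdf
2015-06-01T09:05:00 fs01 alice MODIFY /shares/finance/q2.xlsx
2015-06-01T22:10:00 fs01 svc-backup DELETE /vmstore/web01.vmdk
2015-06-01T22:10:02 fs01 svc-backup DELETE /vmstore/db01.vmdk
2015-06-01T22:10:05 fs01 svc-backup DELETE /vmstore/app01.vmdk
2015-06-01T22:10:07 fs01 svc-backup DELETE /vmstore/app02.vmdk
2015-06-01T22:10:09 fs01 svc-backup DELETE /vmstore/mail01.vmdk
2015-06-01T22:10:11 fs01 svc-backup MODIFY /vmstore/README_RESTORE.txt
"""

# Actions that count towards the burst; reads are ignored.
WATCHED_ACTIONS = {"MODIFY", "DELETE", "RENAME"}


def parse_line(line):
    """Split one audit line into (timestamp, host, user, action, path)."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path


def detect_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (host, user) whose watched events reach
    `threshold` within any `window`-long span.  Repeat alerts for the same
    (host, user) are suppressed so a long burst produces a single alert."""
    recent = defaultdict(deque)   # (host, user) -> deque of (ts, path)
    already_alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, user, action, path = parse_line(raw)
        if action not in WATCHED_ACTIONS:
            continue
        key = (host, user)
        events = recent[key]
        events.append((ts, path))
        # Drop events that have fallen out of the window.
        while events and ts - events[0][0] > window:
            events.popleft()
        if len(events) >= threshold and key not in already_alerted:
            already_alerted.add(key)
            alerts.append({
                "host": host,
                "user": user,
                "first": events[0][0],
                "last": ts,
                "count": len(events),
                "paths": [p for _, p in events],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['host']} {alert['user']}: {alert['count']} "
              f"changes between {alert['first']} and {alert['last']}")
        for p in alert["paths"]:
            print("   ", p)
```

On the sample data the two daytime edits by 'alice' stay below the threshold, while the service account's five deletions inside ten seconds trigger a single alert listing the affected datastore paths. Keying on the user as well as the host is deliberate: the article's scenario involves legitimate credentials, so the alert is on the unusual rate of destructive change, not on who performed it.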
The trouble is, especially at the smaller end of the SME spectrum, that this kind of attack exploits the weaknesses in the backup systems being used. Dr Jules Pagna Disso, head of research and development at Nettitude, said he and his colleagues have seen many examples of poor practice including users directly connected to backup systems, making it very easy for the attacker to search for, and find, all connected drives.
"This attack is likely to continue until people wake up to the fact that a response plan for cyber-attacks must be put in place," Dr Pagna Disso concluded, "not just a simple backup system."
So what else can organisations do to mitigate the threat of this kind of attack?
HEAT Software's Chris Merritt told us bluntly that they "need to rethink their security strategy" by implementing a layered defence-in-depth approach that pro-actively prevents infection. "In a world where employees are as likely to work outside the network as within," he continued, "the endpoint needs to be self-protecting."
That means going beyond traditional set-and-forget tools and adding application whitelisting, device/port control, and a patching regime for the base OS and third-party apps alike. In fact, Merritt suggests that the latter "might be the easiest and most cost-effective step organisations can take, effectively reducing the attack surface, reducing the ability of the chances of the exploit portion of the malcode from finding a target, and reducing the chances of the ransomware from gaining a foothold on the system in order to execute."