Common Questions Received About Ransomware


After working in incident response for several years, I have heard many of the same questions regarding ransomware, encryption, decryption, threat actor operations, and how it all works from all types of clients. Many of my clients, after the initial shock of coming in to their workplace and being unable to access anything at all, have many questions concerning the ins and outs of ransomware events. Following is a list of frequently asked questions that I will need to update often.

What is Ransomware?

Ransomware is the criminal act of preventing legitimate use of files, operating systems, and other types of data. These criminals are commonly referred to as threat actors. Ransomware affects the availability of information. Businesses are brought to a halt when enough of the information systems are encrypted and unusable. Ransomware typically changes the legitimate extension of files and replaces it with a custom extension of the threat actor's choosing. As an example, a file called accounting.docx, a normal Microsoft Word document, becomes accounting.docx.encrypted after a ransomware executable runs on the system. Once systems are encrypted, threat actors will leave notes throughout the environment on how to contact them to decrypt your systems, threatening to leak data, or saying “your welcome” for their “services”.

Threat actors use a variety of tactics to gain access to a victim’s network. Threat actors commonly use publicly available exploits and scan the internet for vulnerable devices. (This is why patch management is such an integral part of any cyber security policy.) Another common method is phishing emails. These emails may look benign, but upon careful inspection users will notice certain red flags. These indicators may be an unrecognized sender or domain in the source address. It may be an odd request or a strong sense of urgency to take some action. These emails typically contain attachments or links. (User training and education can cut down on users falling victim to phishing emails.) Some threat actors buy their access to a victim network through an initial access broker (IAB). These IABs gain the first foothold and then sell that access to ransomware criminals or other criminal organizations. Finally, credential stuffing and credential spraying attacks are also common. With the number of people re-using passwords across multiple domains and the number of breaches that have leaked usernames and/or passwords to the public, threat actors will simply try these username/password combination lists against any publicly facing host. (User education and password manager implementation can help prevent password reuse and help users pick strong passwords.)

This is not an exhaustive or all-encompassing list. This is scratching the surface of the common attack vectors bad guys use.

Different threat actors have different tactics for deploying ransomware.

How can we trust these guys?

As ridiculous as it sounds, many threat groups are run like a business. Some have help desks to assist with decryptor issues. Reputation is a huge factor when dealing with some of the groups. They want to be seen as trustworthy so they can get paid by their victims. They only get paid if the victim needs a decryptor or data suppression. If the decryptor they provide doesn’t work, then that information will get out and they won’t get paid by future victims. If a victim pays for data suppression, and the threat actor then publishes that data anyway, they can expect to not get paid for data suppression again.

How do decryptors work?

Decryptors work in as many different ways as there are threat actor groups. From my experience, they are command line tools, some with a graphical interface, some without. Some have a progress bar, some don’t. They are 50/50 on whether they work and how well they work, and they cannot be expected to work quickly.

How long does it take to encrypt/decrypt systems?

Encryption is much faster than decryption. This article from Splunk details encryption speeds and also refers to Mandiant’s 2021 M-Trends report.

Decryption and restoration are much slower. Based on my experience, a decryptor can be expected to decrypt 1 terabyte of data an hour, give or take. Then, after a system is decrypted, it should be reviewed by a digital forensic team and multiple anti-virus solutions before being brought online and into the production network.

Why is there such a time difference in encrypting vs decrypting?

Some of the scripts used to encrypt the data only affect the first part of a file. That is enough to add the extension and prevent the file from being used. Decryption must scan the entire file, compare it against the key, and decrypt the contents before moving on to the next encrypted file.
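The two behaviours described above (an appended extension such as accounting.docx.encrypted, and encryption that only overwrites the start of a file) are both visible during triage. The following is an added example, not code from the original post: it flags a file as likely encrypted when it carries an extra extension over a known document type, or when the expected leading "magic" bytes for that type are gone and the header is near-random. The MAGIC table, the 4096-byte header window, the 7.0 entropy threshold and the sample files are all assumptions constructed for the example.

```python
"""Triage helper: flag files whose names and headers look ransomware-encrypted."""
import math
import os
import random

# Expected leading bytes for a few common types (DOCX/XLSX are ZIP containers).
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}
KNOWN_EXTS = set(MAGIC) | {".txt", ".csv", ".jpg"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain headers score low, ciphertext scores close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_file(name: str, data: bytes, header_len: int = 4096) -> dict:
    """Report an appended extension, broken magic bytes and header entropy for one file."""
    base, outer = os.path.splitext(name)
    _, inner = os.path.splitext(base)
    # accounting.docx.encrypted -> outer ".encrypted" is unknown, inner ".docx" is known
    appended = outer.lower() not in KNOWN_EXTS and inner.lower() in KNOWN_EXTS
    orig_ext = inner.lower() if appended else outer.lower()
    expected = MAGIC.get(orig_ext)
    magic_ok = expected is None or data.startswith(expected)
    # Only the first header_len bytes are checked: header-only encryption leaves the
    # rest of the file intact, so whole-file entropy would understate the damage.
    entropy = shannon_entropy(data[:header_len])
    suspicious = appended or (not magic_ok and entropy > 7.0)
    return {"file": name, "appended_extension": outer if appended else None,
            "magic_intact": magic_ok, "header_entropy": round(entropy, 2),
            "suspicious": suspicious}

# Constructed samples: a clean ZIP-like DOCX, and the same file after a header-only
# encryption pass (first 4 KiB replaced with pseudo-random bytes) plus a renamed extension.
_rng = random.Random(7)
CLEAN = b"PK\x03\x04" + b"\x00" * 6000
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096)) + CLEAN[4096:]
SAMPLES = {"accounting.docx": CLEAN, "accounting.docx.encrypted": ENCRYPTED}

def triage_all(samples=SAMPLES) -> list:
    """Run triage over every sample; a real run would walk a restored file share."""
    return [triage_file(n, d) for n, d in samples.items()]
```

Swap the in-memory SAMPLES for an os.walk over a quarantined copy of the share to estimate how much of the estate was touched before a decryptor is run.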

Where are these guys at?

All over the world. Many have been traced to Eastern Europe and Russia, but there are also threat actors in Africa, Asia, and the Middle East.

Are my systems safe/secure so this doesn’t happen again? How can I prevent such things in the future from happening?

Any cyber security professional will tell you the only way to make something 100% safe is to disconnect it from the network, power it down, and then smash it with a hammer. Then you can ensure that bad guys will not be able to access it. Anything that is 100% safe is 0% usable.

With that being said, there are multiple avenues to reduce the risk to the organization. This is often referred to as a Defense in Depth strategy, with the idea that there are multiple layers that a bad guy would have to break through to get to the company’s crown jewels. This method should be coupled with zero-trust networking, which means that no device grants implicit trust with another device. For more information on zero trust, check out this NIST Publication.

A strong cyber security policy and risk analysis of your organization will reduce the impact a cyber security incident can have on the organization. This requires buy-in and support from senior leadership and executives. It also means that each team within the organization should have an understanding of, and input into, the plans.