Ransomware: Data or Principle
Cybercrime is on the increase as the world has quickly evolved into an interconnected web of different devices. The rising danger of cybercrime is met by cyber security experts who detect vulnerabilities across different areas of the field. That being said, cybercriminals also find their own ways to infiltrate systems and new ways to commit crimes. There are many types of cybercrime, but most of them have one thing in common: money. From phishing and fraud to identity theft, the aim is almost always to gain illegal cash. One of the latest cybercrimes to take the world by surprise is the infamous ransomware attack. Basically, a ransomware attack consists of taking your data hostage by encrypting it and demanding a ransom to decrypt it. These attacks started with individuals, asking for small ransoms, and moved on to major corporations and higher-value targets with higher risks. Ransomware attacks will be discussed in more detail, including their types, history, victims and technical aspects.
Ransomware is malware that takes your computer or your data hostage until you pay a ransom. It does that either by locking your computer with a password or by encrypting your data so that it cannot be read unless you enter a decryption key. There are two main types of ransomware. The most used type is called crypto ransomware, which encrypts your files and data. The other type is locker ransomware, which prevents you from accessing your data by locking your device. In that situation the data is untouched; you just don’t have access to it, which makes it easier to overcome. Even if the ransomware is removed your data is still there, which makes it the less effective type of ransomware. With the crypto type, on the other hand, you have access to your device but all your data is encrypted and cannot be read. In this case, even if the malware is removed you still can’t read your data without the decryption code. The decryption code is usually the key to decrypt your files, and that is what the cybercriminals give you when you pay the ransom. That is why crypto ransomware is more common and effective than locker ransomware.
The history of ransomware goes back a while; however, it was not very effective until very recently. Here is a quick flashback to how it all started. In 1989 the first ransomware virus was created by a Harvard biologist. It was distributed on a floppy disk during the World Health Organization AIDS conference, and that is where it got its name, “AIDS Trojan”. It was a simple crypto ransomware that encrypted file names, and tools became available to decrypt it. Then in 2005 came the first modern ransomware, called GPCoder; its encryption technique was weak, so it was very easy to decrypt. It was spread by a spam email attachment that claimed to be a job application. In 2007 the first locker ransomware appeared, in the shape of a pornographic picture on a locked computer with a demand to text or call a premium number to remove it. Ransomware gained momentum and criminals found it more rewarding, especially after the introduction of the cryptocurrency Bitcoin, which gives access to anonymous transactions. Ransomware took a revolutionary step in 2012 when different toolkits emerged that helped cybercriminals make their own ransomware viruses. Since then many ransomware families have come to light with different technologies and capabilities to encrypt more file types. In the first quarter of 2016, McAfee Labs measured 1.2 million ransomware attacks, and the FBI estimated that $209,000,000 was generated by ransomware (Richardson and North). In 2019 the estimated losses in the US due to ransomware were around 7.5 billion dollars.
One of the most recent victims of ransomware attacks is the GPS and fitness giant Garmin. On July 23rd 2020 the connected app, all wearable technology, the website, the aviation database and even the call centers were shut down due to the ransomware attack. According to BBC News, Garmin said it was “the victim of a cyber-attack that encrypted some of our systems” (Tidy). However, the company said that no customer data, including payment information from Garmin Pay, was lost or stolen. The malware involved was identified as WastedLocker, a program that scrambles the target’s data, which was first detected in the wild around April (Tidy). Some reports speculate that the company was asked to pay 10 million dollars to get its systems back online. Services are back to normal as we speak; however, it took around a month for all the backlog data to be processed and all services to be online again. There are rumors that Garmin paid the multi-million ransom and got a decryption key to resume its services. The hack was linked to a group called Evil Corp in Russia, which the US government has indicted for similar crimes in 2019.
Technical analysis of the WastedLocker ransomware that was used to attack Garmin is vital to minimizing the risks associated with ransomware in general. How the Trojan was deployed into the system is still unknown, as Garmin has been very discreet about the details of the attack. However, once a sample is obtained, its inner workings can be analysed by security experts. “It’s worth noticing that WastedLocker has a command line interface that allows it to process several arguments that control the way it operates.” (Sinitsyn) These controls help the attacker set processing priority, making the Trojan encrypt a chosen directory first and add it to an exclusion list; the rest of the files on the device are then encrypted, which stops it from encrypting the same files twice. Other options encrypt a specific directory only, or encrypt network files using a certain authentication. The most important part is the -r argument, which starts the sequence that creates a service within the system that hijacks it and takes control (Sinitsyn). The -s argument starts the created service, which leads to the encryption of any files the malware can find. Another powerful feature WastedLocker has is a UAC (User Account Control) bypass: the Trojan checks the integrity level it started with, and if its privileges are low it tries to obtain higher privileges without displaying the UAC prompt. Basically, it creates duplicates of system files in order to take over a DLL (dynamic link library), using an NTFS (New Technology File System) alternate data stream. It does so by creating a new directory in %appdata%, with a name chosen randomly from substrings in the list of the registry key SYSTEM\CurrentControlSet\Control\ (Sinitsyn). Then a random EXE or DLL file from the system is copied to the new directory, and the Trojan writes its own body into that file’s alternate NTFS stream “:bin”. Then it creates a temporary directory with a mount point at “C:\Windows ” (with a space at the end) by using an API function.
Then a subdirectory named system32 is created to resemble the system files, and copies of the legitimate winsat.exe and winmm.dll are placed in that subdirectory. Then winmm.dll is patched to replace its entry point code with a “short fragment of malicious code whose only purpose is to launch the content of the alternate NTFS stream created earlier” (Sinitsyn). Launching the Windows assessment tool winsat.exe then triggers the loading of the patched file as a result of DLL hijacking. “The above sequence of actions results in WastedLocker being relaunched from the alternate NTFS stream with elevated administrative privileges without displaying the UAC prompt.” (Sinitsyn) This explains the Trojan’s command line interface, its system infiltration, and how it takes control of the host DLL to gain the privileges needed to encrypt files.
Now that the Trojan has high system privileges and access to all files, the encryption part will be discussed in detail. WastedLocker uses a combination of the RSA and AES algorithms for encryption, as this has become the classic combination for most crypto-ransomware families. “For each processed file, WastedLocker generates a unique 256 bit key and a 128 bit IV which will be used to encrypt the file content using the AES-256 algorithm in CBC (Block cipher mode of operation) mode.” (Sinitsyn) Each encrypted file then gets a new additional extension, “.garminwasted”. The Trojan checks the integrity of the decryption by using an MD5 hash of the original content taken before encryption. This ensures that the data is back in its original form and that the procedure was correct. All the keys and the MD5 hashes of the original files are encrypted with an RSA public key embedded within the body of the Trojan. This could be a weakness for WastedLocker if it were mass-distributed, as all samples would have the same RSA public key; that means one RSA private key could decrypt all victims’ encrypted files. However, this ransomware is used for specific targets and designed accordingly. Now that the data is encrypted, it raises the dilemma of “Data or Principle”: to pay or not to pay, that is the question.
This incident makes a great case study for analysis, learning and future recommendations. The first and most important lesson is that no corporation is safe from ransomware; countermeasures have to be taken to ensure it doesn’t happen to you. It is obvious, especially with WastedLocker, that attacks are targeted, timed and highly organized by known crime syndicates. It is also worth noticing that ransomware is most powerful when it impacts customer operations. I work in a hospital, which is the most favored and most targeted kind of organization for ransomware attackers due to the high importance of patient data. Having no network safeguards can add fuel to the fire of an attack, as when you have products and services that are all connected without failsafe points (Mello Jr.). Lastly, human error is the biggest perpetrator in ransomware cases; even though it was not stated by Garmin, it is well known that the Trojan masqueraded as an update on a website until it was downloaded by a user (Mello Jr.). Because of the lack of cyber security training and awareness, this kind of attack successfully used human ignorance and error to manifest itself within the network. All these lessons are vital to business, as there is no reason to believe the ransomware pandemic is going to decline in the future.
Ransomware is a devastating economic cybercrime that damages not only corporations but nations. I was even personally affected by this ransomware, as I own various Garmin products which couldn’t function fully because the app wasn’t working properly. I was also waiting for a diving watch that was supposed to be available right when the attack happened. The cybercriminals have only one motive in this crime, which is money; they don’t care if they encrypt a hospital database and cost people their lives. They are picking their targets more carefully to ensure huge payments. It is better to be safe than sorry, so cyber security awareness is very important in every corporation and establishment. This incident and many others should be a guideline for corporations to learn from and implement changes that would stop the threat of ransomware. You should always ask whether your data is worth more than your principles when deciding whether to pay a ransom.
Mello Jr., John P. “8 Lessons from the Garmin Ransomware Attack.” TechBeacon, 11 Sept. 2020, techbeacon.com/security/8-lessons-garmin-ransomware-attack.
Sinitsyn, Fedor. “WastedLocker: Technical Analysis.” Securelist, Kaspersky Lab, 31 July 2020, securelist.com/wastedlocker-technical-analysis/97944/.
Richardson, Ronny, and Max M. North. “Ransomware: Evolution, Mitigation and Prevention.” DigitalCommons, Kennesaw State University, 1 Jan. 2017, digitalcommons.kennesaw.edu/facpubs/4276/.
Tidy, Joe. “Garmin Begins Recovery from Ransomware Attack.” BBC News, BBC, 27 July 2020, www.bbc.com/news/technology-53553576.