
Threat Report - Ransomware

posted Oct 2, 2015, 12:26 PM by Christopher Furton   [ updated Dec 13, 2015, 10:33 AM ]

Threat: Ransomware and Digital Extortion

Symantec reports that ransomware attacks overall grew 113 percent in 2014, driven by a more than 4,000 percent increase in crypto-ransomware attacks (Symantec Corporation, 2015, p. 7). Traditional ransomware tricks the victim into paying a “fine” for having accessed illegal or stolen content; the threat actor typically poses as a government official (e.g., an FBI agent) behind official-looking banners and web pages (see Figure 1). The victim’s files are not actually damaged, so the lock can usually be removed and the victim can escape this trap without paying any fee. In contrast, crypto-ransomware holds the victim’s files and other digital media hostage by encrypting their contents and then offers to sell the victim the decryption key. Ransoms typically range from $300 to $500, with no guarantee that paying yields a working decryption (Symantec Corporation, 2015, p. 7).

Windows environments are the most commonly affected by crypto-ransomware; however, Symantec reports an increase in variants developed for other operating systems and for mobile devices. Some crypto-ransomware is also built to attack network attached storage (NAS) devices, notably Synology units including its RackStation line (McAfee Labs, 2015, p. 16).

A relatively new crypto-ransomware variant, CTB-Locker, is distributed as nested .zip archives that ultimately contain a screen saver executable (.scr). A .scr file is an ordinary Windows PE executable under a different extension, so the screen-saver label serves only to get past users and naive attachment filters. Distribution channels include peer-to-peer networks, Internet Relay Chat, newsgroup postings, and email spam. Other current variants include CryptoWall, TorrentLocker, BandarChor, and TeslaCrypt (McAfee Labs, 2015, p. 14).
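The nested-zip lure above is straightforward to screen for at the mail gateway. The following is an added example, not code from the original post or from any vendor report it cites: it builds a constructed sample attachment in memory (an outer .zip holding an inner .zip that carries a PE binary named like a PDF), then walks the archive recursively, flagging members both by dangerous extension and by the `MZ` magic bytes that every Windows executable starts with. The member names, the nesting limit, and the extension list are assumptions for the example.

```python
"""Scan an e-mail attachment for the nested-zip / screen-saver lure.

Added example, not code from the original post. Builds a constructed
sample attachment in memory and walks it recursively, reporting members
that are executables by extension or by PE magic bytes.
"""
import io
import posixpath
import zipfile

# Extensions Windows will execute directly; .scr is just a renamed PE binary.
EXEC_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
MAX_NESTING = 3          # refuse to descend further than this (zip-bomb guard)
PE_MAGIC = b"MZ"         # first two bytes of every Windows PE executable


def scan_attachment(zip_bytes, depth=0, prefix=""):
    """Return [(member_path, reason)] for every suspicious member.

    Nested archives are opened in memory; their members are reported as
    outer.zip!/inner-member so an analyst can locate them.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "corrupt-or-not-a-zip")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = posixpath.splitext(info.filename.lower())[1]
            if ext in EXEC_EXTENSIONS:
                # Also catches double extensions such as Invoice.pdf.scr.
                findings.append((path, "executable:" + ext))
            elif ext == ".zip":
                if depth + 1 >= MAX_NESTING:
                    findings.append((path, "nesting-too-deep"))
                else:
                    findings.extend(scan_attachment(archive.read(info),
                                                    depth + 1, path + "!/"))
            else:
                # Read only the magic bytes, never the whole member.
                with archive.open(info) as member:
                    if member.read(2) == PE_MAGIC:
                        findings.append((path, "pe-header-under-" + (ext or "no-ext")))
    return findings


def _zip_of(members):
    """Build an in-memory zip from {name: bytes}, preserving insertion order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed sample: nested zips mimicking the CTB-Locker lure (not real malware)."""
    fake_pe = PE_MAGIC + b"\x90" * 62   # only the header; not a runnable program
    inner = _zip_of({
        "Invoice_2015.pdf.scr": fake_pe,  # screen saver = executable
        "readme.txt": b"Please see attached invoice.\n",
        "photo.jpg": fake_pe,             # PE binary hiding behind .jpg
    })
    return _zip_of({"notes.txt": b"Hi,\n", "invoice.zip": inner})


if __name__ == "__main__":
    for member, reason in scan_attachment(build_sample_attachment()):
        print(f"{reason:24} {member}")
```

Reading only two bytes per member through `archive.open()` matters: a gateway that fully extracts every member to inspect it is itself exposed to decompression bombs, which is also why the nesting depth is capped rather than followed indefinitely.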

Figure 1 – Sample ransomware attempt

Risk Profile

Crypto-ransomware attacks were 45 times more frequent in 2014 than in the prior year (Symantec Corporation, 2015, p. 7). For organizations that run predominantly Windows, this threat belongs in a higher risk category. The business impact of a successful crypto-ransomware attack can be devastating, but the likelihood of success can be greatly reduced through the mitigations described below. Ransomware should be included in the organization's Enterprise Risk Management (ERM) program, together with a deep-dive review of existing security controls to confirm that the mitigations are actually in place.

Without the attacker's key, there is currently no practical way to recover data encrypted in a crypto-ransomware attack. In some cases where law enforcement has seized a command-and-control server, and with it the stored keys, decryption tools have subsequently been released.

Information Security Controls 

Control: User Awareness Training

In Brief: Crypto-ransomware is most often delivered by phishing users. According to McAfee Labs, at least one in every ten phishing attempts succeeds (McAfee Labs, 2015, p. 22).

NIST Special Publication 800-53 (Rev. 4) controls:

AT-1 – Security Awareness and Training Policy and Procedures
    This control outlines the higher governance for a Security Awareness Training program.
AT-2 – Security Awareness Training
    This control outlines training for new users and periodic re-training.

Council on Cyber Security – Critical Security Controls (V 5.1)

CSC 9-1 – Build training and awareness roadmap
    This control requires building a training and awareness roadmap based on a gap analysis of user behaviors.
CSC 9-2 – Deliver Training
    This control requires delivery of the training by internal staff or external instructors.
CSC 9-3 – Online Security Awareness Program
    This control outlines five steps to having a successful online awareness training program.

Control: Data Backup

In Brief: Crypto-ransomware loses its leverage if the organization can restore the data being held hostage with little impact to business productivity; the backups themselves must therefore be out of the malware's reach.

NIST Special Publication 800-53 (Rev. 4) controls:

CP-9 – Information System Backup
    This control outlines backups of user-level information, system-level information, and system documentation including security-related documentation.
CP-6 – Alternate Storage Site
    This control establishes a geographically distinct alternate storage site including necessary agreements to permit the storage and retrieval of backup information.
CP-10 – Information System Recovery and Reconstitution
    This control provides for recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Council on Cyber Security – Critical Security Controls (V 5.1)

CSC 8-1 – Data Recovery Capability - Backup
    This control requires backup of data at least weekly but more often for sensitive information.
CSC 8-2 – Data Recovery Capability - Restoration
    This control requires testing restoration capability of backed up data.
CSC 8-3 – Data Recovery Capability – Protection of Backup Media
    This control requires proper protections of backup data commensurate with the sensitivity contained on the media.
CSC 8-4 – Data Recovery Capability – non-addressability
    This control ensures that at least one backup destination is not continuously addressable through operating system calls. **Very important for crypto-ransomware mitigation: ransomware encrypts whatever the infected account can write to, including mapped drives, network shares, and attached USB disks, so a backup that is always mounted is simply another victim.
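CSC 8-4 is the one backup control that is easy to get wrong quietly, because a backup job that writes to an always-mounted NAS export looks healthy right up until the ransomware reaches the same mount. The following is an added example, not code from the original post: it parses a constructed `/proc/mounts` snapshot (the Linux kernel's mount table) and classifies each entry of a constructed list of backup destinations as reachable read-write, reachable read-only, or not addressable from this host. The host names, exports, and the `offsite-vault://` tape identifier are made up for the example.

```python
"""Audit backup destinations for continuous addressability (CSC 8-4).

Added example, not code from the original post. Parses a constructed
/proc/mounts snapshot and reports which configured backup destinations
ransomware on this host could reach right now.
"""

# Constructed sample of /proc/mounts; fields are
# source mountpoint fstype options dump pass, with spaces escaped as \040.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
nas01:/export/backups /mnt/backups nfs4 rw,relatime,vers=4.1,hard 0 0
//nas01/archive /mnt/archive cifs ro,relatime,vers=3.0 0 0
/dev/sdb1 /media/backup\\040disk vfat rw,nosuid,nodev 0 0
"""

# Constructed list of configured backup destinations.
SAMPLE_TARGETS = [
    "nas01:/export/backups",       # always-mounted NFS export
    "//nas01/archive",             # CIFS share mounted read-only
    "/dev/sdb1",                   # external USB disk, currently plugged in
    "offsite-vault://lto-weekly",  # rotated tape, never mounted by this host
]


def _unescape(field):
    """Undo the octal escapes the kernel uses in /proc/mounts (\\040 = space)."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text):
    """Parse /proc/mounts text into a list of {source, mountpoint, fstype, options}."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, mnt, fstype, opts = line.split()[:4]
        mounts.append({
            "source": _unescape(src),
            "mountpoint": _unescape(mnt),
            "fstype": fstype,
            "options": set(opts.split(",")),
        })
    return mounts


def classify_targets(mounts, targets):
    """Map each backup target to 'addressable-rw', 'addressable-ro' or 'not-addressable'."""
    by_source = {m["source"]: m for m in mounts}
    report = {}
    for target in targets:
        m = by_source.get(target)
        if m is None:
            report[target] = "not-addressable"
        elif "ro" in m["options"]:
            # Read-only from this client still exposes the data to theft, and a
            # remount or a server-side compromise makes it writable; do not rely on it.
            report[target] = "addressable-ro"
        else:
            report[target] = "addressable-rw"
    return report


def has_offline_copy(report):
    """CSC 8-4 check: at least one destination must not be addressable right now."""
    return any(status == "not-addressable" for status in report.values())


if __name__ == "__main__":
    report = classify_targets(parse_mounts(SAMPLE_PROC_MOUNTS), SAMPLE_TARGETS)
    for target, status in report.items():
        print(f"{status:17} {target}")
    print("CSC 8-4 satisfied:", has_offline_copy(report))
```

Run against a live host, replace `SAMPLE_PROC_MOUNTS` with the contents of `/proc/mounts` and `SAMPLE_TARGETS` with the backup job's configured destinations; the check should run on a schedule, since a destination that is "offline" in the design is only offline if nobody has left it mounted.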

Regulatory/Compliance and Best Practices

This information was compiled from the Unified Compliance Framework website at http://www.unifiedcompliance.com

User Awareness Training

Nearly all regulatory models require some level of user awareness training; representative requirements include the following:
  • Local information security coordinators shall have a channel of communication with the information security function (e.g., via regular reporting of duties and results of activities). (CF.12.02.03f, The Standard of Good Practice for Information Security) 
  • Local information security coordinators should meet regularly with business owners (i.e., people in charge of particular business applications or processes) to review the status of Information Security in business applications and systems. (CF.12.02.07-1, The Standard of Good Practice for Information Security) 
  • Security-positive behavior should be encouraged by incorporating Information Security into regular day-to-day activities (e.g., by considering security requirements in planning decisions and budgeting activities, and including the consideration of information risk in business decisions, meetings, an… (CF.02.02.04d, The Standard of Good Practice for Information Security) 
  • Local information security coordinators shall have a channel of communication with the information security function (e.g., via regular reporting of duties and results of activities). (CF.12.02.03f, The Standard of Good Practice for Information Security, 2013) 
  • Local information security coordinators should meet regularly with business owners (i.e., people in charge of particular business applications or processes) to review the status of Information Security in business applications and systems. (CF.12.02.07-1, The Standard of Good Practice for Information Security, 2013) 
  • Security-positive behavior should be encouraged by incorporating Information Security into regular day-to-day activities (e.g., by considering security requirements in planning decisions and budgeting activities, and including the consideration of information risk in business decisions, meetings, an… (CF.02.02.05d, The Standard of Good Practice for Information Security, 2013) 
  • Top management shall demonstrate leadership and commitment by supporting other management roles. (§ 5.1 ¶ 1(h), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013) 
  • Verify that personnel assigned to the engagement are familiar with the applicable professional organizations, such as AICPA and the Financial Accounting Standards Board. (Ques. AT410, Reporting on Controls at a Service Organization Checklist, PRP §21,100) 
  • Decision-makers (including executive management; business unit heads; department heads; and owners of business applications, computer systems, networks, and systems under development) should be aware of the need to carry out information risk assessments for target environments within the organizatio… (SR.01.01.03, The Standard of Good Practice for Information Security) 
  • The security awareness program should be based on the results of one or more documented information risk assessments. (CF.02.02.01g, The Standard of Good Practice for Information Security) 
  • Decision-makers (including executive management; business unit heads; department heads; and owners of business applications, computer systems, networks, and systems under development) should be aware of the need to carry out information risk assessments for target environments within the organizatio… (SR.01.01.03, The Standard of Good Practice for Information Security, 2013) 
  • The security awareness program should be based on the results of one or more documented information risk assessments. (CF.02.02.01g, The Standard of Good Practice for Information Security, 2013) 
  • Managers are responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility. (IS-14, The Cloud Security Alliance Controls Matrix, Version 1.3) 
  • The organization should align the person's roles and responsibilities to the exact degree and content of the information security awareness and training. (Control: 0253, Australian Government Information Security Manual: Controls) 
  • Personnel in responsible positions should receive training for managing and using systems in their field of responsibility. (¶ 1, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009) 
  • Personnel shall be trained, as appropriate for their duties, in avoiding, detecting, mitigating, and disposing of suspect fraudulent and counterfeit parts. (§ 4.2.10.a, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors) 
  • Personnel directly handling electronic parts shall be trained in ways to detect suspect fraudulent or counterfeit parts. (§ 4.2.10.b, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors) 
  • Personnel who are responsible for detecting fraudulent or counterfeit parts with specialized technology and methods shall be trained to ensure their competence in its use. (§ 4.2.10.c, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors) 
  • Personnel who are responsible for detecting fraudulent or counterfeit parts with radiographic inspection shall be trained and certified to NAS-410 National Aerospace Standard or its equivalent. (§ 4.2.10.c, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors) 
  • Personnel are furnished specific training based on their roles and responsibilities. (Generally Accepted Privacy Principles and Criteria § 1.2.10, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria) 
  • The organization should provide specific training to personnel based on their roles and responsibilities. (Table Ref 1.2.10, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009) 
  • Is security training commensurate with levels of responsibilities and access? (§ E.4.4, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0) 
  • Do constituents responsible for Information Security undergo additional training? (§ E.4.5, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0) 
  • The training for System Administrators must include Public Key Infrastructure awareness. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3) 
  • The training for System Administrators must include how to configure the system for certificate-based logon. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3) 
  • The training for System Administrators must include how to configure the system for digital signatures. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3) 
  • The training for System Administrators must include how to configure the system to encrypt e-mail. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3) 
  • The training for System Administrators must include how to configure the system for web server certificates. (§ 3.4.2.2 ¶ AC34.100, DISA Access Control STIG, Version 2, Release 3) 
  • The information assurance officer must designate personnel who can override false rejections and ensure they have the proper training for implementing the fallback procedures and verifying a user's identity. (§ 4.5.2 ¶ BIO6040, DISA Access Control STIG, Version 2, Release 3) 
  • The Information Assurance training must include familiarizing users with their assigned responsibilities. (PRTN-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation) 
  • Have key employees received training on network controls, application controls, and security controls? (IT - WLANS Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A) 
  • Individuals who have been granted access to personally identifiable information should receive appropriate training and, where applicable, specific role-based training. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)) 
  • The organization should conduct training on how to interact with the media about security incidents. (§ 5.1 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)) 
  • The organization should determine what the content of the security training will be based on the roles and responsibilities and the organizational requirements. (SG.AT-3 Supplemental Guidance, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010) 
  • The security engineering principles must include the ongoing secure development training requirements for smart grid system developers. (SG.SA-8 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010) 
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities. (AT-3, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4; included in the Low, Moderate, and High Impact Baselines) 
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. (AT-3a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4; included in the Low, Moderate, and High Impact Baselines) 
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4; included in the Low, Moderate, and High Impact Baselines) 
  • The organization provides role-based security training to personnel with assigned security roles and responsibilities {organizationally documented frequency} thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4; included in the Low, Moderate, and High Impact Baselines) 

Data Backup

Nearly all regulatory models require some level of data backup procedure; representative requirements include the following:
  • O29.2: To ensure the quality of programs and determine the time intervals for saving backup copies, the organization shall establish a generation management method by considering how much time it takes to recover damaged programs and the impact during that downtime. O34.2: The organization shall rou… (O29.2, O34.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition) 
  • Technical and organizational instructions will be issued to ensure data back-ups are conducted at least weekly. (Annex B.18, Italy Personal Data Protection Code) 
  • The frequency for storing the backup data at a safe storage location should be based on an analysis of the risk to the data. (¶ 19.6 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments) 
  • Business continuity plans should identify data back up frequency. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing) 
  • There should be documented standards / procedures for performing back-ups, which cover back-up cycles. (CF.07.05.02b, The Standard of Good Practice for Information Security) 
  • There should be documented standards / procedures for performing back-ups, which cover methods for performing back-ups (including validation, labelling and storage). (CF.07.05.02c, The Standard of Good Practice for Information Security) 
  • There should be documented standards / procedures for performing back-ups, which cover back-up cycles. (CF.07.05.02b, The Standard of Good Practice for Information Security, 2013) 
  • There should be documented standards / procedures for performing back-ups, which cover methods for performing back-ups (including validation, labelling and storage). (CF.07.05.02c, The Standard of Good Practice for Information Security, 2013) 
  • Backup arrangements should take into account legal, regulatory, and contractual requirements (e.g., the handling of personally identifiable information, document retention, and customer information). (CF.07.05.04, The Standard of Good Practice for Information Security, 2013) 
  • Backups should be created as soon as there are indicators that a security-related incident has occurred. New (unused) media should be used to back up the system to prevent juries from being convinced that the "evidence is faulty" because it could have been present prior to the incident. Backing up the i… (Action 3.4.1, SANS Computer Security Incident Handling, Version 2.3.1) 
  • Business Continuity Planning. An organization should implement safeguards to protect business, especially critical business processes, from the effects of major failures or disasters and to minimize the damage caused by such events, an effective business continuity, including contingency planning/di… (¶ 8.1.6(4), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000) 
  • The backup system should include a regular backup schedule, providing routine and urgent access to the backup tapes, multiple copies on different media, and dispersed storage locations. (§ 4.3.7.3 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines) 
  • The type and frequency of backups should be determined based on the business needs, the security requirements of the information, and the criticality of the information to the organization. (§ 10.5.1, ISO 27002 Code of practice for information security management, 2005) 
  • CSR 5.4.1: The contingency plan must specify what critical data is and how often it is backed up. CSR 5.4.5: The organization must create backup files on a prescribed basis and store enough off-site to avoid a disruption if the current files are damaged or lost. CSR 5.4.6: The organization must per… (CSR 5.4.1, CSR 5.4.5, CSR 5.4.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006) 
  • Government data backups must be performed by remote users on a regular basis. (§ 3.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2) 
  • The organization must conduct backups at least weekly. (CODB-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation) 
  • The organization must conduct backups daily. (CODB-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation) 
  • A redundant secondary system must be used to maintain the data backup. (CODB-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation) 
  • The frequency of the backups must be determined by the Information System Security Manager (ISSM). (§ 8-603.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006) 
  • The continuity plan should include the back-up schedule and method for all vital records. The frequency of backups should be adjusted based on the volume of data processed and the amount of data that may need to be recreated. (Pg 30, Pg G-7, Pg G-12, Pg G-15, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008) 
  • The organization should develop written standards documenting the methodology used to back up the system. (Pg 30, Exam Tier I Obj 6.1, Exam Tier I Obj 6.4, FFIEC IT Examination Handbook - Operations, July 2004) 
  • The service provider shall determine how to verify the Information System backup and how often to verify it. (Column F: CP-9, FedRAMP Baseline Security Controls) 
  • The joint authorization board must approve and accept the verification procedures and the time period for the Information System backups. (Column F: CP-9, FedRAMP Baseline Security Controls) 
  • Does management schedule the backup and retention of data? (IT - Business Continuity Q 15, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A) 
  • System data should be backed up on a regular basis, and a policy should be developed specifying the back-up frequency based on data criticality and the frequency new data is introduced into the system. The method used for backing up the data should be based on the system and data integrity and avail… (§ 3.4.2, § 5.1.2 ¶ 3 thru 5, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft)) 
  • Information Security should ensure that electronic mail data is periodically backed up and stored offsite. Information systems data or functions should be classified as critical data if the unavailability of the information would completely interrupt the business from functioning (i.e., the process … (ATCS-265, ATCS-826, Archer Control Table) 

References

  • McAfee Labs. (2015). McAfee Labs Threats Report. Santa Clara, CA: Intel Security. Retrieved from http://www.intelsecurity.com 
  • Symantec Corporation. (2015). Internet Security Threat Report. Mountain View, CA: Symantec Corporation. Retrieved from http://www.symantec.com/threatreport 
  • Unified Compliance Framework. (n.d.). Retrieved from http://unifiedcompliance.com 

About the Author

Christopher Furton author bio picture
Christopher Furton

is an Information Technology Professional with over 12 years in the industry. He attended The University of Michigan, earning a B.S. in Computer Science, and recently completed an M.S. in Information Management at Syracuse University. His career includes managing small to medium-size IT infrastructures, service desks, and IT operations. Over the years, Christopher has specialized in Cyber Security while working within the Department of Defense and the United States Marine Corps. His research topics include vulnerability management, cyber security governance, privacy, and cyber risk management. He holds active IT certifications including the CISSP, CEH, ITIL Foundations, Security+ CE and Network+ CE.
