Mitigating ransomware attacks that use compromised websites

Register now

Ransomware has been getting a lot of press lately, and understandably so. In recent months, there has been a tidal wave of ransomware attacks targeting numerous well-known organizations, from the NHS to British advertising agency WPP, and the threat is expected to continue to wreak havoc across the world in the future.

The aim of a ransomware attacker is to infect users’ systems and deny them access to their most valuable assets. Typically, this is accomplished by encrypting the most important documents on the target machine and making them unreadable and inaccessible. Following the encryption of a victim’s files, ransomware will then demand that they transfer a payment (typically in the form of cryptocurrency such as Bitcoin) to the attacker in exchange for the decryption key.

Ransomware has been around for many years. However, recently attackers have made significant advancements that have made it even harder to protect against.

Initially ransomware attackers used the same key for encryption and decryption. Reverse engineers were able to develop decryption tools for each variant, so encrypted files were easily restored in a relatively short period of time. Ransomware authors quickly learned from their mistakes.

Most ransomware variants now use asymmetric key cryptography, where data is encrypted with one key but decryption requires a different key that is not so readily available to the victim. Alternatively, the data is encrypted using a symmetric key, but then that key is encrypted using an asymmetric key. Either way, it’s now much more difficult to restore files without paying for the decryption key.

There is no easy way for victims to get their data back and there are no standard one-size-fits-all decryption keys. Additionally, in cases where criminals are still using symmetric keys and security analysts are able to figure out the decryption key and release it, the attacker can quickly release an updated version that uses a different decryption key.

Despite the increased sophistication of ransomware scams, and the ease with which threat actors can create and launch a ransomware attack, there are a number of ways for security teams to protect their organizations against the threat.

Commonly Used Attack Vectors

Choosing the ransomware delivery mechanism is mostly a question of money. Spreading spam is cheaper than writing new malware exploits or leasing encryption keys, but there is greater uncertainty as to the effectiveness and ultimate success of the attack. Ransomware is proven successful, with available tools to launch an attack. Today the infection vectors most commonly used by ransomware actors are email attachments, links in emails, malvertising and compromised websites.

Emails attachments and links – The attacker sends an email to victims trying to trick them into opening a document attached to the email or click on a link embedded in the content of the email.

Malvertising – Threat actors use web advertisements–banner ads delivered via legitimate ad services–to spread malicious code and ransomware. The ad services try to block any malicious ads, but the criminals are very good at evading detection.

Compromised websites – Cybercriminals are able to compromise legitimate websites by embedding malicious code. When a user visits a compromised website, it redirects them to a landing page that installs the ransomware payload. Alternatively, criminals are now developing spoof websites that look almost identical to the legitimate one and are reached via a URL that is nearly indistinguishable from the original. When a victim mistakenly visits these sites, they too will install the ransomware.

Mitigating Ransomware Attacks That Use Compromised Websites

This ability to spoof websites incredibly well is a major problem. It is an increasingly easy mistake for a victim to make, which has greatly eased the distribution of the ransomware.

While mitigating email-based and malvertising attacks also warrant careful attention and techniques, I’m focusing this article on website-based attacks due to this ease of distribution.

When an attack is using a website that security products have already identified as having been compromised or hosting malicious behaviour, it can be blocked by looking at the domain or IP used in the link embedded in the email or the URL visited by a user. In practice, however, simple blacklisting approaches are not always effective, suffering from the relatively short lifespan of these drive-by landing pages.

To cope with this problem of blacklisting short-lived content, security solutions must find the attack “on the wire.” This means that the system either proactively probes for the content of a website or it waits until a real user is tricked into following the link to the exploit site and finds the attack in the live traffic.

A particularly effective way is finding suspicious modifications of web page content, such as the use of inline frames with hidden attributes or obfuscated JavaScript. When such an anomaly is found in a page in transit, a security product can block a user from accessing any additional content from this site. This prevents exploit kit code from reaching and exploiting a user’s browser.

However, not all attacks make use of exploit kits: often, victims are simply tricked into downloading and running the ransomware payload. Thus, security technologies need to intercept these downloads and evaluate if the file is safe to be opened by a user – typically by running the program inside a sandbox.

Ransomware is one of the most dangerous attack vectors around today and it is generating a healthy return for cybercriminals across the world. We can expect to see it continue to grow in numbers and in sophistication. However, despite this, there are a number of techniques organizations can depend on to detect ransomware attacks and protect their users from infection. It is also critical that the security industry takes aggressive steps to understand advancements in ransomware as only then can the threat be properly held at bay.

For reprint and licensing requests for this article, click here.