Responding to malware

An infected workstation can be reinstalled and restored from backups. Firewalls and intrusion detection systems can be updated with new rules to prevent a similar attack from recurring. If the attack is widespread and the affected devices are out of reach (for example, individual users’ personal devices), broader measures are required. In such cases, blocking or disrupting the malware’s communications may be necessary, and the internet service provider then plays an important role.

Ransomware

Financial gain or causing financial harm to others has been the motivation for many developers of widely spread malware. Keyloggers and remote-access Trojans are used to steal passwords, online banking credentials or trade secrets, while DDoS attacks are used, for example, to prevent companies from conducting business. Anonymous cryptocurrencies have, however, enabled a new way of gaining financial benefit from malware: extortion.

Ransomware incidents receive extensive media coverage when critical infrastructure is attacked. For example, the UK public healthcare system, the NHS, fell victim to the WannaCry ransomware. In such cases, ransoms of hundreds of thousands of euros are often demanded, but variants aimed at extorting private individuals also exist. These typically demand a ransom of a few hundred euros.

Ransomware may reach a device, for example, as an email attachment via a phishing attack. Unlike, for instance, keyloggers or botnets, which aim to remain hidden from the user, the symptoms of ransomware are quite obvious. Once launched, the malware quickly encrypts all of the user’s personal files (images, videos, documents, installed programs, etc.), rendering them unusable. Apart from the operating system, the only functioning program is the malware itself, in particular its decryption component. Decryption is, of course, possible, and sometimes the malware even offers to decrypt a few files for free to convince the victim that the files can be restored. Whether the extortionist will actually restore the files after receiving the ransom is uncertain. A Computerphile video illustrates how encryption is implemented. The symmetric and asymmetric keys discussed in the video are covered in a later module.

[Figure: the background image set by the WannaCry ransomware.]

In the CIA model, a ransomware attack therefore targets availability in particular. As noted later in the material, paying the ransom is not advisable. If you do become a victim, the only 100% effective way to recover from the attack is to restore the system from backups. This, of course, requires that backups have been taken at some point and that they are not accessible to the malware, for example because they sit on a network drive the infected machine can write to. If no backups exist, the remaining option is essentially to format the storage media and reinstall the operating system, which means losing all data. Companies and organisations can nowadays take out insurance against ransomware incidents.

Because recovery from ransomware is difficult, prevention plays a major role. In practice, this means keeping the device’s operating system and the software in use (especially the web browser) up to date in order to minimise vulnerabilities. The example in the previous section also gives some tips on antivirus software and browser extensions.

The course includes an availability-related theme, where you can reflect more deeply on your own preparedness for, among other things, ransomware. (Currently only in Finnish, but check for updates.)

Disrupting malware operations

If malware uses domain names or addresses, it is natural to intervene and block the operation of malicious servers. However, there are service providers that refuse to intervene in the operation of internet servers (so-called bulletproof hosting). This is possible if the server is located in a country where legislation does not require action or where local authorities can be bribed. In such cases, efforts must be made to reroute malicious traffic or otherwise influence the malware’s operation.

Botnets may also operate in a peer-to-peer manner, in which case tracing the control servers is laborious and requires cooperation between multiple parties.

Attribution, i.e. identifying the criminal behind malware

From a legal perspective, it is important to identify the creator of malware. Unfortunately, this is often not possible or would require excessive resources. Virtual tracing is nevertheless an important first step. Criminals use rapidly changing IP addresses that are associated with the same server name but different physical servers. This is known as the DNS fast-flux evasion technique, which is typically used to obscure botnet command-and-control servers. Fast-flux can be identified by analysing botnet malware and network traffic.
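As an added illustration of the last sentence (this is not code from the course material), the script below runs a simple fast-flux heuristic over a constructed DNS resolution log: a name whose answers carry very short TTLs and rotate through many addresses spread across several networks is flagged for analyst review. The log, the thresholds and the use of /16 prefixes as a stand-in for ASN lookups are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS resolution log: (seconds since start, domain, answer IP, TTL).
# Addresses come from documentation ranges; the domain names are made up.
RECORDS = [
    (0,    "updates.legit.test", "198.51.100.10",  3600),
    (900,  "updates.legit.test", "198.51.100.10",  3600),
    (1800, "updates.legit.test", "198.51.100.11",  3600),
    (0,    "panel.flux.test",    "203.0.113.5",    60),
    (60,   "panel.flux.test",    "192.0.2.77",     60),
    (120,  "panel.flux.test",    "198.51.100.200", 30),
    (180,  "panel.flux.test",    "203.0.113.91",   60),
    (240,  "panel.flux.test",    "192.0.2.14",     30),
    (300,  "panel.flux.test",    "203.0.113.150",  60),
]

# Thresholds are assumptions; tune them against your own DNS baseline.
MAX_TTL = 300   # fast-flux answers typically carry very short TTLs
MIN_IPS = 5     # many distinct addresses behind one name
MIN_NETS = 3    # spread over several networks (/16 is a crude proxy for ASN)

def summarise(records):
    """Aggregate per-domain statistics from the resolution records."""
    by_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _, domain, ip, ttl in records:
        d = by_domain[domain]
        d["ips"].add(ip)
        # strict=False lets ip_network mask the host bits off to the /16 prefix
        d["nets"].add(str(ip_network(f"{ip}/16", strict=False)))
        d["ttls"].append(ttl)
    return {
        dom: {"ips": len(d["ips"]), "nets": len(d["nets"]),
              "avg_ttl": sum(d["ttls"]) / len(d["ttls"])}
        for dom, d in by_domain.items()
    }

def flag_fast_flux(records):
    """Return the domains whose resolution pattern matches the heuristic."""
    stats = summarise(records)
    return sorted(dom for dom, s in stats.items()
                  if s["avg_ttl"] <= MAX_TTL
                  and s["ips"] >= MIN_IPS and s["nets"] >= MIN_NETS)

if __name__ == "__main__":
    for dom, s in summarise(RECORDS).items():
        print(f"{dom}: {s['ips']} IPs, {s['nets']} /16s, avg TTL {s['avg_ttl']:.0f}s")
    print("fast-flux candidates:", flag_fast_flux(RECORDS))
```

Content delivery networks also answer with short TTLs and many addresses, so a hit is a lead for further analysis of the malware and its traffic, not proof on its own.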

Many malware authors reuse the same tools. They may also plant misleading traces in their malware, but even those traces tend to follow a recurring pattern. For example, server registration information can be a strong lead in tracing the perpetrator: criminals often reuse the same pattern in registration details, even though the details themselves are usually falsified.

Attribution is also discussed here.
