Ransomware has become an ever growing topic of conversation and concern in the security community during the last several years. According to the ZDNet article earlier this year — Ransomware is now the biggest cybersecurity threat — Danny Palmer asserts that ransomware has replaced the Advanced Persistent Threat (APT) as the most problematic cyber threat. He’s not wrong. Ransomware has become a real problem. The FBI states that ransomware attacks have already cost victims $209 million — in just the first three months of this year. It is not unreasonable to assume the total amount paid could reach $1 billion by the end of 2016. Not a bad business if you are a criminal and enjoy ripping people off.
For those not familiar with ransomware, it’s important to understand what ransomware is, how it works, and how to defend yourself against it. Knowing this will help you understand a well-known variant of ransomware called Shade and how the recent updates made to it change the nature of the ransomware game for the worse.
Ransomware is a form of malware that gets installed to a computer and prevents the user from accessing the computer itself or the files on the computer until some kind of payment to the malefactors is made. There are hundreds of different ransomware variants, including some of the well-known variants that have made it into the news, such as Cryptowall, Cryptolocker, Reveton, JIGSAW, TelsaCrypt, Cerber, SDLocker, Torrentlocker, Shade, and even more recently ShinoLocker. The specific techniques used by these ransomware variants differ, but they all act with a single end goal in mind: to take your money! Some of the older, immature ransomware variants will simply pop up a message and scare the user into thinking that the system is truly compromised. Other more sophisticated ransomware variants will actually utilize public key encryption tools to encrypt the files on the system and prevent the user from accessing them, the operating system, and sometimes the entire hard drive.
Ransomware is most often distributed to a victim’s computer using two commonly utilized methods:
(1) Phishing messages. This is the most common method of compromise. Malefactors send emails and other spam to get an unsuspecting end-user to download and open an attachment. This is not terribly sophisticated, but it works well. Users need to be educated about phishing emails, even from what may look like a trusted source - friends and family - that may have been compromised already. Continual diligence and suspicion is not a bad way to look at every email, especially those with attachments that could contain a malicious payload. Of course, users are users. They make mistakes. In this case, a mistake can lead to a ransomware infection.
(2) Exploit kits. This delivery mechanism is far more dangerous and can impact even the most diligent of users. This type of delivery happens when a user unwittingly visits a web site that has been compromised. Sometimes referred to as a “drive by” attack, the web site has malicious code (the exploit kit) that runs on the victim’s computer and downloads the ransomware directly to the user’s machine. The user does not know this has happened, even as they continue to browse other web sites.
Once the ransomware gets installed it is very difficult to remove it , and it can easily spread throughout an entire organization if not put in check. Once installed and active, the malware communicates with its command and control (C&C) server to get instructions. In many cases, this communication is detectable with the right tools. The ransomware also informs the user that the system is compromised and then typically requires the user pay the malefactor to unlock or otherwise make the system usable again. Payment is made using Bitcoin or other hard-to-trace currency exchanges. If the user does not pay, the system becomes unusable and/or files become lost depending on how the ransomware was designed.
What’s Different About Shade Ransomware?
This brings us to a very specific strain of ransomware called Shade. Shade (a.k.a. Trojan-Ransom.Win32.Shade) is a variant of ransomware first publicized by Victor Alyushin and Fedor Sinitsyn of Kaspersky Labs in September 2015. This ransomware trojan is not terribly different from some of the other ransomware trojans that exist. It gets installed using one of the methods described above and, once installed, requires a user to pay to get the files back on his/her computer. The good news is that there are several ransomware decryptor tools available to help remove Shade from an infected system.
So, if it is possible to get rid of Shade without payment, why talk about it? In August 2016, Fedor Sinitsyn published another article that highlights a few subtle but powerful changes made to Shade that make it an even more insidious form of malware that is worthy of this discussion. First, when Shade ransomware is installed, it no longer starts to encrypt immediately. Instead, it searches the system for financial information and applications. If found, it downloads TeamSpy, a well-known remote access tool that leverages a highly modified version of TeamViewer to provide a communication channel to the Shade C&C server. This gives the malware operator remote access to the system and a path to download other forms of malware as needed to further infect the compromised system. And as with other types of malware there are techniques used to hide its existence from the end user. This means that Shade and the additional remote access tools it installs can be running for a long time before it is discovered or before the ransomware code is actually executed.
Is this just the beginning of a new era of ransomware? Perhaps. One thing is for sure, it’s going to get worse as malefactors continue to find new ways to infect systems and use ransomware and other malware to steal your money. There is hope, though. First, be sure to back up your systems. If infected, don’t pay the ransom. Just restore your data. If that is not feasible (and I do understand that in many cases it is not or a backup may not exist), look for a tool that can help detect ransomware in your environment before it becomes a problem.
How AlienVault Helps
The AlienVault Unified Security Management (USM) platform provides the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to ransomware threats like Shade. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep users up to date with new and evolving threats. The Labs team performs the threat research that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves on the latest threats, and how to detect and respond to them.
The Labs team continually updates the USM platform’s ability to detect ransomware like Shade by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a compromised system.
In addition, you can explore the ransomware group in the AlienVault Open Threat Exchange to learn more about Shade and other ransomware variants in the wild.