Threat Brief: Why Ransomware Hurts So Much and Is So Hard to Stop

This post is also available in: 日本語 (Japanese)

In our updated report on ransomware from Unit 42, “Ransomware: Unlocking the Lucrative Criminal Business Model,” Unit 42 researcher Bryan Lee notes: “In 2016, it was thought that there were less than one hundred active ransomware variants out in the wild. Today, the number of total ransomware variants at least over 150, if not hundreds more.”

It’s reasonable to ask why ransomware continues not only to exist but to thrive. The first answer to this, as we’ve outlined in our report, is that ransomware is a lucrative cybercriminal business model. However, in addition to the human factor, there are technical reasons. Specifically, there are three things that combine to make ransomware a particularly potent threat on the technical level:

1. Ransomware very effectively exploits the total trust the Microsoft Windows operating system places in the user.
2. Ransomware specifically targets file types and locations that are valuable to users..
3. Ransomware operates quickly, thwarting post-compromise tools for response

In some ways, these three points state the obvious. But the full ramifications and why these make ransomware hard to stop aren’t always discussed.

The way ransomware works is well documented, but let’s recap here. Ransomware is downloaded to a user’s system and executed on it. The way the attackers get the ransomware on the system varies: it can be through unpatched vulnerabilities, social engineering or both. The most common way ransomware operators levy attacks is through email or by web browsing to malicious or compromised sites. The overwhelming majority of ransomware attacks are against Microsoft Windows systems. Once malware is running on the user’s system, it seeks out and encrypts files and folders that hold information critical for the user, such as documents, business applications or even database files. In some cases, the ransomware is sophisticated enough to target specific application files. Most importantly, because the ransomware is executing with the compromised user’s privileges, any file the legitimate, now-compromised user has access to, including network shares and backups, is fair game for the ransomware.

It’s this last point that gets to the heart of why ransomware is so potent. From an operating system point of view, the ransomware IS the user. Even though Microsoft Windows today features a robust user access control system, that system has inherent limitations. In the early days of Window Vista, Microsoft enabled aggressive security checking to ensure user-initiated actions were legitimate. This was well-intentioned but ultimately backfired: users got fed up clicking “Are you sure?” dialog boxes and quickly disabled the feature, or just mindlessly clicked “OK” every time they saw it. Microsoft made reasonable adjustments so that these alerts are now raised sparingly. Although that feature was never enabled to protect user data files like ransomware targets, there is a clear lesson from the experience: too many security checks on user activity fails in the end.

Bringing that lesson to bear here, the only way the operating system could protect against ransomware would be to raise “Are you sure?” dialog boxes on everyday operations against the kinds of files that ransomware targets.  And this is where the second point comes to bear.

Unlike other forms of malware, ransomware is very specific in its targeting. It goes after the files users are most likely to care about. These also happen to be files users are most likely to use on a day-to-day basis or that are critical to an organization’s operations. Extra layers of protection for those files would be incredibly onerous. Imagine having to click through “Are you sure?” dialog boxes for every document or picture you opened in a day.

From an engineering point of view, this sole, specific targeting of files that matter significantly increases the chances of ransomware’s success. This brings us to the third point: there is little attack time wasted on files that don’t matter to the victim. Even a successful ransomware attack that is halted early by security software will achieve some level of damage – enough to make the victim consider paying the ransom to get the files back. If user32.dll were encrypted and unusable, it would be a problem. But when your organization’s overall accounting and audit report is inaccessible right before the big deadline, that’s catastrophic.

The net of these three points is that ransomware is a threat such that focus needs to be placed solely around prevention. There is no effective solution for ransomware at the operating system level, as outlined above. And unlike other attacks, ransomware attacks can’t succeed “just a little.” In some cases, a single file lost is more than enough to count as a fully successful attack.

In some ways, ransomware is a threat unlike any other. Its impact and scope are both broad and deep in ways that are unique. Because of that, from a risk assessment point of view, ransomware needs to be put in a class by itself – a class that acknowledges that the risks from a successful attack of any kind are very high.