Ransomware attacks continue to grow, with new ransomware groups coming into the picture. The whole premise of the ransomware business is blackmail, and the crux of the attack is familiar to all: the attackers gain access to the computer system, encrypt the computer’s disk and hold that information for a payoff. The encryption is done using public-private key pairs that are uniquely created for the target. Once encrypted, the target’s only hope of obtaining the private key and recovering the encrypted data is to pay the ransom to the attacker.
Unfortunately, even paying the ransom does not guarantee retrieval of the data: according to a survey conducted by Venafi (https://www.bleepingcomputer.com/news/security/ransomware-extortion-doesnt-stop-after-paying-the-ransom/), 35% of the victims were unable to retrieve their data despite paying the ransom.
Rootkits
Rootkits are a type of software that hides entities in a computer system while keeping them accessible to other, selected entities. Rootkit-cloaked malware programs are not easily detectable, and this is especially true for kernel-mode rootkits, which execute at the same privilege level as the operating system’s kernel. Rootkits can hide processes, files, network connections and so on, enabling an attack to continue for weeks, months or even years. For example, the ‘caketap’ rootkit, which intercepts banking transactions and PIN verification data on compromised ATM servers, has gone unnoticed for years.
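One cross-view check a defender can run on Linux to notice a hidden process, added here as an example that is not part of the original post: it compares the PIDs the /proc directory listing reports against the PIDs that answer a signal-0 probe, and flags those that exist but are missing from the listing. It assumes Linux with /proc mounted (the pid_max path is an assumption); a kernel-mode rootkit that filters both views will not be caught by it, which is exactly why the article calls kernel-mode rootkits the harder case.

```python
import os

PID_MAX_FILE = "/proc/sys/kernel/pid_max"  # Linux sysctl path; assumed to exist


def visible_pids():
    """First view: PIDs the /proc listing reports (what a hiding rootkit filters)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """True if the kernel still knows the PID, even when we may not signal it."""
    try:
        os.kill(pid, 0)  # signal 0 does the lookup and permission check only
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True


def probed_pids(max_pid):
    """Second view: every PID in 1..max_pid that answers the signal-0 probe."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_pids(visible, probed):
    """Pure cross-view comparison: alive per probe but absent from the listing."""
    return sorted(set(probed) - set(visible))


def read_pid_max(default=32768):
    """Upper bound for the probe; falls back to the classic default if unreadable."""
    try:
        with open(PID_MAX_FILE) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def scan():
    """Collect both views, then re-check candidates to drop short-lived processes."""
    before = visible_pids()
    candidates = hidden_pids(before, probed_pids(read_pid_max()))
    after = visible_pids()
    return [pid for pid in candidates if pid not in after and pid_exists(pid)]


if __name__ == "__main__":
    suspicious = scan()
    if suspicious:
        print("PIDs alive but missing from the /proc listing:", suspicious)
    else:
        print("no cross-view discrepancy found")
```

A process that appears and exits between the two listings is filtered by the re-check in scan(), so a non-empty result is worth investigating rather than dismissing as a race.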
Rootkits in Ransomware, the Heightened Threat
One of the important goals of a ransomware attack is to remain unnoticed until all the files that may be valuable to the user have been found and encrypted, and it is here that a rootkit becomes an important weapon in the attacker’s arsenal. RobbinHood ransomware is an example where the attackers managed to load their own driver by exploiting a long-standing vulnerability in a Gigabyte kernel driver. On gaining kernel-mode access, the attackers stopped many of the security services on the system, stopped backup software and deleted files that are normally locked.
With open-source rootkits available that can be integrated into other malware, and functional rootkits for sale on the dark web for a price, an increasing number of ransomware families will leverage rootkit capabilities to hide themselves until maximum damage is done.
Defending Against the Emerging Threats
The most obvious defense against ransomware is to take backups regularly, yet not just individuals but even organizations fail to practice good hygiene when it comes to backup and recovery. It is imperative that computer systems have mechanisms that are effective against advanced malware such as rootkits. It is not enough to just have malware detection tools, as the damage could already have been done by the time the notification is acted upon. What is required are advanced malware detection techniques that do not just detect but also prevent the rootkit from causing any damage to the system.
Click here to learn more about SecurWeave’s patented rootkit detection and mitigation technology for business critical systems.