Introduction

I dislike the term "ransomware attack." Why, you ask? It's a matter of perception.

The word "attack" indicates specific intent against a particular individual or group. An attack means someone (or something) is targeted. But I'm hesitant to use the terms "attack" and "targeted" when discussing ransomware. Calling a ransomware infection an attack focuses blame on an enemy. I consider this mindset dangerously close to fear mongering.

If we continue thinking of ransomware infections as attacks, we'll never seriously consider the wide variety of issues that allow ransomware infections to happen in the first place.

Ransomware distribution

Ransomware is distributed on a large scale. Criminal groups generally use two methods to distribute malware: malicious spam (malspam) and exploit kit (EK) campaigns. These are most often large-scale operations that attempt to reach as many potential victims as possible.

I view EK campaigns as laying a bunch of mousetraps throughout the web. An EK is not an active attack against a specific victim. People stumble across EKs through casual web browsing. Personally, I've never found any convincing evidence that ransomware infections through EK traffic have been targeted.

But what about malspam, you ask? You might think someone receiving an email with ransomware was targeted. However, I find it hard to believe the massive waves of malspam I sometimes look into are targeted against specific individuals. Especially when it's Locky ransomware, which is widely distributed [1, 2, 3]. When someone's email address is discovered by a spammer, it gets on a list. That list is often shared, and the person's email address will be constantly bombarded by wave after mindless wave of botnet-based malspam.

Ultimately, I believe ransomware infections are the result of large-scale campaigns covering numerous potential victims, and a comparatively small number of people actually get infected.

Yes, those relatively few infections often have major consequences, but they're not the result of narrowly-defined attacks. They're the result of large-scale campaigns. The important part isn't necessarily who is infected.

Shown above: Roberto probably said, "It's got my name in it, so it must be targeted!"

Assigning criminal intent based on statistics

During my day-to-day research, I usually see ransomware. I also see the malspam and EK vectors this malware comes through. But we should not make any assumptions of criminal intent based on the data we collect. Why? Because no matter how wide we cast our net, we'll never know the full truth.

I still read such reports. The latest one I looked at was based on a July 2016 Osterman Research survey about ransomware [4]. It's typical of what I've been seeing lately. The report states that healthcare and financial services are the industries most vulnerable to ransomware attacks. According to the report, "These industries are among the most dependent on access to their business-critical information, which makes them prime targets for ransomware-producing cyber criminals."

Shown above: One of the charts from the Osterman report.

I enjoyed reading the report. It has some good insights. But whenever I see these statements, I always wonder if those industries are really targeted more than other industries. Or did they have more infections because they're inherently more vulnerable? If they're indeed the most vulnerable, wouldn't it follow they're more likely to get infected during massive campaigns indiscriminately targeting everyone?

Like the large-scale EK or malspam campaigns spreading ransomware I see every day?

I don't know how to describe this. We're saying certain industries are targeted more because they're getting infected more. That just feels wrong. Ransomware doesn't need to be targeted if it's widely distributed.

Yet everyone and their mother are calling these ransomware attacks.

Final words

We tell ourselves we must know our enemy so we can better protect our network. However, I think we put too much focus on the enemy and not enough focus on ourselves.

Is everyone in your organization following best security practices? Is security a truly essential part of your corporate culture? Is security a primary concern when establishing or upgrading your network architecture, or does cost outweigh the best security measures? Most organizations have problems in these areas. We convince ourselves there are certain weaknesses we must live with.

And management really wants to know who was behind that ransomware infection and why your organization was apparently targeted.

But odds are the ransomware was directed at any number of people who either stumbled across it or were unlucky enough to find it in their inbox.

Sure, call it a ransomware incident. Just don't call it a ransomware attack.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html
[2] https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware
[3] http://researchcenter.paloaltonetworks.com/2016/07/unit42-afraidgate-major-exploit-kit-campaign-switches-from-cryptxxx-ransomware-back-to-locky/
[4] https://go.malwarebytes.com/OstermanRansomwareSurvey.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

rtfdump is a tool I developed to help me analyze (malicious) RTF files. If you just want to extract embedded objects from RTF files, you can use rtfobj. But if you want to perform more analysis, you can use rtfdump. For example, it supports YARA rules.
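As an added illustration of what "extracting embedded objects" from an RTF file involves (example code written for this page, not rtfdump or rtfobj themselves): a minimal Python triage script that finds each \objdata group, decodes its hex payload and flags OLE compound-file content. The sample RTF is constructed; real maldocs usually obfuscate this, which is exactly what rtfdump exists to handle.

```python
import re

# Magic bytes at the start of an OLE compound file (the container Word
# embeds objects in); finding it inside \objdata is a strong triage signal.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Constructed sample RTF, not taken from the page or from the videos.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
    r"{\*\objdata d0cf11e0a1b11ae100000000 4142434445}}"
    r"\par Hello}"
)


def _group_at(text, start):
    """Return the brace-delimited RTF group that opens at index start."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unbalanced file: take the rest


def extract_objects(rtf_text):
    """Decode each \\objdata payload found inside an {\\object ...} group."""
    results = []
    for m in re.finditer(r"\{\\object\b", rtf_text):
        group = _group_at(rtf_text, m.start())
        cls = re.search(r"\\\*\\objclass\s+([^{}\\]+)", group)
        data = re.search(r"\\\*\\objdata\s+([0-9A-Fa-f\s]+)", group)
        if not data:
            continue
        hexstr = re.sub(r"\s+", "", data.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # drop a dangling nibble instead of failing
        blob = bytes.fromhex(hexstr)
        results.append({
            "objclass": cls.group(1).strip() if cls else None,
            "size": len(blob),
            "is_ole": OLE_MAGIC in blob,
            "data": blob,
        })
    return results


if __name__ == "__main__":
    for obj in extract_objects(SAMPLE_RTF):
        print(obj["objclass"], obj["size"], "OLE" if obj["is_ole"] else "other")
```

The decoded blob is what you would hand to an OLE parser or a YARA scan next; this script stops at locating and decoding it.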

To familiarize you with RTF files and their analysis, I made three videos.

An intro video.

A video analyzing an RTF maldoc (MD5 07884483f95ae891845caf0d50ce507f) that contains an exploit for MS12-027 (CVE-2012-0158).

And a video analyzing an RTF maldoc (MD5 4483ad299158eb54f6ff58b5346a36ee) that contains an exploit for MS10-087 (CVE-2010-3333).

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
