
There are many ways a Cyber attacker can unleash their threats upon you or any business.  The Cyber security threat landscape is an ever changing one, shifting on a daily basis.  Whatever attacks came out yesterday pale in comparison to what can be done today and tomorrow.

In my opinion, one of the most brutal forms of Cyber attacks is that of Ransomware.

As I have described, this is when a hacker can covertly install malware onto your computer (or even mobile device for that matter) and lock all of your essential files and main screen until you pay a ransom, which is usually in the form of a virtual currency, such as that of Bitcoin.

But, keep in mind that the Cyber attacker may never even send the decryption algorithm after they have received your payment.

It’s a very risky proposition. There is only one Cyber attack group that I am aware of that will actually send you those needed algorithms; I believe it is the group that launched the WannaCry malware.  In every instance that has been documented, they have made good on their promise after they received the ransom payment.

That is why most Cyber security professionals will always tell you (and me too) to back up your files on a daily basis, just in case you are ever hit with the Ransomware threat.

But now, there may be a way to circumvent this kind of attack, without ever having to pay a Bitcoin or needing the decryption algorithms.  Cyber security researchers at an organization known as the “Malware Hunter Team” first spotted the Ransom Warrior malware on August 8th.

It is believed that the Cyber attack group originates in India, and the hackers who developed the malware are rather inexperienced, say, when compared to the group of individuals that developed the WannaCry Ransomware.  What makes the former so inexperienced?

Well, the source code for the malware was developed in the .NET framework.  This is more of a software development platform, which was widely used in the last decade along with other platforms such as Cold Fusion.  To the best of my knowledge, the .NET platform is hardly used as much anymore, since newer forms of source code development are becoming more popular, such as that of PHP.

Also, this Indian-based group did not appropriately “package” or “protect” the malware so that it would be covert and remain undetected from the moment it was launched up until the point it would lock up the victim’s screen and their files.

Third, the encryption that was utilized is actually a stream cipher using a key randomly chosen from a list of 1000 hard-coded keys.

Because of this degree of simplicity, the Cyber security researchers were able to extract these keys, because the index of the chosen key was saved locally on the victim’s machine, which was another huge mistake.

With the keys now extracted, the infected machine could be unlocked, and the files released back to the victims.
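To show concretely why this key-management design is recoverable, here is an added illustration (not the malware's code, nor the researchers' tool): a stream cipher keyed from a constructed list of 1000 hard-coded keys, with the chosen key's index written beside the ciphertext as the article describes. It also goes one step beyond the article: even if the index were not stored, a space of only 1000 candidate keys is trivially searched using a known file header. The key list, the HMAC-SHA256 counter keystream and the sample PDF header are all constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-in for the 1000 hard-coded keys the article describes.
HARDCODED_KEYS = [hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(1000)]


def keystream(key: bytes, length: int) -> bytes:
    """Constructed keystream: HMAC-SHA256 in counter mode (a stand-in for the real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(data: bytes, key: bytes) -> bytes:
    """A stream cipher is XOR with a keystream, so the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def simulate_infection(plaintext: bytes, index: int) -> dict:
    """Mirror the flaw: the ciphertext is written together with the index of the key used."""
    return {"ciphertext": xor_stream(plaintext, HARDCODED_KEYS[index]), "stored_index": index}


def recover_with_stored_index(artifact: dict) -> bytes:
    """Recovery path 1: the index left on disk points straight at the right hard-coded key."""
    return xor_stream(artifact["ciphertext"], HARDCODED_KEYS[artifact["stored_index"]])


def recover_by_known_header(ciphertext: bytes, known_prefix: bytes):
    """Recovery path 2: without the index, try all 1000 keys against a known file header.

    Returns (index, plaintext) for the first key that reproduces the header, else None.
    """
    for idx, key in enumerate(HARDCODED_KEYS):
        if xor_stream(ciphertext[: len(known_prefix)], key) == known_prefix:
            return idx, xor_stream(ciphertext, key)
    return None


if __name__ == "__main__":
    sample = b"%PDF-1.4\n% constructed sample document body\n"  # constructed victim file
    artifact = simulate_infection(sample, 777)
    assert recover_with_stored_index(artifact) == sample
    print("recovered via stored index; via header search:", recover_by_known_header(artifact["ciphertext"], b"%PDF-")[0])
```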

My thoughts on this?

Well, it is apparent that this Cyber attack group in India is not too well experienced in crafting the source code for the malware, as there are three distinct areas where they made their mistakes:

* Using a more or less outdated source code development platform to create the malware;

* Not protecting it well enough so that it remains covert;

* Using a string of keys which can be easily guessed.

In this case, the victims of this Ransomware attack were very lucky that the Cyber security researchers were able to detect these weaknesses, and to have their devices and files recovered.  I would say that in 9 out of 10 cases, Cyber attack groups are much more sophisticated than this when they launch their malware payloads.

But, the moral of the story in all of this is that the Cyber attacker can be penetrated.  Even the most sophisticated ones will leave some sort of clues behind; it just takes an extremely well trained forensics investigator and the time needed to discover these types of weaknesses.  But unfortunately, time is not on our side, as the Cyber attack group will probably have created a much more sophisticated piece of malware by then.

But all is not lost either.  This is an area where the use of Machine Learning and Neural Networks can come into play.  For instance, once weaknesses have been discovered in a piece of malware, they can literally be fed into these systems in order for them to “learn” and develop models of what future weaknesses in Ransomware attacks could look like.

In other words, rather than a threat profile being built, I imagine a Ransomware “weakness” profile being built, which could hold great potential down the road.