Before we talk ransomware, we must draw a bigger line to the practice of cyber extortion. Cyber extortion is a crime involving an attack or threat of attack coupled with a demand for money to avert or stop the attack.
Today, cyber extortion utilises ransomware as its preferred tool. It wasn’t always that way. When I started in the industry (1998), cyber extortion was done via website defacements and DoS (and then DDoS) attacks. The point of each was: “pay us and the pain will stop.” It is important to note these other methods because they generally highlight areas of weakness in security programs. They also go to show that cyber criminals want to do the least amount of work necessary to achieve the highest possible profit.
Now that isn’t to say “ransomware” wasn’t a thing back then. The first written one dates all the way back to 1989 and was not very successful. Without expanding on the entire history of extortion, let’s just say that generally the innovation in ransomware was relatively static until the mid-2000s.
The 2000s showed an increase in encryption sophistication culminating with the use of Bitcoin as the payment method. Once CryptoLocker hit the scene, it was game on for cyber criminals, who then had the ability to achieve scale in encryption and decryption and facilitate pseudo-anonymous crypto-transactions.
By 2014 they had moved on to encrypting network-attached storage, not just single machines.
Some other criminals decided to start building massive infrastructures to facilitate extortion at scale. The operation was complete with: the ransomware platform, help desk teams, and, eventually, YouTube marketing videos. 2016 became “The Year of Ransomware.”
Are you beginning to see a pattern here? The business of ransomware became its own industry.
Any industry needs to maximise its profits. We need to stop thinking about ransomware in terms of a singularity and start addressing it as an industry. Until we do so it will remain an issue.
Ransomware has highlighted how poorly we generally do security. We don’t automatically patch yet, we don’t have backups, and we aren’t testing our restorations. I said the same thing when I started in cybersecurity and the same holds true today.
To begin to change the finances behind ransomware, we have to look at the bigger picture.
The Carbon Black Threat Analysis Unit (TAU) recently analysed more than 1,000 ransomware samples, categorising them into 150 families, and found the following:
● Attackers are looking to make quick, easy money with unsophisticated malware combined with sophisticated delivery methods. The majority of today’s ransomware aims to target the largest vulnerable population possible.
● “Ransomware as a Service (RaaS)” and the emergence of Bitcoin have lowered the barrier to entry even further for attackers.
● Some ransomware is beginning to implement non-malware tactics that leverage “trusted” native tools, such as Microsoft’s PowerShell. These tools can be used in the propagation of the ransomware as well as file encryption.
● Nearly 99 per cent of ransomware attacks we analysed targeted Microsoft products. Mac users were largely untouched by the ransomware samples we researched.
This research has also led to some interesting predictions for the future of ransomware.
1) Based on the direction ransomware is trending in our sample set, we believe ransomware will increasingly target Linux systems in an effort to further extort larger enterprises. For example, attackers will increasingly look to conduct SQL injections to infect servers and charge a higher ransom price. We have already observed attacks hitting MongoDB earlier this year which provide an excellent foreshadowing.
2) Ransomware will become more targeted by looking for certain file types and targeting specific kinds of companies, such as legal, healthcare, and tax preparers, rather than the “spray and pray” attacks we largely see now. There is already ransomware that targets databases, preying on businesses, and small tweaks to its code can target critical, proprietary files such as AutoCAD designs. A focused targeting of extensions can allow many ransomware samples to hide under the radar of many defenders.
3) While most ransomware samples we analysed simply encrypt files in place and transmit encryption keys for the purpose of decryption, there will be ransomware samples that will take the extra step of exfiltrating data prior to encryption. Such an evolution would not only put stress on companies to restore their data but also add the loss of proprietary data that could be sold on the black market.
4) Ransomware will increasingly be used as a smokescreen. For example, in the past, Zeus botnet operators hit victims with DDoS attacks after an infection to take investigators off the trail. A similar trend is emerging with ransomware attacks where the encryption of files could take place after more damning actions are taken by adversaries. Using already existing techniques of deleting Volume Shadow Copies, which deletes potential file backups, and the deletion of Windows event logs, adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating exfiltrated data and credentials.
5) Ransomware will emerge as a secondary method when initial forms of attack fail. Adversaries that rely upon more crafted and targeted attacks may use ransomware as an attack of last resort. Failing to entrench in an environment with a Remote Access Tool (RAT) or exfiltrate data, adversaries can push ransomware across the environment to ensure at least a minimum return for their effort invested.
6) Ransomware will be used more commonly as a false flag, as seen with NotPetya. Solely from dynamic analysis it was perceived to be Petya, when more detailed analysis showed it wasn’t. Such quick analysis also suggested it was obviously ransomware, but a greater depth of disassembly showed that data was not held for ransom; it was simply destroyed.
7) Ransomware will increasingly leverage social media to spread either intentionally or unintentionally. Similar to malware such as Koobface, maliciously shared content on sites such as Facebook could lead victims to click enticing links. Intentionally shared ransomware, seen in prior concepts, such as Popcorn Time where victims could share to reduce or eliminate their ransom, could see larger-scale use.
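Prediction 4 names two anti-forensic steps, Volume Shadow Copy deletion and Windows event log clearing, that defenders can watch for in process-creation telemetry. The following is an added example, not code from the original article or from Carbon Black: it flags each step and raises a host's priority when both occur close together. The log format, host names, rule names and the 10-minute window are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (assumed format): time|host|command line
SAMPLE_LOG = """\
2017-09-01T10:00:05|WS-014|vssadmin.exe list shadows
2017-09-01T10:02:11|FS-02|vssadmin.exe Delete Shadows /All /Quiet
2017-09-01T10:02:40|FS-02|wevtutil.exe cl Security
2017-09-01T10:05:00|WS-031|wmic.exe shadowcopy delete
2017-09-01T11:30:00|DC-01|wevtutil.exe qe System /c:5
"""

# Rule names are hypothetical; the patterns match the built-in Windows tools.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
        re.I),
    "event_log_clearing": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def match_events(log_text):
    """Return (timestamp, host, rule_name) for every record that hits a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed records
        ts, host, cmd = parts
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((datetime.fromisoformat(ts), host, name))
    return hits


def triage(log_text):
    """'high' when both steps occur on a host within WINDOW, else 'medium'."""
    by_host = defaultdict(list)
    for ts, host, name in match_events(log_text):
        by_host[host].append((ts, name))
    result = {}
    for host, events in by_host.items():
        shadows = [t for t, n in events if n == "shadow_copy_deletion"]
        clears = [t for t, n in events if n == "event_log_clearing"]
        paired = any(abs(a - b) <= WINDOW for a in shadows for b in clears)
        result[host] = "high" if paired else "medium"
    return result
```

A host rated "high" is one where responders should look for exfiltrated data and credentials as well as planning file recovery.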
As a community, we have to start doing the basics right. We have to stop paying the ransoms and we need better defences to prevent it in the first place. Until we do so, the future of the ransomware industry looks bright.
Rick McElroy, Security Strategist, Carbon Black