Security Experts:

The Evolution of Ransomware: Part 1

Public understanding and concern about cybersecurity has historically been pretty low, the domain of experts and large organizations on the lookout for sophisticated, targeted attacks. Ransomware is changing that, creating a rising tide of successful attacks that are forcing a re-examination of protection in organizations of all sizes.  Businesses, numbed by constant warnings about threats, breaches, and the hopelessness of protection, are getting a serious wake-up call.  A surge in ransomware, caused by the ease of staging widespread attacks, extending even to automated ransomware attack services, has made fast, broad, and anonymous attacks commonplace.  From humble roots in the AIDS Trojan of 1989 to its current myriad forms, ransomware growth is only accelerating. These attacks have come a long way in the last 27 years,  and for those looking to protect themselves in 2017, it is time to understand and address the modern ransomware threat.

The Evolution of Ransomware in Two Dimensions

Examining the original AIDS Trojan ransomware campaign shows that even in its earliest days, the ransomware formula was the same: Criminals force people to pay money quickly to regain control of a system that the ransomware had coopted.  The method for the 1989 infection was a floppy disk delivered by physical mail, and victim information was made inaccessible by weakly encrypting critical files.  This first campaign was neither very successful or long-lived, but 2017 promises ransomware attacks delivered through multiple sophisticated means which threaten serious harm if the victim doesn’t pay.  In this two part series we examine first the increasing maliciousness of new ransomware campaigns and the damage they are already causing.  In Part Two, we will describe the five major techniques that are the common delivery mechanisms for these new and more dangerous payloads, and we will outline a simple strategy for prioritizing protection and recovery strategies for ransomware in 2017.

Crypto Ransomware

Crypto Ransomware is commonly viewed as a simple problem:  Users click on files or links in phishing messages, their systems get infected, their data is strongly encrypted, and victims are given the option to pay ransom to decrypt it or to reconstruct their data from backups.  This technique is so popular that anti-phishing provider PhishMe reports over 97% of current phishing messages integrate ransomware.  Sadly for the criminals, the effectiveness of these campaigns in collecting ransoms has dropped as the attacks have grown more common.  One factor is a general unwillingness to pay, with 97% of infected organizations in the US refusing to pay, according to Ostermann Research.  The other mitigating factor is an increase in attention to data backup as a means of de-fanging these attacks.  Current, secure, backups reduce the cost and downtime of a typical attack.

Locker Ransomware

Ransomware criminals, seeing the decrease in revenues, are moving on.  To create a stronger motivation to pay, they have raised the stakes for non-payers by threatening the entire system. An example is the 2016 package called Petya.  Recognizing that files can be trivially restored, Petya instead encrypts the entire disk, making the system non-functional and requiring a full machine reimaging and update if the ransom isn’t paid. This is considered to be “Locker Ransomware”, where the kidnapping has gone from the files to the entire system.  When this type of ransomware has the ability to distribute itself and corrupt additional machines, as is the case with the 2016 VirLock ransomware, entire organizations can become disabled.  Here, too, backup is carrying most of the burden for attempted cleanup, and is decreasing the ransom-paying hitrate.

Moving to the Dox

The latest twist in ransomware should really have its own category, potentially called “Blackmail-ware”, but is currently emerging as “Doxware”.  In these new packages, like Jigsaw and Chimera, the critical data in the files is not simply held with the threat of destruction, it is held with a timer and a promise to disclose it publicly.  The term “Doxware” comes from the established practice of doxxing, where private information, sometimes very private information, is published on the Internet against the wishes of its owner.  Victims in regulated industries or possessing especially sensitive information are no longer balancing the cost of ransom versus clean-up, they are facing an existential risk.  Law firms, publicly traded companies, pharmaceutical researchers, police departments, and others suffer far more from the exposure of critical private data than they would from the time required to reconstitute it from backups, so great backups will no longer be an option.  The ransom is the only way to keep the genie in the bottle, completely changing the equation behind a decision to pay. 

From the What to the How

The impact of ransomware has expanded from an IT nuisance to attacks that can shut down and potentially ruin the businesses they infect.  The increasing damage is one dimension of the growing ransomware threat, but there are similar advancements in the delivery of these destructive payloads.  In my next column, I will explain how these attacks reach target systems and we’ll finish with a checklist to prioritize the reduction of both types of risk.

Read Next: The Evolution of Ransomware: Part 2

view counter
Jack Danahy is co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security.  He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.