The Evolution of Ransomware: Part 2

For most, ransomware attacks are the byproduct of uninformed users opening malicious attachments sent by devious and anonymous criminals.  While this is still a useful approach for some attackers, the success of ransomware and the evolution of protections against it have led to the popularization of multiple techniques for infecting user systems.  Protection against the effects of ransomware starts with a clear understanding of all of the means that attackers will use to implant that first malicious package.

The Modern Palette of Infection Vectors

The way in which ransomware is delivered to victim systems has advanced quickly since the AIDS Trojan of 1989, when the delivery mechanism involved a postal worker, a truck, and a floppy disk.  As with most cyber attacks, the attackers develop new methods in order to bypass the new controls put in place to stop their last successful campaign.  Today, there are five main methods used to get ransomware from source to target.

The Traditional Favorite: Phishing Campaigns

Social networking has heavily influenced the growth and effectiveness of phishing campaigns.  According to data gathered from the non-profit Anti-Phishing Working Group (APWG), phishing attacks in the 3rd quarter of 2016 were up 130% since the same period in 2015.  In 2017, these campaigns are more targeted, using available information in one of two ways:

1. Phishing Nets: A limited amount of target-specific detail is used to create phishing messages which are then sent to a wide list of target employees, creating a high probability of infection on one or more user systems.  This is especially true with newer “land and expand” ransomware, which automatically leverages its presence on the current victim to search for and corrupt other systems within reach.

2. Spearphishing or Whaling: Very specific messages are crafted for delivery to organization members who are more likely to opt for payment, like executives or IT staffers. Both of these campaigns direct the victim to execute some malicious program, delivered as either a camouflaged attachment or link to a malicious site. According to awareness training provider PhishMe, 93% of phishing campaigns now deliver ransomware as the payload, which puts phishing at the top of our list.

Innocent Bystanders: Drive-by Downloads

Rampant popularity among criminals has made phishing-based delivery of ransomware more common and recognizable, so attackers are leveraging new techniques that can infect users without requiring them to click. The most well-established of these is the drive-by download, where ransomware is delivered transparently through web pages where malicious links have been hidden. These links exploit vulnerabilities in browsers (there were hundreds in 2016, according to Heimdal Security), and can be placed on vulnerable sites or in areas where user input is not validated, like blog comment fields.  As organizations and security providers invest to blunt phishing attacks, expect to see even more of these drive-by infections.

Distribution by Trusted Parties: Malvertising

Phishing relies on getting users to click.  Drive-by downloads are assumed to be clustered on questionable sites.  As a result, both have been thought to be mitigated by educating a new breed of more prudent users. Malvertising poses another threat entirely.  Malvertising puts drive-by code in front of users by hiding malicious executables in advertisements served up through popular ad networks on some of the Internet’s most popular sites, like the New York Times, AOL, and the BBC. Like drive-bys, malvertising relies on vulnerabilities, and some of these remain active and exploitable for years, like this one that was used to distribute both Reveton and its modern variant, CryptXXX.

Everybody Loves a Bargain: Counterfeit and Forged Applications

According to a report from IDC, approximately one-third of the PC software in use worldwide is counterfeit, and for the users of that software, there is a one-in-three chance that they will be infected with malware.  For organizations that allow users to install their own applications, one “free” version of a favorite application can pose an organization-wide threat, especially when combined with new “land and expand” malware such as VirLock.

One Bad Apple: Parasitic and Social Infections

VirLock is one example of ransomware that is built to spread. Once they have been executed, these packages immediately seek out additional machines to infect.  These automated attacks search for connected computers and drives to infect, or leverage email and social network accounts to spray their ransomware using the local user’s account and contact list.  In all cases, they turn the victim into the perpetrator of a much broader infection.

General Recommendations

It is possible to improve your defense against all of these vectors, if you know how.

Unfortunately, Googling “ransomware protection” typically yields only general good ideas like user training and backups.  These are fine, since a knowledgeable and slightly paranoid user is certainly the best protection, and backups provide the ability to recover data after it has been destroyed.  Actual protection, though, from those inevitable user slips, requires a boost from technology.

At the most basic level, attachments and links should be disabled or contained using some combination of firewall and mail system controls. Systems should be centrally managed, configurations locked down, and policies should enforce patch installations and permissible applications. As a last line of defense, at the user's system, anti-virus and runtime malware defenses should be combined to block the ransomware that makes it through. We know that 2017 is going to deliver more sophisticated malware pushed through more numerous channels. Our security practices have to keep up and work together if we are going to slow the growth of ransomware by decreasing its success, its profitability, and its public destructive impact.
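As an added illustration of the mail-system controls recommended above (example code written for this page, not from the author or Barkly), the script below walks a constructed phishing-style message, flags the camouflaged attachment patterns described in the phishing section (executable extensions, double extensions such as "invoice.pdf.exe", and content whose MZ header says "Windows executable" regardless of the declared name or type) and collects the links in the body for URL checks. The sample message, addresses, and extension lists are constructed assumptions.

```python
import email
import re
from email import policy

# Extensions that execute when opened, and the document types they get disguised as.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat", ".cmd", ".ps1", ".lnk"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

# Constructed sample (not from the article): a phishing-style mail carrying a
# camouflaged attachment and a link; the base64 is a DOS/PE "MZ" header stub.
SAMPLE_EML = """\
From: accounts@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1

Please pay the attached invoice or view it at http://example.invalid/inv today.
--b1
Content-Type: application/pdf; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

def check_attachment(filename, data):
    # Returns a list of (filename, reason) findings for one attachment.
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append("executable extension " + ext)
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT:
        reasons.append("double extension disguised as ." + parts[-2])
    if data[:2] == b"MZ":  # Windows executable, whatever the name or MIME type claims
        reasons.append("content is a Windows executable")
    return [(filename, r) for r in reasons]

def triage_message(raw):
    # Walks a raw RFC 822 message: flags risky attachments, collects body links.
    msg = email.message_from_string(raw, policy=policy.default)
    findings, links = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            findings += check_attachment(name, part.get_payload(decode=True) or b"")
        elif part.get_content_maintype() == "text":
            links += re.findall(r"https?://[^\s<>]+", part.get_content())
    return {"attachments": findings, "links": links}
```

In a real gateway the findings would drive quarantine or attachment stripping and the collected links would be passed to a URL reputation check.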

Jack Danahy is co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security.  He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.