Ransomware’s extortion-based business model, currently the latest major trend in the cybercrime industry, is marking a major change in the purpose and outcome of malware attacks and has become a major threat to consumers and enterprises alike.
Almost unheard of a few years ago, ransomware attacks are making the headlines almost daily, with new malware families emerging nearly every week. This should not be surprising, as the underlying business model for cybercriminals is to hit as many victims as possible and monetize attacks before security researchers react and block their malicious activities.
Ransomware attacks are carried out in a similar manner each time, regardless of the ransomware family involved: the malware is distributed via spam emails or exploit kits, files are encrypted (usually using AES encryption), and the victim is urged to pay a ransom of $200–$400 in order to recover their files. That might not seem like a lot, but crooks have already made off with hundreds of millions from extorting a large number of victims.
Ransomware operators almost exclusively use Bitcoin addresses for payments in an attempt to hide their identities. Usually the attackers provide the necessary decryption key and software to those who pay, to help ensure that future victims would pay the ransom as well. However, that isn’t a good-enough reason to pay.
What’s worrying is that enterprises are being increasingly targeted by ransomware, but most organizations are still unprepared to deal with this threat, as Ponemon Institute’s 2016 State of Endpoint Report reveals. According to the study (PDF), 56 percent of companies surveyed said they are not ready to fend off ransomware attacks, and just 38 percent said they have a strategy to deal with destructive software.
Ransomware – a global threat
Ransomware has become such a major threat to both consumers and enterprises that the United States and Canada recently issued a joint alert on this type of malware. However, the threat is not limited to these two countries but has become a global plague, and researchers say that the area is still evolving and that it might still have quite a few cards up its sleeve.
At the moment, all popular operating systems are being targeted by ransomware, including Windows (families like Locky, Petya, or Samas), Mac OS X (KeRanger), Linux (Linux.Encoder), and Android (Lockdroid). Websites are targeted as well, which shows just how widespread the threat of ransomware is.
With so many ransomware variants in the wild, including types that also steal private data, it could become difficult for victims to determine which malicious program has infected their system, especially if they are facing multiple infections. Luckily, a researcher has decided to create a tool that can help users overcome some threats: an ID Ransomware website.
What’s also worth mentioning is the fact that organizations from all industries could be targeted by ransomware, as cybercriminals don’t discriminate in this regard. In February, the Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 ransom to regain access to its computers, and IBM says that several police departments in the US were unable to decrypt files and had to pay a ransom too.
A brief ransomware history
Although trending up now, ransomware is by no means new, as the first piece of cyber-extortion software emerged back in the 80s. However, the “true revolution” when it comes to ransomware was made only in 2013, when CryptoLocker operators started using virtual currency such as Bitcoin to collect ransom money. Following a takedown operation of the Gameover Zeus botnet in June 2014, other ransomware families adopted the new payment method, with CryptoWall being the most successful copycat.
There are several factors contributing to the success of ransomware, starting with the emergence of Ransomware-as-a-Service (RaaS), where even crooks without advanced knowledge can launch devastating attacks. There’s also the fact that ransomware operators are constantly improving their code, communication methods, and attack vectors, coupled with the constant development of new variants that build on existing threats but employ new features.
In an extensive report dedicated to this type of malware, researchers at Cisco explain how ransomware is evolving into becoming a self-propagated threat that can move semi-autonomously throughout a network. They also suggest that Samas, which exhibits some of the behaviors of a successful worm, is proof of the next step in the evolution of ransomware, which should arrive in the form of cryptoworms.
The most important aspect of running a nefarious operation, however, remains anonymity, and ransomware operators too have started using the Tor anonymity network for communication with command and control (C&C) servers. They are also using a variety of other techniques to make attacks more efficient and difficult to detect, such as the fast development of new variants, which renders traditional anti-virus programs useless, since they heavily rely on already known threats.
Taking down the C&C server won’t help much when it comes to ransomware, as the operators no longer need it after a successful infection campaign. In fact, some malicious applications were observed being able to infect and encrypt computers even if offline, meaning that they don’t need constant communication with the C&C server to perform their nefarious activities.
What ransomware operators do need, however, is a payment gateway up and running, as victims are directed to these websites to access details on how to pay the ransom. Should the gateway be down, the attacker can’t monetize the infection.
A recent Check Point report reveals that ransomware authors are starting to use the ZeroNet peer-to-peer (P2P) network for malicious activities, which makes it even more difficult to shut down operations. The decentralized, censorship-resistant network allows cybercriminals to keep payment gateways up and running and to continue receiving ransom payments.
A focus on enterprises and corporate users
Cisco researchers say that ransomware attacks will intensify and increasingly focus on enterprises and corporate users, in an attempt to extort more money, faster.
By going for a single, big hit, cybercriminals no longer need to constantly shift IP addresses, domains, and hosting infrastructure to stay ahead of security researchers, and no longer risk being exposed during long-running campaigns. As attacks against organizations intensify, the ransom price is on the rise as well, which could lead some companies to pay the ransom rather than attempt remediation.
Ransomware operators have already started to increase the stakes by aiming for larger targets, and one of the main reasons for this is that they can eliminate the cost of maintaining an infrastructure for persistent attacks on consumers, even though the profits from those attacks are in the hundreds of millions.
However, with the help of technologies such as the ZeroNet P2P network, ransomware authors can easily keep payment gateways up and running without fearing disruption. This means that the threat could evolve and continue to target consumers and enterprises alike, further maximizing extortionists’ revenue.
Organizations not equipped to deal with ransomware
While the switch toward targeting enterprises and corporate users was a natural step in the evolution of ransomware operations, the fact that organizations are still not prepared to deal with this type of threat creates an opportunity for cybercriminals.
Ransomware is already seen as destructive software, especially following a large number of attacks against the endpoints (including laptops, desktops, smartphones, printers, POS machines, or ATMs) of hospitals in California, Kentucky and Maryland, Ponemon Institute’s annual State of Endpoint study explains.
The issue is not necessarily related to ransomware’s ability to penetrate systems, but to the increasing difficulty in mitigating attacks against endpoints. Only 49 percent of the 694 US IT and IT security practitioners responding to the survey believe that attacks on an organization’s endpoints can be realistically stopped with enabling technologies, processes and in-house expertise.
The report also revealed that 81 percent of the professionals believe that employees and not hackers put the company at risk, a continuing trend from last year and in line with Proofpoint’s Human Factor 2016 study, which showed that cybercriminals see people as the best exploit. Ransomware attacks have increased in severity, but other types of attacks are seen as more destructive, the survey shows.
Professionals believe that zero-day attacks are the most destructive (71 percent), followed by DDoS attacks (68 percent), the report found. While 51 percent of respondents said that the consequences of ransomware are severe, 53 percent said the same about an exploit of an existing software vulnerability more than 3 months old.
Ransomware is here to stay
As Wade Williamson, Director of Product Marketing at Vectra Networks, explained in a SecurityWeek column, ransomware is not going away any time soon, because the business model offers high reward for minimal effort.
Scott Gainey, Senior Vice President and Chief Marketing Officer at SentinelOne, explains that ransomware is not only lucrative for criminals, but also relatively easy to carry out. While ransomware has become a cash cow for cybercriminals, attacks increase in sophistication, he says.
End users and companies alike need to improve their security by employing various prevention techniques and by raising awareness of the most common attack vector: malicious email. Employees should be educated to avoid opening emails coming from unknown sources. They should also know that enabling macros in documents coming from external sources is one of the main infection vectors and that cybercriminals view people as the best exploit.
Backups are key
Other security measures that both consumers and enterprise users should employ include up-to-date backups of all data, which should be kept out of an infection’s way. Ensuring that the operating system and applications are updated is also important, as is having an anti-virus program up and running on the computer. Some malware variants probe the compromised machine for anti-malware software and terminate themselves if one is found.
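A backup that was reachable from an infected machine may itself have been encrypted, so "kept out of an infection's way" is only proven by a restore check. The following is an added example, not code from the article or from any of the vendors it cites: it records a SHA-256 manifest of a backup set at backup time, then verifies the set later, reporting files that are missing, modified or unexpected, and flagging files whose byte entropy approaches 8 bits per byte, the structureless look of ciphertext that AES-encrypted files share. The file contents, the `.locked` rename and the 7.5-bit threshold are constructed assumptions for the demonstration; the threshold is a heuristic and legitimately compressed or encrypted archives will also trip it.

```python
"""Verify a backup set against a hash manifest and flag files that look encrypted.

Added example (not from the article). A restore test should confirm both that every
file still matches the manifest taken at backup time and that nothing in the set has
the high-entropy signature of ciphertext.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(root):
    """Map relative path -> sha256 for every file under root (run at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare the set under root with the manifest; return sorted lists of findings.

    entropy_threshold is an assumed heuristic cut-off, not a value from the article.
    """
    findings = {"missing": [], "modified": [], "unexpected": [], "suspicious": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if rel not in manifest:
                findings["unexpected"].append(rel)
            elif sha256_of(full) != manifest[rel]:
                findings["modified"].append(rel)
            # Sample the first 1 MiB; ciphertext is uniformly high-entropy throughout.
            with open(full, "rb") as f:
                if shannon_entropy(f.read(1 << 20)) >= entropy_threshold:
                    findings["suspicious"].append(rel)
    findings["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in findings.items()}


def demo():
    """Constructed scenario: snapshot a small backup set, then simulate an encryptor reaching it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: repetitive plain text, so low entropy.
        for i in range(3):
            with open(os.path.join(root, f"report{i}.txt"), "w") as f:
                f.write("Quarterly figures, nothing unusual here.\n" * 50)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Stand-in for what an encryptor does to a reachable share: overwrite one file
        # with random bytes (same entropy profile as AES output) and rename it.
        victim = os.path.join(root, "report1.txt")
        with open(victim, "wb") as f:
            f.write(os.urandom(4096))
        os.rename(victim, victim + ".locked")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean set:", before)
    print("after tampering:", after)
```

In practice the manifest must be stored somewhere the backup host cannot overwrite (write-once media, a separate credential, or a vaulted copy), otherwise an intruder who encrypts the backup can simply regenerate it. The entropy check is a triage signal to act on, not proof: a spike in high-entropy files across a backup set that was supposed to contain documents is the moment to halt further backup rotations so an untouched older generation is not overwritten.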
While data-stealing espionage attacks are still a prime concern for enterprises, ransomware has quickly emerged to become a formidable threat to any connected business. Security teams need to be prepared to deal with this ongoing and ever-changing threat that is not likely to subside in the near future.