In its criminal nature, ransomware is the digital version of an age-old method; however, instead of keeping something of value hidden and captive, ransomware instills fear by holding sensitive or critical data hostage. Even though ransomware became the attack method of choice in 2017, the techniques of attack and the strains of the malware are constantly evolving. Further, as digital transformation gains momentum through connecting IoT devices and leveraging new business systems, the threat from the malware continues to grow.
As more people connect to the Internet via smart devices, as global digitization increases, and as huge amounts of data are stored on computers, ransomware defense is becoming critically important. Typically, awareness among businesses is raised when a key incident makes the headlines, and then fades along with the news of the attack. The latest attack on Equifax not only provoked immediate panic, because so many other organizations had the same vulnerability and the same patching processes, but will also likely result in serious regulatory changes. Suffering a loss of $5.3 billion due to the data breach, the formerly reputable credit reporting bureau may at some point become a shadow of its former self, facing additional lawsuits and a criminal investigation.
It is evident that protecting yourself and your business from ransomware must be based on recognizing threats before they cause irreversible damage. This usually means educating staff and adding a variety of security measures designed to identify attacks early and respond to them quickly.
Cryptoware and lockerware are the two well-known ransomware families responsible for the most significant attacks. Petya is a notable cryptoware virus which encrypts files and demands money in exchange for a decryption key. This year’s Petya attacks were as damaging as any previous ransomware attack, affecting financial institutions, the media and the oil industry. Although it was initially assumed that the newest Petya variant involved standard extortion executed by cybercriminals intending to profit, closer analysis of the malware indicated that the extortion was not that simple; in fact, there was no payment portal. Therefore, as CNBC reports, the attack may also have had hidden motives to damage state infrastructure. In many attacks in 2017, criminal intent went beyond financial gain to creating disruption.
It is not unusual for digital extortion to be based on cryptocurrency payments. The low detectability of cryptocurrency, particularly Bitcoin, makes it an ideal method of payment for cybercriminals. Although cases of “fair” ransomware trades have certainly been recorded, payment is in no way a guarantee of the safe return of damaged or encrypted files.
A recent lockerware variant of the infamous Locky malware set a ransom of 0.5 Bitcoin per infected computer, which at the time equaled $2,300. The attack was delivered by phishing emails with an infected attachment that encrypted or damaged the user’s system as well as, potentially, other systems on the network. Thus, even when a single employee clicks on an infected file, the damage can spread to multiple systems or an entire network.
An overview of ransomware evolution helps in understanding how ransomware works and spreads from system to system. By identifying the past ransomware variants responsible for infections, members of the organization will also be better prepared to handle future suspicious files delivered via phishing or other social engineering methods.
A common problem for cybercriminals, for example, is moving the money out of the accounts into which it was initially placed without giving a hint as to who is behind the attack.
While cryptolockers are currently trending, lockscreen variants are also becoming more prevalent. The most recent threats not only encrypt data and block users’ access to their files, but also delete the encrypted files.
2017 has indeed been called the year of ransomware, as attackers have taken aim at private and public enterprises working with large databases. Healthcare, transportation and even the energy sector are prime targets for the malware. In addition, older malware examples like Reveton, CryptoLocker and CryptoWall are being replaced with more sinister variants, like the May 2017 ransomware threat WannaCry, which affected over 200,000 computers in 150 countries.
The effect of WannaCry was widespread and lucrative for the attackers. The profits, $140,000, were collected in three Bitcoin accounts, which were ultimately split across nine in order to throw off investigators. Thus, even though the accounts were public, the transactions were performed anonymously and hindered efforts to track the account owners. By diverting the focus, the WannaCry operators kept investigators on their toes: the more numerous and widespread the transfers, the more difficult it is to trace the transactions back to the original perpetrators.
Ransomware attacks begin by searching for vulnerabilities in software on the victim’s system. Then the malware is loaded onto the computer, either through an executable attachment or by visiting malicious or compromised websites via a link sent in an e-mail. These are classic and well-known cybercrime techniques for file infection.
Once a payload is dropped or downloaded by malicious software, or when a cryptolocker starts exploiting unpatched or otherwise vulnerable systems, the victims will need to fight back with the right ransomware removal tools. Windows workstations have so far been recognized as the primary target. Regardless of the prevalence of attacks on Windows workstations, the WordPress platform is the newest addition to potentially targeted software. The EV ransomware reported by Wordfence executes its payload by exploiting vulnerabilities in compromised websites that run WordPress, which unfortunately powers the vast majority of websites.
API monitoring is a technique for watching the applications and services whose failure would be most critical and could severely endanger the system during a cyberattack. Typical anti-ransomware methods also include monitoring file system activity, checking for known ransomware file extensions and for unusual patterns of file renaming.
One tactic used successfully to identify a ransomware attack is to create a network segment or IP address that holds only fake or worthless data. Creating compelling traps for the ransomware, such as decoys and honeypots, is a deception-based tactic that redirects the malware to servers or systems holding no valuable company assets or data. However, when installing client-based anti-ransomware applications, it is critical to warn users that using the wrong agent can sometimes increase the threat.
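As an added example, not code from the original article, the Python detector below applies the two ideas just described (file-extension and rename monitoring, and decoy files) to a constructed file-event log: it raises an alert when a burst of renames to known ransomware extensions occurs within a short window, and whenever a decoy file is touched. The extension list, the decoy path and the log format are assumptions made for the example.

```python
import os
from collections import deque
from datetime import datetime, timedelta

# Assumed extensions appended by the families named in the article (constructed list).
SUSPICIOUS_EXTENSIONS = {".locky", ".wncry", ".wncryt", ".encrypted"}
# Hypothetical honeypot file that no legitimate process should ever touch.
DECOY_PATHS = {"/srv/share/finance/_decoy_budget.xlsx"}
RENAME_BURST = 5            # renames to a suspicious extension ...
WINDOW = timedelta(seconds=10)  # ... within this window trigger an alert

# Constructed sample log: "<ISO timestamp> <OP> <path> [<new path>]"
SAMPLE_LOG = [
    "2017-05-12T08:00:00 WRITE /srv/share/hr/report.docx",
    "2017-05-12T08:00:01 RENAME /srv/share/hr/report.docx /srv/share/hr/report.docx.wncry",
    "2017-05-12T08:00:01 RENAME /srv/share/hr/salaries.xlsx /srv/share/hr/salaries.xlsx.wncry",
    "2017-05-12T08:00:02 RENAME /srv/share/hr/notes.txt /srv/share/hr/notes.txt.bak",
    "2017-05-12T08:00:02 RENAME /srv/share/finance/q1.pdf /srv/share/finance/q1.pdf.wncry",
    "2017-05-12T08:00:03 WRITE /srv/share/finance/_decoy_budget.xlsx",
    "2017-05-12T08:00:03 RENAME /srv/share/finance/q2.pdf /srv/share/finance/q2.pdf.wncry",
    "2017-05-12T08:00:04 RENAME /srv/share/finance/q3.pdf /srv/share/finance/q3.pdf.wncry",
    "2017-05-12T08:00:30 RENAME /srv/share/legal/nda.docx /srv/share/legal/nda.docx.wncry",
]

def parse_event(line):
    """Split one log line into (timestamp, op, src, dst-or-None)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    return ts, parts[1], parts[2], (parts[3] if len(parts) > 3 else None)

def detect(lines):
    """Return alert strings for decoy access and suspicious rename bursts."""
    alerts, recent = [], deque()      # recent: timestamps of suspicious renames
    for line in lines:
        ts, op, src, dst = parse_event(line)
        if src in DECOY_PATHS or dst in DECOY_PATHS:
            alerts.append(f"{ts.isoformat()} decoy touched: {op} {src}")
        target = dst if op == "RENAME" else src
        if op in ("RENAME", "CREATE") and \
                os.path.splitext(target)[1].lower() in SUSPICIOUS_EXTENSIONS:
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:   # drop events outside the window
                recent.popleft()
            if len(recent) >= RENAME_BURST:
                alerts.append(f"{ts.isoformat()} rename burst: {len(recent)} "
                              f"suspicious renames within {WINDOW.seconds}s")
                recent.clear()                          # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The benign rename to `.bak` and the lone rename 26 seconds later do not trigger the burst rule, which keeps the rule from firing on ordinary file housekeeping.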
Organizations often wonder whether storing data offsite in the cloud is a safe option for the business. Integrated cloud solutions, such as keeping cloud encryption and customer keys within the cloud service provider’s software, can protect data from ransomware. However, regardless of the protections put in place, the cloud is ultimately just another system, and its vulnerabilities carry the same risk as those of on-premise systems. The appropriately named Cloudbleed malware, reported by Google for Cloudflare in February this year, resulted in random leakage of users’ private and sensitive data. Although this particular attack did not leak customers’ SSL private keys, it was still very serious, as the leaked memory could include private information cached by search engines.
The typical way to secure backup data in the cloud is user authentication. To reach cloud targets, one must get past that authentication, and cloud targets are, in general, stored in the cloud provider’s database. Authentication is meant to ensure that a ransomware attack cannot affect data in the cloud; however, just as on on-prem systems, the authentication can be compromised.
The good news is that historical data can be used to predict future ransomware attacks, making organizations and industries less vulnerable. If we want to outwit future attackers, sophisticated machine learning can become a countermeasure to modern ransomware threats, enabling digital systems to act in advance. Consider the example set by Amazon Macie, a hosted security tool from the largest online retailer, Amazon, just recently introduced by AWS. The tool leverages machine learning to alert users to suspicious activity that may indicate their sensitive data is at risk. When there is an early warning, preventing significant damage is far more likely.
Many IT security organizations predict that ransomware attacks will decline going forward; however, based on the growing history of cyber-attacks and malware, the odds are that ransomware will evolve. Any attack that has been profitable, and WannaCry and other ransomware attacks certainly have been, will likely continue to be leveraged in future attacks.
In addition, new variants of ransomware use scripts which are much more difficult for security defense technologies to identify than those used previously. Finally, increasing quantities of ransomware are being sold on the Dark Web and targeted at organizations that may not have the ability to deliver social engineering training, patch regularly, or invest in quality security defenses. On the bright side, however, 2017 has the potential to be the peak of cybersecurity attacks as well. Equifax, Target and other breaches have brought the issue to the boardroom, and organizations are getting serious about protecting their employees, customers, and sensitive data.