What's new in ransomware and how can businesses stay ahead of the threat?

EclecticIQ's Aleksander Jarosz on minimising the risk of lockdowns, data theft and disruption

Despite our observations on the decline of ransomware between 2016 and 2017, the profit-hungry criminal underworld never sleeps. Recent developments indicate that ransomware attacks are becoming increasingly complex, and now, more than ever, organisations must stay alert to targeted attacks that use the latest techniques and malware variants.

A recent ransomware landscape analysis by EclecticIQ - 2019 Ransomware Snapshot: Understanding the Current Landscape - examines 20 variants found in the wild and, worryingly, estimates that more than 100 are currently active, so the threat at hand is diverse. The latest versions use the same encryption algorithms that the US National Institute of Standards and Technology (NIST) recommends to IT administrators for securing their own systems, so there is plenty of scope to keep CIOs and CISOs up at night. But if the right precautions are taken, and regular back-ups are made, kept out of reach of the systems they protect, and tested by actually restoring from them, the risk can be managed.

What is ransomware?

Ransomware is malware that encrypts files on an endpoint, database or server. The file contents are replaced with ciphertext, so the files are still there but are unreadable and useless to their owner without the decryption key.

Ransomware is extortion against a deadline. Victims are presented with a ransom note telling them that, within a period the threat actors set, they must pay to obtain the decryption key, or access to a decryption service, that the attackers hold. Payment is demanded in cryptocurrency. It is worth noting that paying the ransom does not always lead to files being decrypted, and it is always worth checking whether a free decryption tool for the variant is available online before paying.

Relatively simple in its approach, ransomware has become a popular form of attack, both as a standalone vector and in combination with other malware. It employs strong encryption algorithms which, when correctly implemented, cannot practically be broken; public decryption tools exist only for variants whose authors made an implementation mistake or whose keys were recovered. Large ransoms have been paid by organisations desperate to limit the damage.
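What encryption does to a file is measurable, and defenders use it: ciphertext is statistically indistinguishable from random bytes, so a process that rewrites many files with near-maximal byte entropy and a new extension in a short burst looks like an encryptor rather than a user saving documents. The Python below is an added example, not code from the article or from EclecticIQ. The file-write events, process names, paths and thresholds are constructed for illustration; a real sensor would take the events from an EDR or file-system audit feed.

```python
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileWrite:
    """One file-modification event as an EDR or audit sensor would report it."""
    ts: float          # epoch seconds
    pid: int
    process: str
    old_path: str      # path before the write (rename source, or same as new_path)
    new_path: str      # path after the write
    data: bytes        # sample of the bytes written (a sensor would hand over a prefix)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is the maximum; ciphertext and compressed
    data sit near it, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_write(ev: FileWrite, entropy_threshold: float = 7.0) -> bool:
    """A single write looks like encryption when the extension changed and the
    new contents are near-random. Either signal alone is noisy: archivers and
    office formats (.docx is a zip) produce high-entropy files, and renames are
    routine, so the burst logic in flag_processes() carries the real weight."""
    old_ext = os.path.splitext(ev.old_path)[1].lower()
    new_ext = os.path.splitext(ev.new_path)[1].lower()
    return old_ext != new_ext and shannon_entropy(ev.data) >= entropy_threshold


def flag_processes(events, window_s: float = 60.0, min_hits: int = 5) -> dict:
    """Return {(pid, process): first_timestamp} for every process that produced
    at least min_hits suspicious writes inside any window of window_s seconds."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if suspicious_write(ev):
            hits[(ev.pid, ev.process)].append(ev.ts)
    flagged = {}
    for key, times in hits.items():
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[key] = times[start]
                break
    return flagged


# --- constructed sample input (not real telemetry) -------------------------
# Stand-in for ciphertext: 4096 bytes of SHA-256 output, deterministic and close to 8 bits/byte.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# Stand-in for a document body saved in place (plain text keeps the sample simple;
# a real .docx is compressed and would itself score high on entropy).
DOC_TEXT = b"Quarterly figures: revenue up 4%, costs flat, headcount unchanged.\n" * 60

SAMPLE_EVENTS = (
    # an encryptor rewriting six documents with a new extension, five seconds apart
    [FileWrite(1000.0 + 5 * i, 4242, "encryptor.exe",
               f"C:/Users/jsmith/Documents/report{i}.docx",
               f"C:/Users/jsmith/Documents/report{i}.docx.locked",
               CIPHERTEXT_LIKE) for i in range(6)]
    # a word processor saving three files in place: extension unchanged, never suspicious
    + [FileWrite(1002.0 + i, 1337, "winword.exe",
                 f"C:/Users/jsmith/Documents/draft{i}.docx",
                 f"C:/Users/jsmith/Documents/draft{i}.docx",
                 DOC_TEXT) for i in range(3)]
    # an archiver producing one high-entropy file with a new extension: one hit, below the burst threshold
    + [FileWrite(1010.0, 2001, "7z.exe",
                 "C:/Users/jsmith/Documents/archive.tar",
                 "C:/Users/jsmith/Documents/archive.7z",
                 CIPHERTEXT_LIKE)]
)

if __name__ == "__main__":
    for (pid, name), first_seen in flag_processes(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} process={name} first suspicious write at t={first_seen}")
```

Only the encryptor is flagged: the archiver trips the per-write check once, which is exactly why the burst threshold exists, and the word processor never changes an extension. Tune `window_s` and `min_hits` against a baseline of your own file-server traffic before relying on it, and treat a hit as a trigger to isolate the host, not as proof.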


As the threatscape has evolved, cybercriminals can now attack thousands of systems at the same time, and, as previously mentioned, ransomware is now often used with other malware. In fact, cybercriminals are now often seen co-operating in dark web markets in order to increase profitability. Ransomware as a Service (RaaS) packages are offered in these environments and are becoming increasingly popular. As part of these schemes, cybercriminals license out ransomware services to buyers and take a cut of any money that is made from the victims.

The rise of RaaS has allowed threat actors to distance themselves from much of the hands-on intrusion work and still make money, effectively establishing a hierarchy in which ransomware attacks and campaigns are outsourced. As the popularity of RaaS increases, one limiting factor remains: the devaluation of cryptocurrencies.

What's new in 2019?

Notable variants for Q1 2019 include Ryuk, MongoLock and hAnt. Ryuk has been particularly damaging because of how it is delivered: rather than spreading on its own, it is typically deployed on networks already compromised by TrickBot, a banking Trojan first seen in 2016, once the operators have mapped the environment. Ryuk has so far hit a media company, a data aggregation company and several government entities.

The MongoLock variant is particularly feared because it behaves like a wiper: it deletes the data on infection rather than encrypting it. MongoLock targets MongoDB databases that are exposed to the internet without authentication, drops their contents and leaves a ransom note demanding payment, a further effort to deceive and monetise, while the data is never returned to the victims.
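The "weak security settings" such campaigns scan for are concrete. The two mongod.conf fragments below are an added illustration, not configuration from the article or from EclecticIQ: the first is the exposed, unauthenticated listener, the second restricts the bind address and requires authentication. The address 10.0.5.12 is a placeholder for the application-tier interface.

```yaml
# Exposed and unauthenticated: the pattern a database-wiping campaign looks for.
net:
  bindIp: 0.0.0.0        # listens on every interface, including the public one
  port: 27017
# No `security` section, so authorization is off and any client can read, drop or write.

---
# Hardened: listen only where clients legitimately are, and require credentials.
net:
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the app-tier interface only
  port: 27017
security:
  authorization: enabled        # every client must authenticate and hold a role
```

After restarting with `security.authorization: enabled`, every client needs a user account with explicit roles, so create the administrative user first and then the least-privileged application users. Verify from a host outside the network segment that port 27017 is not reachable, and keep the database behind a firewall regardless: `bindIp` only limits which local interfaces mongod listens on.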

Finally, hAnt is a highly targeted ransomware that infects cryptocurrency mining rigs in China. Cheap electricity has driven a surge in cryptomining and cryptojacking within the country, and to profit from this hAnt's authors have built their malware to scan for specific mining hardware, with the Antminer S9 and T9 as primary targets. Once it finds one, the ransom note threatens to destroy the rig by turning off its fans and overheating protection.

In a nutshell, the current landscape presents threats that have changed our approach to security in the past few years. Organisations need to monitor the known avenues of infection carefully, and CISOs need a holistic approach that covers the whole of the digital perimeter rather than just email servers. That means controlling which devices connect to the network and which programs users may install, removing standing local administrator rights on endpoints, and restricting who can reach core systems. Strong identity management policies should also be a key focal point, with an educational aspect across the organisation: if you haven't audited this in a while, now would be the right time to do so.

Cyber Threat Intelligence (CTI) can also go a long way to enhancing security. While ransomware changes quickly, threat intelligence narrows the focus: instead of tracking hundreds of variants, CISOs can concentrate on a handful of specific ones, for example ransomware families that have attacked critical national infrastructure in the last 90 days. The key is always to be a step ahead of the attacker in order to better manage the risks.
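Narrowing from "hundreds of variants" to "ransomware that has targeted critical national infrastructure in the last 90 days" is a query over the relationships in a threat-intelligence graph. The Python below is an added example, not EclecticIQ's code or the article's. It runs that query over a constructed STIX 2.1-style bundle (placeholder IDs, made-up identities and timestamps) and assumes your platform can export such a bundle and that the sector strings in CNI_SECTORS match the vocabulary it emits.

```python
from datetime import datetime, timedelta, timezone

# Sectors treated as critical national infrastructure. Constructed list; use the
# sector vocabulary your CTI platform actually emits.
CNI_SECTORS = {"energy", "utilities", "water", "healthcare", "telecommunications",
               "transportation", "financial-services", "government-national"}


def _ts(s: str) -> datetime:
    """Parse a STIX timestamp such as 2019-03-15T09:30:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def recent_cni_ransomware(bundle: dict, now: datetime, days: int = 90,
                          sectors: set = CNI_SECTORS) -> dict:
    """Return {malware name: most recent targeting timestamp} for ransomware
    families with a 'targets' relationship, created within the last `days`,
    to an identity in one of `sectors`."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    cutoff = now - timedelta(days=days)
    hits = {}
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "targets":
            continue
        src = by_id.get(rel["source_ref"])
        tgt = by_id.get(rel["target_ref"])
        if not src or not tgt:
            continue                     # dangling reference: skip rather than guess
        if src.get("type") != "malware" or "ransomware" not in src.get("malware_types", []):
            continue
        if tgt.get("type") != "identity" or not (set(tgt.get("sectors", [])) & sectors):
            continue
        seen = _ts(rel["created"])
        if seen < cutoff:
            continue
        hits[src["name"]] = max(hits.get(src["name"], seen), seen)
    return hits


# --- constructed STIX 2.1-style bundle (not real EclecticIQ data; IDs are placeholders) ---
def _id(kind: str, n: int) -> str:
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"


def _obj(kind: str, n: int, **fields) -> dict:
    return {"type": kind, "spec_version": "2.1", "id": _id(kind, n), **fields}


RYUK, MONGOLOCK, TRICKBOT = _id("malware", 1), _id("malware", 2), _id("malware", 3)
UTILITY, MINISTRY, NEWSPAPER = _id("identity", 4), _id("identity", 5), _id("identity", 6)

SAMPLE_BUNDLE = {"type": "bundle", "id": _id("bundle", 0), "objects": [
    _obj("malware", 1, name="Ryuk", is_family=True, malware_types=["ransomware"]),
    _obj("malware", 2, name="MongoLock", is_family=True, malware_types=["ransomware", "wiper"]),
    _obj("malware", 3, name="TrickBot", is_family=True, malware_types=["trojan"]),
    _obj("identity", 4, name="Regional water utility", identity_class="organization", sectors=["utilities"]),
    _obj("identity", 5, name="National ministry", identity_class="organization", sectors=["government-national"]),
    _obj("identity", 6, name="Newspaper group", identity_class="organization", sectors=["entertainment"]),
    # Ryuk: two CNI hits inside the window and one non-CNI hit
    _obj("relationship", 7, relationship_type="targets", source_ref=RYUK, target_ref=MINISTRY,
         created="2019-02-10T12:00:00Z"),
    _obj("relationship", 8, relationship_type="targets", source_ref=RYUK, target_ref=UTILITY,
         created="2019-03-15T09:30:00Z"),
    _obj("relationship", 9, relationship_type="targets", source_ref=RYUK, target_ref=NEWSPAPER,
         created="2019-03-28T00:00:00Z"),
    # MongoLock: CNI hit, but older than the window
    _obj("relationship", 10, relationship_type="targets", source_ref=MONGOLOCK, target_ref=UTILITY,
         created="2018-11-01T00:00:00Z"),
    # TrickBot: in window and CNI, but not ransomware
    _obj("relationship", 11, relationship_type="targets", source_ref=TRICKBOT, target_ref=UTILITY,
         created="2019-03-20T00:00:00Z"),
]}

NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)   # constructed "today" for the sample

if __name__ == "__main__":
    for name, last in sorted(recent_cni_ransomware(SAMPLE_BUNDLE, NOW).items()):
        print(f"{name}: last CNI targeting {last.isoformat()}")
```

With a 90-day window only Ryuk survives the filter: MongoLock's CNI targeting is too old and TrickBot is not ransomware, even though it hit the same utility. Widening `days` brings MongoLock back, which is the knob an analyst turns when the shortlist gets too short to be useful.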

Aleksander Jarosz is a threat intelligence analyst at EclecticIQ