If you thought 2016 was the year of ransomware, you should read this year's forecasts. For 2017, Trend Micro forecasts 25 percent growth in the number of new ransomware families available for use in breaches. Reports of ransomware attacks on government, law enforcement, critical infrastructure, and healthcare are already climbing.
Add to this the rise of ransomware-as-a-service (RaaS) and payments made to pseudonymous bitcoin wallets, and the result is a booming criminal enterprise worth $1 billion, according to the TrendLabs 2016 Security Roundup. Since RaaS is available in the underground, fledgling cybercriminals now have access to the tools they need to run their own extortion campaigns.
“Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents; with few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data, and demanding money to restore access to that data,” says Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco.
According to the 2017 Annual Cisco Cybersecurity Report, a bright spot emerged last year with a drop in the use of large exploit kits such as Angler, Nuclear and Neutrino, all of which went dark in 2016. Now that three of the most dominant exploit kits have cleared the field, smaller players and new entrants can expand their market share, and they are becoming more sophisticated and agile. Exploit kits that appeared poised for growth in late 2016 were Sundown, Sweet Orange, and Magnitude. These kits, as well as RIG, are known to target Flash, Silverlight, and Microsoft Internet Explorer vulnerabilities.
It is reported that around 27.5 percent of businesses in the UAE experienced a ransomware attack in the last 12 months. “Unfortunately, we have observed that ransomware is not just aiming at businesses now, but is even used for targeted attacks. As a result of such attacks, the victims cannot use data from workstations and servers to continue normal operations because ransomware encrypts the entire disk,” says Ghareeb Saad, Senior Security Researcher, Kaspersky Lab.
Listing a couple of ransomware trends to watch out for, Raj Samani, CTO of McAfee, says mobile ransomware will continue to grow this year but the focus of mobile malware authors will change. “Because mobile devices are usually backed up to the cloud, the success of direct ransom payments to unlock devices is often limited. Mobile malware authors will combine mobile device locks with other forms of attack such as credential theft.”
He adds that threats to healthcare are another trend. “We do not yet know why attackers are breaching medical devices that collect patient information, but it is happening and medical data is exfiltrated. That is likely to continue for the next two to four years, and we will also learn why they are stealing medical data. More ominously, medical devices that monitor and control human systems—including pacemakers, insulin pumps, and nerve stimulators—are all becoming Internet enabled. Unethical attackers will see these medical devices as the next step in their journey beyond hospital ransomware attacks.”
With the spate of ransomware attacks escalating at an alarming rate, industry pundits say businesses must do more to protect consumers from ransomware extortion, one of the biggest cyberthreats today.
“Ransomware can be difficult to protect against, particularly as perimeter defences increasingly prove to be inadequate at defending a company against cyber-attackers. As a priority, firms need to have a robust backup system in place, to ensure that they have the ability to recover from a complete loss of data. Also, it is essential that firms continuously monitor the network for anomalous behaviour that could indicate a hacker is on the network. From there, the security team can lock down access and expel the attacker from the network before data can be exfiltrated and become at risk of a ransomware attack,” says Roland Daccache, Systems Engineer, MENA, Fidelis Cybersecurity.
Christopher Green, Regional Director, Malwarebytes, says to stay safe, businesses must invest heavily in both employee education and technology. “Above all, it’s crucial for everyone to adopt a layered approach to security – whether faced with ransomware or any other form of malware. On top of this, it always pays to educate staff about basic security practices; for example, if one person spots signs of an email phishing attack, it could save the whole network.”
Since ransomware will eventually find your enterprise, prepare by implementing an information security governance model that you align with the business objectives and the risk assessment of an organisation, says Brandon Gunter, IT Consulting Manager with Moss Adams.
The enterprise should then continually identify risks as these occur, implement risk remediation and mitigation strategies, secure operations, monitor and identify new risks, and come full circle to update and improve the security strategy and road map, explains Gunter.
Enterprises should then take several practical, in-the-trenches steps to mitigate ransomware, starting with mature endpoint security measures.
“Use best-in-class endpoint anti-malware products which regularly update and recognise changing ransomware. Professional vendors work hard to keep products current to interdict new variants and protect the data residing on devices. Repelling malware also prevents systems from being leveraged to attack other devices or penetrate deeper into an organisation,” says Samani.
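Signature-based endpoint products catch known families; the behaviour that every crypto-ransomware shares, whatever its signature, is a single process rewriting many files with ciphertext in a short time. The detector below is an added example, not code from the article or from any of the vendors quoted: it scores each file write by the Shannon entropy of the bytes written and raises one alert per process that produces a burst of high-entropy writes within a sliding window, or renames files to a known ransom extension. The event shape, the thresholds, the extension list and the sample events are all assumptions standing in for what your own EDR or file-server audit log provides.

```python
"""Detect ransomware-style mass encryption from endpoint file-write events.

Added example, not code from the article. The event format is an assumption
standing in for whatever your EDR or file-server audit feed emits:
{"ts": epoch seconds, "proc": process name, "op": "write" | "rename",
 "path": file path, "data": bytes written (a sample of each write is enough)}.
"""
import math
import os
import random
from collections import defaultdict, deque

HIGH_ENTROPY_BITS = 7.0     # plaintext documents sit near 4-5 bits/byte, ciphertext near 8
WINDOW_SECONDS = 60
MIN_ENCRYPTED_FILES = 5     # tune per estate: too low and archivers or installers trip it
RANSOM_EXTENSIONS = {".locked", ".crypt", ".enc"}   # assumed markers; feed from threat intel


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events):
    """Return one alert per process that either writes MIN_ENCRYPTED_FILES or more
    high-entropy files inside WINDOW_SECONDS, or renames a file to a ransom
    extension. Events must arrive in time order."""
    recent = defaultdict(deque)   # proc -> deque of (ts, path) for high-entropy writes
    alerted = {}                  # proc -> alert, so each process fires once
    for ev in events:
        proc = ev["proc"]
        if ev["op"] == "rename":
            if os.path.splitext(ev["path"])[1].lower() in RANSOM_EXTENSIONS:
                alerted.setdefault(proc, {"proc": proc, "reason": "ransom extension",
                                          "first_ts": ev["ts"], "paths": [ev["path"]]})
            continue
        if ev["op"] != "write" or shannon_entropy(ev["data"]) < HIGH_ENTROPY_BITS:
            continue
        q = recent[proc]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:   # slide the window forward
            q.popleft()
        if len(q) >= MIN_ENCRYPTED_FILES and proc not in alerted:
            alerted[proc] = {"proc": proc, "reason": "high-entropy write burst",
                             "first_ts": q[0][0], "paths": [p for _, p in q]}
    return list(alerted.values())


def sample_events():
    """Constructed events: a word processor saving text, an archiver writing two
    compressed files (high entropy, but below the burst threshold), and an
    unknown binary rewriting a finance share with ciphertext, then renaming."""
    rng = random.Random(2017)

    def random_bytes(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly results: revenue up, churn flat, headcount steady. " * 20
    t = 1_500_000_000
    events = []
    for i in range(6):
        events.append({"ts": t + i, "proc": "winword.exe", "op": "write",
                       "path": f"C:/Users/alice/Documents/report{i}.docx", "data": text})
    for i in range(2):
        events.append({"ts": t + 10 + i, "proc": "7z.exe", "op": "write",
                       "path": f"C:/Users/alice/archive{i}.7z", "data": random_bytes(1024)})
    for i in range(8):
        events.append({"ts": t + 20 + i, "proc": "updater_x.exe", "op": "write",
                       "path": f"//fileserver/finance/ledger{i}.xlsx", "data": random_bytes(1024)})
    for i in range(8):
        events.append({"ts": t + 30 + i, "proc": "updater_x.exe", "op": "rename",
                       "path": f"//fileserver/finance/ledger{i}.xlsx.locked", "data": b""})
    return events


if __name__ == "__main__":
    for alert in detect_encryption_bursts(sample_events()):
        print(alert["proc"], alert["reason"], len(alert["paths"]), "files")
```

On the sample stream only `updater_x.exe` fires, at its fifth ciphertext write; the archiver stays under the burst threshold and the word processor never crosses the entropy line. In production the response hook is the interesting part: suspend the process and pull the host's share access before the window fills, and allow-list the backup agent and archivers by signed binary path rather than by name, since an attacker picks names for exactly this reason.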
Simon Bryden, Consulting Systems Engineer, Fortinet, says the important thing is to back up data regularly, and more importantly, to test the restore process to ensure that it works. Often when disaster strikes, users discover that the backup was not happening, or that not all data was being backed up. Regular drills are important.
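The two failures Bryden describes, a job that was not running and a job that silently skipped part of the data, are both only visible when you restore and compare. The script below is an added example, not the article's or Fortinet's code: it backs up a tree with tar, restores the archive into scratch space, and diffs the restored files against the live tree by SHA-256, so a too-broad exclude pattern shows up as a list of missing paths rather than as a surprise on the day of the incident. The directory layout, the exclude pattern and the file contents are constructed for the demo.

```python
"""Backup-and-restore drill: back up a tree, restore it to scratch space and
prove every live file came back byte-for-byte. Added example, not from the
article; tar and SHA-256 stand in for whatever backup tool you actually run."""
import fnmatch
import hashlib
import os
import shutil
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative posix path, absolute path) for every regular file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def tree_hashes(root):
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def create_backup(src, archive_path, exclude_globs=()):
    """Archive src into archive_path, skipping paths that match exclude_globs
    (the kind of filter that silently drops data when it is written too broadly)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel, full in sorted(walk_files(src)):
            if any(fnmatch.fnmatch(rel, g) for g in exclude_globs):
                continue
            tar.add(full, arcname=rel)


def restore_drill(archive_path, src):
    """Restore the archive to scratch space and diff it against the live tree.
    Returns {"restored": n, "missing": [...], "mismatched": [...]}; anything in
    missing or mismatched means this backup would not get you back to today."""
    scratch = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            root = os.path.realpath(scratch)
            for m in tar.getmembers():      # never let an archive write outside scratch
                target = os.path.realpath(os.path.join(scratch, m.name))
                if os.path.commonpath([root, target]) != root:
                    raise ValueError(f"refusing to extract outside scratch: {m.name}")
            try:
                tar.extractall(scratch, filter="data")   # Python 3.12+: also rejects links/devices
            except TypeError:                            # older interpreters: the check above applies
                tar.extractall(scratch)
        restored = tree_hashes(scratch)
        live = tree_hashes(src)
        return {
            "restored": len(restored),
            "missing": sorted(p for p in live if p not in restored),
            "mismatched": sorted(p for p in live if p in restored and restored[p] != live[p]),
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo():
    """Constructed drill: a job that excludes '*.sqlite' fails the drill, the
    corrected job passes. Returns (report_for_bad_job, report_for_good_job)."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "live")
        files = {
            "docs/plan.txt": b"Q3 plan\n",
            "docs/budget.xlsx": b"PK\x03\x04fake-spreadsheet",
            "db/ledger.sqlite": b"SQLite format 3\x00",
        }
        for rel, content in files.items():
            os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "wb") as f:
                f.write(content)
        bad = os.path.join(work, "bad.tgz")
        create_backup(src, bad, exclude_globs=["*.sqlite"])   # "databases are backed up elsewhere" (they were not)
        good = os.path.join(work, "good.tgz")
        create_backup(src, good)
        return restore_drill(bad, src), restore_drill(good, src)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, report in zip(("excluding *.sqlite", "no exclusions"), demo()):
        print(label, report)
```

Run the drill on a schedule, not once, and keep the manifest from each generation: a comparison against the live tree is only meaningful if the live tree is still clean, and a manifest from yesterday is what tells you which generation to roll back to once today's files have been encrypted.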
Also, it goes without saying that users should be careful not to visit links or to open documents which may be suspicious. A good antivirus system, backed up by a sandbox to analyse undetected files, is essential to provide optimum protection. Users who are not sure about particular files or links should check with their security operations teams for advice, he adds.
Mike Lloyd, CTO, RedSeal, agrees: the easiest defence against basic ransomware is to always retain the ability to recover a computer’s state as of one day ago. “Inside a data centre, this is quite easy, but for corporate laptops, it’s harder just due to the physics of mobility and user behaviour. Of course, if we get better at backups, and can brush off ransom demands by going back one day, attackers will have two choices – make fancier ransomware that infects the backups for a while, then only triggers after lying dormant, or move on to other attack forms.”
He says the second choice is actually more likely than the first – the state of our defenses overall is so weak that it is predictable that attackers will find some other vector that is easier and cheaper for them. “This is why we need to increase the level of automation we use, to orchestrate our complex, multi-part defenses.”
While ransomware still relies on a variety of tricks to infect users, phishing is largely seen as the predominant infection vector. Phishing attacks have also gotten much more sophisticated.
“This means users need to be extremely vigilant when handling email attachments and clicking on links within an email. If there’s any doubt about an email’s legitimacy, leave it be. Especially emails from unknown origin with a strong call to action. If it’s from someone you know or an organisation you do business with, don’t forget that you can always pick up the phone and call them. Trust but verify. In addition, making sure your system and all its applications (this includes mobile devices) are fully patched, having a robust backup strategy, and proactive defenses will greatly enhance your chances of preventing or recovering from a ransomware attack,” says John Shier, Senior Security Advisor, Sophos.
The latest ransomware threat
As if ransomware wasn’t bad enough, there is a new twist called doxware. “The term ‘doxware’ is a combination of doxing — posting hacked personal information online — and ransomware. Attackers notify victims that their sensitive, confidential or personal files will be released online. If contact lists are also stolen, the perpetrators may threaten to release information to the lists or send them links to the online content,” says Rishi Bhargava, Co-founder and VP Marketing, Demisto.
He says doxware and ransomware share some similarities. They both encrypt the victim’s files, both include a demand for payment, and both attacks are highly automated. However, in a ransomware attack, files do not have to be removed from the target; encrypting the files is sufficient. A doxware attack is meaningless unless the files are uploaded to the attacker’s system. Uploading all of the victim’s files is unwieldy, so doxware attacks tend to be more focused, prioritising files that include trigger words such as confidential, privileged communication, sensitive or private.
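The asymmetry Bhargava points out is the defender's opportunity: encryption happens on the endpoint, but a doxware threat is empty unless the files left the network, and that upload is visible in flow data. The detector below is an added example, not code from the article or from Demisto, and it also serves Daccache's earlier point about catching anomalous behaviour before data is exfiltrated. It sums each host's bytes sent to non-internal addresses per hour and alerts when the current hour exceeds both an absolute floor and a multiple of that host's own median over the previous day. The flow-record shape, the internal network list, the thresholds and the flows themselves are assumptions; the addresses come from the documentation range and are constructed.

```python
"""Flag hosts whose outbound volume to external addresses spikes against their
own baseline. Added example, not from the article. Flow records are assumed to
be (hour_index, src_host, dst_ip, bytes_out) tuples, as a NetFlow/IPFIX
collector might summarise them."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed address plan; anything outside these ranges counts as "left the network".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
MB = 1_000_000


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_egress(flows):
    """(host, hour) -> bytes sent to non-internal destinations."""
    totals = defaultdict(int)
    for hour, host, dst, nbytes in flows:
        if not is_internal(dst):
            totals[(host, hour)] += nbytes
    return totals


def detect_egress_spikes(flows, current_hour, baseline_hours=24, ratio=10.0,
                         floor_bytes=500 * MB, min_samples=6):
    """Alert on hosts whose external egress in current_hour is at least floor_bytes
    AND at least ratio x their median hourly egress over the previous baseline_hours.
    A host with fewer than min_samples baseline hours is judged on floor_bytes alone,
    so a brand-new or normally quiet host has no history to hide behind."""
    totals = external_egress(flows)
    alerts = []
    for host in sorted({h for h, _ in totals}):
        now = totals.get((host, current_hour), 0)
        history = [totals.get((host, h), 0)
                   for h in range(current_hour - baseline_hours, current_hour)]
        history = [b for b in history if b > 0]   # silent hours are not baseline samples
        if len(history) >= min_samples:
            base = median(history)
            suspicious = now >= floor_bytes and now >= ratio * base
        else:
            base = None
            suspicious = now >= floor_bytes
        if suspicious:
            alerts.append({"host": host, "hour": current_hour, "bytes": now, "baseline": base})
    return alerts


def sample_flows():
    """Constructed flows: 24 hours of normal traffic, then hour 24 in which a
    finance workstation pushes 2.4 GB to an unknown external address."""
    flows = []
    for hour in range(24):
        flows.append((hour, "ws-finance-07", "203.0.113.10", 40 * MB + (hour % 5) * MB))  # browsing, SaaS
        flows.append((hour, "ws-finance-07", "10.20.0.5", 900 * MB))                     # file server: internal
        flows.append((hour, "backup-gw-01", "203.0.113.20", 3_000 * MB))                 # cloud backup uploads are normal here
    flows.append((24, "ws-finance-07", "203.0.113.50", 2_400 * MB))   # the exfiltration
    flows.append((24, "ws-finance-07", "10.20.0.5", 900 * MB))
    flows.append((24, "backup-gw-01", "203.0.113.20", 3_200 * MB))    # a little above its norm, not an alert
    flows.append((24, "ws-new-11", "203.0.113.60", 30 * MB))          # new host, no history, under the floor
    return flows


if __name__ == "__main__":
    for alert in detect_egress_spikes(sample_flows(), current_hour=24):
        print(alert)
```

The per-host baseline is what keeps the backup gateway quiet while the workstation lights up at a fraction of the gateway's volume; a single fleet-wide threshold would have to be set so high that a 2.4 GB upload from a laptop passes. Pair the alert with destination enrichment (first-seen external address for this host, no prior DNS from the host for it) and you have the signal to lock the host down before the upload finishes.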
Security analysts agree that doxware attacks are likely to increase over the next two years. So far the attacks have targeted businesses and high-profile individuals rather than the general public. However, that could change if attackers find ways to target smartphones or IoT devices.