2017 has been the year of ransomware. While the file-encrypting malware has existed in one form or another for almost three decades, over the last few months it’s developed from a cybersecurity concern to a public menace. The term even made it into the dictionary in September.
In particular, 2017 had its own summer of ransomware: while incidents throughout 2016 showed the potential damage — both operational and financial — ransomware can cause to organisations, it was in the space of six weeks during May and June this year that the impact of ransomware really became apparent.
First WannaCry hit hundreds of thousands of systems around the globe, thanks to worm-like capabilities of a leaked NSA exploit being attached to the ransomware. The UK’s National Health Service was particularly badly hit and thousands of appointments were cancelled. Weeks later came another global ransomware epidemic in the form of Petya, equipped with similar worm-like features, plus the ability to irrecoverably wipe data from infected machines.
If making money from ransom was the end goal, neither campaign was successful. Those behind WannaCry — intelligence agencies suspect North Korea — eventually cashed out $140,000 from the Bitcoin wallets associated with the attack, something of a paltry sum considering the scale and impact of the campaign. But what both the WannaCry and Petya outbreaks managed to do was make it clear just how much of a problem ransomware has become. And it hasn’t gone away either: the recent Bad Rabbit ransomware attacks in Russia and Ukraine show that malware writers are still working on new versions. We’ve already seen how ransomware can come with other malicious items in tow. For example, Petya included a wiper designed to irrecoverably destroy data on infected machines. It’s a cunning tactic — while the ransomware presents itself as the immediate problem, the attack may also be doing something else in the background.
“Ransomware will be the public face of what’s going on, scary and visible, but behind the scenes a whole range of other things can be happening: machine infiltration, scraping of data, transfer of funds, all while you have a really big diversion happening,” says Perry Carpenter, strategy officer at security company KnowBe4. This could mean the ransomware infection is the least of your problems. Trojan malware or stolen credentials could give attackers outright access to the network, even after the ‘ransomware’ infection has been dealt with, so organisations could potentially give in and pay a ransom to criminals who then remain able to exploit vulnerabilities in the network. Another potential development of ransomware is the emergence of strains that not only encrypt your data but also steal it.
Ransomware that blackmails you too
“How else might someone use access to a computer to make money? I think we might see more cases of ransomware which aren’t just about data encryption and ‘pay me and get it back’ but more about doxxing — gathering sensitive information and threatening to release it if you don’t pay up,” says Mark Dufresne, director of threat research and adversary prevention at security company Endgame.
This tactic has already been adopted by some families of ransomware. For instance, a form of Android ransomware has already used the threat of exposing private information to the victim’s contacts as ‘encouragement’ for paying up. Meanwhile some forms of malware claim to be able to see the websites victims have been visiting, although it’s unlikely the ransomware actually has this capability, yet. “You can’t solve that with good backups. If you’ve got compromising emails in your inbox, or anything which might be secretive or problematic, you’re going to be incentivised to pay in order to stop that getting out,” says Dufresne.
Another potential tactic could see criminals go after enterprise infrastructure. Locking users out of PCs is bad, but getting ransomware onto critical systems could be highly disruptive to businesses and highly lucrative for crooks. “We’re going to see an increased focus on the concept of enterprise ransomware, where they’re moving away from targeting one specific machine to trying to spread virally throughout the organisation and trying to get as many machines as possible,” says Dmitri Alperovitch, co-founder and CTO of security company Crowdstrike.
This would certainly take more effort than randomly distributing ransomware via email campaigns, but would lead to a bigger payoff. “For a few hundred thousand dollars, nobody would think twice. I’ve no doubts that if the ransom asked was $10m, it’d still be paid,” says Alperovitch. “All considerations go out the window when your business is down and you’re facing hundreds of millions of dollars in damages, if you can, you’ll pay at that point and the boards and CEO will make that decision without any hesitation.”
New network attacks
But not every cybercriminal operation is going to spend time and resources in order to go after specific targets — ransomware will continue to be randomly distributed in spam emails because that still works. And as demonstrated throughout 2017, the use of SMB exploits like EternalBlue or EternalRomance can aid that by helping ransomware easily spread itself across a network with minimal effort.
Cybercriminals aren’t going to just forget about these exploits. Bad Rabbit has once again demonstrated how so many organisations simply haven’t applied critical patches issued over half a year ago, so attackers will capitalise on newly discovered exploits — and look to take advantage of lax patching by businesses and consumers. “The next thing I would say is the big risk from malicious software is the addition of more network propagation. They’ll be doing what they’ve traditionally done — be it ransomware or malware — but adding more network propagation,” says Holly Williams, penetration test team leader at Sec-1 Ltd.
Leaked NSA exploits have played a large role in aiding the spread of self-propagating malware: WannaCry took advantage of the EternalBlue SMB vulnerability, while Bad Rabbit exploited EternalRomance. But it won’t take another NSA leak for ransomware writers to find a new means of attacking networks. “There are many more methods which malware can use to propagate across a network and NotPetya chose a handful of those — a published vulnerability and other features we’ve known about in pen testing for a long time. The ability to extract plain text credentials from a machine — like NotPetya had — has been around since 2012. The priority order of vulnerabilities changes,” says Williams.
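The network propagation described above leaves a recognisable footprint: one internal host opening SMB (TCP/445) connections to many distinct peers in a short time. The detection logic below is an added illustration, not code from the article or from any vendor quoted in it; the log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real traffic): "timestamp src dst dport".
# 10.0.0.5 fans out to six hosts on 445 in a few seconds (worm-like);
# 10.0.0.7 touches two hosts five minutes apart (normal admin/file-share use).
SAMPLE_LOG = """\
2017-11-01T10:00:01 10.0.0.5 10.0.0.20 445
2017-11-01T10:00:02 10.0.0.5 10.0.0.21 445
2017-11-01T10:00:02 10.0.0.5 10.0.0.22 445
2017-11-01T10:00:03 10.0.0.5 10.0.0.23 445
2017-11-01T10:00:04 10.0.0.5 10.0.0.24 445
2017-11-01T10:00:05 10.0.0.5 10.0.0.25 445
2017-11-01T10:00:10 10.0.0.7 10.0.0.20 445
2017-11-01T10:05:00 10.0.0.7 10.0.0.21 445
2017-11-01T10:00:11 10.0.0.8 10.0.0.30 443
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout_alerts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peer_count} for sources that reached at least `threshold`
    distinct hosts on TCP/445 inside any sliding window of length `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            events[src].append((ts, dst))

    alerts = {}
    for src, conns in events.items():
        conns.sort()  # time order so the window can slide forward
        start = 0
        for end in range(len(conns)):
            # Drop connections older than `window` relative to the newest one.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            peers = {dst for _, dst in conns[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(len(peers), alerts.get(src, 0))
    return alerts
```

Tune `window` and `threshold` against a baseline of legitimate SMB usage (backup servers and domain controllers will legitimately fan out) before paging on this signal.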
While 2017 might be viewed by many as the year ransomware was recognised as a real menace, it could be that there is still worse to come. “Increasingly you’ll see the criminals realise that’s where the big money is. That’s not a few thousand dollars but a few million dollars and that’s a game changer,” says Alperovitch.
Author – Danny Palmer