
Alive and Kickin’

Do you remember where you were the day ransomware died? Me neither. Because, of course, it didn't. But right about mid-2015, many of us were donning our finest, combing our hair and shining our shoes in preparation for the funeral of one of cybersecurity's biggest menaces.

And then 2016 blew in with a vengeance. And 2017 hasn't been any better with ransomware like WannaCry and NotPetya, the resurrection of “old,” familiar ransomware with brand-new twists and the promise of an abundance of new threats and challenges that should keep ransomware alive and kicking for a long time to come.

Sounding an early death knell was (sort of) understandable - c'mon now, wouldn't simply backing up files, something any organization or individual could easily do, solve the problem? Wasn't the problem that most routinely didn't? Wouldn't the fix just require a little best practice mojo? In tech years that age of innocence lasted about a millisecond.

Nearly two brutal years later, though, research from the likes of Infoblox, SANS, Black Hat and ESG finds ransomware among the top three threats, often at the top of the list.

“Everyone interacting with the Internet is at risk for ransomware,” says Michael Patterson, CEO of Plixer. “The continued proliferation of this type of malware reinforces that we are losing the compromised data war.”

And battered companies hesitantly, and with trepidation, ask, what's next?

What's old is new again

No look into future ransomware threats is complete without at least a peek at the past; in fact, that is where the future starts. Without going into too much detail - that's another story to be told on another page (See Ransomware Resurrected) - companies will continue to see old ransomware evolve into new attacks. Take Cerber, Locky and TorrentLocker which, if they didn't exactly rise from the dead (because they never died), re-emerged more recently to wreak havoc with new features and purposes.

In more recent months, there's been “an uptick in polymorphic malware in zero-day attacks and advanced exploits,” notes Rod Murchison, vice president of product management at CrowdStrike. “Polymorphic ransomware, distributed at scale, can take down millions of servers in a matter of minutes as we saw with WannaCry.”

The most common ransomware is still file encryption using the operating system's cryptographic APIs, according to Imperva's blog. With good reason - it still works and is profitable for attackers. But the firm says that database corruption attacks, in which an attacker who can reach the database simply drops or overwrites the data with ordinary queries rather than encrypting files on disk, are on the rise, as evidenced by the latest incidents against internet-exposed MongoDB and MySQL instances that were reachable with no or weak credentials. It makes sense, because databases house companies' most sensitive data.

“Ransomware attacks have been widespread this year and as these recent attacks against MongoDB show, there's a growing trend of ransomware attacks against big data databases in the form of database corruption attacks,” says Morgan Gerhart, vice president of product marketing at Imperva. “As the volume of data grows, the challenge of securing it is tied to the nature of the data itself.”

The enormity of data volumes associated with these NoSQL databases presents challenges to those charged with protecting it, requiring “security solutions built to handle them,” says Gerhart. “This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Additionally, these security solutions must be able to keep up with big data speeds.”

“The multiplicity of big data environments is what makes big data difficult to secure, not necessarily the associated infrastructure and technology,” he says. “There is no single logical point of entry or resource to guard, but many different ones, each with an independent lifecycle.”

But that sea of data makes would-be attackers salivate. “And, when you combine this large volume of business data with ransomware, attackers see dollar signs,” says Gerhart, cautioning that “while protecting the data in your databases is important, monitoring big data services like MongoDB and Hive, which are ‘databases on steroids,’ is just as important. Data corruption, like in MongoDB, is a key growth area for attackers.”

Encryption, the most common method of corruption, is not the only one. Attacks can, and increasingly will, take the form of wiping files, dropping database tables and quietly tampering with the data's integrity. The last is particularly worrying: an encrypted or deleted file announces itself immediately, but a silently altered record can be trusted, acted on and backed up for a long time before anyone notices, so the damage surfaces way down the road, possibly after the last clean backup has been rotated out.
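The practical defence against that last case is to know what your data looked like before the attack. The following is an added example written for this article, not code from Imperva or any other source quoted here. It assumes a directory tree you control (a backup set, an export), records a SHA-256 manifest of it that should be stored somewhere the protected system cannot overwrite, and later compares the tree against that manifest. Modified files whose content now has near-8-bits-per-byte entropy are flagged as likely encrypted; modified files that stay low-entropy are the silent integrity edits the paragraph above warns about. The 7.5-bit threshold and the sample files in `demo()` are constructed for the illustration.

```python
import hashlib
import math
import secrets
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and structured records sit well below 7.5;
    ciphertext and compressed data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map relative path -> {sha256, size} for every file under root.
    Keep the result offline or signed; a manifest the attacker can rewrite is useless."""
    return {
        str(p.relative_to(root)): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the current tree with a trusted manifest.
    Returns modified, missing and added paths; modified files whose bytes now look
    like ciphertext are additionally listed under likely_encrypted."""
    report = {"modified": [], "likely_encrypted": [], "missing": [], "added": []}
    current = build_manifest(root)
    for rel, meta in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        if current[rel]["sha256"] != meta["sha256"]:
            report["modified"].append(rel)
            if shannon_entropy((root / rel).read_bytes()) >= entropy_threshold:
                report["likely_encrypted"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario (not real data): a three-file 'backup' in which one
    record is edited in place, one file is overwritten with random bytes as a
    stand-in for encryption, and one file is deleted."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "ledger.csv").write_text("id,amount\n1,100.00\n2,250.00\n")
        (root / "notes.txt").write_text("quarterly summary\n" * 20)
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(root)

        # Silent integrity tampering: same size, same type, one figure changed.
        (root / "ledger.csv").write_text("id,amount\n1,100.00\n2,950.00\n")
        # Encryption-style corruption: content replaced by high-entropy bytes.
        (root / "notes.txt").write_bytes(secrets.token_bytes(4096))
        # Wiping.
        (root / "config.ini").unlink()

        return verify_manifest(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The entropy heuristic only separates the two failure modes after the hash comparison has already caught the change; on its own it would miss the edited ledger entirely, which is exactly why the manifest, not the entropy check, is the control that matters.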

Data out, money in

Data exfiltration is “where big money is still waiting to be had,” Imperva says, pointing to the Vault 7 leak, in which documentation on the CIA's hacking tools was taken and then published by WikiLeaks.

If the motive had been money, the blog post notes, more of it was to be had by selling the information on the dark web than by encrypting it and pressing for a ransom.

“Making private data public can scare data owners the most. That's probably why the popularity of extortionware–aka doxware– is going to rise. Exposing financial records, medical records, state-actor data, pending patents or any other sensitive data is a major threat,” says Imperva, calling exfiltration “just the tip of the iceberg” with the “potential to continue to be a huge money-making machine.”

Also lucrative to attackers out for monetary gain are disruptive, targeted attacks against organizations with large customer bases. Targeted attacks are more expensive and time-consuming to execute, but by exploiting a single web vulnerability attackers can reach large numbers of devices and customers at once. Imperva's example is the connected car.

“A vulnerability in the web server communicating with the app or update mechanism can lead to remote code execution on these vehicles,” says the Imperva blog. “For example, hackers could hold you hostage and demand a ransom, while threatening to disable your car's brakes or steering system. The even more chaotic scenario (and bigger payout) is a hacker taking control of all of a specific vendor's connected cars and demanding a ransom directly from the vendor.”

Look out, IoT

The connected car example could serve as a cautionary tale for the Internet of Things as a whole. As devices continue to proliferate - many being developed without much thought to security and others never updated with the latest security patches - the likelihood of ransomware attacks proliferates as well. A recent study found that more than 70 percent of organizations were concerned about an IoT-based ransomware attack.

"Over the next two years, cybercriminals behind ransomware will shift their attention to 'smart devices' permanently connected to the internet i.e. devices which form the Internet of Things,” says Steve Durbin, managing director of the Information Security Forum (ISF). “While holding specific devices for ransom will offer lucrative ways to grow their revenues, attackers will also use these devices as gateways to install ransomware on other devices and systems throughout an organization.”

Durbin notes that “the downstream impacts (e.g. interruptions to business operations and automated production lines) may appear severe, but will fade into the background when lives are put at risk by attacks on medical implants or vehicle components” and that “simply restoring from a data backup (rather than paying the attacker) will not be an option.”

An affected organization, he says, “will face the potential of a double financial hit as it is forced to pay a large ransom to protect its people or resume normal operations, and then to retrospectively build in security.”

The rising popularity of “IoT will extend the potential attack surface for those installing ransomware, with target devices increasingly found in places as diverse as cars, trains, homes, offices, factories and hospitals. They will also be embedded in human bodies as facilitators of improved health,” says Durbin. “However, as the security of IoT devices continues to be overlooked, they will create new opportunities for cyber criminals to remotely encrypt digital files and demand payment (typically in a cryptocurrency such as Bitcoin) from the owner for access or operation to be restored.”

A recent FDA recall of St. Jude Medical pacemakers, to apply a firmware update, sounds the alarm for a “lives-at-risk” scenario. “This incident is a reminder of how software has become integral to almost every aspect of our lives, and how security vulnerabilities aren't something that we only need to worry about if we're shopping or banking online,” says Mike Pittenger, director of security strategy, Black Duck. “In this case, the software is driving a device that is essentially part of a patient's body and responsible for maintaining life. Imagine a ransomware attack where the consequences could be loss of life.”

Durbin says the potentially “most lucrative model for attackers will be to directly extort the manufacturers of IoT devices.” Once a vulnerability is discovered in a device and an attacker can demonstrate the ability to disable it, the “attacker may approach the manufacturer and threaten to take down a whole product line, thus potentially jeopardizing the organization's entire customer base,” he says. “In such circumstances, some manufacturers may prefer to pay a ransom rather than admit that a vulnerability has been maliciously exploited.”

That's just further evidence of what Joseph Carson, chief security scientist at Thycotic, sees as the next big change for ransomware. “Ransomware is going to evolve drastically in the near future, becoming platform agnostic. This means that ransomware will be able to target any OS platform including smart devices, such as TVs, manufacturing systems and autonomous vehicles,” Carson says. “They will target time sensitive industries like entertainment, health and transportation that, when unavailable for short periods of time, have major financial costs or even life threatening catastrophes.”

Carson believes that “the financial aspect of ransomware will become much easier than today, meaning it will be as easy as clicking a button.”

“Perhaps the worst part of all this is the cross-breeding we now see between ransomware and worms. These beasts – which some are now calling Ransomworm – take the dangerous file encryption of ransomware and the self-spreading of worms and combine them to terrible effect,” says Jonathan Sander, CTO of STEALTHbits Technologies. “We've seen a couple of these hit big and now that the trick is out there it's likely to stick around and become part of the new mass-produced ransomware.”

In addition, fileless attacks - which run in memory through legitimate tools such as PowerShell or WMI rather than dropping an executable on disk for antivirus to scan - will grow in number and continue to challenge security pros. According to a 2016 survey by Barkly, between 50 and 100 percent of the fileless attacks respondents encountered got past their anti-malware, email filtering, firewall and antivirus technologies.

“Ransomware has received a lot of attention because it's easily understood, but it's more of a symptom than a disease, and is typically just the last step in a well-orchestrated series of hacking techniques,” says Satya Gupta, co-founder and CTO of Virsec. “These include hard-to-detect fileless techniques to exploit web server vulnerabilities, pivot laterally within networks, and hijack servers to take malicious actions such as theft, destruction or ransom. In fact, most ransomware attacks yield very little actual revenue, but cause lots of disruption – probably the larger goal.”

Lenny Zeltser, vice president of products at Minerva, expects “the use of AV-evasion tactics in ransomware to grow, fueling the need for enterprises to go beyond relying solely on antivirus or similar anti-malware solutions to prevent infections” and urges organizations to “consider what methods they might employ to interfere with attempts by ransomware to bypass baseline security mechanisms on the endpoint.”

While financial gain is the top motive behind most ransomware attacks today, the drivers will diversify. “Due to the nature of ransomware, it will also evolve into DestructiveWare or TerrorWare that have the same impact of making systems unavailable. However, the motive will be simply to cause destruction,” says Thycotic's Carson. “I believe that we will also likely see an increase in members of the media, their publications as well as political parties being top targets used to disrupt governments.”

As ransomware matures, it will become a more challenging force to reckon with. “If ransomware follows the same path as other cyber threats, then it's going to enter the mass production phase of its life,” says Sander, the STEALTHbits CTO. “Ransomware in mass production will be especially dangerous because the reliability of payment to fix the problem will likely go down.”

He notes that early ransomware attacks “had a pretty good reputation for giving back the data when paid. That was a key to their success.” But “as less and less professional – and less competent – people get involved, the worse that reputation will get and the worse the damage will be on all sides,” says Sander. “People will be less willing to pay which will hurt the bad guy's business model. Less data will be recovered and that will hurt the victims.”

Attackers are already finding it difficult to hold up their end of the bargain when the payments come in.

“There's a natural technical evolution in ransomware that's underway, driven by the success and failures of recent mass-scale campaigns to hold users ransom,” says Robert Capps, vice president and authentication strategist at NuData Security. “With so many organizations all anteing up in Bitcoin simultaneously, the perpetrators struggled to collect their ill-gotten gains and decrypt their victims' machines, and some deadlines weren't hit – the bad actors were simply immobilized by the success of their campaigns.”

Since ransomware campaigns work only if attackers can deliver on their promise to unlock files, “if they don't deliver, future victims will be unlikely to cough up the ransom,” says Capps. “I think the cybercriminals are acutely aware of this fact, and are stepping up their game.”

So, unbutton your collars and take off your Sunday best, we won't be attending ransomware's funeral any time soon.

It's coming from inside the house…

Organizations keen on thwarting ransomware attacks might do well to take a lesson from that creepy old movie in which a babysitter is the target of crank calls from a murderer who, it turns out, is calling from inside the house. The biggest threat - and the easiest entry point - for a ransomware attack is the insider, or an internal vulnerability that hasn't yet been addressed.

“It's important to keep in perspective that no matter what the effect, whether ransom or otherwise, cyberattacks begin with phishing,” says Oren Falkowitz, cofounder and CEO at Area 1 Security. “99 percent of ransomware is delivered via phishing.”

It is, he says, “the root cause in over 95 percent of cyberattacks.”

Since the “problem begins with users that have legitimate access to enterprise data, attacks from the inside can be present for long periods of time before finally being detected,” says Ajay Uggirata, director at Imperva. “What's more, costs associated with loss of data can run in the millions and lead to customer loss, brand damage and stock price decline.”

When it comes to ransomware, it's “equally as damaging,” he says, “as once a web application is compromised it is easy to plant ransomware to restrict access to the data that application is serving.”

Uggirata says “it is important to protect the application itself by blocking web app attacks and denying account takeover attempts.”

Continued security awareness training for users throughout an organization improves its security posture and raises the cost of the phishing that most of these attacks start with.
