Researchers at Cisco's Talos Security Intelligence and Research Group published a new report on the next phase of ransomware. Noting trends emerging among recent ransomware strains, the researchers expect to soon see a new era of self-propagating ransomware, or “cryptoworms.”
While ransomware strains have typically cast a wide net through mass phishing campaigns or similar methods, recent ransomware campaigns have employed more targeted strategies, specifically pursuing enterprise networks and healthcare institutions.
The Ransomware: Past, Present, and Future report, written by Talos manager of ICS research Joe Marshall, referenced an earlier Talos study of SamSam ransomware's propagation method; the ransomware infects entire servers, and then spreads across networks. Marshall told SCMagazine.com, “SamSam is the proof of ransomware's evolution to its logical next step.”
Talos security outreach manager Craig Williams noted that SamSam was designed to be “effectively hands-free,” but said the fact that its creators chose to take advantage of two well-known network vulnerabilities – one of the vulnerabilities is nine years old and the other is seven years old – shows that ransomware can get far more sophisticated.
“We believe that this is a harbinger of what's to come -- a portent for the future of ransomware,” theRansomware: Past, Present, and Future report stated.
The researchers reported rising ransom prices, citing estimates that Angler exploit kit operators generate $60 million per year in ransom payloads, but warned that “Ransomware operators are increasing the stakes.”
This figure stands in stark contrast to earlier figures. A section chief at the FBI's Cyber Division said 2,453 ransomware attacks were reported in 2015, costing the victims $24.1 million.
Recent attacks targeting healthcare facilities, such as the reported ransomware incident that took Medstar Health offline last month, are demanding larger payouts. Attacks like these prompted the U.S. Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC) to issue a ransomware alert.
“It's almost child's play. You only have to spin them up, and let them go,” said Marshall. “There's a plethora of the vectors the ransomware can utilize.”
Last month, researchers discovered a new version of TeslaCrypt ransomware, featuring stronger encryption algorithms and an ability to extract more data from computer files.
Williams said they have confirmed that ransomware victims are not consistently getting the keys that they purchase and said victims cannot always trust the integrity of the data they get back. “It's astonishing to me that paying the ransom is still being encouraged as a magical quick fix solution for business owners,” he said.
[An earlier version of this story incorrectly stated that Talos security outreach manager Craig Williams and manager of ICS research Joe Marshall co-authored the Ransomware: Past, Present, and Future report. The report was written by Joe Marshall.]