As ransomware grows in popularity, Trend Micro researchers said in a June 16 blog post that, aside from the social engineering tactics and commercial-grade encryption deployed against victims, cyber crooks also rely on less sophisticated malware routines, including deleting shadow copies, modifying system startup, using propagation tactics and anti-detection mechanisms, and other methods that wreak greater havoc when combined.
A technique popular with CRYPWALL, Locky, CERBER, CRYPTESLA and other ransomware families is deleting shadow copies (the Volume Shadow Copy snapshots Windows keeps as backup copies of files) in an attempt to keep victims from recovering their data, the post said.
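Because shadow-copy deletion is performed with ordinary administrative tools, a defender's best handle on it is process-creation telemetry. The following is an added detection example, not code from the Trend Micro post or from SC Magazine: it scans constructed, pipe-delimited process-creation log lines (timestamp|ParentImage|Image|CommandLine, a layout I chose for the example) for the standard Windows commands that delete or purge shadow copies. The post names the technique but not the commands; vssadmin, wmic and the Win32_ShadowCopy WMI class are my choice of well-known examples, and the "suspicious parent" heuristic (a launcher running from a user-writable directory) is an assumption for triage, not a rule from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Command lines that delete or purge Volume Shadow Copies.  These are the
# standard Windows tools for the job, chosen by me for the example; the
# Trend Micro post describes the technique, not specific commands.
SHADOW_COPY_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wmi Win32_ShadowCopy.Delete",
     re.compile(r"win32_shadowcopy\b.*\.delete\(\)", re.I)),
    # Shrinking shadow storage forces Windows to discard old snapshots;
    # also used by backup software, so it is lower confidence on its own.
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
]

# Heuristic (my assumption): a parent process living in a user-writable
# directory is a more likely ransomware dropper than a service or installed
# backup agent.  Used only to rank hits for triage, not to suppress them.
SUSPICIOUS_PARENT = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)


def normalize(cmdline: str) -> str:
    """Drop quoting and collapse whitespace so pattern matching is not evaded
    by `"vssadmin.exe"   Delete  Shadows` style variations."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def classify(cmdline: str) -> Optional[str]:
    """Return the matching technique name, or None if the command is benign."""
    normalized = normalize(cmdline)
    for name, pattern in SHADOW_COPY_PATTERNS:
        if pattern.search(normalized):
            return name
    return None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every process-creation event whose command line deletes shadow copies."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        # maxsplit=3 keeps the whole command line intact even when it
        # itself contains '|' (PowerShell pipelines do).
        timestamp, parent, image, cmdline = line.split("|", 3)
        technique = classify(cmdline)
        if technique is None:
            continue
        hits.append({
            "time": timestamp,
            "parent": parent,
            "image": image,
            "technique": technique,
            "high_confidence": bool(SUSPICIOUS_PARENT.search(parent)),
        })
    return hits


# Constructed sample telemetry (not real data): a dropper in %TEMP% wiping
# shadow copies three different ways, a backup agent resizing shadow
# storage, and two benign events.
SAMPLE_LOG = [
    "2016-06-16T09:01:02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "2016-06-16T09:03:11|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\vssadmin.exe|\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /All /Quiet",
    "2016-06-16T09:03:12|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2016-06-16T09:03:13|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
    "2016-06-16T22:00:00|C:\\Program Files\\BackupVendor\\agent.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB",
    "2016-06-16T09:04:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        level = "HIGH" if hit["high_confidence"] else "low "
        print(f"[{level}] {hit['time']} {hit['technique']}: parent={hit['parent']}")
```

Running the block flags four of the six events: the three commands launched by invoice.exe rank high because the parent lives under AppData, while the backup agent's shadow-storage resize is reported at low confidence for an analyst to confirm; `vssadmin list shadows` is not flagged. In production the same logic would be fed from Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.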
Ransomware authors also cause trouble with startup modification techniques that overwrite the Master Boot Record (MBR) to render a system unbootable, which adds another layer of difficulty when trying to restore from safe mode, researchers said in the post. PETYA employs this technique.
Propagation tactics are another method that makes data harder to restore: the infection spreads via removable drives and network shares, where other crucial data is potentially stored, the post said. Zcryptor uses this technique.
Other methods include anti-detection mechanisms, abuse of the Server Message Block (SMB) protocol, and domain generation algorithms (DGA), which make the malware's command-and-control domains harder to block.
Although he could not definitively say what the next wave of sophistication will be, Trend Micro Senior Global Marketing Manager Jon Clay told SCMagazine.com that a “customer-centric,” personalized approach could be on the horizon if it proves successful.
“We will likely see more use of infostealers to steal data to use in a separate extortion request,” Clay said. “We also will likely see more targeted attacks against organizations who could pay a higher ransom.”
He said users should protect themselves with reliable, layered security solutions for their devices.