How ransomware took the malware crown with creative attacks and specific targets

Back in 1989, the first ever known and documented strain of ransomware stepped into the spotlight in the form of the AIDS Trojan, also known as PC Cyborg, that was deployed via 20,000 infected floppy disks in 90 countries. Since then, the malicious file-encrypting software has risen to become one of the most menacing forms of cybercrime today.

Verizon’s 2018 Data Breach Investigations Report (DBIR) has identified ransomware as the most popular form of malware, found in 39% of malware-related data breaches and over 700 incidents over the past year. Climbing up from the fourth spot in the 2017 DBIR, ransomware has risen as an effective and lucrative tool of choice for cyber criminals.

“Why has ransomware become so commonplace? Because it’s easy to deploy and can be very effective,” the report noted. “You don’t have to be a master criminal; off-the-shelf toolkits allow any amateur to create and deploy ransomware in a matter of minutes. There’s little risk or cost involved and there’s no need to monetize stolen data.”

Attackers are also looking to move beyond encrypting single user devices towards encrypting file servers or databases within business critical systems to inflict more damage and demand heftier ransoms.

Based on analysis of 53,308 security incidents and 2,216 data breaches across 65 countries, DBIR 2018 notes ransomware attacks are now shifting towards encrypting file servers or databases within business critical systems to inflict more damage and demand heftier ransoms. Although every industry is susceptible to ransomware, the healthcare sector has been heavily targeted by attacks given that hospitals and health service institutions are more likely to pay up and shell out significant amounts of money to retrieve their critical data and get back to work.

In fact, ransomware accounts for 85% of all malware in the healthcare sector.

DBIR 2018 also pointed out that human error continues to be a serious issue with employees still falling for social attacks with companies three times more likely to be breached through attacks like phishing or financial pretexting than actual vulnerabilities.

The rise of ransomware

With ransomware, attackers can go straight for the money, rather than trick users into giving up their credentials, blackmailing them over sensitive details or selling it on the dark web. The ease of execution and success rate of ransomware attacks further make it an attractive tool for cybercriminals looking to begin or expand their arsenal.

Besides high-profile ransomware attacks such as WannaCry, NotPetya and BadRabbit, several successful ransomware campaigns such as Cerber, Locky, Jaff and RoughTed popped up in 2017 that infected thousands of systems worldwide and were quietly updated by their creators to target cryptocurrencies and online wallets.

In 2018, GandCrab emerged as the most prominent ransomware so far, infecting over 50,000 victims mostly in the US, UK and Scandinavia whilst earning its creators a handsome $600,000.

Since 2013, ransomware infections have been steadily increasing year-over-year, reaching a record-high of 1,271 detections per day in 2016 and remained elevated in 2017, Symantec found. Excluding WannaCry and NotPetya from 2017’s detection numbers, there were an average 1,242 ransomware detections every day.

In 2017 alone, the number of ransomware variants spiked by 46%.

In light of these attacks, ransomware detection, recovery tools and techniques have been improving in recent years. In turn, ransomware authors are constantly tweaking their ware as part of a vicious cycle, making it increasingly difficult to detect, prevent and recover encrypted files.

Spoiled for choice

Besides choosing between locker-based or crypto-based ransomware samples, attackers can choose between multiple techniques for actual infection.

Delivering ransomware via malicious links or attached documents delivered en masse is a popular and often used tactic to guarantee a portion of affected users. Beyond email campaigns, organized crime groups have also been delivering fileless, code-injecting ransomware such as Sorebrect ransomware attackers can also exploit unpatched security vulnerabilities to infiltrate a targeted system and deploy the ransomware sample or use a self-propagating strain to infect one machine and spread the malicious code to other connected systems.

To ensure the encryption process is carried out swiftly and successfully, attackers are also using multi-threaded ransomware attacks that launch several processes, as opposed to the usual single process, to accelerate the encryption process. This makes it harder for a victim to stop the process.

Subsequently, as ransomware authors improve their creations, decryption is also likely to become harder. While security experts depend on mistakes in the author’s code or improper key management to write a decryptor, ransomware developers who do fix these errors can make future decryption efforts particularly difficult.

There are also no shortage of targets for attackers to exploit, from the average joe smartphone user to a major corporation that depend on critical data for daily operations.

“The current success of ransomware campaigns - especially their extortion element - will prompt cybercriminals looking to make generous profits out of targeting populations that will yield the most return possible,” Trend Micro’s 2018 Security Predictions report stated. Researchers added that cybercriminals will likely use EU’s upcoming General Data Protection Regulation (GDPR) as a new opportunity for digital extortion.

“Cybercriminals could target private data covered by regulation and ask companies to pay an extortion fee rather than risk punitive fines of up to 4% of their annual turnover,” the report read. “We expect GDPR to be used as a social engineering tactic in the same way that copyright violations and police warnings were used in past FAKEAV and ransomware campaigns.”

Cyberweapon of choice

Given the widespread and extensive damage ransomware could potentially trigger if successful, it could become stand to become a more prolific weapon in cyber warfare. Hacktivists or nation-sponsored threat groups could use ransomware for financial purposes or even use destructive wiper ransomware to disrupt operations, cause significant revenue losses and erode trust. The WannaCry, NotPetya and BadRabbit ransomware attacks are illustrative of this trend.

“What was once a criminally motivated operation model appears to have been adopted by nation-states that are seeking alternative sources of income (e.g., DPRK) or a means to disable opponents (e.g., Russia),” Crowdstrike’s 2018 Global Threat Report notes.

“High-profile attacks in 2017 have introduced the possibility that ransomware could be used for geopolitical, and even militaristic, purposes. It is possible this trend of nation-state ransomware has plateaued, but it is even more likely that other nations - perhaps small countries - or even hacktivist groups will use ransomware and pseudo-ransomware wipers to disrupt victims, eroding trust between vital businesses and their customers or between governments and their constituencies.”