Ransomware is not going anywhere

John Fokker, head of cyber investigations at McAfee.

Over the last few years, an increasing number of threat actors and cyber criminal groups have used ransomware attacks to disrupt business operations and extort large sums of money from their targets.

ITWeb Security Summit 2019

Eight international keynote speakers are heading to SA to join the local experts and share insights with SA's cyber security community. We have Graham Cluley, independent computer security expert and public speaker; Ofir Hason, CEO and co-founder of CyberGym; and Pete Herzog, MD of the Institute for Security and Open Methodologies.

Ransomware reached its height in 2017 with the notorious WannaCry ransomware that brought down major organisations across the globe, and it is showing no signs of slowing down.

Only last month, Norsk Hydro, one of the largest global aluminium manufacturers, confirmed its operations had been disrupted by a ransomware attack.

Verizon's 2018 Data Breach Investigations Report highlighted ransomware as the most common type of malware targeting businesses, found in nearly 40% of malware-related data breaches.

"The first known ransomware virus goes back all the way to 1989 and it was called the AIDS Computer virus," says John Fokker, head of cyber investigations at McAfee.

Fokker will present on "Ransomware: The rise, death and resurrection of digital extortion", at ITWeb Security Summit 2019, to be held from 27 to 31 May, at the Sandton Convention Centre.

AIDS is a computer virus that exploits the MS-DOS 'corresponding file' vulnerability. It was written in Turbo Pascal 3.01a and infects .com files by overwriting them. The virus overwrites the first 13,952 bytes of an infected .com file, so the infected files have to be deleted and replaced with clean copies in order to remove the virus; the overwritten portion of the program cannot be recovered from the infected file.
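Because the overwritten bytes cannot be recovered from an infected file, the only remedy the article names is replacement from clean copies. The script below is an added example (not code from McAfee, ITWeb or the article) of the defensive side of that: it records SHA-256 hashes of known-clean .com files in a manifest, flags live copies whose hash no longer matches, and restores them from the clean store. The sample files and the simulated overwrite of the first 13,952 bytes are constructed inside a temporary directory so the script runs offline; the manifest-and-clean-store workflow is an assumed remediation setup, not something the article specifies.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Size of the region the article says the AIDS virus overwrites at the start
# of an infected .com file; used here only to build the constructed sample.
OVERWRITTEN_PREFIX = 13_952


def sha256_of(path: Path) -> str:
    """Hash a whole file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(clean_dir: Path) -> dict[str, str]:
    """Record the hash of every .com file in a known-clean directory."""
    return {p.name: sha256_of(p) for p in sorted(clean_dir.glob("*.com"))}


def find_damaged(live_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return names of live files that are missing or whose hash differs from the manifest."""
    damaged = []
    for name, expected in manifest.items():
        live = live_dir / name
        if not live.exists() or sha256_of(live) != expected:
            damaged.append(name)
    return damaged


def restore_from_clean(live_dir: Path, clean_dir: Path, names: list[str]) -> list[str]:
    """Delete each damaged file and copy the clean version back in place.

    The overwritten bytes are not present in the infected file, so repairing it
    in place is impossible; replacement from a clean copy is the only option."""
    restored = []
    for name in names:
        live = live_dir / name
        live.unlink(missing_ok=True)
        shutil.copy2(clean_dir / name, live)
        restored.append(name)
    return restored


def demo() -> tuple[list[str], list[str]]:
    """Build constructed sample files, damage one, then detect and restore it.

    Returns (damaged files before restore, damaged files after restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_dir = Path(tmp) / "clean"
        live_dir = Path(tmp) / "live"
        clean_dir.mkdir()
        # Constructed stand-ins for .com programs: a repeating byte pattern,
        # longer than the overwritten prefix so a tail survives the damage.
        for name in ("hello.com", "edit.com"):
            (clean_dir / name).write_bytes(bytes(range(256)) * 79)  # 20,224 bytes
        shutil.copytree(clean_dir, live_dir)
        manifest = build_manifest(clean_dir)

        # Simulate the damage the article describes: the first 13,952 bytes of
        # one live file are replaced (here with zeros) and are not recoverable.
        victim = live_dir / "hello.com"
        original = victim.read_bytes()
        victim.write_bytes(b"\x00" * OVERWRITTEN_PREFIX + original[OVERWRITTEN_PREFIX:])

        before = find_damaged(live_dir, manifest)
        restore_from_clean(live_dir, clean_dir, before)
        after = find_damaged(live_dir, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check compares whole-file hashes, so it flags any modification, not only a prefix overwrite; that is the right default for program files, which should not change outside a deliberate update. The manifest and the clean store only help if they were taken before infection and are kept where a running infection cannot reach them (read-only or offline media), which is the same reason the later section credits better backups with reducing ransomware's impact.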

Gaining traction

Ransomware, or digital extortion, gained its first real popularity at the end of the first decade of the millennium, with the so-called lock-screen ransomware, Fokker adds.

"This type of ransomware didn't really encrypt any files on your computer, but blocked your screen with a message that you had, for instance, downloaded some illegal content and that access to your computer was blocked until you paid a certain amount of money."

In the second decade of the millennium, ransomware viruses that encrypted files on computers gained traction. "Together with the adoption of Bitcoin, the criminals now had a relatively easy method of earning money 'anonymously'. From 2012 till mid-2016, this gave birth to an explosive growth in different families of ransomware, such as Cryptowall, Coinvault, CTB Locker, Cerber and Locky."

He says since 2017, there has been a decline in ransomware. "We don't know the exact cause but there are some contributing factors, including improvements in security technology and backups, the public-private initiative NoMoreRansom that offers free decryption tools to victims of ransomware, and the explosive rise in the price of Bitcoins, which made mining for currency lucrative again. This gave rise to the CoinMiner Malware types."

However, he says ransomware is still a big threat. Even though there are fewer different kinds of families, the families that remain are very strong due to solid operations and underground alliances.

Fokker notes his organisation has observed an increase in targeted ransomware, where criminals seek out certain vulnerable organisations, launch a targeted attack to gain full network access, deploy the ransomware across the network, then charge an astronomical amount of money to decrypt the data.

"This is very different from the non-discriminative malicious spam e-mails that were sent out before with the older families," adds Fokker.

Delegates attending his talk will hear how the criminal business model works for one of the biggest ransomware-as-a-service families, and will receive prevention tips for becoming more resilient against ransomware, as well as mitigation tips for when it is too late.
