Hand-delivered, targeted ransomware attacks increase
This year has seen hand-delivered, targeted ransomware attacks growing in popularity.
These premeditated attacks are different from the 'mud against the wall' approach that automatically distributes malware through millions of e-mails.
This is one of the findings of the SophosLabs 2019 Threat Report, which highlights changes in the threat landscape over the past 12 months and how they are expected to impact cyber security in 2019.
According to the report, "capitalist cyber criminals are turning to targeted ransomware attacks that are premeditated and reaping millions of dollars in ransom".
These hand-delivered, targeted ransomware attacks are different from 'spray and pray' style attacks that are automatically distributed through millions of e-mails. Targeted ransomware is more damaging than ransomware delivered by a bot, as human attackers can find and stake out victims, think laterally, troubleshoot to overcome roadblocks, and wipe out backups so the ransom must be paid, says the report.
This interactive attack style, where adversaries manually manoeuvre through a network step by step, is advancing, due in part to the success of SamSam, BitPaymer and Dharma, which Sophos believes will inspire copycat attacks. "We can expect more of this type of attack to happen in 2019."
Smarter, stronger adversaries
Joe Levy, CTO of Sophos, says the threat landscape is evolving, and cyber criminals with fewer skills are being forced out of the business.
"The fittest among them will step up their game to survive and we'll eventually be left with fewer but smarter and stronger adversaries. These new cyber criminals are effectively a cross-breed of the once esoteric, targeted attacker, and the pedestrian purveyor of off-the-shelf malware, using manual hacking techniques, not for espionage or sabotage, but to maintain their dishonourable income streams."
The SophosLabs report also revealed cyber criminals are using readily available Windows systems administration tools to achieve their ends.
"This year's report uncovers a shift in threat execution, as more mainstream attackers now employ APT techniques to use readily available IT tools as their route to advance through a system and complete their mission, whether it's to steal sensitive information off the server or drop ransomware."
Moreover, attackers are turning admin tools into cyber attack tools.
"In an ironic twist, or cyber Catch-22, cyber criminals are utilising essential or built-in Windows IT admin tools, including PowerShell files and Windows Scripting executables, to deploy malware attacks on users."
According to Sophos, cyber criminals are playing 'digital dominos', chaining together a sequence of different script types so that the attack itself executes only at the end of the series of events. In this way, cyber crooks can set off a chain reaction before IT managers detect that a threat is operational on the network, and once the attackers have broken in it is tricky to stop the payload from executing.
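As an added illustration of how a defender can spot the 'digital dominos' pattern described above, the following Python script (not code from the report, from Sophos, or from the article) reconstructs parent/child process chains from constructed, simplified process-creation log lines and flags chains in which script hosts hand off to one another, script hosts descend from an Office application, or PowerShell is launched with switches commonly used to hide its window or pass an encoded command. The field layout of the log, the host names, process IDs, paths and the encoded blob are all assumptions made for the example, as is the list of script hosts and switches; a real deployment would read Sysmon or EDR process-creation events instead.

```python
"""Detect chained script-host launches in process-creation logs.

Constructed example (not from Sophos or the 2019 Threat Report). Each line
is a simplified, Sysmon-Event-ID-1-style record:
    timestamp|host|pid|ppid|image_path|command_line
"""

# Windows binaries that commonly act as one "domino" in a script chain (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "regsvr32.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell switches worth flagging when seen on a process launch (assumed list).
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-nop", "-w hidden",
                       "-windowstyle hidden", "downloadstring")

# Constructed sample log. "SQBFAFgA..." is a truncated placeholder, not real payload.
SAMPLE_LOG = """\
2018-11-01T09:12:01Z|WS01|4120|3980|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"WINWORD.EXE" invoice.doc
2018-11-01T09:12:03Z|WS01|4201|4120|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\inv.js
2018-11-01T09:12:04Z|WS01|4290|4201|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA...
2018-11-01T09:12:09Z|WS01|4355|4290|C:\\Users\\a\\AppData\\Local\\Temp\\svchost.exe|svchost.exe
2018-11-01T09:15:00Z|WS02|5100|5000|C:\\Windows\\explorer.exe|explorer.exe
2018-11-01T09:15:02Z|WS02|5110|5100|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Service
"""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Parse the pipe-delimited records into dicts (command line may contain no '|')."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, ppid, image, cmdline = line.split("|", 5)
        records.append({"ts": ts, "host": host, "pid": int(pid), "ppid": int(ppid),
                        "image": basename(image), "cmdline": cmdline})
    return records


def ancestry(by_key, rec):
    """Return the process chain root-first, ending with rec; stops at unknown parents."""
    chain, cur = [rec], rec
    seen = {(rec["host"], rec["pid"])}
    while True:
        parent = by_key.get((cur["host"], cur["ppid"]))
        if parent is None or (parent["host"], parent["pid"]) in seen:
            break
        chain.append(parent)
        seen.add((parent["host"], parent["pid"]))
        cur = parent
    return list(reversed(chain))


def classify(rec):
    if rec["image"] in OFFICE_APPS:
        return "office"
    if rec["image"] in SCRIPT_HOSTS:
        return "script"
    return "other"


def detect(records, min_script_links=2):
    """Return one finding per process whose ancestry looks like a script chain."""
    by_key = {(r["host"], r["pid"]): r for r in records}
    findings = []
    for rec in records:
        chain = ancestry(by_key, rec)
        kinds = [classify(r) for r in chain]
        reasons = []
        # Each parent->child hop where an Office app or script host launches a script host.
        links = sum(1 for a, b in zip(kinds, kinds[1:])
                    if a in ("office", "script") and b == "script")
        if links >= min_script_links:
            reasons.append(f"{links} chained script-host launches")
        if "office" in kinds and kinds[-1] == "script":
            reasons.append("script host descended from an Office application")
        cmd = rec["cmdline"].lower()
        if rec["image"] == "powershell.exe" and any(f in cmd for f in SUSPICIOUS_PS_FLAGS):
            reasons.append("powershell launched with hidden-window/encoded-command switches")
        if reasons:
            findings.append({"host": rec["host"], "pid": rec["pid"],
                             "chain": [r["image"] for r in chain], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} pid {f['pid']}: {' > '.join(f['chain'])}")
        for reason in f["reasons"]:
            print("   -", reason)
```

On the sample data the benign WS02 chain (explorer.exe launching an interactive PowerShell session) produces nothing, while every process below the Word document on WS01 is reported, so the alert fires at the second domino rather than waiting for the final payload. The thresholds are deliberately simple; in production the same chain-walking logic would be fed by an EDR or Sysmon pipeline and tuned against the organisation's own legitimate script usage.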
In addition, the report found EternalBlue, a spy tool that was behind WannaCry's success, has become a key tool for crypto-jacking attacks. Although patches for EternalBlue were issued over a year ago, it remains a firm favourite with attackers.
"The coupling of EternalBlue to crypto-mining software turned the activity from a nuisance hobby into a potentially lucrative criminal career. Lateral distribution on the corporate networks allowed the crypto-jacker to quickly infect multiple machines, increasing payouts to the hacker and heavy costs to the user."
Finally, the report highlighted the ongoing threat of mobile and IoT malware, with the impact of malware reaching beyond the business infrastructure as mobile malware grows. "With illegal Android apps on the increase, 2018 has seen a rise in malware being pushed to phones, tablets and other IT devices."
As homes and businesses employ more IoT devices, criminals are looking for ways to harness these devices for use in their massive botnets.
"In 2018, VPNFilter demonstrated the destructive power of weaponised malware that affects embedded systems and networked devices that have no obvious user interface. Elsewhere, Mirai, Aidra, Wifatch and Gafgyt delivered a range of automated attacks that hijacked networked devices to use as nodes in botnets to engage in distributed denial-of-service attacks, mine crypto-currency and infiltrate networks," adds Sophos.