Ransomware trends around the globe

As ransomware evolves in style and sophistication, one thing remains consistent - it's here to stay.

Read time: 9 min 40 sec

The nature of ransomware attacks is starting to change and will continue to evolve: new, more resistant strains of ransomware are being developed and sold on the dark market at affordable prices, with options to customise the code so that it resists particular security defences.

Ransomware as a service (RaaS) is fuelling criminal entities to invest in ransomware code and markets. Most cyber criminals now reverse-engineer existing ransomware strains to develop better, more resistant versions, adding ransomware to a cyber crime arsenal that already holds a wide range of attacker tools, such as keyloggers and network scanners.

Why are more advanced cyber criminals modifying ransomware for their cyber arsenal?

As a cyber security expert, I've seen many attacks already where skilled attackers get into a network, get what they need, and leave ransomware behind to further extort money or destroy systems. Part of the reason for this is that it serves as a useful distraction: to show the victim they have been hacked by a certain group and that it wasn't just a virus infection, but rather a targeted one.

I have seen most people ignore their network defences after a single machine has been infected by ransomware - it is common for systems administrators not to look around the rest of their network for other signs of a breach, making it easier for the attacker to escape unnoticed and infect the whole cluster of machines on the same network.

But another reason, and the more common one, is that cyber criminals want to make a ton of money from unsecured systems, and ransomware attacks give them an instant cash-out that is mostly untraceable when paid in cryptocurrencies such as Bitcoin and Zcash.

In some circumstances, rogue nations practising espionage can also conduct state-sponsored cyber criminal activities and infect target countries with ransomware, both as cyber warfare and to find new sources of revenue. These countries make use of contractors within the target country who have extensive access to many organisations around the world and can distribute the ransomware for them.

Ransomware attacks designed to shame victims

Press coverage of recent ransomware attacks, such as WannaCry and Petya, has generated considerable interest among hacker groups in obtaining ransomware samples for analysis. The world must expect to see growth in these kinds of attacks, with more copycat attacks emerging from different geographical areas as more ransomware samples are downloaded for reverse-engineering and analysis.

These attacks will be more directed at profitable systems around the world, especially those such as:

* Self-checkout systems at grocery store chains
* Bank ATMs
* Hotels
* Computerised billboards
* Hosting servers
* Government institutions
* Profitable groups.

Basically, any organisation that has a kiosk-type system exposed to the public and running on an older, insecure version of Microsoft Windows can be infected. New strains for Linux and macOS are being developed, and darknet sites claiming to offer such services are beginning to advertise their malware to interested groups.

If these types of systems get infected with ransomware, there is a lot of pressure to resolve the problem quickly. Cyber criminals have also developed ways to infect internet of things (IOT) devices with ransomware: they have devised ways to attack an entire cluster of IOT devices on the same network through open protocols that are exposed to the public Internet.

Ransomware using no executable as payload to evade security defences

Ransom32 is written entirely in JavaScript, and PowerWare in PowerShell. Neither uses an executable payload that needs manual installation on the physical host, so downloading this ransomware is easy if JavaScript is enabled in the browser, as the Ransom32 payload executes when the JavaScript is loaded.

This obfuscation technique will continue to spread because it evades anti-malware protection easily and can be deployed with less suspicion from the victim through Web hijacking and clickjacking. The payload executes in the background, so the victim suspects nothing.

This type of ransomware uses a combination of scripting languages (such as PowerShell and JavaScript) and Microsoft API calls to encrypt the files on a victim's machine. The encryption, the ransom note and the call-out to a command and control server are all completed without an executable file. These ransomware families can avoid detection by many traditional security vendors because they take advantage of legitimate processes on the system, so everything they do appears legitimate.

Ransomware attacks via e-mail service

Spam campaigns are losing the fight against consumer Webmail providers such as Gmail, Outlook and Mimecast. These services have strengthened their defences to identify new ransomware campaigns sent over their service by employing artificial intelligence (AI) algorithms.

AI has proved useful in learning the dynamic changes within a ransomware family. In certain circumstances it can also filter on the origin of a sample, but it can be less effective at learning the new kinds of threats emerging in cyber space. These services also rely on open threat exchanges, and only once a threat has been identified can the providers update their defences to block it.

If ransomware groups can find weaknesses in the security of e-mail providers, or use some of the millions they have made to buy zero-day exploits for weaknesses that may exist, they can increase the number of successful installs and increase their revenue even more. This is what is happening today: the Shadow Brokers leaked EternalBlue, and cyber criminals used the vulnerability it exploits to build ransomware such as WannaCry, which attacked hundreds of thousands of systems across the world.

Ransomware on IOT devices

Since IOT devices tend to be synced with a local server or cloud environment, it is easy to wipe and replace them, so in my opinion there is no compelling reason for a victim to pay the ransom to have their systems restored by cyber criminals.

There is a distinction between the IOT device itself and the Windows systems that serve as the face of these IOT deployments; the latter will be subject to attack in the same way as any other Windows system. In fact, in some ways they may be more susceptible to ransomware. The control systems of these IOT devices often run specialised software that controls the functions of the devices, and this software usually requires a specific version of Windows, one that is often outdated, unpatched or with reduced support from its developers.

IOT devices are mostly built on Linux/Unix or specialised OSes that handle the day-to-day functions of those systems. They are too obscure to be a reliable target for mass-produced ransomware. There is also a difference in the way file systems and permissions are set up between Linux/Unix systems and Windows computers, which makes attacks on Linux IOT devices ineffective.

Practically speaking, a Windows user can access every file on the computer. So when a victim inadvertently installs ransomware, that ransomware also has access to everything on the system and can encrypt it all. Linux/Unix systems operate differently: the user only has access to his or her own files, not all files on the system. Even if a user does accidentally install ransomware, it will only be able to encrypt that user's files, not all the files on the system. For ransomware to be effective on a Linux/Unix system, the attacker would either need a victim logged in as root, or would have to package a privilege escalation with the ransomware.

Consumer-grade IOT, more complex enterprise systems

There is a distinction to be made between consumer-grade IOT devices, such as home routers and Web cameras, and the more complex supervisory control and data acquisition (SCADA) systems that control things like the water supply, electricity supply, nuclear energy stations or traffic lights. These systems also run on specialised operating systems, but they are not disposable in the way consumer IOT devices are.

Russian hackers are allegedly developing ransomware and malware to target SCADA systems for huge profits, and if these sectors are left without appropriate security defence layers, they will soon become more attractive targets.

Law enforcement action on ransomware and cyber criminals

There is a strong need for the security community to collaborate with law enforcement agencies in a big way to permanently shut down the attacking domains behind ransomware and the exploit kits that deliver them. Law enforcement agents should be trained on cyber security, and cyber security units within the law enforcement agencies should work together with other nations to help stop the spread of ransomware and malware-related activities.

Law enforcement agencies should also consider collaborating with security researchers and malware analysts when it comes to dissecting ransomware and offering new protections and cyber response methodologies.

Ransomware prevention tips

As of today, ransomware attacks are here to stay. If victims continue to pay the ransom and fund the growth and development of these new ransomware families, there will be more complex, hardened and effective ransomware attacks that brick computer systems.

Here are a few best practices to minimise the risk and data loss associated with ransomware attacks:

* Back up confidential/useful data and test the backups regularly to verify they can be restored.
* Disable Microsoft Office macros by default, and selectively enable them for those who need macros.
* Keep Web browsers, services, plug-ins such as Adobe Flash and Microsoft Silverlight, and protocols such as SMB updated, and prioritise patching systems as new updates are released.
* Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them by putting in place effective access control systems and policies.
* Scan incoming e-mails for suspicious attachments, including examining all compressed attachments.
* Disable or remove the PowerShell, wscript, and cscript executables on all non-administrative workstations to prevent infections.
* Automatically quarantine any e-mail that has an attachment containing a script or a .scr file extension or from an unknown domain name.
* Do not give all users in the organisation local administrative access to organisation-owned workstations.
* Use threat intelligence to gain visibility into your organisation's external threat environment and monitor for any emerging ransomware threats to your organisation with reputable security and reporting tools such as Symantec Solutions and Kaspersky.
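The attachment-scanning and quarantine tips above (scan compressed attachments, quarantine mail carrying a script or .scr attachment or coming from an unknown domain) can be turned into a simple mail-gateway triage rule. The following is an added example written for this page, not code from the article or from any vendor product; the extension list, the allow-list of known sender domains and the sample messages are all constructed assumptions, and a real deployment would also check content type and signatures rather than file names alone.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy values for this example; tune them to your environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1",
                     ".hta", ".bat", ".cmd", ".scr"}
ARCHIVE_EXTENSIONS = {".zip"}
KNOWN_DOMAINS = {"example.com", "partner.example.org"}   # constructed allow-list
MAX_ARCHIVE_DEPTH = 2                                     # nested zip-in-zip limit


def _ext(name):
    """Lower-cased extension of a file name, including the dot ('' if none)."""
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def risky_names(filename, payload, depth=0):
    """Return (path, reason) findings for one attachment.

    Script and .scr names are flagged directly; zip archives are opened in
    memory and their members inspected recursively up to MAX_ARCHIVE_DEPTH,
    so a script hidden inside a compressed attachment is still caught.
    """
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append((filename, f"script or screensaver extension {ext}"))
    if ext in ARCHIVE_EXTENSIONS and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    # Only read member bytes when we need to recurse into them.
                    member = zf.read(info) if _ext(info.filename) in ARCHIVE_EXTENSIONS else b""
                    for path, reason in risky_names(info.filename, member, depth + 1):
                        findings.append((f"{filename}/{path}", reason))
        except zipfile.BadZipFile:
            findings.append((filename, "archive could not be parsed"))
    return findings


def triage(raw_bytes):
    """Decide 'quarantine' or 'deliver' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    reasons = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    has_attachment = False
    for part in msg.iter_attachments():
        has_attachment = True
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        for path, reason in risky_names(name, payload):
            reasons.append(f"{path}: {reason}")
    # Rule from the tip: any attachment from an unknown domain is quarantined.
    if has_attachment and sender_domain not in KNOWN_DOMAINS:
        reasons.append(f"attachment from unknown domain {sender_domain!r}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


# --- constructed sample inputs (not real messages) ---------------------------

def build_sample(sender, attachments):
    """Construct a test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


def make_zip(members):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("billing@unknown-sender.test",
                          [("invoice.zip", make_zip({"invoice.js": b"// constructed"}))])
    print(triage(sample))
```

The gateway rule quarantines on the file name alone, which is deliberately conservative: a legitimate partner sending a zipped PowerShell script is held for review rather than delivered, while an ordinary PDF from a known domain passes through.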

Damian Michael

Founder, Innovo Networks.

Nominated for the second time in this year’s Entrepreneur of the Year Awards, Damian Michael has experience in the public and private sectors. After completing his apprenticeship in the SA Navy as a radio/radar technician, he worked in sales and senior management positions for ICT operators like Vodacom and MTN, and was involved in successfully launching Neotel in SA. He founded voice, data and cloud provider Innovo Networks in 2013. When he is not working on taking Innovo Networks to the next level, he spends his time mentoring youth in various entrepreneur programmes across the country.