Ransomware will continue to evolve in 2018

Ransomware got its start in the late 1980s, but 2017 can rightly be called the year of ransomware. 

Some interesting figures:

  • Malwarebytes reports that more than 26% of the ransomware attacks blocked by its software were aimed at US users.
  • According to SonicWall, there were 184 million ransomware attacks in 2017, compared with 638 million in 2016.
  • While the number of attacks subsided, the number of strains more than doubled in 2017.
  • According to the Federal Bureau of Investigation (FBI), more than $209 million in ransomware payments were made in the US in the first quarter of 2016 alone, a 771 percent increase over the $24 million reported for the whole of 2015.
  • Attacks on businesses increased three-fold between January and the end of September. In September, the FBI announced that 100,000 computers had been infected by ransomware in a single day.

Most ransomware still hits consumers rather than businesses, but businesses are far from immune. A recent IBM survey of 600 business leaders in the U.S. found that almost half of all businesses had been hit by ransomware, and that 70 percent of those had paid the ransom. In 2015, the average ransom was a few hundred dollars per user. According to Trend Micro, by the end of 2016 the average ransom was over $700, with 20 percent of organizations reporting demands of over $1,300. Paying is no guarantee either: Trend Micro found that one in five organizations that paid never got their data back.

Ransomware can affect any type of computer, not just Windows PCs. In the first half of 2017 it became the biggest cyberthreat on Android devices in the U.S., U.K., Germany, Australia and Denmark; according to Bitdefender, ransomware accounted for more than half of the malware detected on those devices.

Why has ransomware become such a menace?

There are many reasons for the upswing in ransomware:

  • Bitcoin has become an easier and more widely accepted form of payment. Attackers prefer a currency that bypasses financial institutions, both because banks can trace and freeze funds and because victims are spread across many countries. Bitcoin meets both needs: its transactions are pseudonymous rather than anonymous, but tracing them to a person takes significant effort, and the coins can be "laundered" through mixers and exchanges much as cash is.
  • Attackers want strong encryption so that victims cannot recover their files without paying. Well-vetted public-key cryptography such as 2048-bit RSA is now available off the shelf in standard libraries on every platform, so attackers no longer have to implement their own schemes, which were often flawed enough to be broken by researchers.
  • Asymmetric (public key) encryption runs on even the oldest computers still in use. Most recent ransomware families combine symmetric and asymmetric encryption. Symmetric encryption is fast, which matters to the attacker because the encryption is more likely to finish before the infection is noticed; the flip side is that if the victim captures the symmetric key while encryption is still in progress, the data can be decrypted. Asymmetric encryption is slower but leaves the decryption capability solely with the holder of the private key. So the attacker encrypts the victim's files rapidly with a symmetric cipher and then encrypts only the symmetric key with the attacker's public key. The slow asymmetric operation is needed for just one small value, the key, rather than for every file.
  • There is money to be made. Cybercriminals know that it is a lucrative business model. As of December, the SamSa ransomware extortionists had earned $450K, primarily by targeting healthcare organizations.
  • Attackers no longer need to be tech-savvy: ransomware is sold as packaged kits and as ransomware-as-a-service, with the delivery handled by off-the-shelf exploit kits and spam campaigns.
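As an added illustration of the hybrid scheme described in the bullets above (example code written for this article, not code from the original post and not any real ransomware family's code), the following Go program encrypts bulk data with AES-256-GCM under a fresh random session key and wraps that key with RSA-OAEP under a 2048-bit public key, so the slow asymmetric operation runs once per key rather than once per file. The type, function and variable names are the example's own. It also shows the timing point from the text: the raw session key must exist in memory while encryption runs, and whoever captures it can decrypt without the private key; once the key is discarded, only the private key holder can.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what is left behind for each encrypted blob: the session key
// wrapped under the RSA public key, the AES-GCM nonce, and the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewKeyPair generates the asymmetric pair. In a real campaign the private
// half never touches the victim's machine.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptHybrid: a random AES-256 key encrypts the bulk data; RSA-OAEP is applied
// exactly once, to that 32-byte key. The session key is also returned to stand in
// for the copy that necessarily sits in process memory while encryption runs.
func EncryptHybrid(pub *rsa.PublicKey, plaintext []byte) (env Envelope, sessionKey []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return Envelope{}, nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return Envelope{}, nil, err
	}
	env.Nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(env.Nonce); err != nil {
		return Envelope{}, nil, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, nil) // fast, bulk
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil) // slow, once
	if err != nil {
		return Envelope{}, nil, err
	}
	return env, sessionKey, nil
}

// DecryptWithPrivateKey is the "pay and receive the key" path.
func DecryptWithPrivateKey(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong or missing private key")
	}
	return DecryptWithSessionKey(key, env)
}

// DecryptWithSessionKey is the recovery path the text alludes to: a responder who
// captures the symmetric key while encryption is still in progress decrypts
// without the attacker's cooperation. GCM also rejects tampered ciphertext.
func DecryptWithSessionKey(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	attacker, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample input; a real infection would read files from disk.
	plaintext := []byte("Q3 invoices: ACME-1042, ACME-1043 (constructed sample data)")
	env, capturedKey, err := EncryptHybrid(&attacker.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, wrapped key %d bytes (RSA-2048)\n", len(env.Ciphertext), len(env.WrappedKey))
	stranger, _ := NewKeyPair()
	if _, err := DecryptWithPrivateKey(stranger, env); err != nil {
		fmt.Println("wrong private key:", err)
	}
	out, _ := DecryptWithPrivateKey(attacker, env)
	fmt.Println("with attacker's private key:", string(out))
	out, _ = DecryptWithSessionKey(capturedKey, env)
	fmt.Println("with captured session key:", string(out))
}
```

The design point for defenders is the last two lines of main: the wrapped key in the envelope is worthless without the private key, but the session key is equally sufficient on its own, which is why memory capture of a still-running encryptor, and not the ransom note's RSA blob, is the realistic recovery avenue.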

Which industries are at the most risk for ransomware?

Some of the most publicized attacks in 2017 involved healthcare, but the problem is more widespread. A new report from BitSight finds that education is the industry most likely to be hit, with 13% of educational organizations affected by ransomware. The report analyzed the cybersecurity performance of nearly 20,000 companies across government, healthcare, finance, retail, education, and energy/utilities.

By comparison, ransomware had hit about:

  • 6% of government agencies
  • 3.5% of healthcare organizations
  • 1.5% of financial companies, the lowest rate of any sector studied

Education is a target for multiple reasons:

  • The sector tends to have smaller budgets, and thus less up-to-date hardware and software.
  • Education normally has smaller IT staffs than other industries, so patches are applied less often and security monitoring is thinner.
  • File sharing, both within the institution and with outsiders, is high compared with other industries. A BitSight report released earlier this year found that about 58% of academic institutions allowed file sharing on their networks.
  • Some security analysts believe that schools may be more likely to pay to get their data back in order to avoid HIPAA concerns and other regulatory violations. For example, in June the University of Calgary paid a $20,000 CAD ransom after attackers encrypted its email system.

Types of ransomware in 2016

At the start of 2016, TeslaCrypt and Locky were the biggest ransomware threats, spread mainly by spam campaigns. Many of the businesses hit by that onslaught appear to have strengthened their defenses; as a result, ransomware increasingly affected consumers rather than businesses as 2016 progressed.

Well-established families such as CTB-Locker, CryptoWall and Shade were joined by Cerber, CryptXXX, and Locky. Locky has so far been seen in 114 countries. The year saw increasing variation both in how ransomware was built and in the vectors used to deliver it.

At the beginning of 2016, CryptoWall 4.0 attacks rose, including a new variant that targeted outdated versions of Flash Player. That payload was delivered via malicious pop-under ads, whereas the majority of past ransomware had relied on spam, phishing emails, and attachments. In November, Cerber 5.0.1 was discovered spreading via Google and Tor2Web proxies. New ransomware families appeared written in JavaScript, PHP, PowerShell, and Python. VindowsLocker also emerged in November: it locks the victim's computer and tells the victim to call a phone number presented as Microsoft customer support. The victim who pays the $300-plus "decryption" fee gets nothing in return.

New functions and threats were added to ransomware as well. Ransoc gathers information on the victim: it probes social media profiles and local files, and users whose PCs contain questionable content are threatened with court action if they fail to pay. CryptXXX includes a feature that harvests Bitcoin wallet data and sends it to the attackers. Some Cerber variants enroll the victim's computer in a botnet used for distributed denial of service (DDoS) attacks. Chimera threatens to publish the victim's files, including pictures and videos, on the internet.

The Franchise Model & Ransomware

The franchise model invaded the ransomware world. CTB-Locker and Chimera offered their victims the chance to become an "affiliate", with a 50 percent commission for reselling the ransomware as a service. Popcorn Time ransomware waives payment for victims who manage to infect a few friends.

No More Ransom Project

The most significant anti-ransomware move was the foundation of the No More Ransom project. Kaspersky Lab, Intel Security, the National High Tech Crime Unit of the Netherlands' police, and Europol's European Cybercrime Centre formed the group. In October, law enforcement agencies from 13 additional countries joined the project, twelve in Europe in addition to Colombia. The project expanded further in December with 30 more members.

No More Ransom offers victims a Crypto Sheriff tool to identify the ransomware family affecting their devices. If a decryption tool exists for that family, victims can use it to recover their data. In December, 32 new decryption tools for various ransomware variants were added.

Other good news on the ransomware front includes:

  • White hats continued to take down command and control servers.
  • Microsoft reported that Windows 10 is 58% less likely to be affected by ransomware than Windows 7.
  • In May, TeslaCrypt shut down and its master decryption key was released.
  • Police shut down the Encryptor RaaS and Wildfire operations.
  • In July, about 3,500 keys for Chimera were publicly released.

What does 2018 hold?

The number of ransomware attacks is on the decline. According to a report by SonicWall, there were 184 million ransomware attacks in 2017 compared with 638 million in 2016. While the number of attacks subsided, the number of strains more than doubled in 2017, which researchers believe may indicate a shift from quantity to quality. The decline in attacks is attributed to victims' growing refusal to pay as well as wider use of tools to combat ransomware. Not everyone refuses, though: the administrators of Hancock Health chose to pay the ransom shortly after their attack in January.

Some industries, such as healthcare and government, will continue to be targeted by ransomware. Many of the techniques developed by the criminals behind ransomware, including fileless malware and the hybrid encryption described above, will continue to be reused in other types of attacks. To escape future ransomware attacks, IT pros must deploy the right technology.

Despite the decrease in attacks, ransomware accounted for 64% of all malicious emails sent in 2017, so a modern email security solution is essential. A complete defense strategy also includes off-site backups that an infected machine cannot reach, a diligent patching regime, and real-time anomaly detection to catch an encryptor while it is still running. We may be in a temporary lull when it comes to ransomware attacks, but it may in fact just be the calm before the storm.

Are you an IT professional who wants to ensure sensitive data and devices are protected? Talk to a specialist or email us at info@titanhq.com with any questions.
