Attacks/Breaches
2/13/2017
09:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

'Shock & Awe' Ransomware Attacks Multiply

Ransomware attackers are getting more aggressive, destructive, and unpredictable.

RSA CONFERENCE 2017 – San Francisco - The data-hostage crisis isn't going away anytime soon:  In fact, it's starting to get a lot scarier and destructive, and with a more unpredictable outcome.

Security experts long have warned that ponying up with the ransom fee only plays into the hands of ransomware attackers; it doesn't necessarily guarantee victims get their data back and unscathed, even though most of these bad guys thus far honor their promise of decrypting hijacked data after they receive their payment. Ransomware is rising dramatically, growing by a rate of 167 times year over year, according to SonicWall, with some 638 million attack attempts in 2016, up from 4 million the previous year. Kaspersky Lab data as of last October shows there's a ransomware attack every 40 seconds.

James Lyne, global head of security research at Sophos Labs, warns that ransomware attacks are starting to become more of a no-win for victims, as some attackers are also now stealing the data they encrypt for further monetization, destroying it altogether, and even waging subsequent attacks on a victim. The attackers are more sophisticated with their encryption methods, and more aggressive, instituting tighter payment deadlines and including organized-crime style threats that sound more like a physical hostage negotiation, he explains.

He describes their brazen demands and attacks as a "shock-and-awe" approach that's catching fire among cybercriminals hoping to more efficiently strong-arm their victims and potentially cash out more quickly.

"We're seeing more and more inclusion of a timer" and a warning that the victim has X amount of time to pay the ransom or the attackers will begin to delete the files, or purge the data entirely, he says. In one attack Lyne investigated, the attackers warned the victim if he or she balked at payment or contacted law enforcement, they would delete the keys for decrypting the data so it wouldn't be retrievable at all.

"Not even the cybercriminals can recover the data" then, he says.

"It irrevocably shreds them. You're not going to get the data back even if you go to a forensics specialist," Lyne says. "They're starting to move toward a more aggressive approach of 'hand over the money more quickly.'"

"It's a really interesting tactic because it invokes panic in the user" so they are afraid to talk to tech support for help, he says.

Reinfection is also becoming a trend, where attackers who have successfully forced a victim to pay up to get their data back later target the same victim multiple times. "Traditional blackmailers know if someone pays once, they are probably going to pay again," he says. 

Lyne plans to show such case of a repeat attack during his RSAC session entitled Reversing the Year: Let's Hack IoT, Ransomware and Evasive Payloads. "I'm going to show an example of where they got infected and the user pays, cleans up, and the attacker waits a period of time before doing the exact same thing again," he says.

So the days of cleanup post-ransomware infection meaning the event is over may soon be gone. Variants such as Ranscam actually erase the victim's files after promising to relinquish the files after the ransom is paid. The Ranscam attackers basically fool the victim into thinking the data is retrievable; they didn't even invest in encryption, so it's a rather evil but ingenious way to wage a low-cost, high-return attack, according to Cisco's Williams.

Lyne says another big worry is ransomware attackers pilfering the data they locked for future monetization after the victim pays up. To date, most ransomware attacks have been opportunistic rather than targeted, even though industries such as healthcare and law enforcement have been among the hardest hit.

"In truth, most of these we've heard of weren't targeted … the samples I look at have no example that they targeted specific types of businesses," he says.

Even so, he's seeing ransomware attackers stealing credentials and other potentially valuable data from their marks. "It encrypts your data, you pay money to get it back and it then nicks your data" as well, says Lyne, who will demonstrate one such attack here.

"It's not widespread … but it's something people need to be aware of now," he says. "You can't just pay money and consider the incident over."

Another thing to watch for: ransomware targeting databases, which indeed is a sign of fishing for valuable data. 

Headless But Deadly

Another sign of the times with the ransomware boom is campaigns that are abandoned by the attackers but still spread to victims, leaving them stranded with encrypted data and no ransom payment option. "We see this quite a lot," Lyne says, and it tends to be lower-level, older variants such as Vipasana and Satana, and campaigns where the email or payment contact channel are shut down. "Now there's ransomware floating around that's shredware: there isn't a way to get your data back,"  he says.

Craig Williams, senior technical leader and security outreach manager for Cisco Talos, points to CryptoWall 3 as an example of this: "When it was abandoned, it stopped working and there was no key exchange," which made it benign, he says.

The Talos team was seeing 130,000 ransomware samples per day in December of last year.

With the newer generation of more sophisticated and businesslike ransomware, more of the old-school rudimentary variants are likely to be scrapped in favor of more effective attack tools. Even so, the phishing emails and other ransomware-rigged places will still infect users. "This is a sign of things to come. So you should prepare," Lyne says.

Meantime, ransomware variants such as Samsam, which included a self-propagation feature that let it spread like a worm, rather than just via email or malicious web content. Worm-like ransomware spreading could infect more victims more quickly, Cisco's Williams says.

Be Prepared Or Prepare To Lose Data

The best defense from ransomware is preparation: expect the worst, and run regular backups. "Have a backup that works, one that's not constantly connected to your computer such that you end up with an encrypted backup that's also infected with ransomware," Lyne says. There are even ransomware variants that target backups, so offline data backups are the best bet.

Cloud-based backups can be helpful as well, Cisco's Williams says. "Don't put your eggs in one basket … Have unique usernames and passwords" for those types of  services, he says. 

Related Content:

 

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/17/2017 | 6:36:34 PM
Reinfection
> Reinfection is also becoming a trend, where attackers who have successfully forced a victim to pay up to get their data back later target the same victim multiple times. "Traditional blackmailers know if someone pays once, they are probably going to pay again," he says. 

This is precisely why game theory dictates never paying blackmail.  The blackmailer always retains the leverage -- unless you take that leverage away from the blackmailer by disavowing its proprietariness and minimizing it.

In this case, if you have secure backups of your data, the loss is minimal.  But even if you get caught with your metaphorical pants down, the option of simply accepting the disappearance of your data should at least be considered. 

Moreover, if you pay the ransom and then STILL don't backup your key data, well... Charles Darwin would probably have something to say about that.
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Apprentice
2/16/2017 | 11:28:57 AM
Re: Spora Ransomware
New ransomware samples become more and more sophisticated. Take a look at Spora - highly professional software, probably with big budget and very skilled developers.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: At least with wireless, my coffee's more secure.
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.