Attacks/Breaches

12/21/2017
09:00 AM
50%
50%

Small,Targeted Ransomware Attacks Emerge

Cybercriminals narrow their focus on specific industries, geographies, or size for a better return on investment, security experts say.

Ransomware attackers in the past year have begun to launch small, targeted campaigns, seeking a better return on their investment of time and money.

Cybercriminals are expanding beyond ransomware "spray and pray" attacks delivered by spam, and focusing instead on specific industries, geographies, or companies of a particular size with ransomware phishing campaigns, according to security experts.

"For most of 2016, ransomware campaigns were sent by spam. On some days, tens of millions of emails were sent out," says Patrick Wheeler, director of threat intelligence for Proofpoint. He says spray and pray campaigns were designed to infect as many machines as possible with the expectation that a certain percentage of the victims would pay the ransom.

Ransomware will mostly involve targeted campaigns in the future because attackers know they can get more money with this method, says Anton Ivanov, lead malware analyst with Kaspersky Lab. Attackers behind ransomware campaigns have gone as far as creating special teams with specific developer skills to penetrate networks and language skills to write phishing emails that appear more convincing, too, he says.

Financial organizations, higher-education institutions, and healthcare, manufacturing, and technology companies, are some of the industries that have been hit this year with targeted ransomware campaigns.

"We find when ransomware targets specific verticals, it is usually healthcare and higher education. We don't know why these verticals, but maybe because there is a large user base," says Wheeler.

A previously undocumented strain of the Defray ransomware was used in one attack against healthcare companies and educational institutions, while another Defray attack targeted manufacturing and technology companies, according to a Proofpoint report.

PetrWrap, a Petya-based ransomware variant, targeted financial organizations across the globe, according to Kaspersky.

Wheeler says the Philadelphia ransomware authors initially targeted healthcare companies, while Petya's authors concentrated on regions within Germany during the spring. Other ransomware campaigns also targeted specific geographies: Serpent's authors focused their campaign on the Netherlands then Belgium, while Crysis targeted German organizations, he says.

Company size also factors into targeted ransomware attacks. Mamba ransomware authors target large organizations with more than 1,000 endpoints, Ivanov says, citing the high-profile attack against the San Francisco Municipal Transportation Agency as one example.

"They are focusing on big organizations because with ransomware, [the payout] is based on how many endpoints you can compromise," Ivanov says, adding that Mamba is still active and targeting organizations in the Middle East.

Evolution

Meantime, while the Philadelphia and Petya authors started out with targeted campaigns, their strategy eventually shifted. "Once ransomware goes global, it is not used as a targeted campaign. That's what happened with Philadelphia and Petya," Wheeler says.

Philadelphia targeted healthcare companies before it later become a commodity and was sold as a ransomware-as-a-service (RaaS), a situation similar to Petya, which initially targeted companies in Germany, explains Wheeler.

Defending against targeted or spray-and-pray ransomware attacks is similar: each require backing up data frequently, dedicating a team to analyze the organization's endpoint security and activity, and ensuring all control processes are in place on the network, Ivanov says.

"Targeted ransomware attacks will continue to evolve," Ivanov warns, so companies need to take steps to reduce the impact.

Related Content:

 

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6978
PUBLISHED: 2018-12-18
vRealize Operations (7.x before 7.0.0.11287810, 6.7.x before 6.7.0.11286837 and 6.6.x before 6.6.1.11286876) contains a local privilege escalation vulnerability due to improper permissions of support scripts. Admin user of the vROps application with shell access may exploit this issue to elevate the...
CVE-2018-20213
PUBLISHED: 2018-12-18
wbook_addworksheet in workbook.c in libexcel.a in libexcel 0.01 allows attackers to cause a denial of service (SEGV) via a long name. NOTE: this is not a Microsoft product.
CVE-2017-15031
PUBLISHED: 2018-12-18
In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information.
CVE-2018-19522
PUBLISHED: 2018-12-18
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input.
CVE-2018-1833
PUBLISHED: 2018-12-18
IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507.