Partner Perspectives
11/23/2015 12:10 PM
Michael Sentonas

Where Is Ransomware Going?

As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will go after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Ransomware, the malicious software that encrypts your files until you pay to get the encryption key to unlock them, is having quite a successful run. Initially targeting consumers, criminals are turning toward businesses and government organizations, demanding higher ransoms for more valuable data. An FBI agent has even commented that ransomware is so good the bureau often recommends that people just pay the ransom.

That is obviously not an acceptable long-term solution to the problem, especially as it appears the criminal technique continues to evolve.

We typically see malware threats go through several phases, starting off with attacks in small volumes, as the authors evaluate target systems’ defenses until they identify approaches that achieve reasonable success rates. Then the attacks increase in volume, going after consumers, then businesses, as the technique matures and gets monetized through massive campaigns. The next phase is a shift from volume to highly targeted attacks, as defenses adapt to the generic approach, criminals identify higher value targets, and special interest groups adopt the technique for their own specific purposes.

Ransomware is currently moving from the volume phase to the targeted phase: the delivery mechanisms are getting more sophisticated, and the operators are looking for more valuable ways to extract money from their victims.

Ransomware is nasty because, unlike other malware infections, you cannot simply run a cleaning or removal tool to undo the damage: removing the malware does not decrypt the files, so defenses have to catch it before it can act. However, an offline backup is a reasonable and effective precaution that disarms most of the power of the ransomware. We (law enforcement and the security industry) have also had a fair amount of recent success finding and taking down ransomware servers such as CryptoLocker.
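Because removal after the fact does not recover the data, the practical defensive task is to notice encryption behaviour while it is happening. The following Python is an added example, not code from the article or from Intel Security: it scores a constructed stream of file-write events and flags a host that rewrites many files with near-random content (high Shannon entropy) to extensions that are not normally compressed or encrypted, inside a short time window. The event format, host names, thresholds and the allow-list of high-entropy file types are all assumptions chosen for the illustration.

```python
import math
import os
from collections import defaultdict

# Assumption: file types that are legitimately high-entropy (compressed or already
# encrypted containers). High-entropy writes to these are not counted as a signal.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".docx", ".xlsx", ".pptx",
                   ".pdf", ".jpg", ".png", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for encrypted or
    compressed data, typically 4-5 for natural-language text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path: str, data: bytes, threshold: float = 7.0) -> bool:
    """A write looks like ransomware output when the content is near-random
    but the file's extension is not one that is normally compressed/encrypted."""
    ext = os.path.splitext(path)[1].lower()
    return ext not in HIGH_ENTROPY_OK and shannon_entropy(data) >= threshold


def detect_encryption_bursts(events, window_s=60, min_burst=5):
    """Group suspicious writes by host and flag any host that produced at least
    `min_burst` of them inside a sliding window of `window_s` seconds.
    `events` is an iterable of (timestamp_s, host, path, data) tuples.
    Returns {host: number of suspicious writes in that host's densest window}."""
    per_host = defaultdict(list)
    for ts, host, path, data in events:
        if is_suspicious_write(path, data):
            per_host[host].append(ts)

    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        best = 0
        j = 0  # index of the first stamp outside the current window
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] <= start + window_s:
                j += 1
            best = max(best, j - i)
        if best >= min_burst:
            flagged[host] = best
    return flagged


# Constructed stand-ins: an "encrypted" blob with maximal entropy, and plain text.
ENCRYPTED_BLOB = bytes(range(256)) * 2          # entropy exactly 8.0 bits/byte
TEXT_BLOB = b"Q3 revenue summary for the board meeting.\n" * 12

# Constructed sample events, not taken from the article: (timestamp_s, host, path, data).
# ws-02 is normal activity (text plus one archive); ws-17 rewrites six spreadsheets
# as near-random blobs with a new extension within a few seconds.
SAMPLE_EVENTS = [
    (0, "ws-02", "/home/ana/notes.txt", TEXT_BLOB),
    (3, "ws-02", "/home/ana/archive.zip", ENCRYPTED_BLOB),   # compressed: ignored
    (5, "ws-02", "/home/ana/todo.txt", TEXT_BLOB),
] + [
    (10 + i, "ws-17", f"/srv/finance/report{i}.xlsx.crypt", ENCRYPTED_BLOB)
    for i in range(6)
]

if __name__ == "__main__":
    for host, n in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT host={host} high-entropy rewrites in window={n}")
```

The entropy test on its own is noisy (archives and media files are high-entropy too), which is why the example combines it with the extension allow-list and a burst count per host; in a real deployment the events would come from a file-audit or EDR feed, and the thresholds would be tuned against a baseline of normal activity before alerting on them.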

As a result, we are seeing changes to the ransom model, where encryption of your data is just one step. Using targeted attacks such as emails that look like they originate from within your company, attackers are getting their malicious encryption tools into vulnerable systems. Then, after encrypting the files or data stream, they threaten to publish something that you will pay to keep secret, whether it is valuable financial information or embarrassing emails. A recent ransomware campaign in Germany called “Chimera” threatens to publish your files if you do not pay a ransom of more than 600 euros, according to the Anti-Botnet Advisory Centre. It is not clear whether Chimera actually exfiltrates your files and can carry out the threat, but if it cannot, the next one will.

Ransomware’s Next Target

Where will ransomware go next? As we adopt more and more technology in our lives, we are also fueling the creativity of our attackers. As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will change and multiply their attack vectors, going after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Think about the risk to your organization of criminals threatening to release audio captured from an executive’s television, video from a board meeting, or embarrassing details from your personnel files. This could result in new opportunities for them to make more money than they do today, charging a ransom to decrypt your data and a premium to not publicly release it. 

When threats go from volume to targeted mode, you need a shared intelligence strategy that can detect threats at multiple points, across both your network and the cloud. You need to be aware of the potential motivations, whether that is organized crime looking for payment or hacktivists looking to expose corporate secrets. Understanding the attacker profiles helps you identify what material is valuable and vulnerable, and helps you prioritize your security efforts.

Ransomware is just one threat that is evolving with our technology usage. Whether it is cloud computing, IoT devices, or virtualization, security needs are changing to require greater integration between defenses; broader collaboration with law enforcement, industry organizations, and supply chain partners; and increased automation that can react at digital speeds. 

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ...
Comments
Kwattman, User Rank: Black Belt, 11/23/2015 | 1:49:29 PM
Ransomware
Good post! Organizations may be forced into using ransomware or the like as a security audit. It would be much more effective to look over your data, your security or defense in depth and plug the holes ahead of time, before some cybercriminal does it for you. And back up in multiple places.