Partner Perspectives  Connecting marketers to our tech communities.
11/23/2015
12:10 PM
Michael Sentonas
Michael Sentonas
Partner Perspectives
100%
0%

Where Is Ransomware Going?

As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will go after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Ransomware, the malicious software that encrypts your files until you pay to get the encryption key to unlock them, is having quite a successful run. Initially targeting consumers, criminals are turning toward businesses and government organizations, demanding higher ransoms for more valuable data. An FBI agent has even commented that ransomware is so good the bureau often recommends that people just pay the ransom.

That is obviously not an acceptable long-term solution to the problem, especially as it appears the criminal technique continues to evolve.

We typically see malware threats go through several phases, starting off with attacks in small volumes, as the authors evaluate target systems’ defenses until they identify approaches that achieve reasonable success rates. Then the attacks increase in volume, going after consumers, then businesses, as the technique matures and gets monetized through massive campaigns. The next phase is a shift from volume to highly targeted attacks, as defenses adapt to the generic approach, criminals identify higher value targets, and special interest groups adopt the technique for their own specific purposes.

Ransomware is currently moving from the volume to targeted phase, increasing in sophistication of the delivery mechanism and looking for more valuable ways to get money from its victims.

Ransomware is nasty because, unlike other malware infections, you cannot run a cleaning or removal tool to get rid of it so defenses have to catch it before it can act. However, an offline backup is a reasonable and effective precaution that disarms most of the power of the ransomware. We (law enforcement and security industry) have also had a fair amount of recent successes finding and taking down ransomware servers such as CryptoLocker.

As a result, we are seeing changes to the ransom model, where encryption of your data is just one step. Using targeted attacks such as emails that look like they originate from within your company, attackers are getting their malicious encryption tools into vulnerable systems. Then, after encrypting the files or data stream, they threaten to publish something that you will pay to keep secret, whether it is valuable financial information or embarrassing emails. A recent ransomware campaign in Germany called “Chimera” threatens to publish your files if you do not pay the ransom of more than 600 euros, according to the Anti-Botnet Advisory Centre. It is not clear if Chimera actually exports your files and can carry out the threat, but if it cannot, the next one will. 

Ransomware’s Next Target

Where will ransomware go next? As we adopt more and more technology in our lives, we are also fueling the creativity of our attackers. As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will change and multiply their attack vectors, going after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Think about the risk to your organization of criminals threatening to release audio captured from an executive’s television, video from a board meeting, or embarrassing details from your personnel files. This could result in new opportunities for them to make more money than they do today, charging a ransom to decrypt your data and a premium to not publicly release it. 

When threats go from volume to targeted mode, you need a shared intelligence strategy that can detect threats at multiple points, across both your network and the cloud. You need to be aware of the potential motivations, whether that is organized crime looking for payment or hacktivists looking to expose corporate secrets. Understanding the attacker profiles helps you identify what material is valuable and vulnerable, and helps you prioritize your security efforts.

Ransomware is just one threat that is evolving with our technology usage. Whether it is cloud computing, IoT devices, or virtualization, security needs are changing to require greater integration between defenses; broader collaboration with law enforcement, industry organizations, and supply chain partners; and increased automation that can react at digital speeds. 

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kwattman
50%
50%
Kwattman,
User Rank: Black Belt
11/23/2015 | 1:49:29 PM
Ransomware
Good post! Organizations maybe forced into using ransomware or the like as a security audit. It would be much more effective to look over your data, your security or defense in depth and plug the holes ahead of time, before some cybercriminal does it for you. And backup in multiple places. 
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Threat Intel: Finding Balance in an Overcrowded Market
Kelly Sheridan, Staff Editor, Dark Reading,  4/23/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.