3/16/2016
05:50 PM

Ransomware Will Spike As More Cybercrime Groups Move In

The lure of easy money attracting organized groups is a trend that spells more trouble for enterprises, researchers say.

Look for a sharp uptick in the quantity and quality of ransomware this year as more organized cybercrime groups employ ransomware, thanks to the huge success other criminals have had monetizing these attacks, security experts say.

Take the Dridex group, a Russian cybercrime gang that until now has been known mainly for operating one of the most successful banking Trojans ever. The group is believed to be behind a recently released ransomware tool dubbed Locky that has begun proliferating in a major way on computers worldwide.

Locky, which some think was used in the recent ransomware attack on Hollywood Presbyterian Memorial Hospital, surfaced in mid-February and has already emerged as one of the top five ransomware tools in circulation. A recent report by security vendor Fortinet, in fact, puts Locky second only to CryptoWall, a ransomware tool that is believed to have generated tens of millions of dollars in revenue for its operators. Forbes last month pegged Locky as infecting a staggering 90,000 computers a day worldwide.

“In the case of Dridex, the lines between crimeware and ransomware are starting to blur,” says Ronnie Tokazowski, senior researcher at PhishMe. “For most of the life of Dridex, the attackers would focus on banking as a primary target for attacks,” he said. But as of last month, “they have shifted and are now trying to monetize from ransomware as a way to cash out and still remain anonymous by using Bitcoins.”

Dridex is not the only example. This week, Reuters quoted executives from three security firms warning about a Chinese group called Codoso being involved in several recent ransomware attacks against US firms. Like the Dridex operators, the Codoso group too appears to have diversified into the ransomware space after initially focusing on another area—in its case, cyber espionage.

Victims of the group include a transportation company and a technology firm that had 30 percent of its machines infected by ransomware, Forbes said.

Expect more such groups to enter the ransomware business, says Stu Sjouwerman, CEO at KnowBe4. “Ransomware is the new criminal business model.”

The significant amount of revenue to be made in ransomware is sure to drive more interest from groups like the operators of Dridex. Such groups already have considerable experience in cybercrime, as well as the infrastructure to quickly ramp up their presence in the ransomware space, says Sjouwerman. The fact that Locky has already become such a widespread threat is one indication of how such groups can change the landscape, he says.

“This is bigger than people think. This is the year when ransomware is finally going to be recognized in the mainstream,” he says.

And the growth is not going to be just in the number of infections either. The money to be made in ransomware is also driving up the quality and lethality of the ransomware tools that have begun surfacing in recent months, say analysts.

In February for instance, the FBI warned of a ransomware variant, called MSIL/Samas.A, that for the first time was designed to infect entire networks and to use persistent access to find and delete network backups. “Many of the executables and tools used in this intrusion are available for free through Windows or open-source projects,” the FBI had warned.

Another example is TeslaCrypt, a ransomware variant that has been around for some time and has constantly kept mutating in its efforts to evade detection. The latest version of the malware, which some consider one of the most sophisticated ransomware variants currently in use, lets criminals use unique encryption keys for each victim, thereby eliminating any likelihood that a single key could be used to unlock multiple encrypted systems.

2016 will be the year that ransomware wreaks havoc on the US critical infrastructure community, said the Institute for Critical Infrastructure Technology (ICIT) in a recent 44-page report examining the ransomware crisis.

For instance, healthcare organizations that were hitherto off-limits for ransomware operators are no longer safe from the threat, ICIT said. The organization surmised the trend might have to do with the appearance of sophisticated Advanced Persistent Threat groups who are entering the stage because of the money to be made in such schemes.

“Ransomware attacks are under-combated and highly profitable,” ICIT said in its report. “With [the] prevalence of mobile devices and the looming shadow of the internet of things, the potential threat landscape available to ransomware threat actors is too tantalizing a target to ignore.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
thomasfischer, User Rank: Author
3/17/2016 | 5:11:59 PM
Great article
Great article Jai. I think the question becomes if you should pay the ransomware or not. I am a strong advocate against this tactic but see this trend rising among companies, especially smaller victims. 