Dark Reading
6/29/2017 04:40 PM
Eric P. Schlesinger
News Analysis-Security Now

WannaCry Was Just the Beginning

Petya proves that WannaCry is just the beginning of a new, far more serious type of cyberattack.

Ransomware isn't a new topic for 2017. The recent global outbreak of WannaCry has reinforced many of the predictions that security experts boldly made as 2016 came to a close. With an uptick in cyberattacks, ranging from botnets implanted on Internet-connected devices to cybercrime-as-a-service and ransomware variants too numerous to count, it is easier than ever to envision the next evolution of ransomware as cybercriminals take what they just learned from the WannaCry attack and change its attack vector.

Here are a few predictions about what we could see in the second half of 2017:

More sophisticated ransomware
WannaCry is the first impactful ransomware that spread like a traditional malware worm through an organization's network from within, without having to rely solely on a user opening an email or a malicious attachment. This is a stark contrast to traditional ransomware, whose sole purpose is to encrypt files on the hard drive of the single machine where the infection originated, plus any shared folders presented as network drives from a file server.

WannaCry certainly leveraged this replication capability, relying on the fact that many organizations, for lack of urgency, had failed either to upgrade from legacy Microsoft operating systems such as Windows XP or to deploy the relevant patch released in March for the supported operating systems. This "whistling through the graveyard" approach not only let the ransomware in but enabled it to produce copies of itself without limit, propagating the infection from one end of a network to the other.

As ransomware becomes more sophisticated, it is not a stretch to think that it will begin to be able to move laterally within a network or leave hidden payloads that are undetectable with current malware and threat detection techniques, just waiting to activate and begin to spread again.

More platform-independent ransomware
WannaCry continues to expose the fact that ransomware is mostly a problem for users of the Windows operating system. This should come as no surprise, since Windows is the most widely used operating system in the world, usually holding a commanding 90% of the desktop operating system market share.

The time is rapidly approaching when ransomware variants will become more platform independent, making it more attractive for cybercriminals to invest in ransomware that can impact the other major desktop operating systems, such as Linux or Mac OS X.

As organizations invest in more heterogeneous environments, the attack surface for these platforms is guaranteed to grow as the enterprise desktop landscape evolves. Multi-platform ransomware will proliferate as a catch-all threat targeting non-Windows victims. Couple this with the false belief that a Linux or Mac OS X operating system is inherently better protected from malicious activity such as viruses and malware, and a perfect storm is brewing.

More targeted ransomware
WannaCry, like most traditional ransomware, scanned and encrypted almost all non-system, non-executable files it found on the system it infected. This brute-force methodology attacks any and all files, with no need to discern file type or size, because the ability to collect on the ransom demand depends purely on the value the victim places on the encrypted data and on the victim's ability to recover it.

With that said, there are newer ransomware variants that target non-traditional technologies, making an attack even harder to detect, contain and recover from. Recent examples of attacks that erase data in MongoDB and MySQL databases and replace it with a ransom demand indicate that more targeted ransomware attacks are on the horizon.

There is no doubt that attackers will improve on their targeting techniques, performing reconnaissance and building out the most effective attack vector to impact specific technologies, all with the goal of disrupting critical systems that will force the target organization to pay the ransom.

More personal ransomware
WannaCry also raises the question of the impact ransomware could have in conjunction with the rapid adoption of Internet-enabled hardware devices. The proliferation of the Internet of Things has introduced an army of mini computers running scaled-down versions of popular operating systems that connect to the Internet via short-range wireless technologies. These devices are just as vulnerable to ransomware and other computer threats, yet they are mostly ignored during vulnerability assessments and patching exercises.

Ransomware authors will begin setting their sights on vulnerable Internet-enabled hardware devices. The next evolution of ransomware will quickly move past the encryption of files and databases to extortion by disabling physical systems or medical devices.

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled, or a piece of malicious code locks up their brakes to cause an accident. A far worse situation would be ransomware targeting devices used in the medical community, forcing patients to pay if they want their embedded heart defibrillator or portable oxygen tank to keep working. The personal nature of these attacks could easily create life-or-death situations.

More state-of-the-art techniques
WannaCry is just one example of the coming ransomware evolution, and it generated a lot of news coverage mainly because of how far and wide its reach was.

Unfortunately, cyberattacks will continue to evolve as cybercriminals' methods grow more advanced each year. But, as the problem continues, more state-of-the-art techniques developed by forward-thinking cybersecurity solution providers will adapt to meet the threat.

Groundbreaking countermeasures will emerge, including cutting-edge distributed storage architectures for rapid recovery, early-warning detection systems that can identify and slow down a threat before it spreads, and innovative protection technologies such as "cloaking" that reduce the attack surface.

No one is absolutely safe
Chances are you know someone, or some organization, that has suffered a ransomware attack, and as WannaCry showed, a breach can happen at any time. One thing its rapid propagation should make perfectly clear is that no individual or organization, regardless of size, geographic location or industry, is safe from these types of security threats. It is up to every person to be aware of these threats and to be cyber vigilant to help stop them from spreading.

Eric Schlesinger serves as Senior Vice President, Information Security, Polaris Alpha. He has more than 20 years of experience in infrastructure and operations management, focused on building efficient and scalable solutions.
