

Eric P. Schlesinger
News Analysis-Security Now

WannaCry Was Just the Beginning

Petya proves that WannaCry is just the beginning of a new, far more serious type of cyberattack.

Ransomware isn't a new topic for 2017. The recent worldwide outbreak of WannaCry has borne out many of the predictions security experts made as 2016 came to a close. With the uptick in cyberattacks, from botnets built out of Internet-connected devices to cybercrime-as-a-service and ransomware variants too numerous to count, it is easier than ever to envision the next evolution of ransomware as criminals take what they learned from WannaCry and adapt its attack vectors.

Here are a few predictions about what we could see in the second half of 2017:

More sophisticated ransomware
WannaCry is the first high-impact ransomware that spread like a traditional worm: it exploited a flaw in Microsoft's SMBv1 file-sharing protocol (the "EternalBlue" exploit) to copy itself from one machine to the next, inside an organization's network and across the Internet, without relying on a user to open an email or a malicious attachment. This is a stark contrast to traditional ransomware, whose sole purpose is to encrypt files on the hard drive of the single machine where the infection originated, plus whatever shared folders that machine has mapped as network drives from a file server.

WannaCry's replication depended on organizations that had not moved off unsupported operating systems such as Windows XP and Server 2003 (which had no fix until Microsoft issued an emergency patch after the outbreak), or had simply not deployed MS17-010, the patch Microsoft had released for supported systems in March. This "whistling through the graveyard" approach not only let the ransomware in but let it copy itself onto every vulnerable host it could reach, propagating the infection from one end of a network to the other. The lesson for practitioners is as old as worms themselves: patch promptly, disable SMBv1 where nothing still needs it, and do not let TCP port 445 cross network boundaries.

As ransomware becomes more sophisticated, it is not a stretch to expect it to move laterally within a network by more than one route rather than a single exploit (Petya, a month later, paired an exploit with stolen administrative credentials to do exactly that), or to leave hidden payloads that evade current malware and threat detection techniques, lying dormant until they activate and begin to spread again.
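One early-warning check a practitioner can build from this section is a fan-out detector: a WannaCry-style worm shows up in network telemetry as one host opening TCP/445 to many distinct peers in a short time, and WannaCry in particular also probed random public addresses on 445. The following is an added example, not code from the article: a sliding-window detector run over constructed connection-log lines. The log format ("<ISO timestamp> <src> <dst> <dport> <status>"), the private ranges, the 60-second window and the 20-peer threshold are all assumptions for the example.

```python
"""
Fan-out detection for worm-style SMB spread over connection logs.
Added example, not code from the article. Log format, thresholds and
address ranges are assumptions; sample traffic is constructed, not real.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumed internal address space (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_line(line):
    """'2017-05-12T10:00:01 10.0.5.250 10.0.5.1 445 rejected' -> tuple."""
    ts, src, dst, dport, status = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), status


def find_fanout_scanners(lines, port=445, window_s=60, threshold=20):
    """Return {src: (first_alert_time, distinct_peers)} for every source
    that reached `threshold` distinct internal destinations on `port`
    within any `window_s`-second window. Rejected connections count too:
    a scanning worm is noisy precisely because most of its probes fail."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _status = parse_line(line)
        if dport != port or not is_internal(dst):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop entries older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


def find_external_smb(lines, port=445):
    """Internal hosts attempting SMB to public addresses. That should never
    happen on a managed network, so even one attempt is worth an alert."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _ts, src, dst, dport, _status = parse_line(line)
        if dport == port and is_internal(src) and not is_internal(dst):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def build_sample_log():
    """Constructed sample traffic (not a real capture) mixing normal SMB
    use with one host behaving like a scanning worm."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = []
    # Normal: a workstation hitting the same file server repeatedly.
    for i in range(30):
        lines.append(f"{stamp(2 * i)} 10.0.7.15 10.0.1.5 445 accepted")
    # Normal: an admin host checking five servers in quick succession.
    for i in range(5):
        lines.append(f"{stamp(i)} 10.0.9.2 10.0.1.{i + 1} 445 accepted")
    # Worm-like: one host sweeping its /24 on 445, a new peer every second.
    for i in range(1, 41):
        lines.append(f"{stamp(10 + i)} 10.0.5.250 10.0.5.{i} 445 rejected")
    # Worm-like: the same host probing public addresses on 445.
    for i, dst in enumerate(("203.0.113.7", "198.51.100.23")):
        lines.append(f"{stamp(60 + i)} 10.0.5.250 {dst} 445 rejected")
    return sorted(lines)   # ISO timestamps sort chronologically as text


if __name__ == "__main__":
    log = build_sample_log()
    for src, (when, n) in find_fanout_scanners(log).items():
        print(f"ALERT fan-out: {src} reached {n} distinct peers on 445 by {when}")
    for src, dsts in find_external_smb(log).items():
        print(f"ALERT egress SMB: {src} -> {', '.join(dsts)}")
```

The workstation and the admin host never trip the detector because they talk to one or five peers; the sweeping host is flagged the moment its twentieth distinct peer appears inside the window, long before it finishes the /24, which is the point at which a network access control or switch-port quarantine could cut it off. Tune the window and threshold to the normal fan-out of your own file servers and scanners before deploying anything like this.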

More platform-independent ransomware
WannaCry reinforces that ransomware is mostly a problem for users of the Windows operating system. This should come as no surprise: Windows is the most widely used desktop operating system in the world, usually holding a commanding 90% of the desktop market.

The time is rapidly approaching when ransomware variants will become more platform independent, making it more attractive for criminals to invest in ransomware that can affect the other major desktop operating systems, such as Linux or Mac OS X.

As organizations deploy more heterogeneous environments, the attack surface on those platforms will grow with them. Multi-platform ransomware will proliferate as a catch-all threat aimed at non-Windows victims. Couple this with the false belief that a Linux or Mac OS X system is inherently protected from viruses and malware, and a perfect storm is brewing.

More targeted ransomware
WannaCry, like most traditional ransomware, walked the file system of the machine it infected and encrypted every file whose extension was on its target list (documents, images, archives, databases and the like), skipping Windows system directories and executables. This brute-force approach attacks any and all files without regard to what they contain or what they are worth, because the ability to collect on the ransom rests purely on the victim's own valuation of the encrypted data and on whether the victim can recover it another way.

With that said, newer variants are already targeting non-traditional technologies, making attacks harder to detect, contain and recover from. The recent attacks on MongoDB and MySQL databases, in which attackers erased the data and replaced it with a ransom demand, point to more targeted ransomware on the horizon. Those databases were reachable from the Internet with no authentication, and in many cases the attackers kept no copy of what they deleted, so paying recovered nothing: a reminder that the database's own access controls, not just the ransom note, decide the outcome.

There is no doubt that attackers will improve on their targeting techniques, performing reconnaissance and building out the most effective attack vector to impact specific technologies, all with the goal of disrupting critical systems that will force the target organization to pay the ransom.

More personal ransomware
WannaCry also raises the question of what ransomware could do in combination with the rapid adoption of Internet-enabled hardware. The proliferation of the Internet of Things has introduced an army of small computers running scaled-down versions of popular operating systems and connecting to the Internet over short-range wireless links. These devices are just as vulnerable to ransomware and other threats, yet they are mostly ignored during vulnerability assessments and patching exercises.

Ransomware authors will begin setting their sights on vulnerable Internet-enabled hardware. The next evolution of ransomware will move past the encryption of files and databases toward extortion by disabling physical systems or medical devices.

It's only a matter of time before people see messages on their car screens saying the engine has been disabled, or malicious code locks up their brakes to cause an accident. Far worse is ransomware that targets devices used in the medical community, so that patients must pay if they want their implanted defibrillator or portable oxygen concentrator to keep working. The personal nature of these attacks could easily create life-or-death situations.

More state-of-the-art techniques
WannaCry is just one example of the coming ransomware evolution that has generated a lot of news coverage, mainly because of how far and wide its reach was.

Unfortunately, cyberattacks will continue to evolve as cybercriminals' methods grow more advanced each year. But, as the problem continues, more state-of-the-art techniques developed by forward-thinking cybersecurity solution providers will adapt to meet the threat.

Groundbreaking counter-measures will emerge that include cutting-edge distributed storage architectures for rapid recovery, early warning detection systems that can identify and slow down a threat before it spreads and innovative protection technologies such as "cloaking" that can reduce the attack surface.

No one is absolutely safe
Chances are you know someone, or some organization, that has suffered a ransomware attack, and as WannaCry showed, a breach can happen at any time. One thing its rapid propagation should make perfectly clear is that no individual or organization, regardless of size, geography or industry, is safe from these threats. It is up to every person to be aware of them and stay cyber vigilant to help stop them from spreading.

Eric Schlesinger serves as Senior Vice President, Information Security, Polaris Alpha. He has more than 20 years of experience in infrastructure and operations management, focused on building efficient and scalable solutions.
