
4/17/2018
08:05 AM
Jeffrey Burt

Ransomware: Still a Security Threat & Still Evolving

While ransomware may have faded from the headlines a bit during the first four months of 2018, a bevy of reports from Verizon, Symantec and Webroot find that not only does it remain a top security threat, but it continues to evolve as well.

Ransomware continues to be a significant security threat to businesses and consumers alike, as the high-profile WannaCry and NotPetya attacks that have spilled over from 2017 into this year clearly illustrate, but it is evolving as it matures.

Several reports released in recent weeks that examine the cybersecurity landscape of 2017 noted that ransomware remains among the most prevalent malware threats worldwide. In its annual Data Breach Investigations Report (DBIR), Verizon Enterprise noted that in 2013, ransomware made up less than 5% of the malware incidents reported that year.

In 2017, that share had risen to about 45%.

"Ransomware was first mentioned in the 2013 DBIR and we referenced that these schemes could 'blossom as an effective tool of choice for online criminals,' " the researchers wrote in the report. "And blossom they did! Now we have seen this style of malware overtake all others to be the most prevalent variety of malicious code for this year’s dataset."

It's not surprising, given the low level of effort and the high return on investment that ransomware represents to the cyber-criminal. The Verizon report notes that there is little risk or cost to the attacker, who essentially sends out phishing emails, and when it works, they don’t have to concern themselves with monetizing the data they capture. Instead the money comes when the victimized business or consumer pays the ransom, usually through bitcoin. In addition, those ransoms can be even larger by deploying the malware across multiple devices within the same organization.

Still evolving
WannaCry and NotPetya were the largest and most prolific ransomware attacks and represent an escalation in the damage this type of malware can do, according to researchers at Webroot. In 2017, the two ransomware variants hit 200,000 machines in more than 100 countries within a 24-hour period, they said in the 2018 Webroot Threat Report. The estimated damage from the NotPetya attacks reached $1.2 billion, researchers said. Kaspersky Lab has said that before it was contained, WannaCry impacted about 400,000 computers in 150 companies, causing about $4 billion in damage.

Symantec researchers in their 2018 Internet Security Threat Report said that the vendor had blocked 5.4 billion WannaCry attacks.

"These attacks used the EternalBlue exploit to attack the server message block (SMB), which is essentially a filesharing vulnerability on Windows XP and newer," the Webroot researchers wrote. "The malware was then able to move laterally through the network just like a worm, reaching any computer running SMB, even those not connected directly to the network, but to another network-connected device."

Ransomware in 2018
And the attacks are continuing. Last month, a Boeing aircraft plant in South Carolina sustained a ransomware attack that apparently was related to the WannaCry virus. Meanwhile, both Atlanta and Baltimore also were hit by ransomware attacks on government agencies. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)

Ransomware variants have evolved over the past year or two, changing how they operate. Verizon researchers noted that attacks have increasingly focused on servers, and that the attackers are looking to extend the malware’s reach beyond the first infected system.

"Focusing on the increase in server assets that were affected over time we see that infections aren’t limited to the first desktop that is infected," according to the report. "Lateral movement and other post-compromise activities often reel in other systems that are available for infection and obscuration. Encrypting a file server or database is more damaging than a single user device."

In an earlier interview with Security Now, Risk Expert Gabe Bassett noted that ransomware attacks involving databases jumped in one year from 4.1% to 12%, and that breaches involving backup systems went from essentially nothing to 4%. (See Verizon: Change the Attacker's Value Proposition.)

RDP weakness
Webroot researchers also found that ransomware attackers are evolving their methods, expanding attack vectors beyond spam email campaigns to include exploiting unsecured remote desktop protocol (RDP).

"A convenient way to control servers and other machines remotely, RDP suffers from several security weaknesses, such as leaving port 3389/TCP open to any inbound connection (more than 11 million endpoints do so); not requiring administrators to change the default admin account credentials; and allowing a very large number of login attempts before triggering an alert or account lockout," they wrote. "Cybercriminals can use specialized tools equipped with large username and password lists to eventually make their way in."

Once they're inside, the criminals can use specialized tools or custom malware to move past or disable security measures. Leveraging an RDP campaign for ransomware creates "an especially potent infection, since the attacker can also view other computers on the network and gather information for future campaigns. Whether for profit or destruction, new developments in ransomware are causing the industry to reevaluate the role and intentions of ransomware in future global attacks."
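The third weakness Webroot lists, a large number of failed logins before anything alerts or locks out, is the one a defender can catch with simple log analysis. The following is an added example, not code from Webroot, Verizon or this article: it parses a handful of constructed failed-logon records (the field layout is an assumption made for the example, loosely modelled on Windows event 4625 with logon type 10 for RDP) and flags any source address that accumulates a threshold of RDP failures within a sliding time window, along with the accounts it tried. The threshold and window values are assumptions to be tuned to the environment.

```python
"""Detect RDP password-guessing from failed-logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The format "<timestamp> <event id> key=value ..."
# is an assumption for this example, not a real log format. Event 4625 is a
# failed logon, 4624 a successful one; LogonType=10 is RemoteInteractive (RDP).
SAMPLE_LOG = """\
2018-04-16T02:00:01 4625 LogonType=10 Account=Administrator Source=203.0.113.45
2018-04-16T02:00:03 4625 LogonType=10 Account=admin Source=203.0.113.45
2018-04-16T02:00:04 4625 LogonType=10 Account=Administrator Source=203.0.113.45
2018-04-16T02:00:06 4625 LogonType=10 Account=backup Source=203.0.113.45
2018-04-16T02:00:08 4625 LogonType=10 Account=Administrator Source=203.0.113.45
2018-04-16T02:00:09 4625 LogonType=10 Account=svc_sql Source=203.0.113.45
2018-04-16T02:00:11 4625 LogonType=10 Account=Administrator Source=203.0.113.45
2018-04-16T09:15:00 4625 LogonType=10 Account=jsmith Source=198.51.100.7
2018-04-16T09:15:40 4624 LogonType=10 Account=jsmith Source=198.51.100.7
2018-04-16T11:00:00 4625 LogonType=2 Account=jsmith Source=-
"""

THRESHOLD = 5                   # assumed: failures per window that warrant an alert
WINDOW = timedelta(minutes=5)   # assumed: sliding window length
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Split one record into a dict: timestamp, event id, and key=value fields."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "event": event_id, **kv}


def rdp_failures(lines):
    """Yield only the records that are failed RDP (logon type 10) logons."""
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "4625" and rec.get("LogonType") == RDP_LOGON_TYPE:
            yield rec


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source: (max_failures_in_window, sorted_accounts_tried)} for every
    source whose failed RDP logons reach the threshold inside the window."""
    by_source = defaultdict(list)
    for rec in rdp_failures(log_text.splitlines()):
        by_source[rec["Source"]].append(rec)

    alerts = {}
    for src, recs in by_source.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it fits within `window` of the newest record.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (src not in alerts or count > alerts[src][0]):
                accounts = sorted({r["Account"] for r in recs[start:end + 1]})
                alerts[src] = (count, accounts)
    return alerts


if __name__ == "__main__":
    for src, (count, accounts) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed RDP logons, accounts tried: {accounts}")
```

On the constructed sample, only 203.0.113.45 is flagged: seven failures in ten seconds across four account names, the pattern of a wordlist being run against the service, while the single failure followed by a success from 198.51.100.7 and the non-RDP failure stay below the bar. The same counting logic is what an account-lockout policy applies per account rather than per source; alerting per source catches attempts that rotate through many usernames to stay under per-account lockout limits.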

There also are questions about the long-term impact of ransomware, with some anticipating a decline in such attacks. WannaCry, which many researchers believe started in North Korea, was able to spread in part by attacking machines with older versions of Microsoft Windows that enterprises had not patched. Once WannaCry hit the scene, Microsoft rolled out new patches and also sent out alerts urging users to update their older systems.


In addition, cybercriminals appear to be shifting their efforts to other crimes, including "coin mining as an alternative to cash in while crypto currency values are high. Some online banking threats have also experienced a renaissance as established ransomware groups have attempted to diversify," Symantec researchers wrote.

Malwarebytes saw a similar trend during the first three months this year. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)

'Market' adjustment
Symantec researchers also wrote that the profits that ransomware attackers reaped in 2016 led to a land rush on the space last year, creating a crowded market and overpriced ransom demands. The company in 2017 saw a 46% increase in new ransomware variants, but the market saw what researchers called a "correction," with fewer ransomware families and lower ransom demands, indicating that ransomware was becoming commoditized.

"Last year, the average ransom demand dropped to $522, less than half the average of the year prior," the report found. "And while the number of ransomware variants increased by 46%, indicating the established criminal groups are still quite productive, the number of ransomware families dropped, suggesting they are innovating less and may have shifted their focus to new, higher value targets."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
