Ransomware continues to be a significant security threat to businesses and consumers alike, as the high-profile WannaCry and NotPetya attacks that have spilled over from 2017 into this year clearly illustrate, but it is evolving as it matures.
Several reports released in recent weeks that examine the cybersecurity landscape of 2017 noted that ransomware remains among the most prevalent malware threats worldwide. In its annual Data Breach Investigations Report (DBIR), Verizon Enterprise noted that in 2013, ransomware made up less than 5% of the malware incidents reported that year.
In 2017, the percent was up to about 45%.
"Ransomware was first mentioned in the 2013 DBIR and we referenced that these schemes could 'blossom as an effective tool of choice for online criminals,' " the researchers wrote in the report. "And blossom they did! Now we have seen this style of malware overtake all others to be the most prevalent variety of malicious code for this year’s dataset."
It's not surprising, given the low level of effort and the high return on investment that ransomware represents to the cyber-criminal. The Verizon report notes that there is little risk or cost to the attacker, who essentially sends out phishing emails, and when it works, they don’t have to concern themselves with monetizing the data they capture. Instead the money comes when the victimized business or consumer pays the ransom, usually through bitcoin. In addition, those ransoms can be even larger by deploying the malware across multiple devices within the same organization.
WannaCry and NotPetya were the largest and most prolific ransomware attacks and represent an escalation in the damage this type of malware can do, according to researchers at Webroot. In 2017, the two ransomware variants hit 200,000 machines in more than 100 countries within a 24-hour period, they said in the 2018 Webroot Threat Report. The estimated damage from the NotPetya attacks reached $1.2 billion, researchers said. Kapersky Labs has said that before it was contained, WannaCry impacted about 400,000 computers in 150 companies, causing about $4 billion in damage.
Symantec researchers in their 2018 Internet Security Threat Report said that the vendor had blocked 5.4 billion WannaCry attacks.
"These attacks used the EternalBlue exploit to attack the server message block (SMB), which is essentially a filesharing vulnerability on Windows XP and newer," the Webroot researchers wrote. "The malware was then able to move laterally through the network just like a worm, reaching any computer running SMB, even those not connected directly to the network, but to another network-connected device."
Ransomware in 2018
And the attacks are continuing. Last month, a Boeing aircraft plant in South Carolina sustained a ransomware attack that apparently was related to the WannaCry virus. Meanwhile, both Atlanta and Baltimore also were hit by ransomware attacks on government agencies. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)
Ransomware variants have evolved over the past year or two, changing how they operate. Verizon researchers noted that attacks have increasingly focused on servers, and that the attackers are looking to extend the malware’s reach beyond the first infected system.
"Focusing on the increase in server assets that were affected over time we see that infections aren’t limited to the first desktop that is infected," according to the report. "Lateral movement and other post-compromise activities often reel in other systems that are available for infection and obscuration. Encrypting a file server or database is more damaging than a single user device."
In an earlier interview with Security Now, Risk Expert Gabe Bassett noted that ransomware attacks involving databases jumped in one year from 4.1% to 12%, and that breaches involving backup systems went from essentially nothing to 4%. (See Verizon: Change the Attacker's Value Proposition.)
Webroot researchers also found that ransomware attackers also are evolving their methods, expanding attack vectors beyond spam email campaigns to include exploiting unsecured remote desktop protocol (RDP).
"A convenient way to control servers and other machines remotely, RDP suffers from several security weaknesses, such as leaving port 3389/TCP open to any inbound connection (more than 11 million endpoints do so); not requiring administrators to change the default admin account credentials; and allowing a very large number of login attempts before triggering an alert or account lockout," they wrote. "Cybercriminals can use specialized tools equipped with large username and password lists to eventually make their way in."
Once they're inside, the criminals can use specialized tools or custom malware to move past or disable security measures. Leveraging an RDP campaign for ransomware creates "an especially potent infection, since the attacker can also view other computers on the network and gather information for future campaigns. Whether for profit or destruction, new developments in ransomware are causing the industry to reevaluate the role and intentions of ransomware in future global attacks."
There also are questions about the long-term impact of ransomware, with some anticipating a decline in such attacks. WannaCry, which many researchers believe started in North Korea, was able to spread in part by attacking machines with older versions of Microsoft Windows that enterprises had not patched. Once WannaCry hit the scene, Microsoft rolled out new patches and also sent out alerts urging users to update their older systems.
In addition, cybercriminals appear to be shifting their efforts to other crimes, including "coin mining as an alternative to cash in while crypto currency values are high. Some online banking threats have also experienced a renaissance as established ransomware groups have attempted to diversify," Symantec researchers wrote.
Malwarebytes saw a similar trend during the first three months this year. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)
Symantec researchers also wrote that the profits that ransomware attackers reaped in 2016 led to a land rush on the space last year, creating a crowded market and overpriced ransom demands. The company in 2017 saw a 46% in new ransomware variants, but the market saw what researchers called a "correction," with fewer ransomware families and lower ransom demands, indicating that ransomware was becoming commoditized.
"Last year, the average ransom demand dropped to $522, less than half the average of the year prior," the report found. "And while the number of ransomware variants increased by 46%, indicating the established criminal groups are still quite productive, the number of ransomware families dropped, suggesting they are innovating less and may have shifted their focus to new, higher value targets."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.