WannaCry Was Just the Beginning

Ransomware isn’t a new topic for 2017. The recent outbreak of WannaCry across the globe has reinforced many of the predictions that were boldly projected by many security experts as 2016 came to a close. With an uptick of cyberattacks, ranging from botnets implanted on Internet connected devices, cybercrime-as-a-service and variants on ransomware too numerous to count, it is easier than ever to envision what the next evolution of ransomware could be as cyber criminals take what they just learned from the WannaCry attack and change its attack vector.

Here are a few predictions about what we could see in the second half of 2017:

More sophisticated ransomware
WannaCry is the first impactful ransomware that seemingly spread like a traditional malware worm through an organization’s network from within, without solely having to rely on a user to open an email or malicious attachment. This is a stark contrast to traditional ransomware where the sole purpose is to encrypt files only on the hard drive of the single machine where the infection originated, and any of the shared folders that are presented as network drives from a file server.

WannaCry certainly leveraged this replication feature, relying on a lack of urgency in many organizations to fail to upgrade from legacy Microsoft operating systems such as Windows XP or simply not deploying the relevant patch released in March to protect the supported operating systems. This "whistling through the graveyard" approach not only allowed the ransomware in but enabled it to produce an infinite number of copies of itself, propagating the infection from one end of a network to the other.

As ransomware becomes more sophisticated, it is not a stretch to think that it will begin to be able to move laterally within a network or leave hidden payloads that are undetectable with current malware and threat detection techniques, just waiting to activate and begin to spread again.

More platform-independent ransomware
WannaCry continues to expose the fact that ransomware is mostly a problem that exists for users of the Windows operating system. This should come as no surprise as Windows is the most widely used operating system in the world usually holding a commanding 90% of the desktop operating system market share.

The time is rapidly approaching where ransomware variants will become more platform independent, making the investment for cyber criminals to create ransomware that could impact the other major desktop operating systems such as Linux or Mac OS X more attractive.

As organizations begin to invest in the deployment of more heterogeneous environments, it is guaranteed that the attack vector will increase for these platforms as the enterprise desktop landscape evolves. Multi-platform ransomware will proliferate as a catch-all threat that will target non-Windows victims. Couple this with the false belief that a Linux or Mac OS X operating system is inherently more protected from malicious activity such as viruses and malware and a perfect storm is brewing.

More targeted ransomware
WannaCry, like most traditional ransomware, scanned and encrypted almost all non-system and non-executable related files that it found on the system it infected. This brute force methodology is focused on attacking any and all files, without any need to discern file type or size, as the ability to collect on the ransom demands is purely based on the victim’s perceived value of the data that is encrypted and ability to recover.

With that said, there are examples of newer variants of ransomware that are targeting non-traditional technologies making it even harder to detect, contain and recover from an attack. Recent examples of the malicious attacks that are erasing and replacing data with a ransom demand in databases powered by MongoDB and MySQL indicate that more targeted ransomware attacks are on the horizon.

There is no doubt that attackers will improve on their targeting techniques, performing reconnaissance and building out the most effective attack vector to impact specific technologies, all with the goal of disrupting critical systems that will force the target organization to pay the ransom.

More personal ransomware
WannaCry also brings into question the potential impact ransomware could have in conjunction with the rapid adoption of Internet-enabled hardware devices. The proliferation of the Internet of Things has introduced an army of mini computers running scaled-down versions of popular operating systems that connect to the Internet via low-range wireless technologies. These devices are just as vulnerable to ransomware and other computer threats yet are mostly ignored during vulnerability assessments and patching exercises.

Ransomware authors will begin setting their sights on vulnerable Internet-enabled hardware devices. The next evolution of ransomware will quickly move past the encryption of files and databases and will be replaced with extortion via disabling physical systems or medical devices.

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled, or a piece of malicious code locks up their brakes to cause an accident. A far worse situation is if ransomware begins targeting devices used in the medical community causing patients to have to pay if they want their embedded heart defibrillator or portable oxygen tank to keep working. The personal nature of these types of attacks could easily cause life or death situations.

More state-of-the-art techniques
WannaCry is just one example of the coming ransomware evolution that has generated a lot of news coverage, mainly because of how far and wide its reach was.

Unfortunately, cyberattacks will continue to evolve as cybercriminals' methods grow more advanced each year. But, as the problem continues, more state-of-the-art techniques developed by forward-thinking cybersecurity solution providers will adapt to meet the threat.

Groundbreaking counter-measures will emerge that include cutting-edge distributed storage architectures for rapid recovery, early warning detection systems that can identify and slow down a threat before it spreads and innovative protection technologies such as "cloaking" that can reduce the attack surface.

No one is absolutely safe
Chances are you know someone, or some organization, that has suffered a ransomware attack, and as seen with WannaCry, a breach can happen at any time. One thing that should become perfectly clear with its rapid propagation is that no individuals or organizations, regardless of their size, geographic location or industry, are safe from these types of security threats. A breach can happen at any time and it is up to every person to be aware of these threats and be cyber vigilant to help stop them from spreading.

— Eric Schlesinger serves as Senior Vice President, Information Security, Polaris Alpha. He has more than 20 years of experience in infrastructure and operations management, focused on building efficient and scalable solutions.