Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/26/2019
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransomware Situation Goes From Bad to Worse

New malware distribution techniques and functionality updates are sure to put more pressure on enterprise organizations in 2020.

The surge in ransomware attacks on cities, municipalities, schools, and healthcare organizations this year is just a foretaste of what is likely come in 2020.

Threat actors have sensed a very real opportunity to make big returns attacking enterprise organizations using ransomware and are refining their tools and techniques to increase their chances for success, say worried security experts.

Some recent developments include growing collaboration between threat groups on ransomware campaigns; the use of more sophisticated evasion mechanisms; elaborate multi-phase attacks involving reconnaissance and network scoping; and human-guided automated attack techniques.

IT and security groups that are already under pressure to respond will be challenged even more by the growing sophistication of the ransomware threat, experts note. While municipal governments, schools, and other perceived "soft" targets will continue to bear the brunt of the attacks, no organization will really be safe.

"We would assume that the larger and more important an organization is, the more attractive a target it poses for extortionists," says Fedor Sinitsyn, senior malware analyst at Kaspersky. But "any company or organization should be aware of [the] threat and plan accordingly," he notes.

With the current reliance on digital infrastructure, any network disruption equals loss of money. Taking into account the disastrous effects of ransomware, the recovery period for some organizations could end up being long and painful, Sinitsyn says.

Going From Bad to Worse

2019 turned out to be a far more active year for ransomware than many might have anticipated given the declining overall volume in attacks last year.

Emsisoft recently estimated that ransomware attacks have cost US government agencies, educational establishments, and healthcare providers alone more than $7.5 billion this year. According to the security vendor, up to December 2019, at least 759 healthcare providers, 103 state and municipal governments and agencies, and 86 universities, colleges, and school districts have been hit in ransomware attacks.

In addition to financial losses the attacks have resulted in emergency patients being redirected to other hospitals, medical records being lost, property transactions being halted, surveillance systems going offline, and other very real-world consequences, Emsisoft said.

Several developments suggest that the situation in 2020 is likely going to be at least as bad, if not actually worse.

One troubling trend is the growth in instances of threat groups collaborating with each other to enable easier delivery of malware. Security firm SentinelOne recently reported on how the operators of the TrickBot banking Trojan have begun selling access to networks it has previously compromised to other threat groups including those seeking to distribute ransomware.

Such collaboration is allowing threat groups to distribute ransomware more easily without having to do any initial breaching of a network on their own.

Carl Wearn, head of e-crime at Mimecast, describes the advent of collaboration across criminal groups with differing specialties as one of the most significant ransomware developments in 2019. "Malware threat actors are increasingly trading their work," he says. "This leads to hackers selling access to already compromised networks."

The highly targeted use of ransomware via precursor infections to ascertain a suitable ransom payment is another big issue, Wearn says.

In many attacks, threat actors have first infected a target network with malware like Emotet and Trickbot to try and gather as much information about systems on the network as possible. The goal is to find the high-value systems and encrypt data on it so victims are more likely to pay.

"If we look at the big picture, we will discover that what is changing is the threat actors' approach to distributing the Trojans and selecting their victims," Sinitsyn says. If five years ago almost all ransomware was mass-scale and the main distribution vector was via spam, nowadays many criminals are using targeted attacks instead.

"Threat actors carry out a reconnaissance in order to find a large corporation or a governmental entity or a municipal network and try to breach their defenses," Sinitsyn says. Since the criminals know with whom they are dealing, they tend to set the ransom amount significantly high.

Another trend to note is the increase in incidents where criminals not only encrypt the victim's data, but also exfiltrate some of it during the infection, Sinitsyn says. It gives the threat actors additional leverage for extorting money. "In case the victim is reluctant to pay up — [because] for example, they have consistent backups offsite — the criminals will threaten to release some of the stolen data into public," he adds. One example of ranomware being used in this way is Maze, a tool that some believe was used in a recent attack on Pensacola, where threat actors are demanding a $1 milion ransom.

Growing Malware Sophistication

A majority of ransomware families deployed in the wild is of the cookie-cutter variety. Even ransomware that uses obfuscation to get around some kind of detection usually ends up being detectable when it starts to actually encrypt files. However, some threat actors are using very sophisticated tools, says Andrew Brandt, principal researcher at Sophos. As one example, he points to ransomware that use "kill lists" to try and terminate anti-malware tools.

Another example is ransomware that sets itself up as a service running in Windows' built-in Safe Mode, then reboots the system into Safe Mode before beginning to encrypt the hard drive, he says. "Booting into Safe Mode effectively terminates nearly all endpoint protection tools," Brandt says. Sophos recently spotted the Safe Boot feature added to Snatch, a ransomware sample used in targeted attacks that the security vendor has been tracking for a year.

"Among the most notable advancements is an increase in ransomware attackers employing automated active attack techniques," Brandt says. These are attacks where threat-actors use automated malware to quickly profile an infected environment and laterally spread within a targeted network or trigger simultaneous infections across multiple machines within the same environment, Brandt says.

Many of the most troublesome recent ransomware campaigns — including those involving Ryuk, Lockergoga, Robbinhood, and Sodinokibi — have involved the use of active attack techniques, according to Sophos.

Kaspersky researchers in December also reported identifying a new type of ransomware targeting Network Attached Storage (NAS) devices that organizations use to back up data. The vendor described the malware as posing new risks for organizations because NAS devices are generally perceived as secure technology.

Going Mobile

If all this wasn't enough, some believe that mobile devices could start getting targeted as well.

Joel Windels, chief marketing officer at NetMotion Software, points to data from the 2019 Verizon Data Breach Investigations Report showing users as more susceptible to phishing attacks on mobile devices, and another report about Chinese hackers breaching 10 global cellular providers. "All of the pieces are in place for an increase in mobile ransomware in 2020," Windels says.

"We expect to see the first concerted ransomware attacks target mobile applications running on Android," he says.

The same combination of factors - unsupported, outdated, and unpatched systems - that led to the surge in ransomware attacks on local governments and others will drive attacks on mobile devices. "As OS fragmentation becomes a bigger issue for Android devices, in particular, many devices are being left unsupported with older software and less frequent security patches," Windels notes.

Related Comments:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Manage API Security."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:55:55 AM
Not Surprised
Unfortunately, whether you are a corporation or singular consumer, our security hygiene has not increased at a rate required to quell advanced threats. 

With that being said, ransomware is really effective because it is extremely simplistic and takes minimal effort to deploy. 

We need to learn from others mistakes and start not only taking a step to perform best practice security principles but best practice backup/recovery principles. Because if the former is not observed, the latter may be your only hope.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10737
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
CVE-2020-13622
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
CVE-2020-13623
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.
CVE-2020-13616
PUBLISHED: 2020-05-26
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
CVE-2020-13614
PUBLISHED: 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.