Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

Ransomware Situation Goes From Bad to Worse

New malware distribution techniques and functionality updates are sure to put more pressure on enterprise organizations in 2020.

The surge in ransomware attacks on cities, municipalities, schools, and healthcare organizations this year is just a foretaste of what is likely come in 2020.

Threat actors have sensed a very real opportunity to make big returns attacking enterprise organizations using ransomware and are refining their tools and techniques to increase their chances for success, say worried security experts.

Some recent developments include growing collaboration between threat groups on ransomware campaigns; the use of more sophisticated evasion mechanisms; elaborate multi-phase attacks involving reconnaissance and network scoping; and human-guided automated attack techniques.

IT and security groups that are already under pressure to respond will be challenged even more by the growing sophistication of the ransomware threat, experts note. While municipal governments, schools, and other perceived "soft" targets will continue to bear the brunt of the attacks, no organization will really be safe.

"We would assume that the larger and more important an organization is, the more attractive a target it poses for extortionists," says Fedor Sinitsyn, senior malware analyst at Kaspersky. But "any company or organization should be aware of [the] threat and plan accordingly," he notes.

With the current reliance on digital infrastructure, any network disruption equals loss of money. Taking into account the disastrous effects of ransomware, the recovery period for some organizations could end up being long and painful, Sinitsyn says.

Going From Bad to Worse

2019 turned out to be a far more active year for ransomware than many might have anticipated given the declining overall volume in attacks last year.

Emsisoft recently estimated that ransomware attacks have cost US government agencies, educational establishments, and healthcare providers alone more than $7.5 billion this year. According to the security vendor, up to December 2019, at least 759 healthcare providers, 103 state and municipal governments and agencies, and 86 universities, colleges, and school districts have been hit in ransomware attacks.

In addition to financial losses the attacks have resulted in emergency patients being redirected to other hospitals, medical records being lost, property transactions being halted, surveillance systems going offline, and other very real-world consequences, Emsisoft said.

Several developments suggest that the situation in 2020 is likely going to be at least as bad, if not actually worse.

One troubling trend is the growth in instances of threat groups collaborating with each other to enable easier delivery of malware. Security firm SentinelOne recently reported on how the operators of the TrickBot banking Trojan have begun selling access to networks it has previously compromised to other threat groups including those seeking to distribute ransomware.

Such collaboration is allowing threat groups to distribute ransomware more easily without having to do any initial breaching of a network on their own.

Carl Wearn, head of e-crime at Mimecast, describes the advent of collaboration across criminal groups with differing specialties as one of the most significant ransomware developments in 2019. "Malware threat actors are increasingly trading their work," he says. "This leads to hackers selling access to already compromised networks."

The highly targeted use of ransomware via precursor infections to ascertain a suitable ransom payment is another big issue, Wearn says.

In many attacks, threat actors have first infected a target network with malware like Emotet and Trickbot to try and gather as much information about systems on the network as possible. The goal is to find the high-value systems and encrypt data on it so victims are more likely to pay.

"If we look at the big picture, we will discover that what is changing is the threat actors' approach to distributing the Trojans and selecting their victims," Sinitsyn says. If five years ago almost all ransomware was mass-scale and the main distribution vector was via spam, nowadays many criminals are using targeted attacks instead.

"Threat actors carry out a reconnaissance in order to find a large corporation or a governmental entity or a municipal network and try to breach their defenses," Sinitsyn says. Since the criminals know with whom they are dealing, they tend to set the ransom amount significantly high.

Another trend to note is the increase in incidents where criminals not only encrypt the victim's data, but also exfiltrate some of it during the infection, Sinitsyn says. It gives the threat actors additional leverage for extorting money. "In case the victim is reluctant to pay up — [because] for example, they have consistent backups offsite — the criminals will threaten to release some of the stolen data into public," he adds. One example of ranomware being used in this way is Maze, a tool that some believe was used in a recent attack on Pensacola, where threat actors are demanding a $1 milion ransom.

Growing Malware Sophistication

A majority of ransomware families deployed in the wild is of the cookie-cutter variety. Even ransomware that uses obfuscation to get around some kind of detection usually ends up being detectable when it starts to actually encrypt files. However, some threat actors are using very sophisticated tools, says Andrew Brandt, principal researcher at Sophos. As one example, he points to ransomware that use "kill lists" to try and terminate anti-malware tools.

Another example is ransomware that sets itself up as a service running in Windows' built-in Safe Mode, then reboots the system into Safe Mode before beginning to encrypt the hard drive, he says. "Booting into Safe Mode effectively terminates nearly all endpoint protection tools," Brandt says. Sophos recently spotted the Safe Boot feature added to Snatch, a ransomware sample used in targeted attacks that the security vendor has been tracking for a year.

"Among the most notable advancements is an increase in ransomware attackers employing automated active attack techniques," Brandt says. These are attacks where threat-actors use automated malware to quickly profile an infected environment and laterally spread within a targeted network or trigger simultaneous infections across multiple machines within the same environment, Brandt says.

Many of the most troublesome recent ransomware campaigns — including those involving Ryuk, Lockergoga, Robbinhood, and Sodinokibi — have involved the use of active attack techniques, according to Sophos.

Kaspersky researchers in December also reported identifying a new type of ransomware targeting Network Attached Storage (NAS) devices that organizations use to back up data. The vendor described the malware as posing new risks for organizations because NAS devices are generally perceived as secure technology.

Going Mobile

If all this wasn't enough, some believe that mobile devices could start getting targeted as well.

Joel Windels, chief marketing officer at NetMotion Software, points to data from the 2019 Verizon Data Breach Investigations Report showing users as more susceptible to phishing attacks on mobile devices, and another report about Chinese hackers breaching 10 global cellular providers. "All of the pieces are in place for an increase in mobile ransomware in 2020," Windels says.

"We expect to see the first concerted ransomware attacks target mobile applications running on Android," he says.

The same combination of factors - unsupported, outdated, and unpatched systems - that led to the surge in ransomware attacks on local governments and others will drive attacks on mobile devices. "As OS fragmentation becomes a bigger issue for Android devices, in particular, many devices are being left unsupported with older software and less frequent security patches," Windels notes.

Related Comments:


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Manage API Security."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.