Dark Reading is part of the Informa Tech Division of Informa PLC



12/26/2019
09:00 AM

Ransomware Situation Goes From Bad to Worse

New malware distribution techniques and functionality updates are sure to put more pressure on enterprise organizations in 2020.

The surge in ransomware attacks on cities, municipalities, schools, and healthcare organizations this year is just a foretaste of what is likely to come in 2020.

Threat actors have sensed a very real opportunity to make big returns attacking enterprise organizations using ransomware and are refining their tools and techniques to increase their chances for success, say worried security experts.

Some recent developments include growing collaboration between threat groups on ransomware campaigns; the use of more sophisticated evasion mechanisms; elaborate multi-phase attacks involving reconnaissance and network scoping; and human-guided automated attack techniques.

IT and security groups that are already under pressure to respond will be challenged even more by the growing sophistication of the ransomware threat, experts note. While municipal governments, schools, and other perceived "soft" targets will continue to bear the brunt of the attacks, no organization will really be safe.

"We would assume that the larger and more important an organization is, the more attractive a target it poses for extortionists," says Fedor Sinitsyn, senior malware analyst at Kaspersky. But "any company or organization should be aware of [the] threat and plan accordingly," he notes.

With the current reliance on digital infrastructure, any network disruption equals loss of money. Taking into account the disastrous effects of ransomware, the recovery period for some organizations could end up being long and painful, Sinitsyn says.

Going From Bad to Worse

2019 turned out to be a far more active year for ransomware than many might have anticipated, given the decline in overall attack volume the previous year.

Emsisoft recently estimated that ransomware attacks have cost US government agencies, educational establishments, and healthcare providers alone more than $7.5 billion this year. According to the security vendor, up to December 2019, at least 759 healthcare providers, 103 state and municipal governments and agencies, and 86 universities, colleges, and school districts have been hit in ransomware attacks.

In addition to financial losses the attacks have resulted in emergency patients being redirected to other hospitals, medical records being lost, property transactions being halted, surveillance systems going offline, and other very real-world consequences, Emsisoft said.

Several developments suggest that the situation in 2020 is likely going to be at least as bad, if not actually worse.

One troubling trend is the growth in instances of threat groups collaborating with each other to enable easier delivery of malware. Security firm SentinelOne recently reported on how the operators of the TrickBot banking Trojan have begun selling access to networks they have previously compromised to other threat groups, including those seeking to distribute ransomware.

Such collaboration is allowing threat groups to distribute ransomware more easily without having to do any initial breaching of a network on their own.

Carl Wearn, head of e-crime at Mimecast, describes the advent of collaboration across criminal groups with differing specialties as one of the most significant ransomware developments in 2019. "Malware threat actors are increasingly trading their work," he says. "This leads to hackers selling access to already compromised networks."

The highly targeted use of ransomware via precursor infections to ascertain a suitable ransom payment is another big issue, Wearn says.

In many attacks, threat actors have first infected a target network with malware like Emotet and TrickBot to gather as much information about systems on the network as possible. The goal is to find the high-value systems and encrypt the data on them so that victims are more likely to pay.

"If we look at the big picture, we will discover that what is changing is the threat actors' approach to distributing the Trojans and selecting their victims," Sinitsyn says. Where five years ago almost all ransomware was mass-scale and spam was the main distribution vector, nowadays many criminals use targeted attacks instead.

"Threat actors carry out a reconnaissance in order to find a large corporation or a governmental entity or a municipal network and try to breach their defenses," Sinitsyn says. Since the criminals know with whom they are dealing, they tend to set the ransom amount very high.

Another trend to note is the increase in incidents where criminals not only encrypt the victim's data, but also exfiltrate some of it during the infection, Sinitsyn says. It gives the threat actors additional leverage for extorting money. "In case the victim is reluctant to pay up — [because] for example, they have consistent backups offsite — the criminals will threaten to release some of the stolen data into public," he adds. One example of ransomware being used in this way is Maze, a tool that some believe was used in a recent attack on Pensacola, where threat actors are demanding a $1 million ransom.

Growing Malware Sophistication

The majority of ransomware families deployed in the wild are of the cookie-cutter variety. Even ransomware that uses obfuscation to get around some kind of detection usually ends up being detectable when it starts to actually encrypt files. However, some threat actors are using very sophisticated tools, says Andrew Brandt, principal researcher at Sophos. As one example, he points to ransomware that uses "kill lists" to try to terminate anti-malware tools.

Another example is ransomware that sets itself up as a service running in Windows' built-in Safe Mode, then reboots the system into Safe Mode before beginning to encrypt the hard drive, he says. "Booting into Safe Mode effectively terminates nearly all endpoint protection tools," Brandt says. Sophos recently spotted the Safe Boot feature added to Snatch, a ransomware sample used in targeted attacks that the security vendor has been tracking for a year.
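The Safe Mode technique Brandt describes depends on two Windows configuration points a defender can audit: the SafeBoot service allow-lists and the boot configuration store. The following PowerShell script is an added example (not code from the article, Sophos, or the Snatch sample) that lists services registered to start in Safe Mode and warns if the system is set to force a Safe Mode boot; the baseline list of expected entries is a constructed, partial placeholder that should be replaced with an export from a known-good build.

```powershell
# Added defensive audit (example code, not from the article or any vendor).
# Run as Administrator. Assumption: $knownGood is a constructed, illustrative
# baseline; replace it with an export taken from a clean reference machine.

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$knownGood = @('EventLog', 'PlugPlay', 'RpcSs', 'DcomLaunch', 'WinDefend')  # constructed, partial

function Get-SafeBootServices {
    param([ValidateSet('Minimal', 'Network')][string]$Profile)

    Get-ChildItem -Path (Join-Path $safeBootRoot $Profile) | ForEach-Object {
        # Each subkey's default value is "Driver", "Driver Group" or "Service".
        $kind = $_.GetValue('')
        if ($kind -ne 'Service') { return }

        $name = $_.PSChildName
        $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Profile    = $Profile
            Service    = $name
            BinaryPath = if ($svc) { $svc.PathName } else { '<not installed>' }
            KnownGood  = $knownGood -contains $name
        }
    }
}

# 1. Services allowed to run in Safe Mode that are not in the baseline, or whose
#    binary lives outside %SystemRoot%, are the ones to review first.
$suspect = foreach ($profile in 'Minimal', 'Network') {
    Get-SafeBootServices -Profile $profile |
        Where-Object { -not $_.KnownGood -or $_.BinaryPath -notlike "$env:SystemRoot*" }
}
if ($suspect) {
    Write-Warning "Non-baseline or out-of-tree services registered for Safe Mode:"
    $suspect | Format-Table -AutoSize
}

# 2. A forced Safe Mode reboot is set through the boot configuration store and
#    appears as a "safeboot" entry for the current boot loader object.
$bcd = bcdedit /enum '{current}' 2>$null
$forced = $bcd | Where-Object { $_ -match '^\s*safeboot\s' }
if ($forced) {
    Write-Warning "Boot configuration forces Safe Mode on next reboot: $($forced.Trim())"
}
```

Scheduling the script and alerting on any non-empty result gives an early signal before the reboot that the text describes, since both the service registration and the boot entry must exist before encryption begins.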

"Among the most notable advancements is an increase in ransomware attackers employing automated active attack techniques," Brandt says. These are attacks where threat actors use automated malware to quickly profile an infected environment and spread laterally within a targeted network, or trigger simultaneous infections across multiple machines within the same environment, Brandt says.

Many of the most troublesome recent ransomware campaigns — including those involving Ryuk, Lockergoga, Robbinhood, and Sodinokibi — have involved the use of active attack techniques, according to Sophos.

Kaspersky researchers in December also reported identifying a new type of ransomware targeting Network Attached Storage (NAS) devices that organizations use to back up data. The vendor described the malware as posing new risks for organizations because NAS devices are generally perceived as secure technology.

Going Mobile

If all this wasn't enough, some believe that mobile devices could start getting targeted as well.

Joel Windels, chief marketing officer at NetMotion Software, points to data from the 2019 Verizon Data Breach Investigations Report showing users as more susceptible to phishing attacks on mobile devices, and another report about Chinese hackers breaching 10 global cellular providers. "All of the pieces are in place for an increase in mobile ransomware in 2020," Windels says.

"We expect to see the first concerted ransomware attacks target mobile applications running on Android," he says.

The same combination of factors - unsupported, outdated, and unpatched systems - that led to the surge in ransomware attacks on local governments and others will drive attacks on mobile devices. "As OS fragmentation becomes a bigger issue for Android devices, in particular, many devices are being left unsupported with older software and less frequent security patches," Windels notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

RyanSepe, 12/30/2019 | 12:55:55 AM
Not Surprised
Unfortunately, whether you are a corporation or singular consumer, our security hygiene has not increased at a rate required to quell advanced threats.

With that being said, ransomware is really effective because it is extremely simplistic and takes minimal effort to deploy.

We need to learn from others' mistakes and start not only taking a step to perform best practice security principles but best practice backup/recovery principles. Because if the former is not observed, the latter may be your only hope.