Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/15/2017
10:00 AM
Brian Vecci
Brian Vecci
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Your Grandma Could Be the Next Ransomware Millionaire

Today's as-a-service technology has democratized ransomware, offering practically anyone with a computer and an Internet connection an easy way to get in on the game.

HELP WANTED: Are you looking to pad your golden years and increase your grandkids' birthday money? Forget about reverse mortgages; instead, join our network of ransomware agents. If you can play bridge online, you can run your own ransomware campaign.

The billion-dollar ransomware business, and fifth-highest distributed malware according to the 2017 Verizon DBIR, is now accessible to anyone — no technical expertise required. Just like you can use an app to get a date, a ride, or even a mortgage, today's as-a-service technology has democratized ransomware, offering no-skilled criminals — or grandmothers who need a little extra cash — a low-friction way to get in on the game. And it's having an impact on enterprises. 

The first ransomware criminals had to build malware and sneak it inside an organization — usually accomplished with a convincing phishing campaign. Once inside, the malware locks down valuable data and holds it for ransom. The more targets an attacker hits, the better their return.

Now, with ransomware-as-a-service, attackers no longer have to build and maintain their own malware, develop an infrastructure, or manage an attack — all they need to do is sign up, offer a few grandkids' or pesky neighbors' emails, and pay a percentage as a service fee.

Ransomware-as-a-service strains like Cerber and Karmen — and now WannaCry — are dominating information security headlines and Twitter feeds, even unseating Locky from the ransomware throne. Both variants offer as-a-service models that lower the barrier to entry and provide graphical dashboards on metrics like infection rates and ransoms paid. Customers can even increase their ransom price.

RaaS: Best Tools at the Best Price
Similar to how legitimate SaaS offerings allow organizations to outsource parts of their business and infrastructure, ransomware criminals can now outsource managing and maintaining their ransomware practice. Ransomware-as-a-service providers — just like their legitimate SaaS counterparts — have an interest in making sure their customers (like grandma) have access to the best tools at competitive prices so that more will choose their service. When one threat vector closes, their business revenue is affected, so it's in their best interest to deploy updates and stay ahead of the technologies and practitioners working to stop them.

Organizations should expect the number of attacks to continue to increase, thanks to ransomware's low barrier to entry and increased sophistication due to competition between ransomware-as-a-service businesses that fight to stay ahead of each other and enterprise malware detection efforts. 

Though as-a-service ransomware may increase the frequency and sophistication of attacks, the key strategies that organizations need to employ to address ransomware and other threats remain the same:

  • Protect data from the inside. The perimeter isn’t going to protect against code running inside the firewall. Determined attackers will likely be able to get inside the network (if there's even such a thing as "inside" any more), so assuming a strong perimeter will protect you by itself may mean that your security inside the perimeter leaves you at risk.
  • Rethink your access rights. In the recent 2017 Varonis Data Risk Report, an average 20% of all folders within an organization are open to everyone. That means that only one user needs to make a mistake and become infected with ransomware to take down 20% of your shared files. Make sure that only the right people have access to what they're supposed to and data isn't accessible to every employee.
  • Monitor everything. You can't catch what you can't see, and monitoring the data that's at risk is critical. Nobody breaks into the bank to steal the pens, so make sure that you're looking at how users access data so you know when something goes wrong. Here's a hint: if you've missed a ransomware attack, you've definitely missed just about any other data-centric attack. Ransomware is the easiest attack to spot if you're watching how file systems are being used.
  • Have a remediation plan. Finally, organizations should regularly perform backups of their file system, especially critical and sensitive data, and have a remediation plan to find and restore compromised data in the case of ransomware and other cyber attacks.

Related Content

 

Brian Vecci is a 19-year veteran of information technology and data security, including holding a CISSP certification. He has served in applications development, system architecture, project management, and business analyst roles in financial services, legal technology, and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
5/17/2017 | 6:41:22 PM
Data Access Governance becomes critical
Today the perimeter is too porous to protect data and IAM or DAG ( Data access governance) program will become necessary to feud and mitigate these types of attacks.  In the WannaCry latest development, it is essential to detect changes in file shares to be able to stall the attack and limit it to a few machines.  Hard to believr we are goign back to pure detection as prevention becomes more and more impossible.
richard0011
50%
50%
richard0011,
User Rank: Apprentice
5/17/2017 | 5:06:24 AM
Re: Cybersecurity Through Education
nice
PhilA345
100%
0%
PhilA345,
User Rank: Apprentice
5/16/2017 | 11:47:45 AM
Cybersecurity Through Education
Over 70% of data breaches and hacks occur due to some form of human error. End user education and cyber awareness training are the most important steps in preventing a future data breach. The impact of cyber awareness training is something that every organization should take into account when developing their cyber strategy. https://www.securable.io/blog/cyber-security-through-education-infographic
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.