Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
11/23/2015
12:10 PM
Michael Sentonas
Michael Sentonas
Partner Perspectives
100%
0%

Where Is Ransomware Going?

As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will go after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Ransomware, the malicious software that encrypts your files until you pay to get the encryption key to unlock them, is having quite a successful run. Initially targeting consumers, criminals are turning toward businesses and government organizations, demanding higher ransoms for more valuable data. An FBI agent has even commented that ransomware is so good the bureau often recommends that people just pay the ransom.

That is obviously not an acceptable long-term solution to the problem, especially as it appears the criminal technique continues to evolve.

We typically see malware threats go through several phases, starting off with attacks in small volumes, as the authors evaluate target systems’ defenses until they identify approaches that achieve reasonable success rates. Then the attacks increase in volume, going after consumers, then businesses, as the technique matures and gets monetized through massive campaigns. The next phase is a shift from volume to highly targeted attacks, as defenses adapt to the generic approach, criminals identify higher value targets, and special interest groups adopt the technique for their own specific purposes.

Ransomware is currently moving from the volume to targeted phase, increasing in sophistication of the delivery mechanism and looking for more valuable ways to get money from its victims.

Ransomware is nasty because, unlike other malware infections, you cannot run a cleaning or removal tool to get rid of it so defenses have to catch it before it can act. However, an offline backup is a reasonable and effective precaution that disarms most of the power of the ransomware. We (law enforcement and security industry) have also had a fair amount of recent successes finding and taking down ransomware servers such as CryptoLocker.

As a result, we are seeing changes to the ransom model, where encryption of your data is just one step. Using targeted attacks such as emails that look like they originate from within your company, attackers are getting their malicious encryption tools into vulnerable systems. Then, after encrypting the files or data stream, they threaten to publish something that you will pay to keep secret, whether it is valuable financial information or embarrassing emails. A recent ransomware campaign in Germany called “Chimera” threatens to publish your files if you do not pay the ransom of more than 600 euros, according to the Anti-Botnet Advisory Centre. It is not clear if Chimera actually exports your files and can carry out the threat, but if it cannot, the next one will. 

Ransomware’s Next Target

Where will ransomware go next? As we adopt more and more technology in our lives, we are also fueling the creativity of our attackers. As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will change and multiply their attack vectors, going after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Think about the risk to your organization of criminals threatening to release audio captured from an executive’s television, video from a board meeting, or embarrassing details from your personnel files. This could result in new opportunities for them to make more money than they do today, charging a ransom to decrypt your data and a premium to not publicly release it. 

When threats go from volume to targeted mode, you need a shared intelligence strategy that can detect threats at multiple points, across both your network and the cloud. You need to be aware of the potential motivations, whether that is organized crime looking for payment or hacktivists looking to expose corporate secrets. Understanding the attacker profiles helps you identify what material is valuable and vulnerable, and helps you prioritize your security efforts.

Ransomware is just one threat that is evolving with our technology usage. Whether it is cloud computing, IoT devices, or virtualization, security needs are changing to require greater integration between defenses; broader collaboration with law enforcement, industry organizations, and supply chain partners; and increased automation that can react at digital speeds. 

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kwattman
50%
50%
Kwattman,
User Rank: Black Belt
11/23/2015 | 1:49:29 PM
Ransomware
Good post! Organizations maybe forced into using ransomware or the like as a security audit. It would be much more effective to look over your data, your security or defense in depth and plug the holes ahead of time, before some cybercriminal does it for you. And backup in multiple places. 
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29458
PUBLISHED: 2020-12-02
Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.
CVE-2020-29456
PUBLISHED: 2020-12-02
Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in ...
CVE-2020-5423
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
CVE-2020-29454
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
CVE-2020-7199
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...