Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/11/2016
06:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Imagining The Ransomware Of The Future

Cisco Talos Lab paints a dark picture of what ransomware could have in store next.

Ransomware that can encrypt and lock 800 of your organization's servers, 3,200 workstations, and the vast majority of your data...in one hour flat. That's the nightmare that researchers at Cisco Talos Labs described in a report today: a self-propagating, stealthy, modular ransomware that can move laterally across internal networks and cross air-gapped systems.

In addition to the standard core ransomware functionality, Cisco Talos' hypothesized "King's Ransom framework" has a variety of modules for both stealth and propagation.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

To avoid detection, "king's ransom" would have a rate limiter module -- to prevent the code from eating up too many system resources and therefore attracting the user's unwanted attention. In this framework, the ransomware would also eschew the traditional command-and-control infrastructure; it would instead transmit a beacon, containing global unique IDs (GUIDs), to a C2 domain via common protocols like HTTP or DNS. This domain could then collect these GUIDs, and use them to monitor and manage stats about infection rates.

The framework would contain modules for propagating through a variety of vectors. With a file infector module, the ransomware would attempt to add itself to other executables already residing on the infected system, which would both help the code spread and re-infect the system if it's somehow ejected.

With a USB mass-storage propagator, the ransomware would copy itself to mapped drives, and be configured to automatically connect and run; it could thus cross air-gapped systems. Authentication infrastructure exploits (similar to mimkatz) would enable the attacker to gain admin privileges to a variety of systems and domains. An RFC 1918 target address-limiter would be used to attack targets using RFC addresses -- used by internal networks, as opposed to Internet-wide. 

In the devastating scenario Cisco proposes, the ransomware takes over up to 800 servers, 3,200 workstations, half the digital assets and the "vast majority" of data in an organization within the first hour of infection. The attackers request a $1 million ransom, which will automatically increase to $3 million eight days later.

Will organizations pay such a steep price, even after such an extensive infection? Cisco Talos Labs says that depends upon a number of factors, such as the value of the data they cannot access and their ability to restore that data. Do they have sufficient off-site backups that were not affected? Can they do manual restoration of data, and if so, how much will that cost, in comparison to the cost of the ransom?  

Although it's just theory now, the quickly increasing sophistication of ransomware makes it all too believable.

Related Content:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Azathoth
50%
50%
Azathoth,
User Rank: Apprentice
4/14/2016 | 10:10:55 AM
Protection Money
What happens when ransomware becomes protectionware?  Instead of one payment you have to make regular "protection" payments to keep your data from being relocked?
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
4/12/2016 | 7:45:55 AM
Cloud concern
This is my real concern when it comes to the growth of cloud computing also. By storing all data in singular locations, we run the risk of millions of people being affected in one fell swoop. 

For starters, I hope companies are paying attention and have insurance to cover the mass encryption of customer data, but also I want to see new measures put in place to protect against this kind of attack. Cold storage data that is backed up regularly, but hardware disconnected from the internet otherwise. 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.