What To Watch For With Ransomware: 2017 Edition
Ransomware will continue to evolve in 2017, bringing new and diverse threats to businesses. What changes are in store?
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltad6216a40cc33d39/64f0d8705d8311f4325932eb/ransomware2017_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Ransomware has businesses concerned - with good reason. Organizations across all industries are at risk of infection via email or Web attacks.
This brand of malware attack will grow and change in the new year. New variants, such as the new version of KillDisk that no longer just erases data but instead encrypts information and demands a Bitcoin ransom, are constantly surfacing.
Threat actors have successfully used ransomware to infiltrate businesses and demand money long before the rise in ransomware attacks in 2016. But ransomware is reaching a plateau now: stolen data is less valuable because of the sheer amount of it available on the black market, experts say. So attackers are getting more creative, generating new ways to broaden their reach and demand more money from their victims.
"Ransomware is a business, and as a business, it's going to evolve," says Allan Liska, intelligence analyst at Recorded Future.
Many security watchers believe ransomware will get worse. Some think attackers will take advantage of IoT devices and target consumers. Others think mobile devices are at greater risk.
What else is on the horizon for ransomware in 2017? We did some digging to find out. Read on to learn more about how threats will evolve, what to watch for, and how to mitigate risk.
After an active year of online extortion, ransomware is poised to plateau in 2017, predict experts at Trend Micro. 2016 set the stage for more delivery methods, stronger encryption, and publicized code, which drove a 400% spike in the number of ransomware families between January and September.
While experts predict ransomware families will grow 25% in 2017, we have passed the tipping point. Businesses, rather than consumers, could be a primary target of these new families next year, reports Booz Allen Hamilton. Successfully extorting a business often leads to greater reward and lower risk for malware operators.
Criminals driven by stabilization will diversify their strategies so they can target larger businesses with more focused attacks. Ransomware that focuses on key parts of the Windows OS, like the MBR or system components' firmware, could likely become a new pathway.
As part of their efforts to target businesses, hackers will employ ransomware that's harder to detect. Liska anticipates an increase in malware-less ransomware, which does not contain an executable and relies entirely on tools like JavaScript or PowerShell to carry out attacks. Because attacks are conducted using legitimate tools, they bypass traditional detection mechanisms before executing at the last second.
"Malware-less ransomware will become more prominent because it's much harder to detect," he explains. While there are tools built to discover this malware, not many are good at detecting it.
Ryan Kazanciyan, chief security architect at Tanium, explains how malware prevention-based tools have increasingly used "signature-free" mechanisms to detect ransomware. Many apply heuristics to low-level patterns of activity common across different strains of ransomware. Businesses should know malware operators will have access to these defensive tools and adopt techniques to avoid them.
He also notes that businesses have had to decrease the aggression of their anti-ransomware tools after they are deployed due to high rates of false positives. Rather than channel their focus on preventive solutions, they should focus on preventing ransomware from entering their organization in the first place.
This year will bring an increase in the number of bad guys employing ransomware and the number of systems they target. "The financial motivations and low barriers to entry behind most ransomware campaigns will ensure that attackers continue focusing on the paths of least resistance to maximize their profit," says Kazanciyan.
Hackers' tactics will evolve in 2017 and the risk to businesses will grow. Single-target ransomware will become a thing of the past, he continues. Advanced groups will target several systems at once because they aren't solely relying on email and Web for delivery. Once inside a business network, they can target databases, file stores, and take things they wouldn't be able to target with ransomware.
"Over the past two years, an increasing number of businesses were extorted by targeted ransomware campaigns, as opposed to opportunistic, large-scale attacks," says Kazanciyan. "In many cases these incidents remained closely-held secrets that were privately investigated and resolved, often at great expense."
Going into next year, Liska predicts a rise in public shaming attacks similar to the one on MUNI, San Francisco's public transportation system, in November 2016. Even though MUNI didn't pay the ransom demanded, the world knew it had been attacked in a public, embarrassing way.
"You're launching ransomware in a way that will draw attention to the attack, to shame the victim into paying," he says. We're going to see more of these types of attacks on public systems, hospitals, and an array of other institutions. Public shaming attacks won't discriminate.
Experts are split on the future of ransomware amidst the rise of connected devices.
Some anticipate the Internet of Things will be a prime target among attackers. "The impact of IoT ransomware could be bigger than mobile," says James Carder, CISO of LogRhythm and VP of LogRhythm Labs. Mobile-based ransomware is intriguing from a business perspective, he says, but the overall impact of IoT -- with the sheer number of sensors and amount of people wearing them -- could be severe in 2017. It could pose a particularly large threat to critical infrastructure, he says.
Liska, in contrast, doesn't foresee a rise in ransomware attacks among connected devices. Many IoT products are "headless" and contain little data, or have information backed up to the vendor's cloud. "There are all kinds of security issues with that model, but ransomware isn't one of them," he says.
For most potential victims of IoT ransomware, there would be little motivation to pay a ransom. This is especially relevant for consumer devices; for example, a connected refrigerator. Home appliances contain no critical information. If hacked, users could simply restart them.
However, he continues, there is a risk for people using connected medical devices or other types of data systems. "If you have a medical device with a Windows head and someone installs ransomware on the system controlling those, it could pose a huge threat," he explains.
In the near term, IoT devices with poor security won't increase the threat of data-centric ransomware attacks on businesses. As long as organizations struggle to patch and monitor endpoint devices, users' workstations will remain an easier path of attack than other connected devices. Hackers are already effective in penetrating organizations with encrypted Office docs. Why should they bother working their way through other connected devices?
Ransomware operators have traditionally attacked computers but will target mobile devices more in the coming year, predicts Carder.
There are two key factors fueling the trend. One is the tremendous size of today's mobile market, which presents hackers with billions of opportunities to extort money from victims. The second is greater mobile expertise among ransomware users.
This has dangerous implications. People keep plenty of sensitive data on their phones. How much would they be willing to pay to keep it secret? How great is the risk for businesses with loosely controlled BYOD policies? Carder notes how organizations have put BYOD controls in place, but nobody has done it well. The move to mobile has potential to devastate businesses.
It's time for companies to decide how to handle mobile devices, says Carder. Either they control devices employees bring into the organization, or they don't allow mobile devices to enter the network if they're not company-owned.
"You can no longer ignore the problem and assume you'll be ok, especially now with an increase in mobile malware and attacks against mobile devices," he cautions.
"Copycat attacks will absolutely increase," emphasizes Liska. "If someone successfully attacks a system, we're going to see more of those kind of attacks happen."
He cites the healthcare industry as a prime example. Attackers learned how providers are often willing to pay ransom because patient care is their biggest priority. As a result, organizations became easy targets and the industry suffered a wave of cybercrime.
If there is any decline in ransomware, it will be when law enforcement takes down larger ransomware families, he says. However, it's only a matter of time before new entrants take their place.
"As long as the potential for profit outweighs the risk of law enforcement, we'll continue to see new players in ransomware delivery and attacks," notes Liska.
The threats may be growing more complex, but Liska notes the biggest red flags will come via Web and email, which remain the two biggest ransomware vectors "for the foreseeable future."
Carder advises educating employees on safe browsing behaviors and how to recognize phishing emails. Oftentimes, ransomware code will run through a series of tasks before encrypting a system and reveal a few red flags users should know.
"I've heard of people complaining about their computers running slow for a period of time, their Internet browser crashing, new processes they've never seen before executed, and connections to their file shares or other systems they don't normally access or aren't accessing at the moment," he says.
Beyond this, a lot of ransomware will leave users a note either as a file or a desktop wallpaper. By the time the user sees this, the majority of damage has been done.
The ransomware threat may grow this year, but there are a few ways to mitigate risk.
The most important thing businesses can do is keep their IT and security departments mature, says Carder. Know your critical business systems, back up key systems and data, practice restore procedures, create and practice a disaster recovery plan, and implement programs for patch management, hardening business and user systems, and monitoring security.
All of these are critical for preventing and responding to a ransomware attack -- without having to pay a ransom, he continues. The same best practices apply to the mobile and IoT spaces.
"If these are not in place, not only does the risk of ransomware impacting your organization go up tremendously, but you would likely be a repeat victim until you do put those things in place," he says.
Liska recommends scanning emails and keeping a sharp eye out for things like Office attachments, .scr attachments, or JavaScript and PowerShell files delivered directly as attachments. Businesses should also keep their browser patches updated, avoid enabling unnecessary plugins, and back up their data to minimize damage in the event of a successful attack.
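One way to implement the attachment check recommended above, as an added example that is not part of the original article. The extension lists and the sample message are constructed assumptions; the check also goes slightly beyond the text by handling mixed case, double extensions such as `Invoice.PDF.js`, and trailing dots.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension classes follow the recommendation in the text; the exact lists are
# an assumption of this example and should be tuned to local mail policy.
RISKY = {
    "office": {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".rtf"},
    "screensaver": {".scr"},
    "script": {".js", ".jse", ".ps1", ".psm1"},
}

def classify(filename):
    """Return the risk class for a filename, or None if it is not on the list."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""  # last extension wins: a.pdf.js -> .js
    for label, exts in RISKY.items():
        if ext in exts:
            return label
    return None

def scan_message(raw_bytes):
    """Parse a raw email and return (filename, class) for each flagged part."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 encoded names
        label = classify(filename) if filename else None
        if label:
            findings.append((filename, label))
    return findings

def build_sample():
    """Constructed message: one benign PDF and four attachments to flag."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for name in ("report.pdf", "Invoice.PDF.js", "update.ps1", "photo.scr", "q3.xlsm"):
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, label in scan_message(build_sample()):
        print(f"FLAG {label:12} {filename}")
```

Flagging Office files by extension alone is noisy in most businesses; in practice that class is usually routed to further inspection rather than blocked outright.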