In 2017, we predict that ransomware authors will target mission-critical servers and PCs within specific departments of their victims.
By holding these sensitive devices hostage, attackers apply the right pressure at the right time and collect the ransom quickly.
The past couple of years have shown that ransomware is only going to increase, although its tactics may shift. Initially, ransomware authors sprayed and prayed, hitting any and all targets, from individual users to SMBs, in the hope of big returns. It worked: according to end-of-year 2015 reports, ransomware developers made up to $30 million annually.
The year 2016 will be remembered as the year ransomware held America hostage. During the year, ransomware took on a more targeted approach, hitting specific verticals: it moved from consumers and mom-and-pop shops to healthcare, then on to the financial and education sectors. Just last September, ransomware held a Los Angeles investment bank hostage. According to a recent SANS report, ransomware is the #1 attack threat to the financial sector, and a third of the affected financial firms admit losing between $100,000 and $500,000 due to a ransomware incident.
We’ll see the next step in the ransomware evolution in 2017. Attackers will refine every stage of their process, from reconnaissance and choosing the most effective attack vector to lateral movement, all with the goal of hitting the critical divisions and servers within a target organization.
The impact of a successful ransomware attack isn’t just lost data; it’s lost productivity and revenue. For a financial institution that performs hundreds of transactions per minute, any delay in service can cost the business and its customers millions. With such a high rate of transactions, no backup is current enough: any restore point already lags behind the live data, and restoring it takes time the business does not have. The attackers know this and can size the ransom just below what the division would earn during the expected outage. Measured against the cost of interrupted operations, ransom payments will skyrocket, and these sums will no longer be small enough to simply write off.
An organization operating infrastructure will likely be quick to meet ransom demands when, for instance, ransomware disrupts the workstations that control traffic lights.
How will this type of targeted ransomware operate?
- Ransomware will cover a wider range of operating systems (e.g. Linux, OS X and Android).
Targeting mission-critical devices and key figures, advanced ransomware won’t just be a “Windows thing.” We’ll see variants targeting *NIX servers and OS X devices.
- Remote Access Trojans (RATs) will adopt ransomware features.
The success of standalone ransomware will lead Remote Access Trojan (RAT) authors to integrate encryption capabilities. After all, the infrastructure ransomware needs in order to move laterally, communicate with C2 servers and ultimately reach mission-critical servers and PCs already exists in RATs. A handful of RAT variants, such as DirtyRAT and OrcaKiller, already carry that ransomware functionality. Prepare to see more.
How to address targeted ransomware?
Before diving into the security strategy businesses should adopt, note first that a successful ransomware attack points to a security weakness that must be remediated, or the same path will be used again. Also, when dealing with attackers there is no guarantee that the device or data will actually be released; paying marks the organization as a willing payer and will likely invite another attack, nastier and more expensive than the first.
Businesses should adopt the following strategy:
- Stay vigilant for cyber-threats. Ransomware typically reaches employees through social engineering that entices a victim to open a file or click on a link. Making everyone in the organization aware of the threats targeting it, through education and training, is a key component of any cyber-security program. Awareness only reduces the risk, however; a sophisticated threat actor will eventually find a way to dupe a user and get into the network.
- Back up data regularly. This best practice ensures that when data is held ransom, users can retrieve copies stored elsewhere. It is not a remedy, but it buys some time while data is hostage. Beware, though, that backups reachable over the network, such as a common share or a cloud sync folder, are within reach of an attacker with lateral movement capabilities: keep at least one copy offline or on storage the production network cannot overwrite, and test restores before you need them.
- Share information on cyberattacks and best practices. Organizations have been calling on their industry peers to be more open about attacks and to share attack data, and forums are sprouting up to facilitate that sharing and educate peers on best practices. One initiative brought together Europol and several security vendors to publish decryption keys for various ransomware families, while RansomwarePrevention.com provides a business-education site to support boardroom discussion of ransomware. Alliances such as those formed by leading law firms in New York and London, and between Wall Street banks and law firms, as well as industry-specific Information Sharing and Analysis Centers (ISACs) such as FS-ISAC for financials and R-CISC for retail, increase the information available about attacks, which leads to better defenses.
- Deploy technologies that proactively protect against ransomware. Organizations need the means to prevent the consequences of having their data and operations held ransom, not merely to detect them afterwards. Preventing data tampering and other malicious file modification, for example by stopping an untrusted process from rewriting documents in bulk, lets the organization keep working even in a compromised environment.
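The kind of control the last bullet describes can be illustrated with a toy detector. The Python below is an added example written for this page, not code from any product the page refers to. It scores file-write events with two heuristics: a decoy ("canary") document that no legitimate workflow should modify, and a rate check on high-entropy rewrites of existing documents by a single process. The process names, paths, thresholds and sample events are all constructed for the illustration.

```python
"""Added example: flag ransomware-like file activity from write events.

Two heuristics a file-protection control might apply before (or instead of)
signature matching:
  1. any process that touches a decoy ("canary") document is flagged at once;
  2. a process that rewrites MIN_FILES or more existing documents with
     high-entropy content and a changed extension inside WINDOW_SECONDS
     is flagged.
Paths, process names, thresholds and the events below are constructed for
illustration and are not taken from any real product or incident.
"""
import math
from collections import defaultdict, deque

# Hypothetical decoy document that no legitimate workflow should modify.
CANARY_PATHS = {r"C:\Users\alice\Documents\!aaa_canary.docx"}
WINDOW_SECONDS = 10
MIN_FILES = 5
ENTROPY_THRESHOLD = 7.5  # bits per byte; office documents ~4-6, ciphertext ~8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect(events):
    """Return {process: reason} for processes whose writes look like encryption.

    Each event is (timestamp_seconds, process, path, renamed, data), where
    `renamed` is True when the write replaced an existing document under a
    new extension (e.g. report.docx -> report.docx.locked) and `data` is the
    first chunk written.
    """
    flagged = {}
    recent = defaultdict(deque)  # process -> timestamps of suspicious rewrites
    for ts, proc, path, renamed, data in sorted(events, key=lambda e: e[0]):
        if path in CANARY_PATHS:
            flagged.setdefault(proc, "touched canary file")
            continue
        # Fresh high-entropy files (archives, encrypted backups) are normal;
        # only a rewrite of an existing document under a new name counts.
        if renamed and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            window = recent[proc]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= MIN_FILES:
                flagged.setdefault(
                    proc,
                    f"{len(window)} high-entropy rewrites within {WINDOW_SECONDS}s",
                )
    return flagged


# Constructed sample input (not real telemetry).
CIPHERTEXT = bytes(range(256)) * 4          # entropy exactly 8.0 bits/byte
PLAINTEXT = b"Q3 revenue summary for the board. " * 30
DOCS = r"C:\Users\alice\Documents"

SAMPLE_EVENTS = (
    # Word saving one document: low entropy, same extension.
    [(0, "winword.exe", rf"{DOCS}\memo.docx", False, PLAINTEXT)]
    # Backup tool writing new archives: high entropy, but no document renamed.
    + [(t, "backup.exe", rf"D:\backup\set{t}.zip", False, CIPHERTEXT) for t in range(6)]
    # Encryptor rewriting documents as .locked, one per second.
    + [(t, "encryptor.exe", rf"{DOCS}\file{t}.docx.locked", True, CIPHERTEXT) for t in range(6)]
    # A RAT that stumbles over the decoy.
    + [(3, "rat.exe", next(iter(CANARY_PATHS)), True, CIPHERTEXT)]
)

if __name__ == "__main__":
    for proc, reason in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {reason}")
```

Run against the sample, only `encryptor.exe` and `rat.exe` are flagged; `backup.exe` is not, even though it writes ciphertext-like data, because it creates new files rather than renaming existing documents. A real control would sit in the write path (a filesystem filter driver or an equivalent hook) and block the offending process instead of printing an alert, and the thresholds would be tuned against the organization's own baseline.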