Ransomware is not Dead Yet

Toward the end of last year I made a pair of bold predictions.  The first, that ransomware exploits would start declining, because anti-malware software companies were bringing products online that would prevent the encryption from taking place.  The second, there would be an increase in Business Email Compromise (BEC) exploits, as cyber-criminals turned to new income streams.  I was only half right.

BEC exploits have increased, because the potential returns are so much greater, and require much less infrastructure than ransomware.

Ransomware however is holding its own.  The reason is that the attackers are changing the way the exploit works.  One change is the move to malware-free ransom attacks.  This involves compromising a server and just extracting the database or other information.  That is, removing the data, rather than encrypting it in place. In order to get this data returned, the victim would have to pay a ransom.  Easy-peasy, no encryption, no malware.
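The data-theft variant described above leaves no encryption artifacts on the victim's disks, so the signal a defender has is the data leaving the network. The following is an added example, not code from the original post: it scores today's outbound flow volume per internal host against that host's own recent history and flags hosts pushing far more than usual to external destinations. The flow records, the daily history and the 10.0.0.0/8 internal range are all constructed for the example; external addresses use RFC 5737 documentation networks as stand-ins.

```python
"""Flag hosts whose outbound volume to external destinations is far above
their own baseline, the signature of a bulk database or file-share dump.
Constructed data throughout; the thresholds are illustrative."""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed: address space treated as "inside the network".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed history: daily outbound bytes per host over the previous week.
HISTORY = {
    # database server that ships nightly exports to a partner
    "10.0.1.20": [120_000_000, 130_000_000, 110_000_000, 125_000_000,
                  118_000_000, 131_000_000, 122_000_000],
    # web server that normally sends very little out
    "10.0.1.21": [5_000_000, 6_000_000, 4_500_000, 5_200_000,
                  5_800_000, 4_900_000, 5_100_000],
}

# Constructed flow records for today: (src, dst, bytes_sent).
TODAY = [
    ("10.0.1.20", "10.0.5.9", 400_000_000),     # internal backup target, not counted
    ("10.0.1.20", "203.0.113.7", 90_000_000),   # within the DB server's normal range
    ("10.0.1.21", "198.51.100.3", 2_000_000),
    ("10.0.1.21", "198.51.100.3", 150_000_000), # a 150 MB upload from the web server
    ("10.0.1.21", "203.0.113.9", 1_000_000),
    ("10.0.1.30", "203.0.113.7", 1_000),        # host with no history at all
]


def external_bytes_by_host(flows):
    """Sum bytes sent per source host, ignoring flows that stay inside INTERNAL."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            continue
        totals[src] += nbytes
    return dict(totals)


def exfil_candidates(flows, history, factor=10):
    """Return (host, today_bytes, baseline) for every host whose external
    volume today exceeds `factor` times the median of its daily history.
    A host with no history has a baseline of 0 and is always reported, so a
    newly appearing sender is reviewed rather than silently trusted."""
    findings = []
    for host, today in sorted(external_bytes_by_host(flows).items()):
        baseline = median(history[host]) if host in history else 0
        if today > factor * baseline:
            findings.append((host, today, baseline))
    return findings


if __name__ == "__main__":
    for host, today, baseline in exfil_candidates(TODAY, HISTORY):
        print(f"{host}: {today:,} bytes out today vs. median {baseline:,}")
```

The baseline is per host on purpose: a database server that legitimately exports hundreds of megabytes every night should not trip the rule, while the same volume from a web server that normally sends a few megabytes should. In production the history would come from a flow collector and the factor would be tuned against a few weeks of false positives.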

The WannaCry ransomware and Petya attacks took advantage of a Microsoft zero-day vulnerability, and were spread by a worm rather than by email.  This made rapid distribution easier, and WannaCry infected over 200,000 systems in just a few days.  The Petya attack appears to have affected many systems in Ukraine, and spread to Russian systems before spreading worldwide.  It appears more likely to be a disruptive cyber-attack than a ransomware exploit.

Another change is that the ransom amount has been increasing.  According to Symantec, average ransom amounts have increased from $294 in 2015 to $1077 in 2016.  We have heard of ransoms paid that were much larger, such as the $17,000 ransom paid by Hollywood Presbyterian Hospital.  In June, just last week, we saw the $1 million ransom paid by South Korean web hosting company Nayana.  Major companies are actually stockpiling Bitcoin so they are prepared to pay a ransom if necessary.  The reasons for paying vary, but often it is less expensive to pay the ransom, and the recovery goes much quicker than rebuilding servers and endpoint systems and restoring from images and backups.

Some of the more effective methods for preventing crypto-ransomware and other ransomware attacks are:

  • Training your staff to detect phishing emails, and avoid opening attachments or clicking on email links.
  • Using one of the new anti-encryption software products, such as Sophos InterceptX.
  • Geo-blocking IP address ranges for Russia, China, India, and other trouble spots if you don’t do business in these regions.  This will prevent the attacks from connecting in the first place or phoning home to a C2 server.
  • Application white-listing prevents anything that is not explicitly pre-approved from installing on your computer.
  • Web filtering using a tool such as Cisco Umbrella (OpenDNS).  This will keep your users away from known malicious sites, whether through typographical error, clicking on a phishing link, or willful intent.
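Geo-blocking and web filtering in the list above are both egress controls: outbound connections are matched against a blocklist of address ranges or domain names before they are allowed out. The following is an added example, not code from the original post or from any of the products named: it audits firewall log lines against a CIDR blocklist and a domain blocklist and reports which connections would have been stopped. The ranges are RFC 5737 documentation networks standing in for real regional allocations, the domains and log lines are constructed, and the `SRC=/DST=/DPT=` field layout is an assumption about the log format.

```python
"""Audit outbound connection log lines against a CIDR blocklist (geo-blocking)
and a domain blocklist (web filtering). All lists and log lines are constructed."""
import ipaddress
import re

# Constructed stand-ins for "blocked region" ranges (RFC 5737 documentation nets,
# not real country allocations; a real deployment loads a GeoIP feed here).
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed domain blocklist, as a web filter would supply it.
BLOCKED_DOMAINS = {"malicious.example", "typo-paypa1.example"}

# Assumed log layout: "... SRC=<addr> DST=<addr or hostname> DPT=<port> ..."
LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+DPT=(?P<dpt>\d+)")

# Constructed sample log lines.
SAMPLE_LOG = [
    "Jun 28 10:15:02 fw kernel: SRC=10.0.0.5 DST=203.0.113.44 DPT=443",
    "Jun 28 10:15:03 fw kernel: SRC=10.0.0.7 DST=192.0.2.10 DPT=80",
    "Jun 28 10:15:04 fw kernel: SRC=10.0.0.9 DST=c2.malicious.example DPT=8080",
    "Jun 28 10:15:05 fw kernel: SRC=10.0.0.9 DST=updates.vendor.example DPT=443",
    "Jun 28 10:15:06 fw kernel: link state changed",   # not a connection record
]


def dst_blocked_by_cidr(dst_ip: str) -> bool:
    """True if the destination address falls inside any blocked range."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in BLOCKED_RANGES)


def domain_blocked(name: str) -> bool:
    """True if the name, or any parent domain of it, is on the blocklist.
    Matching is done label by label, so 'notmalicious.example' does not
    match 'malicious.example' the way a naive substring test would."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def audit(lines):
    """Return (destination, blocked, rule) for each connection record found."""
    verdicts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record; skip rather than guess
        dst = m.group("dst")
        try:
            verdicts.append((dst, dst_blocked_by_cidr(dst), "cidr"))
        except ValueError:
            # not an IP literal, so treat it as a hostname
            verdicts.append((dst, domain_blocked(dst), "domain"))
    return verdicts


if __name__ == "__main__":
    for dst, blocked, rule in audit(SAMPLE_LOG):
        print(f"{'BLOCK' if blocked else 'allow'}  {dst}  ({rule})")
```

Running the audit over a day of logs before enabling the block rules shows which existing connections would break, which is the usual way to find the one legitimate partner or SaaS endpoint that happens to live in a blocked range.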

The take away is that we need to keep our guard up for ransomware attacks, as we have in the past.  Make use of some of the new tools that can help prevent these attacks from working.  And keep your staff informed and involved, so they know what to look for.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
