Toward the end of last year I made a pair of bold predictions. The first was that ransomware exploits would start declining, because anti-malware software companies were bringing products online that would prevent the encryption from taking place. The second was that there would be an increase in Business Email Compromise (BEC) exploits, as cyber-criminals turned to new income streams. I was only half right.
BEC exploits have increased, because the potential returns are so much greater and they require much less infrastructure than ransomware.
Ransomware, however, is holding its own. The reason is that the attackers are changing the way the exploit works. One change is the move to malware-free ransom attacks. These involve compromising a server and simply extracting the database or other information; that is, removing the data rather than encrypting it in place. To get the data returned, the victim has to pay a ransom. Easy-peasy: no encryption, no malware.
The Wanna-Cry ransomware and Petya attacks took advantage of a Microsoft zero-day vulnerability, and were spread by a worm rather than by email. This made rapid distribution easier, and Wanna-Cry infected over 200,000 systems in just a few days. The Petya attack appears to have affected many systems in Ukraine, and spread to Russian systems before spreading worldwide. It appears more likely to have been a disruptive cyber-attack than a ransomware exploit.
Another change is that the ransom amount has been increasing. According to Symantec, average ransom amounts increased from $294 in 2015 to $1077 in 2016. We have heard of much larger ransoms being paid, such as the $17,000 paid by Hollywood Presbyterian Hospital. Just last week, in June, South Korean web hosting company Nayana paid a $1 million ransom. Major companies are actually stockpiling Bitcoin so they are prepared to pay a ransom if necessary. The reasons for paying vary, but often it is less expensive to pay the ransom, and recovery is much quicker than rebuilding servers and endpoint systems and restoring from images and backups.
Some of the more effective methods for preventing crypto-ransomware and other ransomware attacks are:
- Training your staff to detect phishing emails, and avoid opening attachments or clicking on email links.
- Using one of the new anti-encryption software products, such as Sophos InterceptX.
- Geo-blocking IP address ranges for Russia, China, India, and other trouble spots if you don't do business in those regions. This will prevent the attacks from connecting in the first place, or from phoning home to a C2 server.
- Application white-listing prevents anything that is not explicitly pre-approved from installing on your computer.
- Web filtering using a tool such as Cisco Umbrella (OpenDNS). This will keep your users away from known malicious sites, whether they arrive there through a typographical error, by clicking on a phishing link, or by willful intent.
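As an added illustration of the geo-blocking point above (this is example code, not from the original post), here is a small Python audit that checks constructed firewall log lines against a blocked-region policy, with a partner exception so a legitimate customer in a blocked region stays reachable. The CIDR blocks, the log format and the log lines are all constructed placeholders, not real country allocations; a GeoIP feed would supply the real ranges.

```python
import ipaddress
import re

# Constructed placeholder policy: these CIDR blocks stand in for the country
# ranges a GeoIP feed would supply; they are NOT real national allocations.
BLOCKED_RANGES = {"RU": ["203.0.113.0/24"], "CN": ["198.51.100.0/24"], "IN": ["192.0.2.0/24"]}
# Constructed exception so a legitimate partner in a blocked region stays reachable.
ALLOW_EXCEPTIONS = ["198.51.100.42/32"]

# Constructed firewall log format: "<timestamp> <IN|OUT> <src> -> <dst>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<dir>IN|OUT) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")
SAMPLE_LOG = """\
2017-06-20T10:01:02 OUT 10.0.0.15 -> 203.0.113.77:443
2017-06-20T10:01:05 IN 198.51.100.9 -> 10.0.0.15:445
2017-06-20T10:01:09 OUT 10.0.0.22 -> 198.51.100.42:443
2017-06-20T10:01:11 OUT 10.0.0.15 -> 93.184.216.34:80
"""

def compile_policy(blocked, exceptions):
    """Parse CIDR strings once so each lookup is a cheap containment test."""
    blocked_nets = [(cc, ipaddress.ip_network(c)) for cc, cidrs in blocked.items() for c in cidrs]
    allow_nets = [ipaddress.ip_network(c) for c in exceptions]
    return blocked_nets, allow_nets

def classify(addr, policy):
    """Return 'allow', or 'block:<CC>' when addr is in a blocked region (exceptions win)."""
    blocked_nets, allow_nets = policy
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in allow_nets):
        return "allow"
    for cc, net in blocked_nets:
        if ip in net:
            return f"block:{cc}"
    return "allow"

def audit_log(log_text, policy):
    """Flag lines whose remote side is in a blocked range: OUT = phone-home, IN = inbound attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip it
        remote = m["dst"] if m["dir"] == "OUT" else m["src"]
        verdict = classify(remote, policy)
        if verdict != "allow":
            findings.append((m["ts"], m["dir"], remote, verdict))
    return findings
```

Running `audit_log(SAMPLE_LOG, compile_policy(BLOCKED_RANGES, ALLOW_EXCEPTIONS))` flags the outbound connection into the RU placeholder range and the inbound one from the CN range, while the partner exception and the unlisted address pass.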
The takeaway is that we need to keep our guard up for ransomware attacks, as we have in the past. Make use of some of the new tools that can help prevent these attacks from working, and keep your staff informed and involved so they know what to look for.