Ransomware’s popularity continues to skyrocket, driven by a business model that works and by the substantial sums its victims pay. Unlike other malware business models, which depend on Darknet sales, attackers who use ransomware are paid directly by their victims.
Turnkey offerings for non-experts, such as Ransomware as a Service (RaaS) and do-it-yourself (DIY) kits that provide ready-made, easy-to-use attack tooling, are also fueling ransomware’s growth.
Ransomware’s latest incarnations focus on file encryption, but future versions are unlikely to rely on that tactic alone, since holding files hostage is only one way to extract easy money.
Attacking (whether by corruption, exfiltration or disruption) and then demanding a ransom to stop or reverse the attack could well be the future of the malware landscape: cyber-extortion, if you will.
What’s Next for Ransomware?
These are the ransomware trends I expect to see in the months ahead.
Data Corruption
File and database corruption: Currently, the most common type of ransomware attack is file corruption by encryption, typically using the operating system’s cryptographic APIs. Lately we’ve witnessed database corruption attacks (against internet-exposed MongoDB and MySQL instances, for example) carried out through the database’s own query interface, striking tens of thousands of databases around the world. Ransomware attacks against databases are likely to increase, since that is where an organization’s most sensitive data usually lives.
Keep in mind that encryption is only one method of corruption. Corruption can also be:
- Wiping files outright
- Dropping all database tables
- Any other data tampering (e.g., silently altering database records)
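As an added illustration (not code from the original article), the following Python snippet shows what database-side monitoring for this kind of corruption can look like: it runs a few destructive-statement rules over a constructed SQL audit log and flags a burst of drop, delete-without-WHERE and update-without-WHERE statements coming from one session. The log lines, user names and client addresses are made up, and the regular expressions are deliberately simple: a WHERE inside a string literal would fool the textual WHERE check, which is the gap a parser-based rule would close.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log for the demo (not real traffic). Format per line:
#   <ISO timestamp> <db user> <client address> <statement>
AUDIT_LOG = """\
2017-03-10T08:00:01Z app_user 10.0.0.5 SELECT id, email FROM customers WHERE id = 42
2017-03-10T08:00:02Z app_user 10.0.0.5 UPDATE customers SET last_login = NOW() WHERE id = 42
2017-03-10T08:00:03Z app_user 10.0.0.5 DELETE FROM sessions WHERE expires_at < NOW()
2017-03-10T08:01:10Z admin 203.0.113.9 SELECT table_name FROM information_schema.tables
2017-03-10T08:01:11Z admin 203.0.113.9 UPDATE customers SET ssn = 'ENCRYPTED'
2017-03-10T08:01:12Z admin 203.0.113.9 DROP TABLE orders
2017-03-10T08:01:13Z admin 203.0.113.9 DROP TABLE invoices
2017-03-10T08:01:14Z admin 203.0.113.9 CREATE TABLE README (msg TEXT)
2017-03-10T08:01:15Z admin 203.0.113.9 INSERT INTO README VALUES ('send 0.2 BTC to restore')
2017-03-10T08:01:16Z admin 203.0.113.9 DELETE FROM customers
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
DROP_RE = re.compile(r"^\s*(DROP\s+(TABLE|DATABASE|SCHEMA)|TRUNCATE(\s+TABLE)?)\b", re.I)
# DELETE with nothing after the table name, i.e. no WHERE clause at all
DELETE_ALL_RE = re.compile(r"^\s*DELETE\s+FROM\s+[`\"\w.]+\s*;?\s*$", re.I)
UPDATE_RE = re.compile(r"^\s*UPDATE\s+[`\"\w.]+\s+SET\s+", re.I)
WHERE_RE = re.compile(r"\bWHERE\b", re.I)


def classify(statement):
    """Return a reason if the statement can corrupt a whole table/database, else None.

    Simplification: WHERE is detected textually, so a WHERE inside a string
    literal would pass; a production rule should use a real SQL parser.
    """
    if DROP_RE.match(statement):
        return "drop/truncate"
    if DELETE_ALL_RE.match(statement):
        return "delete without WHERE"
    if UPDATE_RE.match(statement) and not WHERE_RE.search(statement):
        return "update without WHERE"
    return None


def analyze(log_text, burst_threshold=3, window=timedelta(seconds=60)):
    """Flag individual destructive statements and bursts of them per (user, client).

    A burst (burst_threshold hits inside `window`) is the mass-corruption
    signature; that is where real-time blocking or session termination belongs.
    """
    findings = []
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_str, user, client, stmt = m.groups()
        reason = classify(stmt)
        if reason is None:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        findings.append({"ts": ts_str, "user": user, "client": client,
                         "reason": reason, "statement": stmt})
        hits[(user, client)].append(ts)

    bursts = []
    for (user, client), times in hits.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if times[i + burst_threshold - 1] - times[i] <= window:
                bursts.append({"user": user, "client": client, "count": len(times),
                               "action": "kill session, lock account, quarantine client"})
                break
    return {"findings": findings, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(AUDIT_LOG)
    for f in result["findings"]:
        print(f"{f['ts']} {f['user']}@{f['client']}: {f['reason']}: {f['statement']}")
    for b in result["bursts"]:
        print(f"BURST {b['user']}@{b['client']} ({b['count']} destructive statements): {b['action']}")
```

Run against the constructed log, the application user’s scoped UPDATE and DELETE pass, while the four statements from the admin session at 203.0.113.9 are flagged individually and together as a burst; the ransom-note INSERT is not itself destructive, but it lands inside the same window, which is exactly when a real-time control should already have cut the session.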
Still, file encryption isn’t going away any time soon. The method works, the potential victim pool is large (individuals and enterprises alike), and signature-based anti-virus does not reliably stop it.
Backup encryption or complete wipeout: Backups are an essential recovery measure against ransomware. Relying on them alone isn’t ideal, however: restoring takes time, and backups do nothing to prevent the attack.
That downtime is costly for employees and customers; the ransomware that locked up San Francisco’s public transportation ticket machines is one example. Still, backups are one of the few mitigation options left once ransomware has already struck. Consequently, it’s likely we’ll see ransomware deliberately targeting backups to maximize the chances of getting paid, which is one reason to keep at least one copy offline or otherwise unwritable from production hosts.
Data Exfiltration
Take for example one of the latest data exfiltration cases, Vault 7, in which documentation of the CIA’s cyber weapons was leaked and then published by WikiLeaks. If we assume whoever took the data was after money, which is the more profitable approach, corruption or exfiltration? The possibilities include:
- Encrypting the data and demanding payment in order to decrypt it (corruption)
- Stealing the data and trying to sell it on the dark web (exfiltration)
- Stealing the data and demanding payment in order not to disclose it (exfiltration)
In cases like this, or Yahoo!’s breach of one billion accounts, which cost the company at least $350 million, exfiltration has the potential to be more profitable than corruption. The threat of making private data public frightens data owners most, which is why I expect extortionware (also called doxware) to grow in popularity.
Disruptive, Targeted Attacks
The Internet of Things (IoT) trend only makes this type of attack more feasible. Take today’s connected cars and tomorrow’s autonomous cars: both have internet connectivity, whether through an app that lets owners control car functions or through a channel for push updates from the vendor (e.g., automatic software updates).
A vulnerability in the vehicle-side service that talks to the app, or in the update mechanism, can lead to remote code execution on the vehicle. An attacker could then hold the owner hostage, demanding a ransom while threatening to disable the car’s brakes or steering. The even more chaotic scenario (and the bigger payout) is an attacker taking control of all of a vendor’s connected cars and demanding a ransom from the vendor directly.
In a few years, I expect most attacks will evolve into ransomware/extortionware and will share this common DNA: attack by corruption, exfiltration or disruption, then demanding a ransom to stop or reverse the attack. Considering this, organizations must continue to protect their data and assets in response to these changing tactics.
How Can Your Organization Protect Its Assets from Ransomware?
Dealing with ransomware is not an easy task. The following guidelines will help you minimize damage and maximize the chances of preventing or repelling an attack.
Have data auditing and monitoring in place, with an alerting system that works out of the box. This is mainly what enables post-breach forensics and incident response.
Enable real-time blocking. Often, merely alerting on an attack is too late; real-time blocking is what actually prevents it. Beyond blocking individual requests, being able to quarantine users or hosts that appear compromised is a significant advantage.
Use deception techniques. One of the most effective approaches against ransomware is to plant decoy data for attackers to steal or corrupt, then alert or block the moment it is accessed. Since no legitimate workflow touches a decoy, any access is a high-confidence signal, and you turn the attacker’s own activity against them.
Perform regularly scheduled discovery and classification scans to identify where your sensitive data is located.
Institute insider threat and User and Entity Behavior Analytics (UEBA) technology to find anomalous access to your data, especially by those who already have access to it: careless, compromised or malicious insiders.
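To make the monitoring, real-time blocking and deception guidelines above concrete, here is an added Python example (my own illustration, not code from the original article or any product) that combines two of those signals in one monitor: a decoy-file trip-wire that blocks and quarantines on first touch, and a per-host sliding window that flags a burst of high-entropy writes as encryption in progress. The decoy paths, hosts, user names and file events are all constructed for the demo, and the "encryption" is a stand-in keystream XOR used only to produce realistic-looking ciphertext.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

# Hypothetical decoy files planted on shares; no legitimate workflow reads or writes them.
DECOY_PATHS = {
    "/srv/finance/Q4_payroll_FINAL.xlsx",
    "/srv/hr/all_employee_ssns.csv",
}


def shannon_entropy(data):
    """Bits per byte: documents sit around 4-6, encrypted (or compressed) data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class RansomwareMonitor:
    """Per-(host, user) sliding window over recent file writes.

    Two signals feed alert/block decisions:
      1. any access to a decoy path      -> block and quarantine at once (deception trip-wire)
      2. a burst of high-entropy writes  -> quarantine the host (mass encryption in progress)
    Compressed archives are high-entropy too, so the burst rule alone can false-positive;
    the window and fraction thresholds, plus the decoy signal, are what keep it usable.
    """

    def __init__(self, window=10, min_samples=6, entropy_threshold=7.0, burst_fraction=0.7):
        self.min_samples = min_samples
        self.entropy_threshold = entropy_threshold
        self.burst_fraction = burst_fraction
        self.recent = defaultdict(lambda: deque(maxlen=window))
        self.quarantined = set()

    def on_event(self, host, user, path, data):
        """Return the decision for one write event (what an audit record and enforcement hook would act on)."""
        if host in self.quarantined:
            return {"action": "block", "reason": "host quarantined"}
        if path in DECOY_PATHS:
            self.quarantined.add(host)
            return {"action": "block", "reason": "decoy accessed"}
        hist = self.recent[(host, user)]
        hist.append(shannon_entropy(data) >= self.entropy_threshold)
        if len(hist) >= self.min_samples:
            frac = sum(hist) / len(hist)
            if frac >= self.burst_fraction:
                self.quarantined.add(host)
                return {"action": "quarantine",
                        "reason": f"{frac:.0%} of last {len(hist)} writes look encrypted"}
        return {"action": "allow", "reason": "normal"}


def fake_encrypt(plaintext, key=b"constructed-demo-key"):
    """Stand-in for ransomware output: XOR with a SHA-256 keystream. Demo only, not a cipher to reuse."""
    blocks = len(plaintext) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def simulate():
    """Constructed scenario: normal edits, then an encryption burst, then a decoy trip."""
    monitor = RansomwareMonitor()
    doc = ("Quarterly report: revenue grew 4% in the region. " * 60).encode()
    decisions = []
    for i in range(6):   # alice saves ordinary documents on ws-17
        decisions.append(monitor.on_event("ws-17", "alice", f"/srv/finance/report_{i}.docx", doc)["action"])
    for i in range(8):   # ransomware on ws-22 rewrites files with ciphertext
        decisions.append(monitor.on_event("ws-22", "bob", f"/srv/finance/report_{i}.docx.locked",
                                          fake_encrypt(doc))["action"])
    # a service account on ws-31 touches a decoy it has no business reading
    decisions.append(monitor.on_event("ws-31", "svc-backup", "/srv/hr/all_employee_ssns.csv", doc)["action"])
    return monitor, decisions


if __name__ == "__main__":
    mon, decs = simulate()
    print(decs)
    print("quarantined hosts:", sorted(mon.quarantined))
```

In the simulated run the six ordinary saves are allowed, the encrypting host is quarantined on its sixth high-entropy write (the minimum sample count) and every later write from it is blocked, and the decoy touch is blocked on the very first event with no warm-up at all, which is why deception is such a cheap, high-signal control next to the statistical one.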
In conclusion, crime built on ransomware and cyber-extortion is just getting started. The potential profit to attackers is great, and the potential risk to organizational data is even greater. Enterprises should take steps now to protect against these types of attacks.