After years of extorting individual consumers on a global scale, ransomware purveyors have turned their attention to much bigger fish: businesses.
For years, now, ransomware extortionists have profited handsomely from locking up the computer screens of millions of consumers with scams to sell bogus $79 antivirus cleanup services.
Now fresh intelligence from consultancy Deloitte, networking giant Cisco, and cloud security vendor Arctic Wolf Networks underscore an alarming paradigm shift. Ransomware gangs have turned their attention to accessing, then encrypting, valuable data stored deep inside corporate networks. They then demand—and get paid—six- and seven-figure ransoms to restore access to the corporate victims.
“Ransomware is just everywhere,” says David Goeckeler, senior vice president and general manager of Cisco’s networking and security divisions. “It’s going after every vertical. It’s one of the most prolific forms of attacking that’s out there. Attackers are making lots of money.”
Malvertising new tool for crooks
In its 2016 Midyear Cybersecurity Report, Cisco details how cyber criminals have turned to using malvertising to scale up ransomware attacks against businesses.
“Essentially attackers are setting up legitimate ad services and they’re using that to inject malware into ads, or redirect people into malicious sites,” says Steve Martino, Cisco’s chief information security officer. “This is fast becoming the No. 1 way that attackers are delivering ransomware.”
Deloitte reports that ransomware attacks on business networks are much harder to detect and block than traditional breaches. That’s because the fundamental way corporate networks are defended today revolves around detecting malware as it attempts to communicate with a command-and-control server outside of the perimeter, says Scott Keoseyan, threat intelligence leader at Deloitte Cyber Risk Services.
However, once the network is breached, ransomware does its dirty work inside the perimeter, connecting only briefly, if at all, with an outside controller, and thus leaving only the slightest detectable signature.
“Recent variants complete their dirty work without making a single call to the internet,” Keoseyan says. “Other variants attempt to eliminate the data recovery options by encrypting additional connected drives and network shares, deleting files and system restoration points, or even remaining dormant until after a backup cycle.”
Cisco analysts found that the bad guys also are using cryptocurrency, Transport Layer Security and Tor to communicate with victims and to facilitate untraceable extortion payments. Cisco also found that many organizations are doing a poor job keeping security patches up to date, and are unprepared for future strains of more sophisticated ransomware.
That makes getting inside the network perimeter comparatively easy. Ransomware distribution techniques include emailing viral attachments and deploying automated attacks designed to seek out and infect weakly defended web servers.
New pattern of attack
Once installed on the network, ransomware does not lie dormant and undetected, typical behavior of other types of malware designed to breach, then go under cover to evade detection, according to a report from Arctic Wolf Networks.
Ransomware does its dirty work instantly. Within just a few seconds, a typical ransomware variant will unpack and execute itself, then briefly call out to a command and control server to retrieve a key, which it will use to encrypt the files, says Brian NeSmith, co-founder and CEO of Arctic Wolf Networks.
Instead of stealing data and having to find a buyer for it in the cyber underground, the attacker focuses on locating and encrypting caches of sensitive data, or blocking access to a web server or other key systems. The payday comes by restoring access—for a price. The beauty, from the criminal’s perspective, is that a highly motivated purchaser stands at the ready: the original owner, says Liviu Arsene, a senior analyst at Romanian anti-malware vendor Bitdefender.
Arsene says it’s clear the bad guys recognize how lucrative ransomware attacks against businesses can be. He too expects these cyber extortionists to continue taking full advantage of organizations that make themselves easy targets.
“Cyber criminals could even try extorting the same victim more than once,” Arsene says. “Probably the most likely targets will be small and medium-size businesses that work with large organizations, as they’re less likely to invest a great deal in cybersecurity.”
Big money is big lure
Indeed, ransomware attacks are so profitable that it is inspiring the best and brightest malicious hackers to new heights of innovation.
For instance, Bitdefender recently detected and has begun blocking ransomware crafted to encrypt the NTFS Master File Table, buried deep inside the Microsoft Windows operating system. This severs access to the operating system and consequently to everything stored on the disk, instead of just restricting access to particular files.
“Not being able to access any information might scare people into paying, as they could lose much more than just work documents, but personal information as well,” Arsene observes.
Infecting an individual user can bring a double payday. The attacker can extort the individual user, and also use his or her infected computer to gain administrative access to the victim’s company network. From there, ransomware can be spread across corporate systems.
Implanting ransomware on a web server also has multiple payoffs. The attack can activate drive-by downloads and malvertisments to spread ransomware to visitors. Or he can directly encrypt anything of value within reach: web pages, documents, images, scripts, etc. In such attacks, a message follows announcing the infection and giving instructions on how to purchase a decryption key to restore normal functionality.
Techniques such as automatically rolling command functions from one server to the next, on a rotating basis, help attackers stay one step ahead of search engine and antivirus crawlers on the hunt for malicious traffic.
Threat too serious to ignore
Due to its high potential to massively disrupt core business operations, ransomware clearly should be considered a major security concern by information security professionals.
With ransomware attacks against businesses on a rising curve, CIOs, CSOs and IT department heads need to fully familiarize themselves with the dynamic risks associated with this type of infection, and prepare their organizations accordingly.
It is more imperative than ever to deflect as much incoming malware as possible, and to detect and neutralize malware that does get inside network perimeters as quickly as possible.
This means aggressively filtering email, monitoring website traffic, and keeping current with security patches—in both licensed and open-source business applications.
“Ransomware will grow in sophistication and become more widespread as it continues to plague individual users, as well as enterprise,” warns Deloitte’s Keoseyan. “The successes thus far in the extortion of money from victims is paving the way for more cyber criminals to utilize ransomware as their main tactic.”