SecureWorks warns ransomware threat to increase in 2017

Managed Security Provider (MSP) SecureWorks has said it expects ransomware threats to keep growing in 2017. This should come as no surprise despite some ransomware owners giving up in 2016. The number of ransomware families released in 2016 more than trebled from the previous year.

Ransomware has been so successful in 2016 that the owners of the CryptXXX ransomware offered a seasonal discount to those affected. An unexpected side-effect of the success of ransomware has been a surge in the price of Bitcoin. As of today it is now trading at over $900 and is expected to stay at this level for some time.

Alexander Hanel, a security researcher at SecureWorks, said: “Though most ransomware attacks are not targeted, it is likely there will be an uptick in targeted attacks in 2017 as well. Compromising corporate environments through targeted attacks allows the attackers to request more money than they would receive from a typical user. That makes enterprise targets more attractive.”

Ransomware increasingly targeting enterprises

There is already a shift from consumer to business targets by ransomware owners. 2016 saw healthcare come under sustained attack from ransomware. Administrators are quick to pay ransomware demands. This is due to administrators being concerned about the risk to patient health if records cannot be accessed. Hospitals are easy targets for hackers due to the number of computer terminals spread across their premises. It takes just seconds to plug in a USB device and the chances of being seen are minimal. They also offer Wi-Fi access for patients and clinicians. This provides another easy route to attack systems.

Enterprises have been doing a slightly better job of fighting off ransomware. However, January is likely to provide a serious test of the state of IT security. Many users will be bringing in their latest BYOD devices. These will not yet have enterprise security software on them. IT administrators will need to identify and deal with these devices quickly. Users are also likely to bring in other Internet-connected devices just to show off to workmates. These are unlikely to be properly secured. If connected to the office Wi-Fi they provide cyber criminals with an easy route onto the enterprise network.

Ransomware attackers are also getting more professional in choosing the files they target. Back in March SecureWorks researchers said they: “observed a threat group deploying ransomware only after it had established and maintained a foothold in the victim’s environment for weeks. Having access to the target’s infrastructure for extended periods of time enables a threat actor to do reconnaissance and discover where and what valuable data is being stored by the victim.”

SecureWorks sees better encryption being used by ransomware

One of the failings of some ransomware in the past two years has been its poor and to some extent inadequate encryption. This has allowed a number of organisations such as No More Ransom to create solutions to unlock infected machines. While there will continue to be poor examples of malware, ransomware is going to get much harder to defeat.

The SecureWorks release says: “..malware creators will continue to develop more sophisticated malware. In 2016, the success of professional-grade ransomware relied on the RSA encryption algorithm for key exchange and storage, and the Advanced Encryption Standard (AES) algorithm to encrypt victims’ files. Using the RSA algorithm allowed attackers to securely exchange and store the encryption key generated for AES so that it was never exposed by file-system forensics or network traffic monitoring.”

This increased use of better encryption is not just about ransomware. There has been a significant rise in the use of encryption by cyber criminals across multiple attacks. Increasing amounts of data stolen from companies are encrypted before being exfiltrated. This is to defeat network monitoring systems that are looking for key words or phrases in network traffic.

Six steps to mitigate the impact of ransomware

SecureWorks has listed six things that enterprises can do to mitigate the impact of ransomware. These are:

  • Implement employee security awareness training to educate users about evolving malware threats, paying particular attention to the risks associated with social engineering and attachments or links in email messages.
  • Regularly back up data with offline backup media and periodically test media integrity. Backups to locally connected, network-attached, or cloud-based storage are not sufficient because many ransomware families encrypt these files along with those found on the system.
  • Re-evaluate permissions on shared network drives to prevent unprivileged users from modifying files.
  • Apply software patches in a timely manner and verify that system firmware and software is up-to-date.
  • Use antimalware solutions and stay current with the latest threat information.
  • Incorporate a scenario in incident response plans that includes ransomware and rehearse the response.


Ransomware is not going away. It is now the dominant form of attack and one that is highly profitable. The ransomware owners are so confident of their revenue stream that they have reward programmes for distributors. A successful distributor bringing in > 125 Bitcoins per week gets to keep around 85% of the revenue. At the current rate of over $900 per Bitcoin that now equates to over $95,000 per week.

The emergence of Ransomware as a Service was also disclosed by Flashpoint in 2016. It showed how the average Russian ransomware boss was earning around $90,000 per year. The rise in Bitcoin means that amount is now closer to $250,000 per year. These are attractive numbers and show why companies need to take their security more seriously.

If 2017 is to be worse than 2016 for ransomware it will also lead to a demand for more Bitcoins. This will continue to drive the price higher and lead to greater revenue for malware creators. Those enterprises who are not already buying their Bitcoin in advance will need to start doing so.

