During such attacks, malware is installed on the victim's computer that encrypts files important to the user or locks the entire system, after which the attacker demands a ransom to unlock it. The growing number of such attacks is forcing organizations to increase investment in protecting data, networks and client devices.
A large number of ransomware attacks have been observed in the US healthcare sector since the transition to electronic medical records. The banking sector and financial services firms are also increasingly affected by ransomware because of the growing use of mobile and web applications for transactions and payments.
According to a forecast by the research firm MarketsandMarkets, the ransomware protection market will reach $17.36 billion in revenue by 2021, a compound annual growth rate (CAGR) of 16.3% over the five-year forecast period. The Asia-Pacific region offers the greatest growth opportunities thanks to increased cybersecurity spending in China, Australia and India.
As part of its traditional Cybersecurity Week, CRN/USA looks at new ways ransomware is being used in long-term targeted attacks that organizations must be able to defend against.
Backups in the crosshairs
Attackers are now looking not only for mission-critical files but also for backups of files, images and documents, says Terry Ray, senior vice president and Fellow at the cybersecurity firm Imperva (Redwood Shores, Calif.). Organizations therefore should not keep their copies where their system and working files are located.
Even when they do back up, organizations often keep the backups in the same data center as all their other data, which makes it easier for cybercriminals to find and lock those copies, Ray says. To eliminate that risk, he says, you should use third-party storage or SaaS backup services.
At the same time, Ray does not recommend sending backups to the AWS or Microsoft Azure cloud, because if attackers manage to gain access to the organization's internal servers, they can then do whatever they want with the files stored in the public cloud. And even if the backup copy is kept outside the corporate data center, there should be no open channel of communication to that storage, so that attackers cannot reach it, Ray said.
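One way to turn the "no open channel" advice into a check on the production side: ransomware running on a file server can only reach backups it can see through a mounted, writable path, so auditing where each backup destination actually lands in the mount table shows which copies share the server's fate. The script below is an added example written for this page, not Imperva's or CRN's code; the `mount`-style lines, the backup paths and the host names are constructed, and the verdict labels are the author's own classification.

```python
import re

# Constructed sample of `mount`-style output from a production file server
# (hypothetical hosts and paths, not taken from any real system).
SAMPLE_MOUNTS = """
/dev/sda2 on / type ext4 (rw,relatime)
/dev/sdb1 on /srv/data type xfs (rw,noatime)
//backup-nas.corp.local/backups on /mnt/backups type cifs (rw,relatime,vers=3.0)
archive.corp.local:/export/snapshots on /mnt/snapshots type nfs (ro,relatime)
""".strip().splitlines()

# Constructed backup destinations configured on that same server.
BACKUP_PATHS = [
    "/srv/data/backups/daily",     # local disk next to the data it backs up
    "/mnt/backups/fileserver",     # permanently mounted, writable share
    "/mnt/snapshots/weekly",       # share mounted read-only from this host
]

NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4"}
MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<mp>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$")


def parse_mount(line):
    """Parse one `mount` line into a dict, or return None for non-matching lines."""
    m = MOUNT_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "mp": m["mp"], "fs": m["fs"],
            "opts": set(m["opts"].split(","))}


def mount_for(path, mounts):
    """Longest-prefix match: the mount entry that actually holds `path`."""
    best = None
    for mnt in mounts:
        mp = mnt["mp"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mp"]):
                best = mnt
    return best


def audit_backup_paths(paths, mount_lines):
    """Classify each backup destination by how reachable it is from this host.

    local-disk      : same host as the data, encrypted along with it
    writable-share  : persistent open channel, ransomware can overwrite the copy
    read-only-share : cannot be modified from here (still reachable for reading)
    unmounted       : path resolves to nothing, the backup is not landing anywhere
    """
    mounts = [m for m in map(parse_mount, mount_lines) if m]
    findings = {}
    for p in paths:
        mnt = mount_for(p, mounts)
        if mnt is None:
            findings[p] = "unmounted"
        elif mnt["fs"] not in NETWORK_FS:
            findings[p] = "local-disk"
        elif "rw" in mnt["opts"]:
            findings[p] = "writable-share"
        else:
            findings[p] = "read-only-share"
    return findings


if __name__ == "__main__":
    for path, verdict in audit_backup_paths(BACKUP_PATHS, SAMPLE_MOUNTS).items():
        print(f"{verdict:16} {path}")
```

Only "read-only-share" comes close to the advice in the text, and even that still leaves a mounted channel; the stricter reading of Ray's point is a pull model, where the backup system connects to production and production holds no credentials or persistent mount to the backup store at all.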
Combined attacks
Ransomware is increasingly used in combination with other attacks, such as rootkits or Trojans, to brute-force administrator credentials, says Adam Kujawa, director of Malwarebytes Labs (Santa Clara, Calif.). Using exploits such as EternalBlue or EternalRomance helps extend the attack's reach even further.
This method lets attackers infect not just a single computer but every system on the corporate network, Kujawa says. Once the entire network has been covertly seeded with ransomware over several days or even weeks, no one knows where or when the blow will fall. Kujawa therefore recommends determining which data is most valuable to the organization, or would cause the most damage if lost, and adding security controls that make it harder for attackers to reach it.
Database encryption
Ransomware can now encrypt not just individual files but database records, and even pull data out of the database, leaving a ransom note in its place, says Ray of Imperva.
Even in untargeted attacks, file servers are often infected, because the organization leaves them open and every employee can store data on them, Ray says. So attackers can easily get to file servers without phishing anyone at all.
Unlike file servers, databases tend to have a very limited number of users in an organization, Ray says. Attackers therefore have to aim their phishing at the database administrator of a particular organization in order to obtain a username and password for the application server that accesses the database. But the actions themselves, encrypting or stealing data from a file server versus a database, are essentially the same, Ray says.
Loaders and stealers
Typically, a password stealer or a malware loader is sent into the organization's network first, says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint (Sunnyvale, Calif.). The stealer is designed to collect credentials, web logins and cookies, and to find out exactly where the organization's most important files are located.
The loader behaves differently: it is covertly installed on the victim's computer and, for the time being, does not reveal itself in any way, so that the attacker can deliver the payload at the right moment. Attackers have become more likely to use such loaders, since they help deliver ransomware, which brings fast money, with stealers now behind them since Emotet went dark at the end of May, Kalember says.
Either way, attackers use the access gained through the stealer or loader for larger-scale attacks involving ransomware, Kalember says. In other words, the primary function of the malware in a phishing attack is to set the stage for ransomware.
Encryption is improving
Early on, most ransomware implemented its encryption poorly, so many affected organizations were able to decrypt their data themselves and ignore the ransom demand, says Kujawa of Malwarebytes.
Many of the attackers were newcomers rather than professional developers, and they often generated their encryption keys by hand and ineptly, Kujawa says. As a result, they could not produce working decryption tools, so the victim would not get the data back even after paying.
The situation changed once Microsoft created a new cryptography platform for Windows and CryptoLocker got encryption right, Kujawa recalled. Today ransomware is generally well made, and the question most attackers are now solving is how to perform encryption correctly at scale.
Geofence attacks
Geofenced malware runs only on specific IP addresses, allowing attackers to aim their attacks at specific geographic regions, says Kalember of Proofpoint. For example, many malware families have been observed to leave Russia and other former Soviet republics entirely alone, he says.
Today many attackers build ransomware variants that target specific countries, he said. For example, they may craft lures in Italian or German to catch employees of organizations in those countries.
Running such malware on other IP addresses, outside Italy or Germany, creates an unnecessary risk of detection with no benefit to the attackers, since recipients in other countries simply cannot read the message, Kalember explained.
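The geofence logic Kalember describes is simple to model, and modelling it shows why a sandbox that egresses from the wrong country sees no payload at all. The code below is an added example written for this page, not Proofpoint's or any malware family's code. It assumes a prefix-to-country lookup; the `GEO_TABLE` entries use documentation and shared-address ranges mapped to made-up countries purely for illustration, and the `excluded` set of CIS country codes is an assumed list standing in for "Russia and other former Soviet republics".

```python
import ipaddress

# Constructed, hypothetical prefix-to-country table for illustration only.
# Real geofenced malware consults a full GeoIP database or an online lookup.
GEO_TABLE = [
    ("203.0.113.0/24", "IT"),
    ("198.51.100.0/24", "DE"),
    ("192.0.2.0/24", "RU"),
    ("100.64.0.0/10", "US"),
]

# Assumed exclusion list; the text only says Russia and other former Soviet republics.
CIS_EXCLUDED = frozenset({"RU", "BY", "KZ", "UA"})


def lookup_country(ip_str, table=GEO_TABLE):
    """Return the country code of the most specific matching prefix, or None."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for cidr, cc in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else None


def should_detonate(ip_str, targeted, excluded=CIS_EXCLUDED, table=GEO_TABLE):
    """Decide whether a geofenced payload would run for a victim at this IP.

    targeted: country codes the campaign's lures were written for (e.g. {"IT", "DE"}).
    excluded: country codes the operator never attacks; these win over `targeted`.
    An unknown location stays quiet: running anyway only risks detection.
    """
    cc = lookup_country(ip_str, table)
    if cc is None or cc in excluded:
        return False
    return cc in targeted


def sandbox_coverage(egress_ips, targeted, **kw):
    """For the analyst: which of our sandbox egress IPs would see the payload?"""
    return [ip for ip in egress_ips if should_detonate(ip, targeted, **kw)]


if __name__ == "__main__":
    campaign = {"IT", "DE"}
    for ip in ["203.0.113.7", "198.51.100.200", "192.0.2.5", "100.64.1.1", "10.1.2.3"]:
        print(ip, lookup_country(ip), "detonate" if should_detonate(ip, campaign) else "dormant")
    print("sandbox egress that would trigger:", sandbox_coverage(["100.64.1.1", "203.0.113.7"], campaign))
```

The practical consequence for detection engineering is the last function: a sample from an Italian-language campaign detonated from a US or CIS egress address returns a clean verdict, so the sandbox needs an exit in the targeted country (or the geofence check patched out) before its behaviour can be observed.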
Attacks on the weaker
Ransomware used to hit companies indiscriminately, but now that more established organizations have strengthened their defenses and protected their backups more reliably, they are increasingly able to recover from an attack without paying any ransom, Kalember says. Attackers have therefore shifted their sights to small firms and municipal governments that are not as well protected.
Attackers work from a demographic profile, identifying small organizations in sectors with traditionally low budgets and little staff training, Kalember says, and then look for publicly listed shared mailbox addresses, since several people see the message at once, which raises the odds of success.
Attackers have also partly abandoned working the first user through phishing, instead picking the victim they need inside the organization and brute-forcing that account. Hackers have also begun using Remote Desktop Protocol to get into known internet-exposed resources in the organization's ecosystem, Kalember added.
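The brute-force and RDP entry paths Kalember mentions leave a recognizable trail in the Windows Security log: a run of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, followed by a success (4624) from the same address. The detector below is an added example written for this page, not Proofpoint's or CRN's code. It assumes the events have already been flattened into the simplified one-line form shown in `SAMPLE_EVENTS`, which is constructed data with documentation-range addresses, not a real log; the field names mirror the event's own fields, the five-in-five-minutes threshold is an arbitrary starting point.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log lines (not real events), flattened to one line
# each: timestamp, event ID, logon type, target account, source address.
SAMPLE_EVENTS = """
2019-09-10T10:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2019-09-10T10:00:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23
2019-09-10T10:00:05Z EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=10.0.0.5
2019-09-10T10:00:09Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.23
2019-09-10T10:00:12Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.9
2019-09-10T10:00:15Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=198.51.100.23
2019-09-10T10:00:20Z EventID=4625 LogonType=10 TargetUserName=backupsvc IpAddress=198.51.100.23
2019-09-10T10:00:31Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.7
2019-09-10T10:00:44Z EventID=4625 LogonType=10 TargetUserName=backupsvc IpAddress=198.51.100.23
2019-09-10T10:01:02Z EventID=4624 LogonType=10 TargetUserName=backupsvc IpAddress=198.51.100.23
""".strip().splitlines()

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = 10  # RemoteInteractive (RDP / Terminal Services)


def parse(line):
    """Parse one flattened event line; return None for anything that does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (alerts, compromises).

    alerts      : sorted source IPs with >= `threshold` failed RDP logons inside `window`
    compromises : (ip, user) pairs where a successful RDP logon followed such a burst,
                  i.e. the guessing most likely worked
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent type-10 failures
    alerted = set()
    compromises = []
    for ev in map(parse, lines):
        if ev is None or ev["lt"] != RDP_LOGON_TYPE:
            continue
        q = failures[ev["ip"]]
        if ev["eid"] == 4625:
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerted.add(ev["ip"])
        elif ev["eid"] == 4624 and ev["ip"] in alerted:
            compromises.append((ev["ip"], ev["user"]))
    return sorted(alerted), compromises


if __name__ == "__main__":
    alerts, compromises = detect_rdp_bruteforce(SAMPLE_EVENTS)
    print("brute-force sources:", alerts)
    print("success after burst:", compromises)
```

Interactive (type 2) failures from the console are ignored on purpose, so a user mistyping a password at the keyboard does not trip the rule, and a success from an address with no preceding burst (10.0.0.7 above) is not reported. Against a real log, the same logic runs over `Logon Type`, `Account Name` and `Source Network Address` pulled from the 4625/4624 event XML.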
Ransomware-as-a-service
Ransomware authors have begun recruiting botnet owners, offering them a commission to distribute the malicious code, says Kujawa of Malwarebytes. If all goes well and a ransom is paid, the affiliate receives a set share and the author takes the rest.
An attacker who creates and distributes his own malware has only one channel and method of distribution, Kujawa says. When a network of affiliates is at work, it is much harder to block a given ransomware family, since 15 to 20 people are distributing it, each operating differently and picking different targets, Kujawa explained.
Building a ransomware "supply chain" has helped authors monetize their creations and keep strains active for several years after discovery, Kujawa says. But building such a network means placing a degree of trust in affiliates they do not actually know, and there is always the risk that an affiliate will reverse-engineer the code, recover the source, build their own strain of the ransomware and go into business with it.