Ransomware eclipsed most other cyberthreats in 2017 and has emerged as one of the most pressing security concerns for organizations today.
Highlighting the trend is the recent attack on Hancock Health of Greenfield, Indiana, in which the hospital paid $55,000 in bitcoin to recover data that the ransomware had encrypted.
In comments to local newspapers, Hancock Health’s CEO claimed the hospital had the ability to recover the data on its own but the process would have taken too long and ended up being more costly than the payout.
Growing Business Concern
Some 8 in 10 respondents in a survey of 500 IT practitioners, conducted by Cybersecurity Insiders last year, viewed ransomware as a moderate to severe threat, presumably for similar reasons. More than half were only slightly to moderately confident in their organization’s ability to defend against ransomware attacks, and nearly 40 percent believed it would take them from one day to several weeks to recover from an attack.
The numbers are disconcerting because ransomware attacks against businesses, such as the one on Hancock, are growing in number even as the overall number of victims appears to be declining.
Security vendor Kaspersky Lab estimated that more than 26 percent of those targeted by ransomware in 2017 were businesses, compared with around 23 percent in 2016. The overall number of victims dropped from 1.5 million in 2016 to 950,000 last year, but many exploits, including WannaCry, which infected some 300,000 systems globally, and NotPetya, were designed specifically to infect business networks, Kaspersky noted. FedEx subsidiary TNT Express last year incurred a staggering $300 million in recovery costs after systems worldwide were infected with the self-propagating NotPetya ransomware tool.
Last year saw a sharp drop in the number of new ransomware families released by threat actors, but a corresponding increase in modifications to existing tools designed to evade detection by security products, Kaspersky noted.
Evolving Malware and Distribution Methods
A growing number of ransomware tools are being designed or tweaked specifically for business compromise, as are the distribution methods. The attack on Hancock Health, for instance, involved the use of SamSam, a strain of server-side ransomware designed specifically for use against hospitals. Last August, Comodo reported discovering a new Locky ransomware Trojan specifically designed to evade most corporate defenses, including those employing machine learning and AI.
Phishing emails remain the top vector for ransomware distribution, even for attacks targeting businesses. But some ransomware tools have begun employing other, more business-focused infection methods. WannaCry and NotPetya, for instance, were self-propagating tools that spread via a Server Message Block (SMB) exploit. The authors of the CRYSIS ransomware family last year tweaked the malware so it could be delivered to businesses via Remote Desktop Protocol (RDP) brute-force attacks.
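The RDP brute-force delivery method described above leaves a recognizable trace in authentication logs: a burst of failed logons from one source, sometimes followed by a success. The following detector is an added example, not code from the article or from any vendor; it runs over constructed, syslog-like lines whose field names (src, user, result) are assumptions rather than any product's schema.

```python
"""Detect RDP brute-force patterns in authentication log lines.

Added example (not from the article): flags any source address that
produces THRESHOLD or more failed logons within WINDOW, and separately
flags a later successful logon from that same source, which is the
event that matters for ransomware delivery. The log format below is
constructed; the field names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

THRESHOLD = 5                   # failures per source that trigger an alert
WINDOW = timedelta(seconds=60)  # sliding window for counting failures

# Constructed sample lines: ISO timestamp, source IP, user name, outcome.
SAMPLE_LOG = """\
2018-01-12T03:14:01Z src=203.0.113.7 user=admin result=FAIL
2018-01-12T03:14:03Z src=203.0.113.7 user=administrator result=FAIL
2018-01-12T03:14:04Z src=198.51.100.20 user=jsmith result=OK
2018-01-12T03:14:06Z src=203.0.113.7 user=backup result=FAIL
2018-01-12T03:14:09Z src=203.0.113.7 user=sql result=FAIL
2018-01-12T03:14:12Z src=203.0.113.7 user=scan result=FAIL
2018-01-12T03:14:15Z src=203.0.113.7 user=test result=FAIL
2018-01-12T03:14:20Z src=203.0.113.7 user=admin result=OK
2018-01-12T03:20:00Z src=198.51.100.20 user=jsmith result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, src, user, result) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("user"), m.group("result")


def detect_rdp_bruteforce(log_text):
    """Return a list of (kind, src, timestamp) alerts in log order.

    kind is 'bruteforce' the first time a source reaches THRESHOLD failures
    inside WINDOW, and 'success_after_bruteforce' whenever that source then
    logs on successfully.
    """
    recent_fail = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                   # sources already reported as brute-forcing
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, src, _user, result = parsed
        q = recent_fail[src]
        # Expire failures that fell out of the sliding window.
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ts))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} from {src}")
```

On the constructed sample, the source 203.0.113.7 is reported once when its fifth failure lands inside the 60-second window, and again when its later logon succeeds; the single, isolated failure from 198.51.100.20 produces nothing. In production the same logic is fed from Windows Security event 4625/4624 or the equivalent, and the success-after-failures alert is the one worth paging on.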
Significantly, not all attacks classified as ransomware last year were about extortion. Many analysts believe that some ransomware families, such as Petya, were designed to cause damage to systems on infected networks.
Following the Money
Few expect the trend toward targeting businesses to slow anytime soon. Attackers have realized they can extort potentially much larger ransoms from businesses than from individual victims and have therefore begun focusing on them more.
“Ransomware attacks will continue to grow at double-digit rates,” said Avivah Litan, an analyst at Gartner. “I think we’ll continue to see the growth of mass ransomware attacks against corporations and large institutions rather than small victims.” Litan also predicted a price drop on common ransomware kits sold in underground forums this year as they become increasingly commoditized.
John Pescatore, director of emerging security threats at the SANS Institute, said organizations should be on guard against attacks targeting data stored on cloud services. Data left unprotected in the cloud can be a tempting and easy target for attackers, he said, noting a recent incident in which a security researcher at UpGuard found a massive data trove belonging to the Pentagon left unguarded on Amazon’s cloud.
Ransomware attacks against data stored in the cloud could take one of two forms, he said: attackers could either simply lock access to whatever data they find and demand a ransom for it or, if data is being backed up to the cloud, encrypt the backup data first before encrypting the source data. “Think of all the mobile apps where people use the cloud as their storage space,” he said of the potential implications.
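The backup-first scenario Pescatore describes is defeated only if a backup is verified against a record kept out of the attacker's reach before it is trusted for restore. The following check is an added example, not code from the article or from any backup product: a manifest of SHA-256 digests recorded at backup time is compared against the copy pulled back from storage, and any object that no longer matches is also tested for the near-maximal byte entropy typical of ciphertext. File sets are in-memory dictionaries here, and the sample contents are constructed.

```python
"""Verify a backup set before trusting it for restore.

Added example (not from the article): build_manifest() records SHA-256
digests at backup time (store this manifest separately from the backup
itself), and verify_backup() later checks a retrieved copy against it.
Mismatched objects are further tested with shannon_entropy(); encrypted
content scores close to 8 bits per byte, while ordinary data does not.
"""
import hashlib
import math
import os
from collections import Counter


def build_manifest(files):
    """files: {path: bytes}. Returns {path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_backup(manifest, files, entropy_threshold=7.5):
    """Compare a retrieved file set against the manifest.

    Returns (ok, findings) where findings is a list of (path, reason).
    """
    findings = []
    for path, digest in manifest.items():
        data = files.get(path)
        if data is None:
            findings.append((path, "missing"))
            continue
        if hashlib.sha256(data).hexdigest() != digest:
            reason = "modified"
            if shannon_entropy(data) >= entropy_threshold:
                reason = "modified, high entropy (possibly encrypted)"
            findings.append((path, reason))
    for path in files:
        if path not in manifest:
            findings.append((path, "unexpected file"))
    return (not findings, findings)


# Constructed sample: the source tree as it looked when the backup was taken.
SOURCE = {
    "db/customers.csv": b"id,name,email\n" + b"1,Alice,alice@example.com\n" * 200,
    "app/config.ini": b"[db]\nhost=localhost\nport=5432\n",
}
MANIFEST = build_manifest(SOURCE)

# Constructed sample: the same backup retrieved later, after one object was
# encrypted in place (simulated with random bytes) and a note was dropped.
TAMPERED = dict(SOURCE)
TAMPERED["db/customers.csv"] = os.urandom(len(SOURCE["db/customers.csv"]))
TAMPERED["README_DECRYPT.txt"] = b"your files are encrypted"


if __name__ == "__main__":
    ok, findings = verify_backup(MANIFEST, TAMPERED)
    print("backup ok" if ok else "backup rejected")
    for path, reason in findings:
        print(f"  {path}: {reason}")
```

The design point is that the manifest must live somewhere the backup job's credentials cannot overwrite; if the attacker who encrypts the backup can also rewrite the manifest, the check verifies nothing. Object versioning or write-once retention on the backup bucket serves the same purpose from the storage side.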
As defenders get better at putting anti-ransomware controls around their databases and other data assets, expect attackers to try other tactics, such as encrypting key executable files to make applications unusable instead, Pescatore said.
“When you think about it, one of the weaknesses of this whole DevOps model and this whole cloud model is that executables are changed pretty rapidly,” he said. An attacker that manages to encrypt key executable files in such an environment can bring an entire organization to a halt. “Maybe I was stuck on an older version and my apps aren’t going to run on a new executable.”