Mobile Devices As Attack Vector for Ransomware

The amount of damage that can be done by a ransomware attack against a network is well known. We’ve seen the stories about hospitals, universities, and governments taken offline and the threats made to organizational and consumer information.

The focus of ransomware, however, remains almost exclusively on network attacks. But the time has come—actually, the time has probably long passed—to look at securing mobile devices against ransomware. It’s not the next attack vector for ransomware gangs; it’s an attack vector they are already using but to which few are paying attention.

Mobile Malware Impacts Everyone

Almost every organization encountered a mobile malware threat in 2020, according to Check Point’s Mobile Security Report 2021. The report also found that four in 10 mobile devices are vulnerable to cyberattacks and that nearly half of organizations had an employee download a malicious app.

“Cybercriminals are continuing to evolve and adapt their techniques to exploit our growing reliance on mobiles,” said Neatsun Ziv, VP of threat prevention at Check Point Software, in a formal statement. “And there are more complex threats on the horizon.”

Cybersecurity professionals have known that threat actors would target mobile devices since BYOD became a buzzword, and they knew that ransomware would evolve over time—following users from their desktop computers and connected networks to mobile devices. Security teams have been fighting the mobile ransomware battle on both Android and Apple devices for nearly a decade.

“Ransomware, starting in 2013, was exclusively targeted to individuals; that proved lucrative enough,” explained John Bambenek, principal threat hunter at Netenrich, in an email comment. “Then, the focus shifted almost exclusively to organizations where large ransom payments started coming into play. Mobile ransomware seems to present a step back, at least for some threat actors. As so much of our digital lives take place on our mobile phones, it represents a way to extract money.”

More Sophisticated Attacks Coming

And ransomware is all about the money. “The mobile ransomware attacks we’ve encountered tend to be financially motivated; the consequences limited to individual devices being compromised and the victims paying the requested ransom or losing access to their device file system,” said Kristina Balaam, senior threat researcher, threat intelligence, at Lookout, in an email interview.

In the earlier days of mobile ransomware, threat actors didn’t even have to actually encrypt anything; pretending to encrypt the device’s file system was enough for the payoff. Mobile device users were so surprised to get the ransomware notice that they often paid without a second thought. Those days are over, but not because users have grown wiser about checking to see if their data was, in fact, locked.

Instead (and not surprisingly), the attacks have become much more sophisticated. “As we’re seeing an increase in the prevalence and sophistication of these attacks—probably in response to how successful other non-mobile ransomware attacks have been over the last few years—it’s possible that a threat actor may attempt to gain access to corporate assets or infrastructure through such an attack in the future, rather than just attempting to extort money from an unsuspecting user,” said Balaam.

Victims of mobile ransomware have tended to be average users: essentially anyone the attacker can convince to install their application. This differs from network-targeted ransomware attacks, which tend to be larger in scale and result in more collateral damage to organizations and many individuals.

“The current landscape for mobile ransomware is somewhat like that of banking Trojans: The threat actors appear to be purely interested in making money from unsuspecting victims, either by blocking access to necessary device files and demanding payment for their recovery or by pretending to withhold access to those files,” explained Balaam.

Mobile ransomware, like all ransomware and cyberattacks, will only become more sophisticated. Threat actors and ransomware gangs know that the line between network and mobile is blurring and mobile devices are likely to have as much access to organizational data as personal data.

“The best way for mobile device users to mitigate the threat of mobile ransomware attacks is to be vigilant about the kinds of applications they’re installing on their devices: Don’t download applications from unverified app stores, don’t download applications shared on social media and consider installing a mobile antivirus client that can help detect known ransomware (and other malware) families if they are downloaded or installed on a device,” said Balaam.

Organizations and their cybersecurity teams can help prevent these kinds of attacks by educating their users about device compromise and considering an enterprise-wide mobile security strategy for any employees whose devices connect to corporate infrastructure.

Any individual’s device that grants a threat actor access to a larger network or corporate assets is at risk—so that means just about every mobile device could be the vector of an organization’s ransomware attack.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.