Cyber criminals use ransomware to hook big fish

Targeted attacks aim to cripple large organizations, but basic defense goes a long way to protect businesses of all sizes


Ransomware is no longer random.

It used to be that simply clicking on the wrong web page at the wrong time could result in an infection that cut you off from your computer files—until you paid a “ransom.”

But over the past few months, a new, much more alarming trend has been emerging—cyber criminals have shifted to attacks that specifically target organizations.

Instead of extorting comparatively small amounts from many individuals, cyber criminals are increasingly going after bigger payouts from the big fish.

“Their goal is to make as much money as quickly as possible, the easiest possible way,” says Joe Marshall, ICS security research manager at Cisco Talos.

A report issued last week by security vendor Infoblox shows there was a dramatic surge of newly observed ransomware domains in the first three months of this year.

The Infoblox DNS Threat Index measures both registration of new domains and hijacking of previously legitimate domains or hosts being used to run ransomware campaigns. The baseline for this Index is 100, representing the average for the creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

The index soared to 137 in Q1 2016, rising 7 percent from 128 in the prior quarter, and topping the previous record of 133 established in Q2 2015.


Rod Rasmussen, Infoblox vice president of cybersecurity

Rod Rasmussen, vice president of cybersecurity at Infoblox, says there has been a “seismic shift” in ransomware threats, from attacks on individuals to “industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises.”

While many of the recent high-visibility attacks have been in the health care sector, Cisco’s Marshall says criminals are not necessarily targeting a specific industry. Health care organizations may be simply more visible, in part because of their disclosure and reporting requirements.

Critical consequences

Kevin Epstein, vice president of the Threat Operations Center at cybersecurity and compliance company Proofpoint, agrees.

“We have not seen ransomware disproportionately targeting health care,” he says, “but we have certainly seen an increase in ransomware targeting organizations where the impact would be rapidly felt.”

In those attacks, he says, the organizations have “an extremely high incentive to pay up quickly because of the amount of money being lost in real time.”

Still, the fact that hospitals have been in the crossfire worries John Bambeneck, threat systems manager for Fidelis Cybersecurity.

“At hospitals, you have people who need the technology to live, and if it stops working, you have a real problem,” he says. “You start attacking hospitals in disruptive ways and so many of their machines are interconnected—what happens if (the attack) hits a respirator with embedded Windows? Somebody could die.”

Predictions coming true

Last year, security experts warned that ransomware attacks would grow in 2016, some even saying that this would be “the year of ransomware.” The observations included more than 4 million ransomware samples seen by McAfee Labs in the second quarter of last year. Of those, 1.2 million were new samples, compared to fewer than 400,000 new samples in the third quarter of 2013.

McAfee researchers, among others, warned back then that targeted ransomware campaigns were likely to hit different sectors in 2016. Not only were they proven right; the first quarter alone showed evidence of new, more aggressive tactics.

Among them was a widespread campaign, observed by Cisco Talos, that used the Samsam (or Samas) variant, which was responsible for the attack on MedStar Health in March. Unlike typical ransomware, which relies on human interaction and vectors like exploit kits or phishing campaigns, Samsam is distributed via unpatched network servers. On top of that, it has the ability to self-propagate and to encrypt backup files.

“The adversaries are evolving and using different methods of propagation to bring entire businesses down, and they’re going to get more creative with how they do that,” Marshall says.

A recently published white paper by Cisco Talos gave a hypothetical example of what a cryptoworm like Samsam may be able to do in the near future: Once it gets a foothold inside a network, the ransomware spreads to more than 800 servers and 3,200 workstations, forcing core applications to fail and crippling the ability to restore from a backup—all this in just one hour.

Marshall says while no one has yet “assembled the pieces cogently” to make that scenario a reality, the Darwinian nature and capabilities of Samsam could very likely lead to that type of evolution.

More virulent strains

Another previously undocumented strain was observed by Proofpoint research in March. Dubbed CryptXXX, this ransomware not only encrypts files, but also steals the data.

“It’s like kidnapping you and stealing your wallet at the same time,” says Epstein, adding that this is clearly an evolution from the typical “cyber kidnapping” where people were assured to get their files back safely if they paid the ransom.

The CryptXXX discovery came on the heels of Proofpoint’s discovery that the same actors who orchestrated the Dridex campaign—distributing ransomware through Word documents and macros—also were behind the newly discovered strain dubbed Locky.

“If the trend continues, this will certainly be an interesting year,” Epstein says.

While the newest tactics seem to angle for the bigger fish, small and medium businesses are far from being off the hook. Considering the oversaturation of stolen credit card numbers on the black market, experts say the simple economics of ransomware means there’s no end in sight, including in the consumer category—which is where most SMBs fall.

Bambeneck points out that unlike a corporate data breach, it’s up to the individual end users—like smaller businesses—to protect themselves from ransomware attacks. And cyber criminals are often exploiting vulnerabilities that are a year or two old because those end users are not patching their computers.

“The good news is that the awareness is growing for consumers, and small and medium businesses are part of that,” he says.

Marshall says that defense often comes down to basic cybersecurity hygiene—even simple steps like applying patches regularly or copying data to a removable hard drive that’s unplugged from the network and stored in a fireproof safe.

“It doesn’t have to be a cost-prohibitive thing for small or medium businesses,” he says. “Something is better than nothing.”
