Cyber criminals use ransomware to hook big fish

Targeted attacks aim to cripple large organizations, but basic defense goes a long way to protect businesses of all sizes


Ransomware is no longer random.

It used to be that simply clicking on the wrong web page at the wrong time could result in an infection that cut you off from your computer files—until you paid a “ransom.”

But over the past few months, a new, much more alarming trend has been emerging—cyber criminals have shifted to attacks that specifically target organizations.

Instead of extorting comparatively small amounts from many individuals, cyber criminals are increasingly going after bigger payouts from the big fish.

“Their goal is to make as much money as quickly as possible, the easiest possible way,” says Joe Marshall, ICS security research manager at Cisco Talos.

A report issued last week by security vendor Infoblox shows there was a dramatic surge of newly observed ransomware domains in the first three months of this year.

The Infoblox DNS Threat Index measures both registration of new domains and hijacking of previously legitimate domains or hosts being used to run ransomware campaigns. The baseline for this Index is 100, representing the average for the creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

The index soared to 137 in Q1 2016, rising 7 percent from 128 in the prior quarter, and topping the previous record of 133 established in Q2 2015.
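The way the article describes the index (a count of newly created DNS threat infrastructure per quarter, normalized so the eight-quarter 2013–2014 average reads 100) is simple enough to reproduce. The following added example is not Infoblox's code and the raw quarterly counts in it are constructed, since the report publishes only index values; it shows how the normalization works and checks that the quoted figures (128 to 137) agree with the quoted 7 percent rise.

```python
from statistics import mean

# Constructed baseline: eight quarterly counts of new DNS threat infrastructure
# for 2013-2014. Chosen so their mean is 1000, i.e. an index of 100. These are
# illustrative numbers, not Infoblox's data.
BASELINE_COUNTS = [900, 950, 1000, 1050, 1000, 1100, 1000, 1000]


def threat_index(count, baseline_counts=BASELINE_COUNTS):
    """Normalize one quarter's count so the baseline average maps to 100."""
    baseline = mean(baseline_counts)
    return round(count / baseline * 100)


def pct_change(current, prior):
    """Quarter-over-quarter change in whole percent, as the article reports it."""
    return round((current - prior) / prior * 100)


def is_new_record(current, history):
    """True if the current index exceeds every earlier value in the series."""
    return current > max(history)


def summarize_quarter(count, prior_index, history):
    """Build the kind of headline figures the report quotes for one quarter."""
    index = threat_index(count)
    return {
        "index": index,
        "change_pct": pct_change(index, prior_index),
        "record": is_new_record(index, history),
    }


if __name__ == "__main__":
    # Constructed: 1370 new threat domains/hosts in the quarter, a prior-quarter
    # index of 128, and a history whose peak is the 133 the article cites.
    print(summarize_quarter(1370, 128, [100, 110, 133, 120, 128]))
```

The check that matters for a reader of the report is the last one: a rise from 128 to 137 is 9/128, which rounds to the 7 percent the article states, and 137 exceeds the prior peak of 133, so the "new record" claim is consistent with the numbers given.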


Rod Rasmussen, Infoblox vice president of cybersecurity

Rod Rasmussen, vice president of cybersecurity at Infoblox, says there has been a “seismic shift” in ransomware threats, from attacks on individuals to “industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises.”

While many of the recent high-visibility attacks have been in the health care sector, Cisco’s Marshall says criminals are not necessarily targeting a specific industry. Health care organizations may be simply more visible, in part because of their disclosure and reporting requirements.

Critical consequences

Kevin Epstein, vice president of the Threat Operations Center at cybersecurity and compliance company Proofpoint, agrees.

“We have not seen ransomware disproportionately targeting health care,” he says, “but we have certainly seen an increase in ransomware targeting organizations where the impact would be rapidly felt.”

In those attacks, he says, the organizations have “an extremely high incentive to pay up quickly because of the amount of money being lost in real time.”

Still, the fact that hospitals have been in the crossfire worries John Bambeneck, threat systems manager for Fidelis Cybersecurity.

“At hospitals, you have people who need the technology to live, and if it stops working, you have a real problem,” he says. “You start attacking hospitals in disruptive ways and so many of their machines are interconnected—what happens if (the attack) hits a respirator with embedded Windows? Somebody could die.”

Predictions coming true

Last year, security experts warned that ransomware attacks would grow in 2016, some even saying that this will be “the year of ransomware.” The observations included more than 4 million ransomware samples seen by McAfee Labs in the second quarter of last year. Of those, 1.2 million were new samples, compared to fewer than 400,000 new samples in the third quarter of 2013.

McAfee researchers, among others, warned back then that targeted ransomware campaigns were likely to hit different sectors in 2016. Not only were they proven right, but the first quarter alone showed evidence of new, more aggressive tactics.

Among them was a widespread campaign, observed by Cisco Talos, that used the Samsam (or Samas) variant (which was responsible for the attack on MedStar Health in March). Unlike typical ransomware, which relies on human interaction and vectors like exploit kits or phishing campaigns, Samsam is distributed via unpatched network servers. On top of that, it has the ability to self-propagate and encrypt backup files.

“The adversaries are evolving and using different methods of propagation to bring entire businesses down, and they’re going to get more creative with how they do that,” Marshall says.

A recently published white paper by Cisco Talos gave a hypothetical example of what a cryptoworm like Samsam may be able to do in the near future: Once it gets a foothold inside a network, the ransomware spreads to more than 800 servers and 3,200 workstations, forcing core applications to fail and crippling the ability to restore from a backup—all this in just one hour.

Marshall says while no one has yet “assembled the pieces cogently” to make that scenario a reality, the Darwinian nature and capabilities of Samsam could very likely lead to that type of evolution.

More virulent strains

Another previously undocumented strain was observed by Proofpoint research in March. Dubbed CryptXXX, this ransomware not only encrypts files, but also steals the data.

“It’s like kidnapping you and stealing your wallet at the same time,” says Epstein, adding that this is clearly an evolution from the typical “cyber kidnapping” where people were assured to get their files back safely if they paid the ransom.

The CryptXXX discovery came on the heels of Proofpoint’s discovery that the same actors who orchestrated the Dridex campaign—distributing ransomware through Word documents and macros—also were behind the newly discovered strain dubbed Locky.

“If the trend continues, this will certainly be an interesting year,” Epstein says.

While the newest tactics seem to angle for the bigger fish, small and medium businesses are far from being off the hook. Considering the oversaturation of stolen credit card numbers on the black market, experts say the simple economics of ransomware means there’s no end in sight, including in the consumer category—which is where most SMBs fall.

Bambeneck points out that unlike a corporate data breach, it’s up to the individual end users—like smaller businesses—to protect themselves from ransomware attacks. And cyber criminals are often exploiting vulnerabilities that are a year or two old because those end users are not patching their computers.

“The good news is that the awareness is growing for consumers, and small and medium businesses are part of that,” he says.

Marshall says that defense often comes down to basic cybersecurity hygiene—even simple steps like applying patches regularly or copying data to a removable hard drive that’s unplugged from the network and stored in a fireproof safe.

“It doesn’t have to be a cost-prohibitive thing for small or medium businesses,” he says. “Something is better than nothing.”

