Evolving ransomware targets schools, local government agencies

Hackers use malicious email to breach networks and prey on small, midsize entities


As 2016 draws to a close, ransomware continues to pose a pervasive threat to consumers and companies.

Ransomware purveyors have become stunningly efficient at encrypting computer files, and then demanding an extortion payment to deliver a decryption key. For all too many victims, paying off these cyber extortionists has become a viable resolution.


Security analysts at messaging security vendor Proofpoint have kept a close watch on ransomware campaigns leveraging the Locky, CryptFile2, and MarsJoke families of ransomware.

One key finding: small and midsize organizations, such as local government agencies and schools, remain particularly vulnerable.

ThirdCertainty asked Patrick Wheeler, Proofpoint's director of threat intelligence, to discuss evolving attack patterns. This text has been edited for clarity and length.

3C: At the start of this year, ransomware was distributed mainly via drive-by downloads or malvertising. Email is now the attack vector of choice. Can you explain what happened?

Patrick Wheeler, Proofpoint director of threat intelligence

Wheeler: Web and exploit kit-based campaigns peaked in January 2016 and fell 96 percent over the course of the following months at the same time that Locky email campaigns were exploding in volume. By June, email attacks stabilized at a level that held through September.

This shift probably was due to a combination of factors: the difficulty and expense of acquiring new, effective exploits; improved patching by organizations; and browser improvements such as decreasing the use of Flash and JavaScript. Heightened interest in evading researchers and law enforcement appears to have been a factor, and email's greater ease of incorporating social engineering also was a likely factor.

Taking a different tack

3C: CryptFile2 really embodied this shift in tactics.

Wheeler: Yes. The initial iteration of CryptFile2 appeared last March, delivered by Nuclear and Neutrino exploit kits. That was followed in August by the first campaigns to distribute CryptFile2 widely by email. In a slightly unusual twist at the time, rather than use a document attachment, these email messages used a URL that linked to a hosted malicious Word document.

The CryptFile2 gang then began targeting individuals at local government and schools. And instead of using viral attachments, they embedded malicious web links in email messages purporting to offer discounts and awards from American Airlines.

3C: Can you tell us about MarsJoke?

Wheeler: The MarsJoke gang followed up in late September also delivering ransomware via a malicious web link. However, they used a slightly different ruse, luring victims to click on package tracking information.

Both MarsJoke and the later variants of CryptFile2 relied on embedded links to malicious files, used transportation-related lures to entice users to click on the links, and targeted local government and educational institutions in the U.S. Both appeared to be experimenting to increase the payoffs.
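The delivery pattern Wheeler describes above, a message whose body carries a link to a hosted document rather than an attachment, can be triaged mechanically. The following Python is an added example, not code from Proofpoint or ThirdCertainty: it parses a raw message, collects every URL from the text and HTML parts (following href targets rather than the anchor text, which is the part the lure controls), and flags links whose path ends in a document or script extension. The sample message, its domains and the file name are constructed for the demonstration and are not real indicators; the extension list is an assumption to tune to what your users legitimately receive.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types an attacker may host behind a link instead of attaching.
# Assumed list for this example; tune it to your environment.
LURE_EXTENSIONS = (".doc", ".docm", ".docx", ".rtf", ".xls", ".xlsm",
                   ".zip", ".js", ".jse", ".wsf", ".exe", ".scr")

URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collect href targets of <a> tags. The anchor text ("Download voucher")
    is ignored on purpose: it says nothing about where the link really goes."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_urls(raw_message: bytes) -> list[str]:
    """Every http(s) URL in the text/plain and text/html parts, in order, de-duplicated."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found: list[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()  # transfer encoding (e.g. quoted-printable) already undone
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(body)
            found.extend(collector.hrefs)
        found.extend(URL_RE.findall(body))
    seen: set[str] = set()
    return [u for u in found if not (u in seen or seen.add(u))]


def links_to_hosted_files(raw_message: bytes) -> list[str]:
    """URLs whose path ends in one of LURE_EXTENSIONS.

    Only the path is examined: ".../status?id=123" is a tracking page, while
    ".../voucher/AA-2016.docm" is a direct download of an Office document.
    """
    return [u for u in extract_urls(raw_message)
            if urlparse(u).path.lower().endswith(LURE_EXTENSIONS)]


def build_sample_message() -> bytes:
    """A constructed lure in the style described in the interview (travel discount
    plus package tracking). Domains and file names are placeholders, not indicators."""
    m = EmailMessage()
    m["From"] = "rewards@example.net"
    m["To"] = "clerk@example.org"
    m["Subject"] = "Your travel discount voucher and package update"
    m.set_content(
        "Your voucher is ready:\n"
        "http://rewards.example.net/voucher/AA-2016.docm\n"
        "Track your package: http://tracking.example.net/status?id=123\n"
    )
    m.add_alternative(
        "<html><body><p>Claim your award</p>\n"
        '<a href="http://rewards.example.net/voucher/AA-2016.docm">Download voucher</a>\n'
        '<a href="http://tracking.example.net/status?id=123">Track package</a>\n'
        "</body></html>\n",
        subtype="html",
    )
    return m.as_bytes()


if __name__ == "__main__":
    for url in links_to_hosted_files(build_sample_message()):
        print("hosted file link:", url)
```

In a mail-gateway or SOC context the flagged URL is what you would detonate or fetch with a sandbox, because the linked document, not the email itself, carries the macro or dropper; a plain extension check like this is a first-pass filter, not a verdict.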

Quick triage

3C: What's it like for an organization to get hit abruptly by a ransomware attack?

Wheeler: You have short-term problems to resolve like getting computers, phones and networks back online, and dealing with ransom demands. A necessary first step is to notify the proper authorities, call the FBI. If an employee is confronted with ransomware or notices something odd, they should disconnect from the network and take the infected machine to the IT department. Only the IT security team should attempt a reboot, and even that will only work in the event it is fake scareware or rudimentary mobile malware.

Next, security teams need to determine the scope of the problem. A company's response—including whether to pay the ransom—hinges on several factors: the type of attack, who in your network is compromised, and what network permissions have been compromised. A big part of your response is deciding whether to pay the ransom. The answer can be complicated, and may require you to consult law enforcement and your legal counsel. Paying may be unavoidable.

Forewarned is forearmed

3C: What should organizations be prepared to do about ransomware in 2017?

Wheeler: The best ransomware strategy is to avoid it in the first place by investing in advanced email security solutions that protect against malicious attachments, documents and URLs in emails that lead to ransomware. Also invest in mobile attack protection products to stop malicious mobile applications from compromising your environment.

The most important part of any ransomware security strategy is regular data backups. Surprisingly few organizations run backup and restore drills. Both halves are important; restore drills are the only way to know ahead of time whether your backup plan is working.
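A restore drill of the kind Wheeler recommends can be scripted so it runs after every backup rather than being remembered once a year. The Python below is an added example, not code from the page or from Proofpoint: it records a SHA-256 manifest of a directory tree at backup time, writes a gzip tar, then restores that archive into scratch space and compares every file against the manifest. The failure mode it is built around is the one that hurts in a ransomware incident, an archive that exists on disk but cannot actually be restored, which the drill reports as a failed result instead of an exception. The directory layout, file names and the truncated-archive case are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(root: Path, archive: Path) -> dict[str, str]:
    """Record the manifest first, then write a gzip tar of root.
    Store the manifest with the backup job's records, not inside the archive it describes."""
    expected = manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return expected


def restore_drill(archive: Path, expected: dict[str, str]) -> dict:
    """Restore into scratch space and compare every file with the manifest.

    An archive that will not open or unpack is reported as a failed drill rather
    than raised: a backup that exists but cannot be restored is exactly what the
    drill is meant to surface before a real incident does.
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # Python 3.12+ (and security backports) support extraction filters; use the
        # "data" filter where available so a crafted archive cannot write outside dest.
        extra_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extra_args)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return {"ok": False, "error": f"{type(exc).__name__}: {exc}",
                    "missing": sorted(expected), "corrupt": [], "extra": []}
        restored = manifest(dest)

    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    corrupt = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return {"ok": not (missing or corrupt or extra),
            "missing": missing, "corrupt": corrupt, "extra": extra}


def run_demo() -> tuple[dict, dict]:
    """Build a small constructed tree, back it up, then run the drill against the
    intact archive and against a truncated copy of it (simulating an incomplete copy)."""
    with tempfile.TemporaryDirectory() as work:
        base = Path(work)
        data = base / "fileserver"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "budget-2017.xlsx").write_bytes(b"constructed sample content\n" * 200)
        (data / "readme.txt").write_text("constructed sample\n")

        archive = base / "nightly.tar.gz"
        expected = take_backup(data, archive)
        good = restore_drill(archive, expected)

        # A backup that exists on disk but is damaged: keep only the first third.
        damaged = base / "damaged.tar.gz"
        damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 3])
        bad = restore_drill(damaged, expected)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact archive:", "PASS" if good["ok"] else "FAIL", good)
    print("damaged archive:", "PASS" if bad["ok"] else "FAIL", bad)
```

The manifest is what turns a restore test into a drill: restoring and finding files present is not enough, because an archive taken after encryption started will restore cleanly and still be useless. Comparing hashes recorded at backup time against the restored files, and alerting when the comparison fails, is the check a backup job should run before the day it is needed.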

3C: Should we expect ransomware to continue at the same level in 2017?

Wheeler: Ransomware is the golden egg-laying goose for cyber criminals: it is relatively easy to create, easy to distribute, and can be rapidly monetized without relying on bank transfers, money mules, and other third parties or partners. While there are some signs that the 2016 success of ransomware might be starting to kill that goose, so to speak, the ability of threat actors to innovate in delivery, evasion and infection makes it likely that ransomware campaigns will continue to capitalize on 'the human factor' for some time.
