SMBs in cross-hairs as ransomware becomes more difficult to dodge

Malware that can be used across platforms gives cyber criminals more targets to attack

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Ran­somware, a cyber scourge that appears on the verge of inten­si­fy­ing, pos­es an increas­ing­ly dire threat to small- and medi­um-size busi­ness­es in 2016.

In a ran­somware attack, vic­tims are pre­vent­ed or lim­it­ed from access­ing their sys­tems. Cyber crim­i­nals attempt to extort mon­ey by first using mal­ware to encrypt the con­tents of a victim’s com­put­er and then extract­ing a ran­som in exchange for decrypt­ing the data and allow­ing the vic­tim to regain access.

Until now, most attacks have tar­get­ed con­sumers, and to a less­er extent busi­ness­es, work­ing on Win­dows plat­forms.

That’s about to change. Small- and medi­um-size busi­ness own­ers and users of non-Win­dows plat­forms can expect to be increas­ing­ly tar­get­ed in attacks that seek to extort mon­ey from them via sophis­ti­cat­ed ran­somware tools, secu­ri­ty experts cau­tion.

Upcom­ing webi­nar: Nav­i­gat­ing Iden­ti­ty Theft: How to Edu­cate and Pro­tect Your Employ­ees and Clients

Many of the mali­cious cam­paigns like­ly will be car­ried out by oppor­tunis­tic attack­ers and new­bie extorters try­ing to take advan­tage of inex­pen­sive do-it-your­self ran­somware kits that are begin­ning to become avail­able in under­ground mar­kets, experts say.

Esti­mates about the cost to vic­tims from the more wide­ly used ran­somware tools like Cryp­toWall and Cryp­toLock­er range from tens of mil­lions to hun­dreds of mil­lions of dol­lars.

Now ana­lysts are con­cerned that cyber crim­i­nals are on the verge of widen­ing the scope of their attacks. Ear­li­er this month, researchers at secu­ri­ty ven­dor Emsisoft ana­lyzed a mal­ware tool dubbed Ran­som32 that many believe is a har­bin­ger of things to come on the ran­somware front.

Few­er are immune to attack

Ran­som32 is the first ran­somware tool writ­ten entire­ly in Javascript. That makes it eas­i­ly portable to oth­er plat­forms like Lin­ux and Mac OS X.

Kowsik Guruswamy, Menlo Security chief technology officer
Kowsik Guruswamy, Men­lo Secu­ri­ty chief tech­nol­o­gy offi­cer

Unlike the JavaScript in a brows­er that is sand­boxed to pre­vent access to the file sys­tem and oth­er local resources, Ran­som32 also is designed to have unfet­tered access to the sys­tem, says Kowsik Guruswamy, chief tech­nol­o­gy offi­cer at Men­lo Secu­ri­ty.

Ran­som32 is one of a kind in that it’s cross-plat­form, which alone increas­es the tar­gets for the mal­ware authors,” Guruswamy says. “Since the under­ly­ing Chromi­um inter­preter is cross-plat­form, this allows Ran­som32 to tar­get users across all of the (oper­at­ing sys­tems) and devices in one go. This is the wor­ri­some part.”

Relat­ed video: A case for mak­ing soft­ware more resis­tant from the start

Sig­nif­i­cant­ly, the authors of the mal­ware appear to have adopt­ed a ran­somware-as-a-ser­vice mod­el in their dis­tri­b­u­tion approach. Ran­som32 is avail­able via a hid­den serv­er on Tor to any­one with a bit­coin account.

The mal­ware does not require any spe­cif­ic skills to oper­ate and comes with a man­age­ment inter­face that the attack­er can use to cus­tomize ran­som mes­sages and spec­i­fy the ran­som amounts. The inter­face sup­ports a fea­ture that lets the authors of Ran­som32 track how much mon­ey is being col­lect­ed via the tool and to take a 25 per­cent cut from the total.

DIY kit for bad guys

Ran­som32 is the sec­ond pub­licly dis­closed ran­somware in recent months that is being dis­trib­uted as a do-it-your­self kit in the cyber under­ground. The first was a mal­ware tool dubbed Tox, dis­cov­ered by a researcher at Intel’s McAfee Labs that, like Ran­som32, was dis­trib­uted via Tor to any­one inter­est­ed in launch­ing a ran­somware attack.

Ran­somware as a ser­vice is an increas­ing and wor­ri­some trend,” says Fabi­an Wosar, a secu­ri­ty researcher at Emsisoft. “For­tu­nate­ly, most schemes are of poor qual­i­ty, but the peo­ple writ­ing these types of frame­works are learn­ing.”

Each time a secu­ri­ty ven­dor finds a weak­ness in a ran­somware tool, the threat actors fig­ure out what mis­takes they are mak­ing and plug it imme­di­ate­ly, Wosar says.

Going for­ward, expect to see the emer­gence of tools like Ran­som32 and trends like ran­somware-as-a-ser­vice pose a big­ger threat for busi­ness­es, espe­cial­ly the small and medi­um ones, which gen­er­al­ly don’t have the same resources that large com­pa­nies have to defend them­selves, the experts say.

Late­ly, there have been an increas­ing num­ber of reports about com­pa­ny servers being attacked direct­ly through the Remote Desk­top Pro­to­col (RDP) that is used to remote­ly admin­is­ter and man­age sys­tems.

SMBs have lim­it­ed defens­es

Most SMBs don’t have the bud­get to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ out­side com­pa­nies to take care of their IT infra­struc­ture, and these com­pa­nies often use remote con­trol tools like RDP to admin­is­trate the net­work and serv­er [remote­ly].”

One result is that a lot of SMBs are exposed to attacks that take advan­tage of weak­ly pro­tect­ed remote con­trol inter­face to gain access to inter­nal sys­tems and data. In such sit­u­a­tions, it is just a mat­ter of time before an attack­er stum­bles upon a crit­i­cal serv­er and hijacks it for ran­som, Wosar says.

Since the attack­ers typ­i­cal­ly gain access to the serv­er itself, they also can turn off any secu­ri­ty soft­ware that might be installed on it, and become vir­tu­al­ly unde­tectable in the process. “All that is left behind is usu­al­ly a note that informs the admin about the hack with a means of com­mu­ni­ca­tion to nego­ti­ate the price.”

There already has been an increased inter­est from cyber crim­i­nals in specif­i­cal­ly tar­get­ing com­pa­nies, because of the poten­tial­ly big­ger pay­outs involved, says Chris­t­ian Funk, who heads Kasper­sky Lab’s glob­al research and analy­sis team in Ger­many.

A busi­ness is depend­ing on its dig­i­tal assets and, there­fore, often more will­ing to pay the ran­som,” Funk says. “There have been cas­es where cyber crim­i­nals noticed that a com­pa­ny has been suc­cess­ful­ly infect­ed and, there­fore, the crim­i­nals decid­ed to charge up to eight times the orig­i­nal ran­som. I sus­pect such meth­ods, as well as tar­get­ed attacks, are like­ly to increase in future.”

More sto­ries on ran­somware and extor­tion:
Microsoft’s Win­dows 10 update mir­rors ran­somware attack
Ash­ley Madi­son, ‘data kid­nap­ping,’ and a new era of hack­ing
Cyber insur­ance ris­es to meet increas­ing secu­ri­ty chal­lenges


Posted in Cybersecurity, Data Security, Featured Story