Ransomware rampage takes aim at business targets

Next generation of malware targets corporate victims and is more sophisticated, pervasive and resilient

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

After years of extort­ing indi­vid­ual con­sumers on a glob­al scale, ran­somware  pur­vey­ors have turned their atten­tion to much big­ger fish: busi­ness­es.

For years, now, ran­somware extor­tion­ists have prof­it­ed hand­some­ly ini­tial­ly by lock­ing up the com­put­er screens of mil­lions of con­sumers with scams to sell bogus $79 antivirus cleanup ser­vices, and then pro­gress­ing to encrypt­ing files, and sell­ing the decryp­tion keys for a few hun­dred dol­lars.

Now fresh intel­li­gence from con­sul­tan­cy Deloitte, net­work­ing giant Cis­co, and cloud secu­ri­ty ven­dor Arc­tic Wolf Net­works under­score an alarm­ing par­a­digm shift. Ran­somware gangs have turned their atten­tion to access­ing, then encrypt­ing, valu­able data stored deep inside cor­po­rate net­works. They then demand—and get paid—six- and sev­en-fig­ure ran­soms to restore access to the cor­po­rate vic­tims.

Relat­ed: Ran­somware routes through mobile phones

 David Goeckeler, senior vice president and general manager of Cisco’s networking and security divisions.
David Goeck­el­er, senior vice pres­i­dent and gen­er­al man­ag­er of Cisco’s net­work­ing and secu­ri­ty divi­sions.

Ran­somware is just every­where,” says David Goeck­el­er, senior vice pres­i­dent and gen­er­al man­ag­er of Cisco’s net­work­ing and secu­ri­ty divi­sions. “It’s going after every ver­ti­cal. It’s one of the most pro­lif­ic forms of attack­ing that’s out there. Attack­ers are mak­ing lots of mon­ey.”

Malver­tis­ing new tool for crooks

In its 2016 Midyear Cyber­se­cu­ri­ty Report, Cis­co details how cyber crim­i­nals have turned to using malver­tis­ing to scale up ran­somware attacks against busi­ness­es.

Steve Martino, Cisco chief information security officer
Steve Mar­ti­no, Cis­co chief infor­ma­tion secu­ri­ty offi­cer

Essen­tial­ly attack­ers are set­ting up legit­i­mate ad ser­vices and they’re using that to inject mal­ware into ads, or redi­rect peo­ple into mali­cious sites,” says Steve Mar­ti­no, Cisco’s chief infor­ma­tion secu­ri­ty offi­cer. “This is fast becom­ing the No. 1 way that attack­ers are deliv­er­ing ran­somware.”

Deloitte reports that ran­somware attacks on busi­ness net­works are much hard­er to detect and block than tra­di­tion­al breach­es. That’s because the fun­da­men­tal way cor­po­rate net­works are defend­ed today revolves around detect­ing mal­ware as it attempts to com­mu­ni­cate with a com­mand-and-con­trol serv­er out­side of the perime­ter, says Scott Keoseyan, threat intel­li­gence leader at Deloitte Cyber Risk Ser­vices.

How­ev­er, once the net­work is breached, ran­somware does its dirty work inside the perime­ter, con­nect­ing only briefly, if at all, with an out­side con­troller, and thus leav­ing only the slight­est detectable sig­na­ture.

Recent vari­ants com­plete their dirty work with­out mak­ing a sin­gle call to the inter­net,” Keoseyan says. “Oth­er vari­ants attempt to elim­i­nate the data recov­ery options by encrypt­ing addi­tion­al con­nect­ed dri­ves and net­work shares, delet­ing files and sys­tem restora­tion points, or even remain­ing dor­mant until after a back­up cycle.”

Cis­co ana­lysts found that the bad guys also are using cryp­tocur­ren­cy, Trans­port Lay­er Secu­ri­ty and Tor to com­mu­ni­cate with vic­tims and to facil­i­tate untrace­able extor­tion pay­ments. Cis­co also found that many orga­ni­za­tions are doing a poor job keep­ing secu­ri­ty patch­es up to date, and are unpre­pared for future strains of more sophis­ti­cat­ed ran­somware.

That makes get­ting inside the net­work perime­ter com­par­a­tive­ly easy. Ran­somware dis­tri­b­u­tion tech­niques include email­ing viral attach­ments and deploy­ing auto­mat­ed attacks designed to seek out and infect weak­ly defend­ed web servers.

New pat­tern of attack

Once installed on the net­work, ran­somware does not lie dor­mant and unde­tect­ed, typ­i­cal behav­ior of oth­er types of mal­ware designed to breach, then go under cov­er to evade detec­tion, accord­ing to a report from Arc­tic Wolf Net­works.

Ran­somware does its dirty work instant­ly. With­in just a few sec­onds, a typ­i­cal ran­somware vari­ant will unpack and exe­cute itself, then briefly call out to a com­mand and con­trol serv­er to retrieve a key, which it will use to encrypt the files, says Bri­an NeSmith, co-founder and CEO of Arc­tic Wolf Net­works.

Brian NeSmith, Arctic Wolf Networks co-founder and CEO
Bri­an NeSmith, Arc­tic Wolf Net­works co-founder and CEO

Instead of steal­ing data and hav­ing to find a buy­er for it in the cyber under­ground, the attack­er focus­es on locat­ing and encrypt­ing caches of sen­si­tive data, or block­ing access to a web serv­er or oth­er key sys­tems. The pay­day comes by restor­ing access—for a price. The beau­ty, from the criminal’s per­spec­tive, is that a high­ly moti­vat­ed pur­chas­er stands at the ready: the orig­i­nal own­er, says Liviu Arsene, a senior ana­lyst at Roman­ian anti-mal­ware ven­dor Bit­de­fend­er.

Arsene says it’s clear the bad guys rec­og­nize how lucra­tive ran­somware attacks against busi­ness­es can be. He too expects these cyber extor­tion­ists to con­tin­ue tak­ing full advan­tage of orga­ni­za­tions that make them­selves easy tar­gets.

Cyber crim­i­nals could even try extort­ing the same vic­tim more than once,” Arsene says. “Prob­a­bly the most like­ly tar­gets will be small and medi­um-size busi­ness­es that work with large orga­ni­za­tions, as they’re less like­ly to invest a great deal in cyber­se­cu­ri­ty.”

Big mon­ey is big lure

Indeed, ran­somware attacks are so prof­itable that it is inspir­ing the best and bright­est mali­cious hack­ers to new heights of inno­va­tion.

For instance, Bit­de­fend­er recent­ly detect­ed and has begun block­ing ran­somware craft­ed to encrypt the NTFS Mas­ter File Table, buried deep inside the Microsoft Win­dows oper­at­ing sys­tem. This sev­ers access to the oper­at­ing sys­tem and con­se­quent­ly to every­thing stored on the disk, instead of just restrict­ing access to par­tic­u­lar files.

Liviu Arsene, Bitdefender senior analyst
Liviu Arsene, Bit­de­fend­er senior ana­lyst

Not being able to access any infor­ma­tion might scare peo­ple into pay­ing, as they could lose much more than just work doc­u­ments, but per­son­al infor­ma­tion as well,” Arsene observes.

Infect­ing an indi­vid­ual user can bring a dou­ble pay­day. The attack­er can extort the indi­vid­ual user, and also use his or her infect­ed com­put­er to gain admin­is­tra­tive access to the victim’s com­pa­ny net­work. From there, ran­somware can be spread across cor­po­rate sys­tems.

Implant­i­ng ran­somware on a web serv­er also has mul­ti­ple pay­offs. The attack can acti­vate dri­ve-by down­loads and malver­tis­ments to spread ran­somware to vis­i­tors. Or he can direct­ly encrypt any­thing of val­ue with­in reach: web pages, doc­u­ments, images, scripts, etc. In such attacks, a mes­sage fol­lows announc­ing the infec­tion and giv­ing instruc­tions on how to pur­chase a decryp­tion key to restore nor­mal func­tion­al­i­ty.

Tech­niques such as auto­mat­i­cal­ly rolling com­mand func­tions from one serv­er to the next, on a rotat­ing basis, help attack­ers stay one step ahead of search engine and antivirus crawlers on the hunt for mali­cious traf­fic.

Threat too seri­ous to ignore

Due to its high poten­tial to mas­sive­ly dis­rupt core busi­ness oper­a­tions, ran­somware clear­ly should be con­sid­ered a major secu­ri­ty con­cern by infor­ma­tion secu­ri­ty pro­fes­sion­als.

With ran­somware attacks against busi­ness­es on a ris­ing curve, CIOs, CSOs and IT depart­ment heads need to ful­ly famil­iar­ize them­selves with the dynam­ic risks asso­ci­at­ed with this type of infec­tion, and pre­pare their orga­ni­za­tions accord­ing­ly.

It is more imper­a­tive than ever to deflect as much incom­ing mal­ware as pos­si­ble, and to detect and neu­tral­ize mal­ware that does get inside net­work perime­ters as quick­ly as pos­si­ble.

This means aggres­sive­ly fil­ter­ing email, mon­i­tor­ing web­site traf­fic, and keep­ing cur­rent with secu­ri­ty patches—in both licensed and open-source busi­ness appli­ca­tions.

Ran­somware will grow in sophis­ti­ca­tion and become more wide­spread as it con­tin­ues to plague indi­vid­ual users, as well as enter­prise,” warns Deloitte’s Keoseyan. “The suc­cess­es thus far in the extor­tion of mon­ey from vic­tims is paving the way for more cyber crim­i­nals to uti­lize ran­somware as their main tac­tic.”

More sto­ries relat­ed to ran­somware:
Cyber crim­i­nals use ran­somware to hook big fish
Under­stand­ing ran­somware helps orga­ni­za­tions devise solu­tions
Your mon­ey or your data: Ran­somware attacks leave every­one vul­ner­a­ble