
08:05 AM
Jeffrey Burt

Ransomware: Still a Security Threat & Still Evolving

While ransomware may have faded from the headlines a bit during the first four months of 2018, a bevy of reports from Verizon, Symantec and Webroot find that not only does it remain a top security threat, but it continues to evolve as well.

Ransomware continues to be a significant security threat to businesses and consumers alike, as the high-profile WannaCry and NotPetya attacks that have spilled over from 2017 into this year clearly illustrate, but it is evolving as it matures.

Several reports released in recent weeks that examine the cybersecurity landscape of 2017 noted that ransomware remains among the most prevalent malware threats worldwide. In its annual Data Breach Investigations Report (DBIR), Verizon Enterprise noted that in 2013, ransomware made up less than 5% of the malware incidents reported that year.

By 2017, that share had risen to about 45%.

"Ransomware was first mentioned in the 2013 DBIR and we referenced that these schemes could 'blossom as an effective tool of choice for online criminals,'" the researchers wrote in the report. "And blossom they did! Now we have seen this style of malware overtake all others to be the most prevalent variety of malicious code for this year's dataset."

(Source: iStock)

It's not surprising, given the low level of effort and the high return on investment that ransomware represents to the cyber-criminal. The Verizon report notes that there is little risk or cost to the attacker, who essentially sends out phishing emails, and when it works, they don't have to concern themselves with monetizing the data they capture. Instead, the money comes when the victimized business or consumer pays the ransom, usually in bitcoin. In addition, attackers can extract even larger ransoms by deploying the malware across multiple devices within the same organization.

Still evolving
WannaCry and NotPetya were the largest and most prolific ransomware attacks and represent an escalation in the damage this type of malware can do, according to researchers at Webroot. In 2017, the two ransomware variants hit 200,000 machines in more than 100 countries within a 24-hour period, they said in the 2018 Webroot Threat Report. The estimated damage from the NotPetya attacks reached $1.2 billion, researchers said. Kaspersky Lab has said that before it was contained, WannaCry impacted about 400,000 computers in 150 companies, causing about $4 billion in damage.

Symantec researchers in their 2018 Internet Security Threat Report said that the vendor had blocked 5.4 billion WannaCry attacks.

"These attacks used the EternalBlue exploit to attack the server message block (SMB), which is essentially a filesharing vulnerability on Windows XP and newer," the Webroot researchers wrote. "The malware was then able to move laterally through the network just like a worm, reaching any computer running SMB, even those not connected directly to the network, but to another network-connected device."

Ransomware in 2018
And the attacks are continuing. Last month, a Boeing aircraft plant in South Carolina sustained a ransomware attack that apparently was related to the WannaCry virus. Meanwhile, both Atlanta and Baltimore also were hit by ransomware attacks on government agencies. (See WannaCry Ransomware Hits Boeing, but Company Claims It's Contained.)

Ransomware variants have evolved over the past year or two, changing how they operate. Verizon researchers noted that attacks have increasingly focused on servers, and that the attackers are looking to extend the malware’s reach beyond the first infected system.

"Focusing on the increase in server assets that were affected over time we see that infections aren’t limited to the first desktop that is infected," according to the report. "Lateral movement and other post-compromise activities often reel in other systems that are available for infection and obscuration. Encrypting a file server or database is more damaging than a single user device."

In an earlier interview with Security Now, Risk Expert Gabe Bassett noted that ransomware attacks involving databases jumped in one year from 4.1% to 12%, and that breaches involving backup systems went from essentially nothing to 4%. (See Verizon: Change the Attacker's Value Proposition.)

RDP weakness
Webroot researchers also found that ransomware attackers are evolving their methods, expanding attack vectors beyond spam email campaigns to include exploiting unsecured remote desktop protocol (RDP).

"A convenient way to control servers and other machines remotely, RDP suffers from several security weaknesses, such as leaving port 3389/TCP open to any inbound connection (more than 11 million endpoints do so); not requiring administrators to change the default admin account credentials; and allowing a very large number of login attempts before triggering an alert or account lockout," they wrote. "Cybercriminals can use specialized tools equipped with large username and password lists to eventually make their way in."
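The last weakness quoted above, a large number of failed logons before anything alerts, is what a defender can most readily instrument. As an added illustration (not code from Webroot or this article), the detector below flags a source address once its failed RDP logons within a sliding window cross a threshold. The text log format, the threshold and window values are assumptions; the sample lines are constructed, using Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry): one noisy source trying three
# accounts, one legitimate user who mistypes once, one non-RDP failure.
SAMPLE_LOG = """\
2018-05-01T02:00:01 EventID=4625 LogonType=10 Account=administrator Src=198.51.100.7
2018-05-01T02:00:03 EventID=4625 LogonType=10 Account=administrator Src=198.51.100.7
2018-05-01T02:00:05 EventID=4625 LogonType=10 Account=admin Src=198.51.100.7
2018-05-01T02:00:06 EventID=4625 LogonType=10 Account=admin Src=198.51.100.7
2018-05-01T02:00:08 EventID=4625 LogonType=10 Account=backup Src=198.51.100.7
2018-05-01T02:00:09 EventID=4625 LogonType=10 Account=backup Src=198.51.100.7
2018-05-01T02:01:10 EventID=4625 LogonType=10 Account=jsmith Src=203.0.113.9
2018-05-01T02:01:25 EventID=4624 LogonType=10 Account=jsmith Src=203.0.113.9
2018-05-01T03:30:00 EventID=4625 LogonType=3 Account=svc_sql Src=10.0.0.12
"""

# Assumed one-line-per-event text rendering of the Windows Security log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Src=(?P<src>\S+)$"
)

def parse(lines):
    """Yield (timestamp, event_id, logon_type, account, source) per valid line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   int(m["lt"]), m["acct"], m["src"])

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {src: (failures_in_window, distinct_accounts_tried)} for every
    source whose failed RDP logons (4625, type 10) reach `threshold` inside
    any `window`. Slow sprays spaced wider than the window are not flagged."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    accounts = defaultdict(set)   # src -> account names it has tried
    flagged = {}
    for ts, eid, lt, acct, src in parse(lines):
        if eid != 4625 or lt != 10:
            continue
        q = recent[src]
        q.append(ts)
        accounts[src].add(acct)
        while q and ts - q[0] > window:   # drop failures older than window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = (len(q), len(accounts[src]))
    return flagged

if __name__ == "__main__":
    for src, (n, a) in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {n} failed RDP logons, {a} distinct accounts")
```

In production the same logic would run against event 4625 exported from the endpoint, with the threshold tuned well below whatever lockout policy (if any) applies to the exposed accounts.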

Once they're inside, the criminals can use specialized tools or custom malware to move past or disable security measures. Leveraging an RDP campaign for ransomware creates "an especially potent infection, since the attacker can also view other computers on the network and gather information for future campaigns. Whether for profit or destruction, new developments in ransomware are causing the industry to reevaluate the role and intentions of ransomware in future global attacks."

There also are questions about the long-term impact of ransomware, with some anticipating a decline in such attacks. WannaCry, which many researchers believe started in North Korea, was able to spread in part by attacking machines with older versions of Microsoft Windows that enterprises had not patched. Once WannaCry hit the scene, Microsoft rolled out new patches and also sent out alerts urging users to update their older systems.


In addition, cybercriminals appear to be shifting their efforts to other crimes, including "coin mining as an alternative to cash in while crypto currency values are high. Some online banking threats have also experienced a renaissance as established ransomware groups have attempted to diversify," Symantec researchers wrote.

Malwarebytes saw a similar trend during the first three months this year. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)

'Market' adjustment
Symantec researchers also wrote that the profits that ransomware attackers reaped in 2016 led to a land rush on the space last year, creating a crowded market and overpriced ransom demands. The company in 2017 saw a 46% increase in new ransomware variants, but the market saw what researchers called a "correction," with fewer ransomware families and lower ransom demands, indicating that ransomware was becoming commoditized.

"Last year, the average ransom demand dropped to $522, less than half the average of the year prior," the report found. "And while the number of ransomware variants increased by 46%, indicating the established criminal groups are still quite productive, the number of ransomware families dropped, suggesting they are innovating less and may have shifted their focus to new, higher value targets."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
