It might surprise you to know that most ransomware victims choose to pay a ransom to have their data restored. As long as victims continue to pay up, ransomware will continue to be a go-to strategy for cybercriminals. Furthermore, Forrester Research predicts that cybercriminals will increasingly use ransomware in 2018 to monetise attacks, as end-to-end encryption in payment systems often prevents them from stealing credit card data. In 2018, ransomware will be used as a backup method for when initial attacks fail. Adversaries will adopt a number of new strategies, which I will outline in this article. Interestingly, ransomware is also likely to be used to leave a false trail to conceal other attacks.
So here are our top seven predictions for this year. Ransomware will:
- Target Linux systems
- Become more targeted
- Exfiltrate data
- Be used as a smokescreen
- Be an attack of last resort
- Be used as a false flag
- Leverage social media
Last year, we observed attacks hitting MongoDB which suggest that ransomware will increasingly target Linux systems in 2018 in an effort to further extort larger enterprises. Overall, ransomware will become more targeted by looking for certain file types and targeting specific companies such as legal, healthcare, and tax preparers rather than the “spray and pray” attack we largely see now. There is already ransomware that targets databases, preying on businesses, and small tweaks to their code can target critical, proprietary files such as AutoCAD designs.
While most ransomware samples simply encrypt files in place and transmit encryption keys for the purpose of decryption, there will be ransomware samples that will take the extra step of exfiltrating data prior to encryption. Not only would such an evolution put stress on companies to restore their data but also incorporate the loss of proprietary data that could be sold on the black market. Ransomware will emerge as a secondary method when initial forms of attack fail. Adversaries that rely upon more crafted and targeted attacks may use ransomware as an attack of last resort.
Ransomware will increasingly leverage social media to spread either intentionally or unintentionally. Similar to malware such as Koobface, maliciously shared content on sites such as Facebook could lead victims to click enticing links. Attackers are known to use social engineering to influence people to unknowingly spread ransomware over the internet. Intentionally shared ransomware, seen in prior concepts, such as Popcorn Time, where victims could share to reduce or eliminate their ransom, could see larger-scale use.
In addition the greater sophistication of ransomware attacks that is inevitable in 2018, cybercriminals are likely to use ransomware as a way of throwing defenders off the scent. Ransomware will increasingly be used as a smokescreen. For example, in the past, Zeus botnet operators hit victims with DDoS attacks after an infection to take investigators off the trail. A similar trend is emerging with ransomware attacks where the encryption of files could take place after more damning actions are taken by adversaries. Using already existing techniques of deleting Volume Shadow Copies, which deletes potential file backups, and the deletion of Windows event logs, adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating data and credentials exfiltrated.
Also, ransomware will be used more commonly as a false flag, as seen with NotPetya. Solely from dynamic analysis it was perceived to be Petya, when a more detailed review showed it wasn’t. Such quick analysis also insinuated it to be obvious ransomware, but a greater depth of disassembly showed that data was not held at ransom; it was simply destroyed.
Ransomware is now estimated to be a $5 billion crime, according to a Cybersecurity Ventures Report. In 2015, the estimate was a mere $24 million. In 2017, the industries most targeted were technology, government, non-profit and legal. However, no industry was, or is, immune. As attacks become more targeted and increasingly exploit the methods described above, having a strong defence system is more important than ever.
Therefore it is critical that anyone looking to combat ransomware chooses a defence system that has undergone a comprehensive ransomware test. To test their effectiveness, defence products should be tested against ransomware samples selected from multiple crypto-ransomware families collected in the wild. For more information on non-malware attacks, ransomware and the evolving threat landscape in 2018, download Carbon Black’s 2017 Threat Report Carbon Black’s Threat Analysis Unit (TAU) has researched the current state of ransomware, malware and non-malware attacks with a particular focus on how frequently organisations are being targeted.
Written by Param Singh, Director of Threat Research, Carbon Black