Story image

What's ahead for ransomware: Seven predictions about its evolution

25 Sep 17

During the past six months, the Carbon Black Threat Analysis Unit (TAU) analysed more than 1,000 ransomware samples, categorising them into 150 families, and found attackers are looking to make quick, easy money with unsophisticated malware, combined with sophisticated delivery methods.

Our sampling has given insight into the future direction of ransomware. Following our analysis, we compiled seven predictions for the evolution of ransomware.

1. Based on the direction ransomware is trending in our sample set, we believe ransomware will increasingly target Linux systems in an effort to further extort larger enterprises. For example, attackers will increasingly look to conduct SQL injections to infect servers and extort a higher ransom price. We have already observed attacks hitting MongoDB earlier this year which provides an excellent foreshadowing.

2. Ransomware will become more targeted by looking for certain file types and targeting specific companies such as legal, healthcare and tax preparers rather than the ‘spray and pray’ attacks we largely see now. There is already ransomware that targets databases, preying on businesses, and small tweaks to their code can target critical, proprietary files such as AutoCAD designs. A focused targeting of extensions can allow many ransomware samples to hide under the radar of many defenders.

3. While most ransomware samples we analysed simply encrypt files in place and transmit encryption keys for the purpose of decryption, there will be ransomware samples that take the extra step of exfiltrating data prior to encryption. Not only would such an evolution put stress on companies to restore their data, but would also incorporate the loss of proprietary data that could be sold on the black market.

4. Ransomware will be used increasingly as a smokescreen. For example, in the past, Zeus botnet operators hit victims with DDoS attacks after an infection to take investigators off the trail. A similar trend is emerging with ransomware attacks where the encryption of files could take place after more damning actions are taken by adversaries. Using existing techniques of deleting Volume Shadow Copies, which deletes potential file backups, and the deletion of Windows event logs, adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating data and credentials exfiltrated. 

5. Ransomware will emerge as a secondary method when initial forms of attack fail. Adversaries that rely upon more crafted and targeted attacks may use ransomware as an attack of last resort. Failing to entrench in an environment with a Remote Access Tool (RAT) or exfiltrate data, adversaries can push a ransomware attack across the environment to ensure at least a minimum return for their effort invested. 

6. Ransomware will be used more commonly as a false flag, as seen with NotPetya. Solely from dynamic analysis it was perceived to be Petya, then more detailed analysis showed it wasn’t. Such quick analysis also insinuated it to be obvious ransomware, but a greater depth of disassembly showed that data was not held at ransom, it was simply destroyed.

7. Ransomware will leverage social media increasingly to spread either intentionally or unintentionally. Similar to malware such as Koobface, maliciously shared content on sites such as Facebook could lead victims to click enticing links. Intentionally shared ransomware, seen in prior concepts, such as Popcorn Time where victims could share to reduce or eliminate their ransom, could see larger-scale use.

Article by Brian Baskin and Paramjeet Singh, Carbon Black.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t.