There’s good news for commentators that really “phoned it in” on their 2017 predictions: ransomware is becoming even more of a problem. While you’ll be hard-pressed to find analysts who thought otherwise, the reason that malware has become more dangerous may be less obvious to those not in the trenches. It’s time to put the forecasts for 2017 aside and start looking at the reality of what’s being perpetrated against the victims of cybercrime this year.
While it’s tempting to assume that the technical sophistication of ransomware would steadily increase, this isn’t the case. While I will soon make a whitepaper available with a full analysis of a ransomware campaign we’ve dealt with in recent incident response engagements, I want to go ahead and discuss some of the operational aspects of recent ransomware campaigns that make them so dangerous.
Infection vectors are changing, not just in terms of specific vulnerabilities, but in attack surface. Most ransomware attacks we have historically seen during incident response were spread via client-side exploits in web browsers and plugins (typically exploited through malicious advertising), as well as through email. Recent campaigns have switched to using attacks on organizations’ external network attack surface. The amount of ransomware installed as a result of weak Remote Desktop (RDP) credentials, while not unheard of before, has seen a sharp increase in the past month. Attackers are also looking at web vulnerabilities, and other remote attacks.
If you have a background in IT, you might find this counterintuitive. Surely, you’d infect more systems, more quickly with client-side attacks and email. It takes much more work (through brute forcing, or vulnerability identification) to compromise each victim through their external attack surface. It seems like a bad move.
If you’re wired to think like a cybercriminal, however, it starts to make more sense. You take a more pragmatic approach, as is necessary when you put food on the table through your crime. Here are some benefits of the external attack surface approach that have caused attackers to adapt:
- Higher-value victims – Individuals, with their personal computers, don’t frequently have much infrastructure or external attack surface. When an attacker finds a vulnerable remote service, it is far more likely to be an organization, with more to lose and the funds to support a ransom.
- More connectivity – With victims that are more likely to be organizations (than individuals), the targeted systems are more likely to be connected to files shared on other systems in the organization. A single infected host can have a significant impact.
- Opportunity for research – Attackers have been observed exploring the compromised systems before installing ransomware. Recent ransoms reflect this additional research, and are trending higher, based on the criminal’s assessment of data’s value and the organization’s potential to pay.
- Agility – Ransomware spread in an automated fashion through client-side exploits often gets tangled up in antivirus and other endpoint security solutions. Attackers more often wind up with higher levels of privilege on the systems they attack on the external attack surface, giving them the ability to simply disable antivirus products that detect their payloads.
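Since weak RDP credentials are the infection vector called out above, the detection most defenders want first is a burst of failed remote-interactive logons from one source, especially one followed by a success. The following is an added example, not code from the original post: it runs that check over a constructed, flattened rendering of Windows 4625/4624 events (the one-line format, threshold and window are assumptions for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed (4625) and successful (4624) logons, flattened
# to one line each (an assumption; real events are EVTX/XML). LogonType=10 is
# RemoteInteractive, i.e. RDP; with NLA enabled, failures may appear as type 3.
SAMPLE_LOG = """\
2017-03-01T02:14:07Z EventID=4625 LogonType=10 Account=administrator Src=203.0.113.5
2017-03-01T02:14:09Z EventID=4625 LogonType=10 Account=admin Src=203.0.113.5
2017-03-01T02:14:11Z EventID=4625 LogonType=10 Account=backup Src=203.0.113.5
2017-03-01T02:14:13Z EventID=4625 LogonType=10 Account=scanner Src=203.0.113.5
2017-03-01T02:14:15Z EventID=4625 LogonType=10 Account=sqlsvc Src=203.0.113.5
2017-03-01T02:14:17Z EventID=4624 LogonType=10 Account=sqlsvc Src=203.0.113.5
2017-03-01T08:30:00Z EventID=4625 LogonType=10 Account=jsmith Src=198.51.100.7
2017-03-01T08:35:00Z EventID=4624 LogonType=10 Account=jsmith Src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) Src=(?P<src>\S+)$")

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, account, source_ip) per line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m["eid"]), int(m["lt"]), m["acct"], m["src"]

def find_rdp_bruteforce(text, window=timedelta(minutes=5), threshold=5):
    """Flag sources with >= threshold failed RDP logons inside one window.
    Returns {src: (failures, distinct_accounts, success_after_failures)}."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, lt, acct, src in parse_events(text):
        if lt == 10 and eid == 4625:
            failures[src].append((ts, acct))
        elif lt == 10 and eid == 4624:
            successes[src].append(ts)
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over failures
            in_win = [(t, a) for t, a in fails[i:] if t - start <= window]
            if len(in_win) >= threshold:
                last_fail = in_win[-1][0]
                followed = any(t > last_fail for t in successes[src])
                alerts[src] = (len(in_win), len({a for _, a in in_win}), followed)
                break
    return alerts
```

A source that guesses many distinct accounts and then logs in successfully (as 203.0.113.5 does here) is the case to escalate first, since the post describes attackers exploring the host before deploying ransomware.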
Older ransomware made use of command-and-control servers, often on the dark web, to coordinate encryption key distribution and handle ransom payments. While this is far from being considered technically sophisticated, recent (and successful) campaigns have simplified this process even more. Instead of “phoning home” to a server, the encrypted files themselves carry the information the criminals need to provide keys to paying victims.
When infected, a victim provides an encrypted file to the criminal that is used to extract the key that will be used to decrypt the rest of the encrypted files. The victim interacts with the criminal in this process via email, in a much more personal manner than previous campaigns that were more automated. This approach is not subject to a command-and-control server’s availability.
This email interaction also provides the attacker with the ability to perform more research on the victim’s capacity and willingness to pay. The “sample” file provided by the victim may reveal information about the victim that informs the criminal about the victim’s identity, and, in turn, the ransom amount. The interaction may represent another attack surface for further compromising the target organization (through infected “decryption tools”), making it dangerous to directly interact with the criminals.
I’m looking forward to sharing more details on these malware campaigns in an upcoming whitepaper. Ransomware operators have found that reintroducing the “human” element to their campaigns, becoming more strategic and tactical with their approach to compromising organizations, is more profitable than pure automation. In the same way, your best practices in network security and endpoint protection must be supplemented with security testing that goes the extra mile in using human experience and ingenuity to find vulnerabilities, exploit them, and determine impact.