Decoded: Next-generation ransomware

Organisations are well aware of the threat posed by ransomware following a series of high-profile attacks. But they also need to understand how the threat is evolving.

By Tim Ferguson

Tue 10 Oct 2017 @ 11:50

Ransomware is a phenomenon that has quickly grown from relative obscurity into one of the major global cybersecurity risks today.

It's made it to the mainstream news through the WannaCry and Petya/NotPetya ransomware outbreaks, which in the first half of 2017 caused havoc in several high-profile organisations, including the NHS, FedEx and container shipping giant Maersk.

According to research by the Department for Culture, Media and Sport, 17 per cent of businesses have fallen victim to ransomware. Meanwhile, ransomware-related losses reached $1bn in 2016, according to the FBI.

What does ransomware do exactly?

It's malware that encrypts data or disables corporate systems and demands a ransom – often in a cryptocurrency such as Bitcoin – for normal service to be resumed. It enters corporate networks via malicious email attachments, commonly delivered using phishing techniques, or via compromised sites, also known as 'watering holes'.

Organisations are well aware of the threat posed and the need to protect their systems at the various entry points for the malware. Good software hygiene and staff education are helpful forms of defence but organisations shouldn't become complacent. Cybercriminals are working to stay a step ahead of defences. The threat is evolving.

So, how is ransomware changing?

Let’s talk about five areas of ransomware development that organisations need to be aware of: targeted ransomware attacks, mobile ransomware, zombie ransomware, ransomware-as-a-service and wiper variants.

OK, let’s start with targeted ransomware.

Cyber criminals are refining the way they distribute ransomware by targeting organisations that offer potential for a large pay-out – financial institutions, for example. Previously, ransomware gangs would send their wares out as widely as possible in the hope of hitting numerous organisations. Now, an increasingly common approach is to identify organisations that depend on mission-critical files and are therefore prepared to pay large ransoms to limit the time these files are out of action.

And you’re suggesting my smartphone isn’t safe anymore, either?

The surface area of organisations vulnerable to cyber criminals has grown in recent years, with mobile devices increasingly becoming an entry point to corporate networks. Mobile ransomware aims to stop users from accessing files on their connected and mobile devices. Although a relatively low-profile threat at the moment, ransomware variants that target mobile platforms are being detected in growing numbers.

Tell me more about zombie ransomware.

This type of ransomware uses strains of malware thought to be extinct, and equips them with new ways to attack. Ransomware groups update malware variants with different cryptography or malicious extensions to help them spread more effectively and to stop files being decrypted without the payment of a ransom.

Ransomware-as-a-service – it almost sounds like a joke?

Nobody’s laughing. Cyber criminals with minimal technical ability can sign up to use existing ransomware and tweak it to suit their purposes before distributing it. In return for enabling this democratisation of cybercrime, ransomware-as-a-service providers receive a share of the profits generated. Some criminals even offer customer support.

And what about ‘wiper’ ransomware?

It’s the worst. The 'wiper' form of ransomware is produced by cyber criminals who want to create havoc. It’s not really a kind of ransomware: rather than holding data hostage, the malware wipes the hard drives of infected devices. These kinds of attacks are often politically motivated and aimed at causing economic damage by disrupting vital systems, leaving organisations to clear up the mess. A wiper doesn't give organisations a means to decrypt data once a ‘ransom’ has been paid.

Scary stuff – so how can organisations protect themselves?

The key is to remain vigilant and not be complacent, despite the depressing familiarity security teams have with the threat. Ransomware is a fast buck for cyber criminals, so they will always be willing to adapt their tactics to get through strengthened defences or dupe staff, however well-educated they may be.

New variants, technologies and evolving social engineering techniques mean there is always the possibility of ransomware making its way onto a corporate network. As a result, keeping up with the latest capabilities in threat defence and detection is vital in the fight against this ever-changing threat.
