The rising threat of targeted ransomware

As cybercriminals become more adaptable in their approach, ransomware stands a greater chance of breaching defences, meaning organisations must have the tools to fight it.

By Tim Ferguson

Mon 14 Jan 2019 @ 10:06

While 2017 saw some of the most high-profile and damaging ransomware attacks in history, with WannaCry hitting the UK’s National Health Service and Petya/NotPetya affecting numerous other organisations, 2018 was much quieter.

However, a certain type of ransomware looks set to become a feature of the cyberthreat landscape in 2019.

The UK National Cyber Security Centre (NCSC) published an advisory in November last year warning that targeted ransomware attacks are an ongoing threat. The advisory highlighted a rising trend in attacks “where victim networks are analysed to understand their ‘value’ and ransom demands set based on that perceived value”.

The NCSC also warned that criminals want their attacks to have a “maximum impact”, including potentially “denying the victim access to business-critical files and systems and disrupting the operations of the victim organisation”. Any organisation without the appropriate defences could be affected by these types of attacks, the advisory added.

As the NCSC alluded to, targeted ransomware sees cybercriminals identify organisations that depend on mission-critical files and are therefore prepared to pay large ransoms to limit the time these files are out of action.

While other types of ransomware attacks are opportunistic and use automation – for example, using code contained within email attachments – there is evidence that more manual control is being used with targeted ransomware. Although harder to scale, this method is also harder to predict and stop as cybercriminals are able to adapt their approach depending on the defences they come up against.

The SamSam ransomware has been used in this way to extort money from victims. The group behind its use has been asking for larger ransoms than the more opportunistic attacks – as much as $50,000 per attack – due to the fact that the attacks are able to cause more serious compromises.

Similar ransomware strains being used in this way are Dharma, BitPaymer – which has seen ransom demands as high as $500,000 – and most recently, Ryuk.

With awareness around widespread ransomware attacks like WannaCry now high, organisations are much more focused on ensuring their software patches are up to date to reduce the potential for malware to get through.

But due to the way cybercriminals adapt their tactics with targeted ransomware, organisations selected for an attack are much more likely to be compromised.

Putting the most cutting-edge perimeter defence technology in place, addressing vulnerabilities as soon as possible and ensuring good awareness among employees will offer better protection from this new style of ransomware attack. But this may do little more than delay the inevitable.

It is essential that organisations put the appropriate network monitoring and detection technology in place. With the help of machine learning, this will help flag any unusual activity, such as widespread file encryption, as quickly as possible, and ensure it is qualified for further investigation via a security information and event management (SIEM) system.
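The "widespread file encryption" signal described above can be expressed as a simple per-host burst heuristic over file-server write events. The example below is added here and is not code from the article or from any vendor product; the log format, host names, window and thresholds are all assumptions, and the sample events are constructed.

```python
"""Per-host burst detector for mass file modification (a widespread-encryption heuristic)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window per host
THRESHOLD = 20                  # assumed: distinct files written inside the window before alerting
MIN_DIRS = 3                    # assumed: encryptors walk the tree, so require spread across directories

def parse_event(line):
    """Parse assumed format 'ISO-timestamp host ACTION path' (path may contain spaces)."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, action, path

def detect_bursts(lines):
    """Return one alert record per host whose write burst crosses the thresholds.

    The record is what would be forwarded to a SIEM for qualification."""
    recent = defaultdict(deque)  # host -> (timestamp, path) events within WINDOW
    alerted, alerts = set(), []
    for line in lines:
        ts, host, action, path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[host]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        files = {p for _, p in q}
        dirs = {p.rsplit("/", 1)[0] for p in files}
        if len(files) >= THRESHOLD and len(dirs) >= MIN_DIRS and host not in alerted:
            alerted.add(host)  # alert once per host, not once per subsequent write
            alerts.append({"host": host, "first_seen": q[0][0].isoformat(),
                           "files": len(files), "dirs": len(dirs),
                           "sample": sorted(files)[:3]})
    return alerts

def constructed_events():
    """Constructed sample log: host-a rewrites 24 files across 3 dirs in 24 s (ransomware-like);
    host-b edits 5 files over 8 minutes (normal user activity)."""
    base = datetime(2019, 1, 14, 10, 0, 0)
    lines = []
    for i in range(24):
        d = ["finance", "hr", "legal"][i % 3]
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z host-a WRITE /share/{d}/doc{i}.docx.locked")
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()}Z host-b WRITE /share/finance/report{i}.xlsx")
    return sorted(lines)  # ISO timestamps sort chronologically as strings

if __name__ == "__main__":
    for alert in detect_bursts(constructed_events()):
        print(alert)
```

Real deployments would tune WINDOW and THRESHOLD against a baseline of normal file-server activity and add features such as entropy of written data or extension changes before relying on the rule alone.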

While security teams will need to deal with compromises, the speed at which ransomware can take hold means their response may be too late.

To minimise this risk, automated response technology keeps malware in check so that it isn’t able to travel across the network and cause the level of havoc intended by cybercriminals. This should reduce the risk of organisations being put in a position where they need to pay a ransom to keep their operations running.

While it looks like targeted ransomware will be a rising threat in 2019, organisations that proactively prepare for such an attack stand a much better chance of protecting their operations and bank balance.

Learn more

Explore how LogRhythm network detection and response (NDR) technology rapidly detects, analyses and responds to threats.