Ransomware attacks have matured over the years, adopting more stealthy and sophisticated techniques, while at the same time fixing many of the implementation errors that earlier iterations had.
Moreover, some attacks are now gaining a new data leak component, which exposes companies to more than the traditional data loss associated with ransomware.
The trends observed over the past year indicate that these attacks are not going away and are likely to increase in frequency.
Ransomware started out as a consumer threat, representing an aggressive evolution over the scareware attacks that used to trick people into paying fake fines or buying rogue software to fix non-existent issues.
While the early campaigns proved profitable for cyber criminal gangs, the consumer ransomware landscape became crowded. As consumer antivirus firms improved their ransomware detection capabilities, casting a wide net to gain as many victims as possible became a less effective technique.
In a report released in August 2019 that looked at the ransomware evolution between Q2 2018 and Q2 2019, security firm Malwarebytes noted that "this once dangerous but recently dormant threat has come back to life in a big way, switching from mass consumer campaigns to highly targeted, artisanal attacks on businesses."
Over the analysed period, the number of ransomware detections in business environments rose by 365 per cent, while consumer detections declined. That trend continued for the rest of the year, according to Adam Kujawa, director of Malwarebytes Labs.
"We're seeing an overall focus on businesses and an increase in all kinds of infection methods," he tells CSO. "A big part of that is that it's easier today to infect a business than it was a few years ago and the EternalBlue and other exploits certainly had something to do with that."
EternalBlue is an exploit for a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol that was patched in March 2017 and affected all versions of Windows. It was the primary propagation method through corporate networks for the WannaCry, NotPetya and other ransomware worms that crippled many organisations worldwide during 2017.
"It might not be the sole reason why we see such an increase in business focus for these types of attacks, but I think that what happened with WannaCry and NotPetya revealed the underbelly of enterprise security," Kujawa says.
Before that, many people might have assumed that these are big companies, with security teams and it's hard for hackers to break in, but seeing how massive and damaging those attacks were — and not because of misconfigurations, but because of not patching in time — might have convinced more cyber criminals that it's worth going after businesses instead of consumers, he says.
Since private companies are not always required legally to disclose ransomware incidents, the impact of ransomware attacks on the business sector is hard to quantify, both in terms of cost and prevalence. It's also hard to say how often such victims decide to pay the ransom, but it's clearly enough for cyber criminals to keep investing in this threat.
In an alert issued in October 2019, the FBI's Internet Crime Complaint Center (IC3) warned that "since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information."
"Ransomware attacks are becoming more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent," the organisation said.
Publicly traded companies sometimes release information about the impact of ransomware attacks in their Securities and Exchange Commission (SEC) filings as part of their obligations to disclose significant cyber attacks to their shareholders. Companies might be forced to disclose such incidents when they need to explain serious business disruptions to their customers and partners.
For example, as a result of the 2017 NotPetya attack, transport giant Maersk had to suspend operations at 17 port terminals causing huge waiting lines for cargo loading and a logistical nightmare that took months to sort out. The incident cost the company over $200 million, but it also had a serious impact on its customers' business.
When ransomware hits public institutions such as municipalities, hospitals, schools or police departments, there is greater visibility into the impact — and the statistics are worrying.
According to a report released by security firm Emsisoft in December, during 2019, ransomware attacks affected 113 government agencies, municipalities and state governments; 764 healthcare providers and 89 universities, colleges and school districts with up to 1,233 individual schools were potentially impacted.
An argument could be made that public institutions don't have the same level of security as large companies because of budget constraints and outdated IT infrastructure, which is why they're easier targets for attackers.
In a report released in October 2019, the state auditor for Mississippi said that "several state agencies, boards, commissions, and universities are failing to adhere to state cyber security laws, leaving Mississippians’ personal data vulnerable to hackers" and concluded that "many state entities are operating like state and federal cyber security laws do not apply to them."
According to Emisoft, Mississippi was actually one of the states least affected by ransomware in 2019 based on public reports.
An APT-level threat
Even if public institutions are easier targets, the risk of ransomware infections is not lower for private companies.
Over the past couple of years, ransomware gangs have adopted sophisticated techniques including targeted delivery mechanisms, manual hacking using administrative tools and utilities already available on systems (a tactic known as living off the land), stealthy network reconnaissance, and other attack procedures that used to be primarily associated with cyber espionage groups and nation-state actors. This is part of a larger trend of traditional cyber criminals adopting advanced persistent threat (APT) techniques.
"We've seen an increase in what I like to call manual infections," Kujawa says. These are attacks where there's a vulnerability in an internet-facing server or protocol, or some other way in which attackers can get access to a system terminal and use it as a backdoor.
"This allows cyber criminals to disable security software, perform various tasks and deploy ransomware on very specific targets, instead of just relying on an automated malware program that's otherwise limited in functionality, he says.
SamSam, a ransomware program that dates back to 2016, is known for being exclusively deployed in that way, but the same tactic has been adopted by newer groups observed over the past year like Ryuk, RobinHood and Sodinokibi.
Moreover, there are signs that ransomware is evolving into a new type of threat where cyber criminals are not just encrypting data but are also stealing it and threatening to release it on the internet. This exposes organisations to damaging public data breaches and the associated regulatory, financial and reputational implications.
In December 2019, a hacker group called Maze threatened to release data that was stolen from organisations the group infected with ransomware if those organisations refused to pay the ransom. The victims included the city of Pensacola, Florida, which was hit on December 7 in an attack that disrupted its phones, municipal hotline, email servers and bill payment systems.
Other hacker groups have used data leaks as an extortion technique. In 2015, a ransomware program called Chimera that targeted consumers also threatened to release private information stolen from victims. However, in the case of Chimera, it was just a scare tactic and the attackers did not actually steal any data from infected systems.
Many of the threats made over the years by cyber criminals to release stolen information turned out to be bogus because exfiltrating large quantities of data has historically been hard to scale.
To do that for a large number of victims, hackers need infrastructure capable of receiving and storing hundreds of terabytes of data. That adds significant overhead to their campaigns. However, the rise of cloud infrastructure, which provides easier maintenance and lower cost for storage and data traffic, is beginning to make those attacks much more viable.
In late December 2019, the Maze group published parts of data they claim to have stolen to prove that they really were in possession of potentially sensitive information exfiltrated from victims. Their first website, hosted at an ISP in Ireland, was taken down, but they were soon back online with a different website hosted in Singapore.
"That's an unexpected evolution of this threat," Kujawa says. "It does expose the criminals more, for sure, but it's also an effective method of putting pressure on. It's utilising the media and awareness of a threat."
Read more on the next page...