After a year of massive growth, what changes are on the horizon for ransomware in 2017?
Ransomware exploded into a billion-dollar industry in 2016. That type of money is creating a gold-rush atmosphere for cyber criminals, with demand for and supply of new ransomware variants and delivery platforms both booming.
What's in store for organizations looking to protect their data from ransomware in 2017? And how will ransomware attacks continue to mature and evolve? Here are five important ransomware trends currently making big waves, along with forecasts for how we see them playing out over the next 12 months.
Last year we saw more ransomware attacks target more businesses more often, and there’s no indication of that trend reversing in 2017.
While the majority of ransomware still targets consumers, the number of attacks directed at organizations is growing at a more rapid pace. According to researchers at Kaspersky, attacks on businesses increased 3x in 2016, compared to a 2x rate of increase in attacks on individuals.
[Infographic: ransomware attack-frequency figures for 2016; the Q1 2016 baselines shown were one attack every 20 seconds and one every 2 minutes]
The reasons for the shift are almost certainly profit-driven. Successful ransomware attacks against individuals typically net the attackers around $500 in Bitcoin. Infecting a business, on the other hand, represents a much bigger potential payday, especially if the attack can disrupt critical services or lock up sensitive information.
Recent ransom demands against organizations have ranged from $17,000 in the case of Hollywood Presbyterian Medical Center to $28,000 in the case of Los Angeles Valley College to accounts of ransoms greater than $150,000 reported by respondents to this Osterman Research survey.
More criminals will target businesses with ransomware in 2017 simply because — in the immortal words of American bank robber Willie Sutton — "that's where the money is."
Pardon the overused cliché, but…
Let’s say your network is a castle. To protect it, you spend a lot of time and resources surrounding it with walls and moats. But can you really be sure when attackers show up in a Trojan horse the folks you’re trying to protect inside won’t open the gates and wheel it in?
Attackers know this, and that’s why email is such a popular and successful infection vector for them. They can reach users directly and — using increasingly believable phishing tactics — trick them into triggering a ransomware payload.
That’s an astonishing commonality among phishing emails, and barring some major prolonged drop-off in botnet traffic*, it’s difficult to imagine email attachments losing their top spot as the most prominent delivery vehicle for ransomware in 2017.
* To date, Locky distribution has been heavily tied to mass phishing campaigns delivered via the Necurs botnet, one of the largest networks of compromised devices in the world. When Necurs experiences outages — such as in June of 2016 and in January of this year — Locky payload delivery plummets.
That said, don’t be surprised to see a resurgence of exploit kits this year and slight increases when it comes to malvertising, drive-by downloads, and malicious URLs. Things have been extremely quiet in terms of exploit kit traffic since several high-profile arrests and the disappearance of the Angler EK… a little too quiet. According to Proofpoint, “total exploit kit activity fell by 65% in Q3 vs. Q2 and by 93% from January to September.”
[Chart: Exploit kit traffic took a nose-dive in 2016. Source: Proofpoint]
That’s a significant drop-off that could be attributable to any number of factors in addition to the takedown of the crew behind Angler. But even if you believe companies and end users have generally gotten better at patching, it’s hard to shake the feeling that we’re due for other kits to rise up and finally start filling the void that Angler left behind in a more meaningful way, especially to power more malvertising.
In addition to the number of attacks, another way to chart the growth of ransomware is by looking at the increase in ransomware variants.
Depending on the source you cite, the number of ransomware variants that appeared in the wild during 2016 increased by anywhere from 11x (Kaspersky) to 30x (Proofpoint). Either way, that's a massive jump.
Criminals know a cash cow when they see one. Experts estimate ransomware generated $1 billion last year. With that kind of money "up for grabs" the demand for ransomware programs and platforms has skyrocketed. Malware authors have been only too happy to provide a ready supply (often just needing to make the slightest, most superficial alterations in the code to have a piece of ransomware slip past antivirus unrecognized and undetected).
Worse, thanks to the arrival of ransomware-as-a-service platforms, it’s easy for criminals with even the most basic technical knowledge to create their own ransomware. By signing up for Cerber ransomware's "affiliate program" for example, they can get everything they need to launch a ransomware campaign (including a management portal) in exchange for agreeing to pay the developers a 40 percent cut of the ransom profits.
The success of this licensing program has made Cerber one of the most prominent and active ransomware families. Researchers at Check Point estimated criminals had used Cerber to infect 150,000 victims in July 2016, generating roughly $195,000 (developer cut: $78,000) in that month alone.
In May, researchers at Invincea analyzed a Cerber campaign in which modified versions of the ransomware with unique hashes (think of them like a malware sample's fingerprints) were being created every 15 seconds.
More recently, researchers at Microsoft reported that the number of Cerber infections they had detected during the 2016–2017 holiday season had surpassed Locky and every other ransomware variant.
Clearly, "more" is working for criminals. In 2017, the number of variants should continue to rise, spurred on by continued demand as well as the need to stay one step ahead of security software blacklists (learn why we decided to avoid the traditional signature blacklisting game and block ransomware with behavioral analytics).
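The two preceding points (a fresh hash every few seconds defeats a signature blacklist, while the encryption behaviour itself stays the same) can be shown side by side. The following is an added illustration, not code from the original post or from any vendor's product: it hashes a constructed "sample" and a copy altered by a single byte against a tiny blacklist, then runs a simple behavioural rule over constructed file-activity events. The event format, the `.locked`/`.crypt` suffixes, and the thresholds are assumptions chosen for the example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for a known sample and a superficially altered copy
# (one trailing byte changed). These are not real malware bytes.
KNOWN_BAD = b"constructed-sample-v1\x00" * 8
ALTERED = KNOWN_BAD[:-1] + b"\x01"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string, as a signature blacklist would store it."""
    return hashlib.sha256(data).hexdigest()


# The blacklist only knows the hash of the original sample.
BLACKLIST = {sha256(KNOWN_BAD)}


def blacklist_hit(data: bytes) -> bool:
    """True only if the exact bytes have been seen before."""
    return sha256(data) in BLACKLIST


# Constructed file-activity events: (timestamp_s, pid, action, new_path).
# pid 101 is ordinary editing; pid 202 mass-renames files to .locked in a few
# seconds; pid 303 renames two files a minute apart (not alarming on its own).
EVENTS = [
    (0.0, 101, "write", r"C:\Users\a\Documents\report.docx"),
    (0.5, 202, "rename", r"C:\Users\a\Documents\q1.xlsx.locked"),
    (1.0, 202, "rename", r"C:\Users\a\Documents\q2.xlsx.locked"),
    (1.4, 202, "rename", r"C:\Users\a\Pictures\img001.jpg.locked"),
    (2.0, 202, "rename", r"C:\Users\a\Pictures\img002.jpg.locked"),
    (2.6, 202, "rename", r"C:\Users\a\Desktop\notes.txt.locked"),
    (3.0, 202, "rename", r"C:\Users\a\Desktop\todo.txt.locked"),
    (5.0, 101, "write", r"C:\Users\a\Documents\report.docx"),
    (10.0, 303, "rename", r"C:\Users\a\Downloads\old.crypt"),
    (70.0, 303, "rename", r"C:\Users\a\Downloads\older.crypt"),
]


def behavioral_alerts(events, window_seconds=10.0, threshold=5,
                      suffixes=(".locked", ".crypt")):
    """Return the pids that renamed >= threshold files to a ransomware-style
    extension within any sliding window of window_seconds.

    The rule keys on what the process does to files, so it fires regardless of
    which hash the binary happens to have.
    """
    recent = defaultdict(list)   # pid -> timestamps of suspicious renames
    alerted = set()
    for ts, pid, action, path in sorted(events):
        if action != "rename" or not path.lower().endswith(suffixes):
            continue
        # Keep only renames still inside the window, then add this one.
        window = [t for t in recent[pid] if ts - t <= window_seconds]
        window.append(ts)
        recent[pid] = window
        if len(window) >= threshold:
            alerted.add(pid)
    return sorted(alerted)


if __name__ == "__main__":
    print("blacklist hit, original sample:", blacklist_hit(KNOWN_BAD))
    print("blacklist hit, one byte changed:", blacklist_hit(ALTERED))
    print("behavioural alerts (pids):", behavioral_alerts(EVENTS))
```

The contrast is the point: the altered copy sails past the hash check, while the behavioural rule flags pid 202 on its fifth rapid rename and ignores the slow, low-volume activity of pid 303. Real endpoint products use far richer signals than a suffix-and-rate rule, but the reason they reach for behaviour rather than hashes is exactly the one the post describes.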
For all the headlines and eye-popping statistics, the truth is the majority of ransomware attacks directed at U.S. organizations have only been partially successful.
On one hand, criminals have been wildly effective at getting ransomware onto victims' machines and encrypting victim data.
Infection rates are high. According to a survey we recently conducted, 71 percent of organizations that had experienced ransomware attacks suffered successful infections where data was encrypted (and in some cases, lost for good). The vast majority had multiple layers of security in place, but none of it prevented the attack from infecting one or more machines.
But when it comes to convincing victims to pay to regain access to their data, results appear to be fairly dismal. Very few organizations actually pay the ransom, even after successful attacks — results from an Osterman Research survey conducted with ransomware victims indicated that only 3 percent of U.S. companies paid up.
Of course, a skeptical take on that low number is that it could be misleading — a lot of victims might not be comfortable confessing they paid. That may indeed account for a small portion of responses, but it's also true the majority of victims are able to avoid paying the ransom thanks to their ability to recover at least some if not all of their encrypted files from backup.
Are we relying too much on backup recovery? Let's back up...
Backup can certainly provide a handy rescue from some very bad situations, and every organization should absolutely have a regularly tested backup solution in place. But there are a couple of problems with relying on backup as anything more than a last-ditch fail-safe.
First, it doesn't always work perfectly. According to our survey responses, 58 percent of ransomware victims weren't able to fully recover everything with backup.
Second, backup doesn't do anything to resolve the fact that suffering a ransomware attack means a criminal has successfully compromised and established a foothold on your network. Cyber crooks are well aware of the major kink backup recovery puts in their extortion plans. So what are they doing about it? Experimenting with other ways of leveraging that established foothold to their advantage.
Which brings us to trend #5...
Perhaps as a reaction to the low infection to payment ratio, we're seeing several new ransomware tactics designed to do the following:
For example, we're seeing ransomware attacks now exploiting vulnerabilities in servers and databases (see SamSam attacks targeting hospitals with unpatched JBoss servers and the more recent ransacking of 28,000 MongoDB databases).
Not only are criminals able to infect large numbers of victims at once by automating these attacks, they're also able to extend the reach of their infections to multiple systems per victim. That can cause more damage and potential downtime, putting more pressure on victims to resolve the issue quickly.
The biggest change to ransomware in 2017, however, may have less to do with how victims are getting infected and more to do with what happens afterwards. In a significant shift in extortion methods, we've started seeing some criminals threaten not to delete captured files, but to release them publicly (a tactic known as doxing).
For victims that manage sensitive private customer data (healthcare providers, law firms, financial services, etc.), the threat of that data getting posted online for the world to see (and for other criminals to abuse) can completely change the equation of whether or not they decide they have to pay.
Not only are such exposures impossible to deal with quietly or sweep under the rug, they can also open victims up to regulatory fines and all the negative publicity that comes with a public data breach event.
Variants of the ransomware Jigsaw have been spotted incorporating doxing, notifying victims that their data has been uploaded to a server and that copies will be sent to all of their contacts unless payment is made.
In January 2017, hackers attempted to extort an Indiana-based cancer services provider for $43,000 by threatening not only to leak private patient data online but also to send patients, their family members, and the organization's donors harassing messages.
Examples like these represent dark new developments in the evolution of ransomware. Whether they'll become standard operating procedure is anyone's guess, but one thing is certain — once a new tactic is proven to be profitable it doesn't tend to stay on the fringes for very long.
Get up to speed with how ransomware is evolving and develop a clear action plan for preventing and responding to ransomware attacks. Check out our Complete Guide to Ransomware.