Researchers noted that ransomware took a hiatus after its 2016 and 2017 heyday, but according to the latest report from Malwarebytes, it’s back in a big way—targeting businesses with fierce determination, custom code and brute force.
Malwarebytes reports that over the last year, business detections of ransomware rose 365 percent from Q2 2018 to Q2 2019. Meanwhile, consumer ransomware incidents declined both year-over-year (12 percent) and quarter-over-quarter (25 percent), according to the report.
The reason behind this shift: Cybercriminals are searching for higher returns on their investment, and they can reap serious benefits from ransoming organizations over individuals, who might yield, at best, a few personal files that could be used for extortion or identity theft.
“Cybercriminals have decided to pull back on targeting home computers to instead focus on endpoints plugged into larger networks of sensitive and proprietary data,” Malwarebytes said. “Encrypting sensitive proprietary data on any number of endpoints allows cybercriminals to put forth much larger ransom demands while gaining an exponentially higher chance of getting paid.”
The ransomware families causing the most trouble for businesses this quarter were Ryuk and Phobos, whose detections increased by an astonishing 88 percent and 940 percent over Q1 2019, respectively. Infections by the Rapid ransomware family increased 319 percent year over year.
The United States accounted for 53 percent of incidents observed between June 2018 and June 2019, with the three most populous states—California, Texas and New York—experiencing the most infections.
“We’ve seen an increase of over 300 percent in ransomware detections on businesses, and many new, dangerous families are gaining market share as the top dogs of the ransom game,” Malwarebytes concludes in its report. “Yet, despite the success of these new threats, which are using advanced technology and sophisticated attack vectors, we still see remnants of long-dead families, such as Cerber and Locky, which could continue causing damage—or at least mark users as future targets—if not removed.”
When focusing on a new target, the same old tools won’t cut it anymore. Cybercriminals know they must evolve their tactics in order to stay ahead of security researchers and penetrate more sophisticated defenses paid for with bigger budgets.
Malwarebytes reported that the latest ransomware variants observed in the second quarter of 2019, including Ryuk and RobinHood, have adopted customized, target-specific approaches. Some are deployed only when the time is right, rather than waiting for a user to take the bait. Others are launched as a second or third payload of a separate Trojan attack. In some cases, ransomware is executed manually, which makes it harder for defenders to identify and remove. Here’s a look at how three of these ransomware tactics work.
WannaCry and NotPetya were two of the first ransomware families to have exploit code as part of their primary functions. These exploits target Server Message Block (SMB) vulnerabilities. SMB is a file sharing protocol that allows Windows systems connected to the same network or domain to share files. SMB also enables computers to share printers and serial ports from other computers within the same network.
The SMB-targeting exploits, including EternalBlue and EternalRomance, allow the malware to spread laterally through connected systems in a wormlike infection, bringing cybercriminals multiplying returns for little effort. Since these exploits surfaced in 2017, Malwarebytes has seen EternalBlue and EternalRomance used in other ransomware families and, more commonly, in various Trojans, enabling them to breach entire networks in one swoop.
Business-oriented ransomware attacks that began in late 2018 have relied upon extra help from some popular and dangerous Trojan families.
Ryuk ransomware, for example, goes after endpoints that are already infected with Emotet and TrickBot. Emotet starts the infection chain, attempts to spread itself via a spamming module, and then drops additional malware. One of the most common drops Malwarebytes has observed over the last eight months is TrickBot, which can brute-force credentials and use the EternalBlue exploit to move laterally through the network, and which carries other modular components that gain persistence, propagate, harvest emails and steal Bitcoin wallets.
Once all meaningful data has likely been stolen and the network is fully infected, TrickBot downloads and executes Ryuk on all affected systems, ransoming hundreds of thousands of files at once and adding insult to injury.
In 2018 and 2019, Malwarebytes noticed a trend opposite to what it regularly sees with ransomware: the manual execution of ransomware on a network endpoint.
This method requires an already-breached network, which can be achieved in any number of ways. Once on the network, the attackers can prepare the environment for a ransomware attack by disabling security software. Families such as SamSam and RobinHood primarily use this attack method.
Manual infection is a step above a “regular” Trojan or ransomware attack, in that the cybercriminal’s ability to ransom, steal and disrupt organizational operations is far more effective, which in turn yields greater returns. Of course, by manually attacking a network, threat actors risk discovery if they don’t do enough to hide their source location and activity.
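The two observable signals in the sections above are a security product being stopped before the attacker launches the ransomware, and the mass file renaming that follows when Ryuk or a similar family encrypts a host. The script below is an added illustration, not code from Malwarebytes or from the report, of how a defender might correlate those two signals on an endpoint. It assumes a simplified, constructed log format (timestamp, host, event type, detail) rather than any vendor's real telemetry; the service names, thresholds and lookback window are illustrative assumptions, not figures from the report.

```python
"""Added example (not from the report): correlate "security service stopped"
events with a burst of file renames on the same host.

Assumed log format (constructed for this example, one event per line):
    <ISO timestamp> <host> <event> <detail>
where event is SERVICE_STOPPED or FILE_RENAME and detail may contain spaces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: service names of endpoint-protection products an intruder stops first.
SECURITY_SERVICES = {"WinDefend", "MBAMService", "Sense"}

# Illustrative thresholds: 20 renames inside 60 s is treated as an encryption burst,
# and a security-service stop within the previous hour is treated as its precursor.
RENAME_WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 20
PRECURSOR_LOOKBACK = timedelta(hours=1)


def parse_line(line):
    """Split '<ts> <host> <event> <detail>' (detail keeps its own spaces)."""
    ts, host, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, detail


def analyze(lines):
    """Return {host: [finding, ...]} for hosts showing either signal.

    A rename burst preceded by a security-service stop is labelled as the
    manual-ransomware pattern; a burst on its own is reported as a mass rename.
    """
    findings = defaultdict(list)
    stops = defaultdict(list)       # host -> timestamps of security-service stops
    renames = defaultdict(deque)    # host -> sliding window of rename timestamps
    burst_reported = set()          # report each host's burst only once
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, host, event, detail = parse_line(raw)
        if event == "SERVICE_STOPPED" and detail in SECURITY_SERVICES:
            stops[host].append(ts)
            findings[host].append(f"{ts.isoformat()} security service stopped: {detail}")
        elif event == "FILE_RENAME":
            window = renames[host]
            window.append(ts)
            while window and ts - window[0] > RENAME_WINDOW:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and host not in burst_reported:
                burst_reported.add(host)
                preceded = any(ts - s <= PRECURSOR_LOOKBACK for s in stops[host])
                tag = "manual-ransomware pattern" if preceded else "mass rename burst"
                findings[host].append(
                    f"{ts.isoformat()} {tag}: {len(window)} renames in {RENAME_WINDOW.seconds}s"
                )
    return dict(findings)


def build_sample_log():
    """Constructed sample events (not real telemetry): one host hit, one host benign."""
    lines = [
        "2019-06-12T02:10:05 WS-FIN-07 SERVICE_STOPPED WinDefend",
        "2019-06-12T02:10:09 WS-FIN-07 SERVICE_STOPPED MBAMService",
    ]
    base = datetime(2019, 6, 12, 2, 11, 0)
    for i in range(25):  # 25 renames in 25 seconds: the encryption burst
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} WS-FIN-07 FILE_RENAME C:\\share\\doc{i}.docx -> doc{i}.docx.RYK")
    # Second host: stops an unrelated service and renames a handful of files slowly.
    lines.append("2019-06-12T02:12:00 WS-HR-02 SERVICE_STOPPED Spooler")
    for i in range(5):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} WS-HR-02 FILE_RENAME C:\\share\\old{i}.txt -> new{i}.txt")
    return lines


if __name__ == "__main__":
    for host, notes in analyze(build_sample_log()).items():
        print(host)
        for note in notes:
            print("  ", note)
```

Run stand-alone, the script reports only WS-FIN-07: two security-service stops followed by the rename burst, tagged as the manual-ransomware pattern. The benign host never trips the rename threshold and its stopped service is not in the watch list, so it produces nothing. In a real deployment the service list and thresholds would come from the environment's own baseline, and the rename events from a file-integrity or EDR source.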
The encryption algorithms of the new generation of ransomware, as well as their techniques for avoiding detection, will only become even more difficult for traditional security measures to defeat.
Malwarebytes predicts manual infections will increase, allowing attackers to disable security tools and launch ransomware on their own. Additionally, the report concludes there will be more blended attacks on the horizon. Rather than relying on threats downloaded from a command and control server, ransomware will include worm-like functionality that allows it to spread, as well as Trojan elements that allow it to go unnoticed on organizational networks and encrypt files offline.
“Today’s ransomware doubles down on previous ransomware techniques by circumventing earlier protections that were developed in 2017 to stop them in their tracks,” according to the report. “Modern ransomware finds new ways onto the network, spreads instantly, sneaks past the programs of many cybersecurity vendors, and achieves persistence.”
Source: ALTA Blog