Ransomware and other Destructive Malware: It Makes You WannaCry
Ransomware is often considered the scourge of the cyber-business community. It’s damaging, disruptive, and outright unwelcome. That is unless you are the criminal behind the malware.
At the intersection of two leading-edge technologies – Cryptography and Cryptocurrency – exists exceptional opportunity: the opportunity to develop world-changing technologies such as blockchain and Bitcoin (Can I Buy A BitCoin From You), and also the opportunity to covertly move currency around the world, evading taxation, regulation, and oversight. Wherever the leading edge of technology exists, there too exist opportunities for criminals. Ransomware was born of these two technologies and it has blossomed into an amazing business.
Consider these statistics:
- Over $1 Billion paid by U.S. companies in Ransomware Extortions in 2017
- Return on cyber-criminal’s initial investment of > 2500%
- Over 6,000 darkweb marketplaces acting as a “secondary market” for stolen data obtained during malware (Ransomware) infections
- Over 85% of U.S. Companies surveyed by CarbonBlack reported that they would pay a ransom if a critical business process or sensitive data were impacted by Ransomware
The financial impact to business organizations continues to increase. According to the most current official data at the time of publication, 2017 will be the most costly year on record in terms of ransomware damage to U.S. companies. If we look back to 2015-2016, we can see the exponential growth of this attack vector.
In 2015 there were 29 Ransomware families and the average ransom amount was $294. In 2016 there were 247 Ransomware families and the average ransom amount was $1,077. 2017 saw the average ransom increase to over $8,000 mostly tied to the explosive growth of Bitcoin’s valuation.
2017’s data did show an interesting change: an overall decline in the number of unique organizations reporting Ransomware events to law enforcement. Even though the number of unique organizations reporting an incident declined, the overall number of Ransomware families increased, as did the total reported financial damage throughout the year.
Source: FBI Internet Crime Complaint Center (IC3)
The decline in reported incidents seems contrary to the seemingly endless news cycle, which detailed story after story of hospitals, financial institutions, schools, and small businesses hit with devastating Ransomware attacks. Most interestingly, the data suggests that there was a radical reduction in available exploit kits, with a corresponding upward shift in the use of Ransomware-as-a-Service (RaaS).
The Evolving Threat
Cyber-criminals are smart business people whose actions are principally financially motivated. They generally avoid conflict (read: transactional friction) and constantly act to diminish the possibility of getting caught. As Ransomware increased through 2014-2015, so did the difficulty of carrying out attacks on lucrative targets, and so did law enforcement’s monitoring of the major money channels used by the perpetrators of these attacks. This included tracing and following Bitcoin (BTC), Bitcoin Cash (BCH), and MoneyPak/Western Union. Through this increased surveillance, domestic U.S. and international law enforcement has been able to locate, identify, and apprehend many of the foreign actors behind the creation and development of some of the largest ransomware families.
The threat is in no way gone, and business should pay close attention to the shifting economic factors which support this industry. Ransomware as we’ve come to know it remains a very potent threat to businesses and individuals alike. Today, the threat has begun to shift to other less disruptive yet equally profitable attack vectors. These vectors squarely target business and pose a major risk. International legislation and compliance standards have evolved to require companies to report successful ransomware attacks. This causes the attackers more transactional friction and may lead to the loss of their efforts in achieving a compromise when an organization decides not to pay the ransom. Combined with the overwatch of law enforcement, the criminals identified the need to shift their methods.
One such attack vector which has quickly developed and evolved is the cryptominer, or cryptojacking. This attack places software on a victim’s computer system which attempts to solve complex mathematical problems in order to create, or ‘mine’, virtual cryptocurrency.
This attack doesn’t disrupt the victim’s organization but rather co-opts graphics processor (GPU) and central processor (CPU) resources away from the legitimate use of the computer system and uses those resources to mine cryptocurrency. This type of attack has already caused system outages and inadvertent disruption of major organizations such as PeopleSoft in 2017.
Organizations concerned with limiting their exposure to Ransomware risk should consider implementing the following:
- Implement strong endpoint (workstation) software control mechanisms such as Microsoft’s AppLocker, application whitelisting, and/or trusted application execution
- Restrict the use and ability of scripts to be run across the organization
- Utilize regular systems performance baselining to evaluate unexplained CPU / GPU utilization
- Implement and comply with the Foundational (First 6) Critical Security Controls.
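The baselining recommendation above is the one most directly aimed at cryptojacking, because a miner shows up as steady, unexplained CPU or GPU load rather than as a visible disruption. The following is an added example, not code from the original article or from Corporate Information Technologies, of what such a check looks like in practice: it builds a per-(weekday, hour) utilization profile from historical samples, then reports only sustained runs of samples that sit well above that profile, so a one-hour build or scan does not alert but an evening plateau does. The hostname, the 14-day history, the thresholds, and the day of observations are all constructed for the example; in production the samples would come from your monitoring system.

```python
"""Performance baselining check for unexplained CPU use (added example).

Builds a per-(weekday, hour) CPU utilization profile from historical samples,
then flags *sustained* runs of samples that sit well above that profile, the
pattern a background cryptominer produces (steady high load, often off-hours).
All data below is constructed; feed real samples from your monitoring stack.
"""
from collections import defaultdict
from statistics import mean, pstdev

# A sample is (is_weekday, hour_of_day, cpu_percent).


def build_baseline_samples():
    """Constructed 14-day hourly history for one hypothetical workstation:
    ~45% CPU during weekday business hours, ~8% otherwise, with a deterministic
    +/-5 point spread so the example is reproducible."""
    samples = []
    for day in range(14):
        weekday = day % 7 < 5
        for hour in range(24):
            busy = weekday and 9 <= hour < 17
            base = 45.0 if busy else 8.0
            jitter = ((day * 7 + hour * 3) % 11) - 5
            samples.append((weekday, hour, base + jitter))
    return samples


def build_profile(samples):
    """Mean and population std-dev of CPU% for each (weekday, hour) slot."""
    buckets = defaultdict(list)
    for weekday, hour, cpu in samples:
        buckets[(weekday, hour)].append(cpu)
    return {slot: (mean(vals), pstdev(vals)) for slot, vals in buckets.items()}


def z_score(profile, weekday, hour, cpu, min_sigma=5.0):
    """Standardized deviation of one sample from its slot's baseline.
    min_sigma floors the spread so a near-constant slot does not turn every
    small wobble into an alert (assumed value; tune to your fleet)."""
    mu, sigma = profile[(weekday, hour)]
    return (cpu - mu) / max(sigma, min_sigma)


def find_sustained_anomalies(profile, observations, z_threshold=3.0, min_run=4):
    """Return runs of >= min_run consecutive samples with z >= z_threshold.
    Each run is (first_hour, last_hour, max_z). Single spikes (a build, a
    scan) are ignored; only sustained elevation is reported."""
    runs, start, max_z = [], None, 0.0
    for i, (weekday, hour, cpu) in enumerate(observations):
        z = z_score(profile, weekday, hour, cpu)
        if z >= z_threshold:
            if start is None:
                start, max_z = i, z
            else:
                max_z = max(max_z, z)
            continue
        if start is not None and i - start >= min_run:
            runs.append((observations[start][1], observations[i - 1][1], round(max_z, 1)))
        start = None
    if start is not None and len(observations) - start >= min_run:
        runs.append((observations[start][1], observations[-1][1], round(max_z, 1)))
    return runs


def todays_observations():
    """Constructed 24 hourly samples for one weekday: normal load, a one-hour
    spike at noon, and a miner-like plateau from 19:00 onward."""
    obs = []
    for hour in range(24):
        if hour >= 19:
            cpu = 92.0 + (hour % 3)   # sustained ~93% while the desk is empty
        elif hour == 12:
            cpu = 70.0                # brief, legitimate spike
        elif 9 <= hour < 17:
            cpu = 44.0
        else:
            cpu = 9.0
        obs.append((True, hour, cpu))
    return obs


if __name__ == "__main__":
    profile = build_profile(build_baseline_samples())
    for first, last, peak in find_sustained_anomalies(profile, todays_observations()):
        print(f"ALERT: CPU elevated {first:02d}:00-{last:02d}:00, peak z={peak}; "
              "check running processes before treating it as benign")
```

Run as-is, the script reports a single run covering 19:00 to 23:00 and stays silent about the noon spike. The point of keying the profile on both weekday and hour is that "high" is relative: 45% at 11:00 on a Tuesday is normal for this machine, 45% at 03:00 on a Sunday is not, and a flat per-host threshold would miss the second case or drown the first in noise.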
Ransomware is an attack vector that is not going away anytime soon; cybercriminals are shifting the threat away from disruption and toward computing resource hijacking. Their motivation remains largely unchanged – financial gain. The modalities of their attacks are changing. On the near-term horizon are other similarly related attack vectors such as data weaponization, cascading systems take-down, and cloud/hybrid-cloud systems hijacking (Understanding How Hackers Work: Cyber Killchain). Organizations have a small window of opportunity to implement appropriate detection and defensive systems as cybercriminals evolve their attack methodologies.
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.
Contact us to learn more and let us show you how good I.T. can be!