Ransomware is back, and it is smarter and more malicious than ever.
Although the threat of malware seemed to be on the decline toward the end of 2018, the first two quarters of 2019 have seen ransomware attacks come roaring back. The new ransomware actors are less likely to target anyone and everyone: While the overall number of infections is one fifth less than during the comparable period in 2018, the number of infections launched specifically against high-value organizations has grown significantly.
And it’s not just targeting tactics that have changed. Today’s ransomware variants are smart, stealthy, and perfectly designed to inflict high-impact damage on victims for whom downtime can have dire effects.
Targeted Ransomware Overtakes Traditional Variants
Malicious actors used to deliver ransomware via “spray and pray” tactics – attack far and wide and see where it gets in. This model still exists today, but it has taken a back seat to professional threat groups using much smarter tools to penetrate those targets that are most likely to pay.
Ransomware attackers are now far more interested in hitting sensitive organizations such as healthcare facilities, Critical Infrastructure (CI) providers and local, city and state government agencies. These are entities that can hardly tolerate downtime. In the case of CIs, getting hit with ransomware can translate into downed power grids, electricity outages and threats to public safety. In the case of hospitals, downtime can mean loss of life. Organizations such as these may pay up fast to prevent catastrophic results. Ransomware has found its ideal target — organizations that can’t afford to put operations on hold while the attack is dealt with.
Targeting high-value organizations means that threat actors must put in far more legwork in the initial stages of their attacks. To gain initial entry to an organization’s network, the new breed of attacks uses methods that are more commonly associated with the typical espionage attacks and advanced persistent threat attacks, such as prolonged reconnaissance and network mapping, in place of traditional ransomware distribution methods.
Evolution of Targeted Ransomware
In 2016, SamSam ransomware began to make its rounds and soon after, it started displaying a clear preference for city municipalities and hospitals around the US. It hit the city of Atlanta, eventually costing the city $7 million in clean-up and recovery costs, and then moved on to the Colorado Department of Transportation and the Port of San Diego, among other high-profile victims. SamSam infections decreased toward the end of 2018, but it seems the group is back in full swing in 2019.
Hitting cities is bad enough. But hitting Critical Infrastructure can be, well, critically bad. In early 2019, LockerGoga began targeting a number of manufacturing plants, chemical companies and other Critical Infrastructure organizations in the US and Northern Europe. A notably odd feature of the attack is that it changes all the admin passwords and kicks the admin out of his or her account, leaving them unable to get back in. Since they cannot get back inside, they may not be able to see the ransom note or get payment information.
This idiosyncrasy has left researchers wondering whether the main goal here is collecting the ransom fee or creating havoc for some other purpose. Another aspect that researchers have not yet been able to pin down is how LockerGoga gets onto systems initially. According to Allan Liska of Recorded Future, “The initial infection was thought to be a phishing attack, but seems like a less likely scenario as no phishing emails have been reported. It is likely some form of remote access, such as an open RDP server.”
Another targeted ransomware variant making headlines is RobinHood. Like SamSam, the variant has been caught targeting cities such as Baltimore, MD and Greenville, NC. It is distributed through Trojans and encrypts the victim’s computer with RSA and AES encryption.
The interesting thing here is that the ransom note waxes on about respecting user privacy: “Your privacy is important for us, all of your records including IP address and Encryption keys will be wiped out after your payment”. Further, it tells the victims that they can choose up to 3 files to be decrypted for free, as an indicator of the attackers’ “honesty”. It also tells the victim that after the third day of non-payment, the decrypt rate will jump to $10,000.
Just recently, a previously unknown malware variant dubbed MegaCortex began hitting corporate networks in North America and Europe, including cloud host provider iNSNQ. At this point it’s unclear how MegaCortex makes its way onto networks – it may be using a Trojan like Emotet or Qbot. What is known is that infections with this particular variant are still rare but will probably keep occurring until attackers figure out an even more stealthy way to attack their victims.
Fending off Targeted Ransomware
If you fall into the high-value category (and even if you don’t), you may think the best way to deal with a ransomware attack is to pay the decryption fee and get the situation over with. Not only is that expensive, but there is no way to guarantee that you’ll get your data back. What’s even worse, it confirms that the attackers’ tactics are effective, which encourages them to keep at it.
When it comes to defending against ransomware attacks, prevention is the best possible tool. Here are some tips for preventing ransomware from making its way onto your networks and to help keep your sensitive data secure.
- Patching – Patching is one of the best ways to prevent a myriad of threats from infiltrating your network, ransomware included. Attackers use unpatched flaws and vulnerabilities to launch attacks, as amply demonstrated by 2017’s WannaCry. A proper patch management strategy ensures that any vulnerability is mitigated as soon as a fix is released.
- Spear Phishing Protection – According to security firm Cofense, 97% of phishing emails contain a ransomware payload. And whereas it used to be simple to discern phishing emails from legitimate ones, the sophistication of today’s perfectly crafted spear phishing attacks makes it easy for attackers to succeed. This means it’s critically important to employ an anti-phishing solution along with phishing awareness training.
- Secure your Remote Desktop Protocol (RDP) – While RDP lets admins in to remotely help end users, it needs to be locked down in order to prevent breaches. A few security best practices include port obfuscation, two-factor authentication and use of a secure gateway. More tips on securing remote desktop connections against ransomware and malware are available in our separate post on the subject.
- Remote Browser Isolation plus CDR – With RBI, all content, whether clean or malicious, is rendered outside the network, so even if your users open a website containing ransomware, it cannot get onto your endpoints. Make sure your RBI solution includes Content Disarm and Reconstruct capabilities to safeguard against malware penetration via infected downloads.
- Invest in a backup solution – Be sure to have reliable off-site or cloud-based storage. This ensures that if something does make its way through, you can restore most of your data to its previous state.
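The RDP advice above is about locking the door; a defender also wants to know when someone is rattling the handle. Below is an added example, not code from the original post, that scans a constructed set of Windows Security log records for the pattern that precedes many RDP-based intrusions: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, optionally followed by a successful logon (Event ID 4624) from the same source. The event tuples are a simplified subset of the real event fields, and the sample IPs, usernames and timestamps are constructed.

```python
"""Flag RDP password-guessing bursts in Windows Security log records.

Added example: records are simplified to (timestamp, event_id, logon_type,
target_user, source_ip) tuples rather than full event XML. Event IDs 4625
(failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive)
are the real Windows values; the sample data itself is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample events: one external source guessing several accounts,
# one ordinary user mistyping a password once, one non-RDP failure.
SAMPLE_EVENTS = [
    ("2019-06-01T02:00:00", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-06-01T02:00:09", 4625, 10, "admin", "203.0.113.7"),
    ("2019-06-01T02:00:17", 4625, 10, "backup", "203.0.113.7"),
    ("2019-06-01T02:00:26", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-06-01T02:00:34", 4625, 10, "sqlsvc", "203.0.113.7"),
    ("2019-06-01T02:00:41", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-06-01T02:01:05", 4624, 10, "administrator", "203.0.113.7"),
    ("2019-06-01T08:15:00", 4625, 10, "jsmith", "10.0.5.21"),
    ("2019-06-01T08:15:20", 4624, 10, "jsmith", "10.0.5.21"),
    ("2019-06-01T09:00:00", 4625, 3, "svc-share", "10.0.5.40"),  # network logon, not RDP
]


def find_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside any sliding window of the given length.

    Each finding records the peak failure count in a window, how many distinct
    accounts were tried, and which accounts logged on successfully from the same
    source after the last failure (the "guessing then success" pattern).
    """
    failures = defaultdict(list)   # source ip -> failure timestamps
    users = defaultdict(set)       # source ip -> accounts tried
    successes = defaultdict(list)  # source ip -> (timestamp, account)

    for ts, event_id, logon_type, user, src in events:
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons matter here
        t = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            failures[src].append(t)
            users[src].add(user)
        elif event_id == SUCCESS_LOGON:
            successes[src].append((t, user))

    findings = {}
    for src, times in failures.items():
        times.sort()
        # Two-pointer sliding window over sorted failure times.
        peak = 0
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_failure = times[-1]
        success_after = sorted(u for t, u in successes.get(src, []) if t >= last_failure)
        findings[src] = {
            "peak_failures_in_window": peak,
            "distinct_users_tried": len(users[src]),
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_password_guessing(SAMPLE_EVENTS).items():
        print(src, finding)
```

Run against the sample, only 203.0.113.7 is flagged: six failures in under a minute across four accounts, followed by a successful administrator logon, which is the case worth paging someone for. The single failure from 10.0.5.21 and the non-RDP failure from 10.0.5.40 are ignored. In a real deployment the same logic would read from the Security event log or a SIEM, and the threshold and window would be tuned to the environment's normal failure rate.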
The main thing attackers look for when choosing targets for ransomware attacks is a vulnerable network. And sadly, once an attack is on your system, there’s little that can be done to reverse the effects. Our advice? Make sure you’re not an attractive target by proactively hardening your environment. Not only will it help you fend off ransomware, but it will help enhance your overall cyber hygiene – and that’s seriously high-value.
To find out more about why governments are attractive targets for cyberattacks, and how to avoid becoming the next victim, read “To Halt Public Sector Cyberattacks, in Internet Isolation We Trust”