While most people know the basics of ransomware, the details of this threat – like all aspects of cyber security – are constantly evolving. In this post, we’ll discuss recent changes we’ve seen in the tools, tactics and procedures used by ransomware attackers, and share new information on detection avoidance, decryption tools and industries that may face the highest risk. Finally, we’ll make some predictions on the future of ransomware (spoiler alert: it’s here to stay).
1. Malware uses new tactics to avoid detection
Traditionally, ransomware has involved gaining access to a computer, quickly encrypting the contents and delivering a message to demand payment. However, we’ve noticed a shift in this process. Recent ransomware variants have begun to use a CAPTCHA test to ensure they’re interacting with a human target and not an endpoint detection and response (EDR) tool or other malware-blocking software. Similarly, malware may attempt to detect if it’s being executed in a virtual environment, perhaps by a security researcher attempting to reverse-engineer the malware. We’ve seen attackers flip this on its head and deploy their malware inside its own virtual machine, to avoid detection by the host machine’s antivirus tool.
2. Payment extractions are becoming more complex
Another recent change involves how ransomware payments are extracted. Previously, attackers would encrypt host data and offer the decryption key in return for a ransom payment. As more businesses have become better prepared (through mature data backup strategies) or made the ethical decision not to pay ransom demands, attackers are turning up the pressure through a multi-pronged approach. In addition to their customary method of encrypting data and demanding payment for decryption, attackers now frequently exfiltrate a copy of the data before encrypting it locally. If their initial payment request is rebuffed, they’ll threaten to publish the exfiltrated data unless a payment is made for its deletion. We’ve also seen examples where, when no payment is made, the attacking groups attempted to auction off stolen data on the dark web to the highest bidder.
3. Reputation scores provide helpful info for victims
One of the most uncertain aspects of dealing with a ransomware event is when it’s been determined that a payment must be made. The question becomes, will the criminals uphold their end of the bargain if the payment is made, supplying the decryption key or deleting the data as promised? While there are no certainties, companies have moved into this space with a focus on brokering ransomware payments and affixing a reputation score to each attacker group. This can provide some level of confidence that the attackers will follow through on their part of the deal.
4. Decryption tools can present risks
While decryption tools have been created for many variants of ransomware, we are seeing an uptick in malicious or poorly designed decryption tools that may purposely cause harm or inadvertently corrupt the encrypted data, rendering recovery impossible. Many of these appear in response to simple Google searches for “ransomware decryptor,” offering to decrypt data for free, which obviously sounds very enticing to an affected user. We’ve also seen user error in this area. For example, a user infected with ransomware attempts to run a legitimate decryption tool, but because the tool is incompatible or built for a different variant, it damages the files and renders recovery impossible.
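The practical lesson of the paragraph above is that a decryptor should never be pointed at the only copy of the encrypted data. The harness below is an added example, not code from this post or from CNA Hardy: it hashes the originals, runs a decryptor only on a scratch copy, checks each output against known file headers, and then proves the originals were untouched. The names (trial_decrypt, header_validator, make_decryptor) are hypothetical, and the “ransomware” is a constructed toy XOR scrambler that stands in for a real variant so the example runs offline; a wrong key plays the role of a decryptor built for the wrong variant.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

# A decryptor takes one encrypted file, rewrites it, and returns the output path.
Decryptor = Callable[[Path], Path]
# A validator decides whether the decrypted bytes look like a real file.
Validator = Callable[[bytes], bool]

# Common file signatures (constructed list for this example).
MAGIC = (b"%PDF-", b"PK\x03\x04", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def header_validator(data: bytes) -> bool:
    """Accept output only if it starts with a known file-type header."""
    return data.startswith(MAGIC)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root; evidence the originals were not touched."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def trial_decrypt(encrypted_dir: Path, decryptor: Decryptor,
                  validator: Validator) -> Tuple[int, int, bool]:
    """Run the decryptor on a scratch copy only.

    Returns (recovered, failed, originals_intact). Files that the decryptor
    crashes on, or whose output fails validation, count as failed; the caller
    should promote results to the real data only if failed == 0 and intact.
    """
    before = snapshot(encrypted_dir)
    recovered = failed = 0
    with tempfile.TemporaryDirectory() as scratch:
        work = Path(scratch) / "work"
        shutil.copytree(encrypted_dir, work)
        for f in sorted(work.rglob("*")):  # materialised list: safe while files change
            if not f.is_file():
                continue
            try:
                out = decryptor(f)
                ok = out.is_file() and validator(out.read_bytes())
            except Exception:  # a broken decryptor must not abort the whole trial
                ok = False
            if ok:
                recovered += 1
            else:
                failed += 1
    intact = snapshot(encrypted_dir) == before
    return recovered, failed, intact


# --- constructed toy "ransomware" and decryptor used only to exercise the harness ---

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_sample_victim(root: Path, key: bytes) -> None:
    """Two constructed documents, scrambled with a toy XOR keystream and renamed .locked."""
    samples = {"report.pdf": b"%PDF-1.7\n%toy document body\n",
               "photos.zip": b"PK\x03\x04toy archive payload"}
    for name, body in samples.items():
        (root / (name + ".locked")).write_bytes(_xor(body, key))


def make_decryptor(key: bytes) -> Decryptor:
    """Decryptor for the toy scrambler; a wrong key simulates a tool for the wrong variant."""
    def decrypt(path: Path) -> Path:
        out = path.with_name(path.name[:-len(".locked")]) if path.name.endswith(".locked") else path
        out.write_bytes(_xor(path.read_bytes(), key))
        if out != path:
            path.unlink()
        return out
    return decrypt


def demo() -> Dict[str, Tuple[int, int, bool]]:
    """Trial the right and the wrong decryptor against the same encrypted directory."""
    with tempfile.TemporaryDirectory() as d:
        victim = Path(d) / "victim"
        victim.mkdir()
        make_sample_victim(victim, key=b"right-key")
        right = trial_decrypt(victim, make_decryptor(b"right-key"), header_validator)
        wrong = trial_decrypt(victim, make_decryptor(b"wrong-variant"), header_validator)
    return {"right": right, "wrong": wrong}


if __name__ == "__main__":
    print(demo())  # right decryptor: (2, 0, True); wrong variant: (0, 2, True)
```

The point of the design is the third value in each result: even the wrong decryptor, which turns every file into garbage, leaves the originals byte-for-byte intact because it only ever saw the scratch copy. With real data, keep that snapshot of hashes alongside an offline copy of the encrypted files before trying any decryptor, legitimate or otherwise.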
5. Service providers continue to be a target
There’s been a shift in the targeting of ransomware campaigns, and attacking groups are looking to inflict the most damage possible. Their latest targets are service providers that operate in the information technology, healthcare, legal, and accounting spaces. The breach of a service provider’s back-end environment can directly impact customer data in the vendor’s care, but it might also allow malware to spread to the vendor’s customers’ systems. In all cases, a mature vendor management programme is key. Know your vendors, be aware of what data and access they have, and ensure it is appropriate and well-secured.
The future of ransomware
Where might ransomware go next? While infections on traditional operating systems will continue, there are new areas to watch as well. For example, cellphones running old versions of their operating system may be at risk – especially if they install applications from third-party app stores. Attackers will also continue to leverage malicious web browser extensions. They have become adept at sneaking them into the official extension stores for Google Chrome, so use caution before installing any extensions in your browser. Attackers will also increase their focus on abusing smart home devices, especially devices made by less-familiar companies that aren’t patched for security issues. We recommend purchasing smart devices from well-known manufacturers with a good track record for providing continued security support after the sale. We believe healthcare and law firms will also continue to be targeted due to the value of their confidential data. Regardless of size, companies in these industries should look for ways to fortify their data protection strategy. And finally, the attacking groups are leveraging the current pandemic as a “hook” for their activity, pretending to share information on testing, tracking, cures and remedies in the hope of getting an unwitting user to click their link or open their attachment.
Nick Bellamy
Risk Control Director, Cyber & Tech
CNA Hardy’s cyber proposition
Our cyber solution provides a range of cutting edge risk management and loss prevention services that are designed to mitigate cyber risk and support policyholders with cyber security.
Pre-breach prevention services include IT security analysis and reviews, malware and web vulnerability detection with GamaSec, penetration testing and cyber education for staff.
If a policyholder has a suspected breach then immediate breach assistance is available with just one phone call. Our partners include forensic IT investigators, legal services, crisis and PR agencies who offer guidance and support during and after a cyber attack.
Find out more about our cyber solution.
Further reading:
COVID-19 and Remote Working: Protect your employees and your business from cyber security risk
SME Cyber Threats 101: Phishing & Cyber Attacks
SME Cyber Threats 101: Impersonation Fraud
SME Cyber Threats 101: Malware