8 Types Of Ransomware Attacks You Need To Know About
Here's a look at how everything from database encryption to geofencing and stealer malware to Ransomware-as-a-Service platforms have led to new and emerging types of ransomware attacks.
Solving The Ransomware Riddle
Ransomware installs itself on the victim's computer, either encrypting the files or locking the entire system until a ransom is paid. This has forced organizations to increase their investments in securing data, networks and endpoints from advanced cyber threats like ransomware.
The healthcare vertical has fallen victim to a large number of ransomware attacks due to the push for rapid digitization of medical records such as electronic patient health information. And the banking and financial services sector continues to be heavily affected by ransomware due to the growing usage of web and mobile applications for banking transactions and payments.
The ransomware protection market is expected to reach $17.36 billion by 2021, representing a compound annual growth rate (CAGR) of 16.3 percent over the previous half-decade, according to research firm MarketsandMarkets. Asia-Pacific offers the biggest opportunity for growth due to increased spending on cybersecurity in places like China, Australia and India.
From encrypting databases and backups to utilizing geofenced and stealer malware to embracing ransomware as a service, here's a look for CRN's Cybersecurity Week 2019 at eight persistent types of ransomware attacks technical and research leaders at Imperva, Malwarebytes, and Proofpoint said organizations need to be on guard against.
Backups In The Crosshairs
Adversaries are now looking not only for critical files, but also to recognize and identify backups of those files, pictures and documents, according to Terry Ray, senior vice president and fellow at Redwood Shores, Calif.-based Imperva. Organizations therefore should avoid storing backups in the same physical location or connected to their production or development system files, Ray said.
Organizations that execute and store their own backups tend to use the same data center where the rest of their data is kept, making it easy for adversaries to lock down the backups, Ray said. Businesses can put themselves in a safer position by using third-party or SaaS-based backups, according to Ray.
Ray cautioned against backing up into AWS or Microsoft Azure, however, saying that adversaries can modify, manipulate or install everything an organization has in its public cloud once they have access to the internal hosts or servers of the victim organization. Even if a backup is taken out of the data center, Ray said the connection needs to be completely severed to optimize security.
Combined With Other Threats
Ransomware is increasingly being used in conjunction with other threats such as Emotet, TrickBot and Rootkit to carry out brute force attacks and hijack login or administrative credentials, according to Adam Kujawa, director of Malwarebytes Labs at Santa Clara, Calif.-based Malwarebytes. By utilizing exploits like WannaCry, EternalBlue and EternalRomance, Kujawa said adversaries can spread laterally.
By using malware that's able to move laterally, Kujawa said attackers have evolved from infecting or encrypting a single endpoint to being able to infect or encrypt the entire business. Once the network has been surreptitiously infected for days or even weeks, Kujawa said the threat actors will then push the ransomware out.
When ransomware is able to come from all directions and ports, Kujawa said businesses can't expect to know where it's going to come from or when it's going to hit. For that reason, Kujawa recommended identifying the data that's most valuable or could cause the greatest disruption to the organization, and then putting additional security measures in place to make it harder for adversaries to get hold of.
Databases Now Getting Encrypted
Ransomware has evolved from sitting on laptops and infecting files to encrypting elements of databases or pulling data out of databases altogether and replacing it with a notice directing the victim to call the hackers, said Imperva's Ray.
Adversaries can go after file servers using spray-and-pray attacks since these servers tend to be highly accessible so that all employees are able to use and store data, according to Ray. Therefore, Ray said adversaries are typically able to gain access to file servers without having to phish high-level people.
Unlike file servers, Ray said databases have a very specific set of users within a business. As a result, Ray said adversaries would likely need to spearphish the database administrator at a specific organization to obtain the username and password of the application server that accesses the database. The actual effort of encrypting or stealing data from a file server or database is virtually identical, he said.
Downloader Or Stealer Malware
Organizations are likely to initially be infected with either stealer or downloader malware, according to Ryan Kalember, executive vice president of cybersecurity strategy at Sunnyvale, Calif.-based Proofpoint. Stealer malware is focused on grabbing credentials, web logins and cookies, Kalember said, as well as trying to identify where in the victim's business the crown jewels are located.
Downloader malware, meanwhile, gains a foothold on the victim's systems and attempts to maintain its presence so that the adversary can load an exploit at a future point in time. The use of downloader malware has ticked up as ransomware attacks have become more lucrative, Kalember said, while the use of stealer malware has trailed off after Emotet went dark at the end of May.
Ultimately, Kalember said threat actors will leverage the access provided by stealer or downloader malware to launch a broad-reaching ransomware attack against the organization in question. Therefore, Kalember said the initial function of malware in a phishing attack is to set the stage for the deployment of ransomware.
Encryption Being Used Correctly
Most ransomware families historically didn't use encryption algorithms correctly, meaning many victim organizations were able to decrypt the data without actually having to pay, according to Malwarebytes' Kujawa.
A lot of the threat actors are new to the space and not professional developers, and struggled with manually creating encryption keys, according to Kujawa. As a result, Kujawa said attackers were often unable to create decryption tools that worked correctly, meaning the victim wouldn't get their data back even if they paid the ransom.
The accuracy of encryption has improved since Microsoft created a new framework for cryptography in Windows and CryptoLocker executed its encryption perfectly, Kujawa said. Ransomware today is typically solidly designed, with most threat actors figuring out how to do encryption correctly en masse.
Geofenced Malware
Geofenced malware only executes on particular IP addresses, allowing adversaries to better tailor their attack to the geographic areas they wish to monetize, according to Proofpoint's Kalember. Historically, observers have noticed that many strains of malware would never hit Russia or any of the other former Soviet republics, Kalember said.
Nowadays, Kalember said many threat actors want to target specific countries with ransomware variants. For instance, Kalember said financially motivated attackers might have created an Italian-language or a German-language lure, and therefore only wish to bait individuals or organizations based in Italy or Germany.
Kalember said having the malware appear for IP addresses based outside of Italy or Germany increases the risk of detection with little payoff since the people being hit in other countries likely wouldn't understand the message.
Less Sophisticated Entities Targeted
Ransomware used to hit all businesses pretty indiscriminately, but as sophisticated organizations improved their defense and backups, they were increasingly able to recover without having to pay, Kalember said. As a result, Kalember said adversaries have shifted to targeting smaller organizations and municipal governments who would be less equipped to defend themselves.
Threat actors have primarily relied on demographic profiling to identify smaller organizations in sectors with historically low budgets and staffing levels, according to Kalember. From there, Kalember said the hackers will often search for publicly available email addresses for a shared mailbox to increase the likelihood of a click, since the message ends up in front of multiple people.
Adversaries have also moved a little away from attempting to compromise the initial endpoint via phishing to picking a target inside the victim's environment and hammering on it using brute force attacks. Hackers have also seized on remote desktop protocol to infiltrate obvious things in an organization's ecosystem that have been exposed to the internet, Kalember said.
Ransomware As A Service
Ransomware creators have begun hiring botnet operators and offering affiliates the chance to spread and distribute their malware, according to Malwarebytes' Kujawa. If an organization is successfully ransomed and pays up, Kujawa said the affiliate will get a certain cut of the proceeds, with the rest of the money going to the creator of the ransomware.
A single operator that attempts to both create and spread ransomware on their own is dependent on a single distribution method, Kujawa said. But an affiliate network makes it far more difficult to wipe out particular types of ransomware since 15 to 20 people are spreading the ransomware in different ways and going after different targets, according to Kujawa.
Creating a supply chain for ransomware has helped authors monetize their creation and keep their strains of ransomware alive for years after the fact, Kujawa said. But getting an affiliate network does require ransomware creators to put trust in people they don't really know, putting them at risk of an affiliate reverse engineering the source code and starting their own ransomware family.