Search Security reports, that ransomware is big business and it appears as if malware developers are trying out a number of new features in different types of ransomware to make attacks more effective and profitable.
The 2017 Verizon DBIR confirmed the trend that many experts noted of ransomware as a booming malware business, and the real world provides plenty of supporting evidence. It has gone so far that threat actors have been able to use fake ransomware to scare victims into paying.
More recently, an example is Fatboy, a ransomware as a service (Raas) option that can dynamically change ransom prices based on the Big Mac index. According to threat intelligence provider Recorded Future based in Somerville, Mass., this means “victims in areas with a higher cost of living will be charged more to have their data decrypted.”
Ken Spinner, vice president of global field engineering at Varonis, said dynamic pricing in new types of ransomware was inevitable.
“If we continue to think about ransomware as a business, then it makes absolute sense that they would know the types of people, industries and locations that would pay and how much they would be willing to pay — the victim sweet spot,” Spinner told SearchSecurity. “Some RaaS offerings even automate the price based on the Big Mac index, like Fatboy, and this in turn helps them to make their RaaS offerings more appealing to would-be criminal subscribers.”
Ilia Kolochenko, CEO of High-Tech Bridge, a web application security testing company based in Geneva, said the ransomware-as-a-service model will continue to grow.
“Many cybercriminals don’t want, or simply don’t have enough skills, to do all the administrative work involved in ransomware — billing, support, money laundering, etc. With the RaaS model, even a kid can successfully receive payments from the victims without bothering about anything but hacking user machines,” Kolochenko told SearchSecurity. “There is nothing sophisticated in the RaaS model; it’s just about making this type of cybercrime more accessible and affordable. This is a sign that the cybercrime industry is maturing, like a legitimate business.”
There has also been a number of types of ransomware to try innovative new features, such as offering the decryption key in exchange for the victim spreading the infection to others and deleting the decryptor if researchers attempt to sandbox or study the malware.
Researchers also found CryptFile2, an updated version of the CryptoMix ransomware that changes file extensions of encrypted files to avoid detection and make decryption more difficult.
Travis Smith, principal security research engineer at Tripwire, said the level of innovation in new types of ransomware could be because ransomware is, by design, intended to be discovered quickly which means more samples are available to be inspected by defenders.
“That being said, many of the innovations that ransomware is adopting have been used by other malwares for quite some time. For example, sandbox detection and malware as a service have been leveraged by other campaigns long before being used by ransomware,” Smith told SearchSecurity. “There are valid reasons why malware authors are spending time putting these features in. Many ransomware families have been reverse engineered by white hat researchers and had their decryption keys released to the public for free.”
Tim Prendergast, CEO at Evident.io, a cloud infrastructure security company based in Pleasanton, Calif., said what sets ransomware apart is that “there’s no attempt to acquire any intelligence or restricted data; it’s all about profits,” and the innovation in the space reflects that.
“Unfortunately, it has proven to be a lucrative activity. Therefore, the profit motive is driving some major technology developments. We’re seeing more attacks across a broader scope of targets; even nonprofits, churches and small governments aren’t safe,” Prendergast told SearchSecurity, adding that “the cloud has long [been] thought to be a safer haven, but it is far from immune.”
While the ransomware space may change and ransomware developers may innovate, experts noted that the best ways to combat ransomware are still relatively unchanged.
Smith said if a company is infected with ransomware, “the best option is to rely on valid backups to get your data back.”
“However, training users on safe and secure internet habits will go a long way in preventative maintenance against ransomware. Most infections will come in via a malicious link or attachment. Raising awareness around this type of attack path is critical for avoiding not only ransomware, but any other malware family,” Smith said. “The Google Docs phishing campaign from earlier this week is a great learning tool for the masses to teach them the dangers of clicking on unsolicited links.”
Morgan Gerhart, vice president of marketing at Imperva, warned that a major component of the cost of ransomware isn’t the ransom, “it’s the disruption and downtime.”
“Theoretically, if you can recover your data in real time, the backup is effective. Most people can’t. And even a few hours of downtime is hugely disruptive to an enterprise,” Gerhart told SearchSecurity. “We believe the most effective solution is to monitor the data in real time to detect when it’s being accessed by ransomware so you can stop the attack.”
Spinner said the proactive approach is with a defense in depth.
“Organizations need to look between the endpoints and the backups at the … actual data that is at risk. First, they need to restrict access to data on a need-to-know basis to reduce the attack footprint. Next, organizations need to monitor, alert and stop suspicious behavior as it’s happening with user behavior analytics (UBA),” Spinner said. “Ransomware, no matter how innovative, will never perfectly imitate the normal behavior of the user it is infecting. UBA is a surefire way to find and stop an attack in progress.”