About the Author
Kelvin Murray is Principal Threat Researcher at Webroot.
Ransomware is malicious software that holds your data to ransom. Today, it generally involves encrypting a victim's data and then demanding payment (usually in cryptocurrency) to decrypt it. Ransomware has dominated the malware world since late 2013, but it finally saw a decline last year. The overall decrease in the volume of malware, together with defensive improvements across the IT world in general (such as the more widespread adoption of backups), have contributed to this, but they have also pushed the threat to become more targeted and relentless.
Delivery methods
When ransomware first appeared, it was typically distributed through massive email campaigns and exploit kits. Consumers and business users were hit fairly indiscriminately. Today, many ransomware criminals prefer to choose their targets to maximize their profits. Infecting people carries a cost of doing business: the larger the group of people you are trying to reach, the more expensive it becomes.
Exploit kits
Just visiting certain websites can infect you, even if you don't try to download anything. This is usually done by exploiting weaknesses in the software used to browse the web, such as your browser, Java, or Flash. Content development and management tools like WordPress and Microsoft Silverlight are also common sources of vulnerabilities, but a great deal of software and many websites are involved in spreading infections this way. Most of this work is packaged into an exploit kit that can be rented by criminals to help spread their malware.
Renting an exploit kit can cost €1,000 a month, so this delivery method is not for everyone, only for sufficiently motivated and funded cybercriminals.
Eric Klonowski, Senior Threat Research Analyst at Webroot, said: "As the cost of exploits has risen so dramatically in the last decade, we continue to see a decrease in the cost of doing business. The use of 0-days in the wild (as well as associated private exploit leaks).
"Without a doubt, state actors will continue to store them for use on the most profitable targets, but hopefully occurrences like Shadowbrokers will cease. The aforementioned leaks have probably served as a powerful internal wake-up call about who has access to these utilities (or perhaps where they are left behind)."
Exploits that can be used by both malware and web threats are harder to obtain today, and as a result we see a decrease in the number of exploit kits and an increase in the cost of exploits in the wild. This threat is not going away, but it is shrinking.
Email campaigns
Spam emails are a great way to spread malware. They suit criminals because they can hit millions of victims at once. However, bypassing email filters, crafting a convincing phishing message, building a dropper, and evading security overall is hard to do at scale. Managing these large campaigns takes work and experience, so they are expensive, just like an exploit kit.
Targeted attacks
The probability that a target will pay a ransom and the amount of that ransom is subject to a number of factors, including:
- The country of the victim. The GDP of the victim's country of origin is correlated with the success of a campaign, and victims from richer countries are more likely to pay a ransom;
- The importance of the encrypted data;
- Costs associated with downtime;
- The operating system used. According to Webroot data, Windows 7 users are twice as likely to be exposed to malware as Windows 10 users;
- Whether the target is a business or an individual. Business victims are more likely to pay, and to pay big.
Since the probability of success varies with the target's circumstances, it is worth noting that there are ways to narrow the selection of targets even when using exploit kits or email campaigns, but these attacks remain more scattershot than the more targeted attacks described below.
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) is a popular Microsoft system that administrators primarily use to connect remotely to servers and other endpoints. When it is exposed with poor password settings and policies, cybercriminals can easily break in. RDP breaches are not new, but unfortunately the business community (and especially small businesses) has ignored the threat for years.
Recently, government agencies in the United States and the United Kingdom have warned about this entirely avoidable attack. Less sophisticated cybercriminals can buy RDP access to already-compromised machines on the dark web. Access to machines at major airports has been seen on black markets for just a few dollars.
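The RDP breaches described above usually start with password guessing against an exposed endpoint, which leaves a recognizable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The following detection script is an added example, not code from the article or from Webroot. The event IDs and logon type are real Windows values; the one-line-per-event export format and the log lines are constructed for the example (real exports are EVTX or XML), and the threshold and time window are assumptions a defender would tune.

```python
"""Flag RDP password-guessing from Windows Security event records.

Added example, not from the article. Assumes a simplified, constructed
one-line-per-event export. EventID 4625 (failed logon), 4624 (successful
logon) and LogonType 10 (RemoteInteractive/RDP) are real Windows values;
the line layout below is a placeholder format, not a real export format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures against different accounts from one IP
# within seconds, then a success from that IP. A second IP has one failed
# network logon (type 3, not RDP) and one ordinary RDP failure, which
# should not alert.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-05-01T10:00:02Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2024-05-01T10:00:04Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2024-05-01T10:00:05Z EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.7
2024-05-01T10:00:07Z EventID=4625 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.7
2024-05-01T10:00:09Z EventID=4624 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.7
2024-05-01T10:01:00Z EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=198.51.100.20
2024-05-01T10:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2024-05-01T10:30:20Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10   # RemoteInteractive
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_events(text):
    """Parse the constructed export into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP with >= threshold failed RDP logons
    inside a sliding `window`. Each alert records the distinct usernames
    tried and whether a successful RDP logon from that IP followed the burst
    (the strongest signal that guessing worked)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["ltype"] == RDP_LOGON_TYPE:      # only RDP sessions matter here
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == FAILED_LOGON]
        for i in range(len(failures)):
            j = i
            while (j + 1 < len(failures)
                   and failures[j + 1]["ts"] - failures[i]["ts"] <= window):
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = failures[j]["ts"]
                alerts.append({
                    "source_ip": ip,
                    "failures": count,
                    "first_seen": failures[i]["ts"],
                    "last_seen": burst_end,
                    "users_tried": sorted({e["user"] for e in failures[i:j + 1]}),
                    "success_after_burst": any(
                        e["eid"] == SUCCESS_LOGON and e["ts"] >= burst_end
                        for e in evs),
                })
                break   # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the script raises a single alert for 203.0.113.7 with five usernames tried and a successful logon after the burst; the second address produces nothing because its only failure is a single RDP attempt and the type-3 failure is excluded. In a real deployment the same logic would consume an EVTX or SIEM export, and a burst followed by success should be treated as a likely compromise rather than a mere brute-force attempt.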
Phishing
If you know your target, you can tailor an email specifically to deceive them. This is called spear phishing, and it is an extremely effective technique used in many ransomware cases.
Modular malware
Modular malware attacks a system in stages. Once it runs on a machine, it performs reconnaissance before calling back to its base and downloading additional payloads.
Trickbot
We have also seen the Trickbot modular banking Trojan drop ransomware such as Bitpaymer on machines. Recently, it has been used to assess a company's worth before the attackers deploy remote access tools and Ryuk ransomware to encrypt its most valuable information. The actors behind this Trickbot/Ryuk campaign pursue only big, lucrative targets that they know they can cripple.
Trickbot itself is often dropped by another modular malware program, Emotet.
What are the current trends?
As noted, ransomware use may be declining because of improved defenses and heightened threat awareness, but the broader and more noticeable trend is toward more carefully selected targets. RDP breaches have been the biggest source of ransomware-related calls to our support teams in the last two years. They are utterly devastating to those affected, so ransoms are often paid.
Modular malware involves profiling a target before deciding whether or not to run, and this threat has grown over the past six months.
Automation
When we talk about targeting, you might assume a human is involved. But wherever possible, the attack will be coded to free up the workforce. Malware generally decides not to run if it finds itself in a virtualized environment or if analysis tools are installed on the computer. Trickbot and Emotet use seamless automation to keep their botnets running and to spread with the help of stolen credentials. RDP breaches are easier than ever thanks to automated processes that scan the Internet for exposed targets. Expect increasingly smart automation of ransomware and other malware in the future.
What can I do?
- Secure your RDP;
- Use an appropriate password policy. This is related to the RDP ransomware threat and applies particularly to administrators;
- Update everything;
- Back up everything. Is your backup physically connected to your environment (such as USB storage)? If so, it can easily be encrypted by malicious actors too. Make sure your backups are air-gapped or in the cloud.
- If you think you have been the victim of a breach, decryption tools may be available. Despite researchers' brilliant decryption efforts, this is only true in some cases.