Ransomware is not a new phenomenon, yet it remains one of the most popular forms of cybercrime because it is easy to distribute and highly profitable for criminals. One reason for its proliferation is its diversity. Since ransomware constantly evolves into more sophisticated forms, organizations that do not keep up with the development of this particularly dangerous class of malware often find their computer networks completely paralyzed by it. The purpose of this article is to raise information security awareness about ransomware by exploring five recent trends in how ransomware attacks are conducted. They are examined in more detail below.
1. Exploitation of vulnerable web servers
Large-scale ransomware attacks often exploit security vulnerabilities in web servers in order to infect other computers with ransomware. In 2016, the largest attack of this type used the self-spreading Samsam ransomware. It infected multiple systems connected to a single server, including medical institutions, government agencies, schools, and aviation companies. Samsam is designed to encrypt over 300 file types using the Advanced Encryption Standard (AES), and it relies on the Jexboss tool to compromise the servers it spreads from.
2. Ransomware distribution through Windows Script Files (WSF)
Security researchers have identified a surge in the use of WSF files for distributing file-encrypting ransomware. The tactic relies on malicious .wsf files that contain a mix of scripting languages and are hard for anti-malware software to detect. For example, in October 2016, criminals sent fake itinerary messages urging recipients to open .zip archives that concealed .wsf files carrying the Locky ransomware.
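Because the lure in this campaign was a .zip archive wrapping a .wsf file, a mail gateway or triage script can flag such attachments before a user opens them. The following is an added example (not code from the original article): it inspects an in-memory zip for .wsf members, tolerates double extensions such as `something.pdf.wsf`, and reports which script languages each WSF job mixes; the archive and the harmless WSF inside it are constructed for the demonstration.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

# Matches <script language="VBScript"> or <script language=JScript> inside a WSF <job>.
_SCRIPT_LANG = re.compile(
    r"<script\b[^>]*\blanguage\s*=\s*['\"]?([A-Za-z0-9.]+)", re.IGNORECASE
)


@dataclass
class WsfFinding:
    member: str            # archive member name, e.g. "Itinerary_details.PDF.wsf"
    languages: List[str]   # script languages embedded in the file, lowercased and sorted


def find_wsf_in_zip(data: bytes, max_members: int = 1000, max_bytes: int = 1_000_000) -> List[WsfFinding]:
    """Return one finding per .wsf member of a zip archive (case-insensitive, double extensions included).
    Reads at most max_bytes of each member so a decompression bomb cannot exhaust memory."""
    findings: List[WsfFinding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir() or not info.filename.lower().endswith(".wsf"):
                continue
            with zf.open(info) as fh:
                text = fh.read(max_bytes).decode("utf-8", errors="replace")
            langs = sorted({m.group(1).lower() for m in _SCRIPT_LANG.finditer(text)})
            findings.append(WsfFinding(info.filename, langs))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign text file plus a harmless WSF that mixes VBScript and JScript."""
    wsf = (
        '<job id="demo">\n'
        '  <script language="VBScript">WScript.Echo "sample"</script>\n'
        '  <script language="JScript">WScript.Echo("sample");</script>\n'
        "</job>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("itinerary.txt", "Flight details attached.\n")
        zf.writestr("Itinerary_details.PDF.wsf", wsf)   # hypothetical lure-style name
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_wsf_in_zip(build_sample_zip()):
        print(f"{f.member}: script languages {', '.join(f.languages) or 'none'}")
```

A gateway would quarantine any archive for which `find_wsf_in_zip` returns a non-empty list, since legitimate itineraries never ship as Windows Script Files.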
3. Ransomware in cloud platforms
In recent months, there has been a steady increase in the number of ransomware attacks on cloud sync-and-share platforms. Such attacks pose significant risks to organizations, because ransomware targeting cloud platforms is usually capable of spreading itself throughout the affected organization's computer network. The advanced version of Virlock is a typical example of cloud-based ransomware. Unlike traditional ransomware, Virlock does not tell the user that the computer is infected with ransomware. Instead, it impersonates an anti-piracy FBI warning and demands that the victim pay a fine of USD 250 in order to avoid larger monetary sanctions and imprisonment.
4. Personalized ransomware
The major difference between personalized ransomware and classic forms of ransomware is that the former uses sensitive information to camouflage itself more convincingly. For example, the ransomware Ransoc uses data collected from users' Facebook, LinkedIn, and Skype accounts to send them personalized ransom demands that cite allegedly illegal files owned by the affected users. In this way, Ransoc misleads its victims into believing that, if they do not pay the requested amount, government authorities will commence court proceedings against them.
5. Ransomware mimicking Windows
Cyber-attackers have recently started using a new form of "tech support" ransomware. It is designed to look like a Windows reactivation window that invites users to call a toll-free number in order to reactivate their operating system. When users call the number, they are usually asked to pay bogus fees for reactivating Windows.
To mitigate the negative consequences associated with ransomware (e.g., loss of sensitive information, disruption of business activities, and reputational damage), individuals and organizations need to use state-of-the-art security measures. Raising information security awareness remains the most effective of them.
From time to time, SensorsTechForum features guest articles by cyber security and infosec leaders and enthusiasts such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author, and may not reflect those of SensorsTechForum.