Considering the impact of ransomware campaigns, concern about the future of the file-encrypting menace comes naturally. Can it get any worse than it already is? The short answer is yes, it can, and it will. Scott Mills, CTO at mobile security company Cyber adapt, believes that the severity of ransomware infections will grow out of proportion in 2017. The majority of respected security researchers already predicted that 2016 was going to be the year of ransomware, meaning that 2017 infections will only be more damaging. How is that even possible?
Some researchers believe that ransomware will shift towards the ransomworm (ransomware worm), also known as the cryptoworm. A number of security experts say that this is how ransomware distribution is going to become even more successful.
In their attempts to monetize their campaigns as fast as possible, cybercriminals and ransomware operators never fail to establish new ways to further their success, or in the case of the ransomworm, re-establish old techniques.
Malicious spam and phishing campaigns are still key, but they are not as effective as before. Ransomware gets a lot of attention and media coverage, and as a result users are more informed about the tricks cybercriminals deploy to spread their malicious payloads. In addition, most browsers and anti-virus programs have already been programmed to detect and block malicious URLs and malware-related spam. Thus, ransomware may be embracing the good old worm technique to advance even further.
Researchers believe that the next stage of ransomware evolution is indeed the cryptoworm, or the ransomworm.
The ZCryptor ransomworm was detected in June 2016. It perfectly depicts how a ransomworm campaign unfolds.
So, what is a ransomworm? It’s the perfect amalgam of self-propagating malware and ransomware. This new malicious kind combines the best of both threats and forms a new devastating species that copies and spreads itself via infected computers while encrypting data and demanding ransom.
ZCryptor could both encrypt files and self-propagate to other systems and network devices. It didn’t need spam emails or exploit kits, as it copied itself onto infected machines and portable devices, Kaspersky researchers explain. The ransomworm pretended to be an installer of a well-known program such as Adobe Flash.
Another example of a ransomworm is SamSam, which also didn’t rely on users clicking on infected email attachments or visiting malicious websites. SamSam was spread via unpatched server vulnerabilities. Researchers discovered that hospitals were the primary targets of SamSam. The infection could go undetected for an unspecified time while causing maximum damage to the target’s internal infrastructure.
In other words, experts expect attackers to keep combining ransomware with network worms, as seen in older worm outbreaks like CodeRed, SQL Slammer, and Conficker. In these examples, attackers exploited network vulnerabilities to make the malware spread automatically over networks.
As pointed out by Nir Polak, Co-Founder & CEO of Exabeam, “ransomware is already big business for hackers, but ransomworms guarantee repeat business”.
How to Prevent Ransomworm (Cryptoworm) Infections
As with any ransomware, the best protection against ransomworm attacks is prevention. Cisco Talos has recommended DMZ hardening, which means increasing security on a company’s perimeter and public-facing network.
- Periodic port scans;
- Vulnerability scans/remediation;
- Regular system maintenance.
“If enterprises don’t start making strides towards defensible architecture today, massive ransoms may end up getting paid tomorrow,” Cisco Talos concluded.