It’s 2018, and security professionals across the globe are on standby, waiting for the next big wave of ransomware attacks to make landfall. According to Symantec’s Ransomware 2017 report, the number of ransomware infections continues to rise: during the first half of 2017, 42% of ransomware attacks targeted organizations, up from 30% in 2016.
Unfortunately, there is no universal formula for thwarting the anticipated surge in ransomware infections. After all, ransomware is usually executed as a result of human error. It is in many ways a game of cat and mouse, so we must always try to stay a step ahead.
So, what developments are likely to transpire in 2018?
Ransomware-as-a-service (RaaS)
Ransomware-as-a-service (RaaS) gives novice hackers the opportunity to launch their own ransomware attacks with practically no technical expertise. Would-be criminals log on to a RaaS portal, usually on the dark web, where they can customize and configure their deployment. The rise of RaaS is widely credited with the spike in ransomware attacks last year: SonicWall, for example, reported a staggering 638 million ransomware attacks in 2016, more than 167 times the number recorded in 2015.
Attacks on the healthcare industry
A recent ransomware attack on Allscripts Healthcare Solutions Inc., which includes 2,500 hospitals, cost one hospital thousands of dollars and affected 1,500 clients. According to one physician, “It’s really pretty much shut down things in our offices.” The healthcare industry remains a prime target for cyber-criminals for a number of reasons. Firstly, healthcare service providers hold lots of valuable personal data. Secondly, many hospitals have relatively limited budgets and thus lack the resources to train staff and keep their systems up to date.
According to the 2016 Annual Healthcare Industry Cybersecurity Report, more than 75% of the entire healthcare industry was infected with malware during 2016. Also, according to a recent article published by Healthcaredive, the healthcare industry was the victim of 88% of all ransomware attacks in the US. It has also been suggested that part of the reason the healthcare industry attracts so many cyber-criminals is that service providers tend to be more likely to pay the ransom than those in other industries.
Infections will spread more quickly and easily
If an attacker is able to encrypt the files on a victim’s device, it makes sense for them to first extract as much data as possible from the device before starting the encryption process. This is exactly what newer strains of ransomware do. For example, some types of ransomware scan the victim’s device for email addresses that can be used to initiate further attacks. Others seek to steal credentials, extract information about the device (including the Windows operating system key) and send this information back to their C&C servers. There have also been recent cyber-attacks in which the attacker stole credentials for TeamViewer, which allowed them to establish a remote connection to the network and leak even more sensitive information. It is likely that most, if not all, future ransomware attacks will attempt to harvest as much data as possible before encryption takes place.
The rise of Linux ransomware
Linux is becoming an increasingly popular operating system. However, it still holds a relatively small share of the market compared to Windows, so until recently Linux ransomware was practically non-existent. As more businesses start to use Linux, we are seeing an increase in the number of Linux ransomware strains, as hackers test the water to see what kind of returns can be achieved.
One recent example of a Linux-based ransomware attack took place on June 10, 2017, when a South Korean hosting company called NAYANA fell victim to a ransomware attack that affected 153 Linux servers. This ransomware variant was called “Erebus”, and it is one of many strains that target the Linux OS, including Linux.Encoder, Encryptor RaaS, a version of KillDisk, Rex, Fairware, and KimcilWare.
Ransomware will be used as a smokescreen
Smokescreen attacks are used as a decoy to cover up even more sophisticated and malicious forms of attack. Traditionally, distributed denial-of-service (DDoS) attacks were used as smokescreens to distract attention while more malicious activity took place. However, ransomware is increasingly becoming the favoured tool for this purpose.
The rise of fileless ransomware
Fileless ransomware is becoming increasingly popular. What makes fileless ransomware so troublesome is that it is very hard to detect using antivirus software, sandboxing, AI, or any other signature-based method, because the ransomware program is never written to disk. Instead, it is loaded into memory using native command-line tools such as PowerShell. This technique enables cyber-criminals to use the malicious program to harvest as much data as possible without being noticed, before encrypting the victim’s files.
Ransomware attacks on the Internet of Things (IoT)
It’s likely that the number of attacks on IoT devices will rise in 2018. An increasing number of IoT devices are entering the market, ranging from smartwatches to pet feeders, smart cars, and dishwashers. However, hackers will likely focus on industrial IoT devices such as medical devices, traffic sensors, and even power grids. Many of these devices do not store large quantities of personal information, and they can easily be reset should their data be encrypted by ransomware; however, attacks on such devices could potentially be very disruptive.
The key difference between IoT ransomware and traditional ransomware is that attackers will focus on preventing a device from functioning at a critical point in time. In doing so, the hacker can demand that payment is made within a short time frame before the device is allowed to function again.
According to research carried out by Tech Pro in 2016, 38% of the companies interviewed said they were currently using IoT devices, and another 30% said they were planning to adopt IoT devices in the near future.
Of the businesses that currently use IoT devices, the majority already use multiple security methods (including encryption) to protect the data stored on these devices. The IoT devices that are the most popular are environmental sensors, which companies use to collect data in order to improve their products and monitor resource allocation.
The threat of public disclosure
As I’m sure you can imagine, for some people the threat of public disclosure greatly increases the chances of them paying the ransom. People are naturally self-conscious about the information they store on their devices, which may include personal photos, videos, and messages. But it’s not just individuals who are likely to pay the ransom under the threat of public disclosure; many organizations are too.
According to a survey of 150 IT professionals who have been the victim of a ransomware attack, only 5% of respondents claim that they paid the ransom. This is largely because many organizations take regular backups of their sensitive data. It therefore seems likely that the number of ransomware attacks carrying the threat of public disclosure will increase, in order to raise the chance that companies will pay the ransom.
Wider adoption of ransomware detection and prevention software
With ransomware attacks evolving and increasing in regularity, I expect to see much more interest in detection and prevention software in 2018. Unfortunately, as ransomware infections are mainly down to human error, preventing ransomware from ever getting into your systems is difficult. However, there are ways to limit the damage that such an attack can cause. In years gone by, such software was far too expensive and complex for most mid-market and small organizations.
Thankfully, times have changed, and there are numerous solutions on the market that aim to detect ransomware spreading across your file servers. Such software uses threshold-based alerts to make you aware when a large number of changes occur within a short period of time (which could be an indicator of files being encrypted). A user-defined script can be executed automatically upon detection of this event to perform a range of actions, including shutting down the server involved.
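The threshold-based alerting described above, written out as an added example (not code from the article or any vendor product): a per-account sliding-window counter over constructed file-server audit events, with an allowlist for accounts such as backup agents that legitimately touch many files in a short time. Account names, share paths and the event tuple layout are assumptions; events must be fed in chronological order.

```python
from collections import deque, defaultdict
from datetime import datetime, timedelta

WRITE_ACTIONS = {"create", "modify", "rename", "delete"}  # actions that count as "changes"

class ChangeRateDetector:
    """Per-account sliding-window count of write-type changes on a file share."""

    def __init__(self, threshold, window_seconds, exempt_accounts=()):
        self.threshold = threshold            # changes within the window that trigger an alert
        self.window = timedelta(seconds=window_seconds)
        self.exempt = set(exempt_accounts)    # e.g. backup agents that legitimately write many files
        self.recent = defaultdict(deque)      # account -> timestamps of recent write actions
        self.alerted = set()                  # accounts already reported (one alert per account)

    def observe(self, ts, account, action):
        """Record one audit event; return (account, iso_ts, count) when the threshold is crossed."""
        if action not in WRITE_ACTIONS or account in self.exempt:
            return None
        q = self.recent[account]
        q.append(ts)
        while ts - q[0] > self.window:        # expire events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and account not in self.alerted:
            self.alerted.add(account)
            return (account, ts.isoformat(), len(q))
        return None

def run_detector(events, threshold=5, window_seconds=60, exempt_accounts=()):
    """Replay (iso_timestamp, account, action, path) events and collect the alerts raised."""
    det = ChangeRateDetector(threshold, window_seconds, exempt_accounts)
    alerts = []
    for ts, account, action, _path in events:
        alert = det.observe(datetime.fromisoformat(ts), account, action)
        if alert:
            alerts.append(alert)              # a deployment would run its response script here
    return alerts

def burst(start, account, action, count, step_seconds=1):
    """Constructed helper: `count` events from one account, `step_seconds` apart (assumed paths)."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_seconds)).isoformat(), account, action,
             f"\\\\fs01\\finance\\doc{i}.docx") for i in range(count)]

# Constructed sample: a nightly backup writing many files, normal daytime edits spread out,
# and a workstation account renaming files every second (the pattern that should fire).
SAMPLE_EVENTS = (burst("2018-01-15T02:00:00", "CORP\\svc_backup", "modify", 20)
                 + burst("2018-01-15T09:00:00", "CORP\\bob", "modify", 6, step_seconds=120)
                 + burst("2018-01-15T09:12:00", "CORP\\alice", "rename", 8))
```

Without the allowlist the backup account trips the same threshold, which is why the exemption (or a higher threshold for known bulk writers) matters in practice.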
Editor’s Note:
From time to time, SensorsTechForum features guest articles by cybersecurity and infosec leaders and enthusiasts such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author, and may not reflect those of SensorsTechForum.