By Dean Nicolls
The recent WannaCry ransomware attack paralyzed more than 100,000 companies globally. The bad news is the speed, scope and devastation that WannaCry, and its subsequent variants, wrought. However, the silver lining is the relatively small amount of ransom apparently collected (most estimates peg the figure around $50,000). By my math, that’s just $0.50 per organization.
But, don’t be fooled. The actual damage from WannaCry is massive. Some estimates put the cost of downtime and lost revenue at more than $3B (USD). Just as alarming is the likely response from cybercriminals, now emboldened to raise the stakes and their game with more sophisticated and virulent strains of ransomware.
So, how will the ransomware space evolve over the next 12 months given the global impact of WannaCry?
1. Stop Leaving Ransom Cash on the Table
With WannaCry, the cyber thieves asked for just $300 in Bitcoin when, in most cases, they clearly could have asked for much more. As ransomware publishers get more savvy, they’ll learn how to price discriminate and charge higher ransoms to organizations that cannot afford significant downtime.
2. Account-Based Ransomware
Most modern marketers are embracing account-based marketing — an alternative B2B strategy that concentrates sales and marketing resources on a clearly defined set of target accounts within a market and employs personalized campaigns designed to resonate with each account. Knowing that high-value targets will avoid downtime at all costs, ransomware attackers will take a more targeted approach and go after specific high-value targets (instead of adopting the more popular “spray and pray” approach).
3. Way More Difficult to Detect
Yesterday’s phishing attacks were easy to spot. The emails contained poor grammar and spelling mistakes or included an executable attachment. Most users could sniff these out, like a Nigerian prince scam. Take the recent DocuSign phishing attack. DocuSign, the owner of eSignature, one of the most popular digital signature services, had its database of customer email addresses breached. The cyber criminals then went after these users with a phishing campaign whose emails were designed to look like they were sent by DocuSign. Word document attachments in the emails installed malware if opened. This was world-class spoofing and it worked.
4. Ransomware as a Service
There are a lot more criminal minds out there than there are criminals with deep engineering expertise. Therein lies the danger. New ransomware as a service kits available on the Dark Web are designed to make cybercrime accessible to anyone, no matter how limited their programming skills. This dramatically broadens the “market” for ransomware criminals. Advanced cybercriminals author the malicious code, then make it available for others to download and use. The authors may provide the ransomware at no cost or charge a small fee up front, often opting to take a cut of each ransom. This incentivizes a higher volume of attacks and higher ransom requests.
We’re also seeing ransomware organizations starting to specialize and focus on the user (victim) experience. Joe Maury, CTO with Network Ballistix, a US-based IT security services firm, ended up negotiating with a ransomware publisher on behalf of a local law enforcement agency infected with ransomware. Mr. Maury called the support team by clicking on the Contact Us link on the ransomware message: “Their customer service was top notch – some of the best support I’ve ever experienced.” This is not your father’s ransomware.
5. Threaten Public Exposure
The modern ransomware organization understands the impact of bad PR and knows that most organizations, especially those with strong brands, will do just about anything to avoid bad press. The threat of disclosing private records will greatly increase the odds of victims paying the ransom. We suspect more and more ransomware authors will play this card in order to extract a larger pound of flesh.
6. Encryption at Warp Speed
When it comes to effective ransomware attacks, cyber criminals know that high-speed encryption is critical to avoiding detection and magnifying the impact. When the security firm Barkly tested the encryption speed of different ransomware types, several strains were able to encrypt 1,000 Word documents in less than 20 seconds. And these algorithms are only getting faster.
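The flip side of encryption speed is that a burst of file modifications is itself a strong signal. The following added example (mine, not Barkly's or the author's) slides a time window over a constructed stream of file events and alerts when far more distinct files are touched than normal editing produces; the event format and thresholds are assumptions.

```python
from collections import deque, namedtuple

# Constructed event shape: timestamp in milliseconds, file path, operation
FileEvent = namedtuple("FileEvent", "ts path op")


def detect_bursts(events, window_ms=10_000, threshold=100):
    """Alert once per burst when the number of distinct files touched inside
    a sliding window exceeds `threshold`. Returns (ts, distinct, renames)."""
    window = deque()
    alerts = []
    alerted = False
    for ev in sorted(events, key=lambda e: e.ts):
        window.append(ev)
        while window and ev.ts - window[0].ts > window_ms:
            window.popleft()
        distinct = len({w.path for w in window})
        if distinct > threshold:
            if not alerted:
                renames = sum(1 for w in window if w.op == "rename")
                alerts.append((ev.ts, distinct, renames))
                alerted = True
        else:
            alerted = False
    return alerts


def build_sample():
    """Constructed data: an hour of normal saves (one every 30 s on five
    documents), then 1,000 documents encrypted in 20 s, the pace Barkly
    measured. Each encrypted file is modified and renamed to a new extension."""
    events = [FileEvent(i * 30_000, f"share/report{i % 5}.docx", "modify")
              for i in range(120)]
    start = 3_600_000
    for i in range(1000):
        t = start + i * 20
        events.append(FileEvent(t, f"share/doc{i:04d}.docx", "modify"))
        events.append(FileEvent(t, f"share/doc{i:04d}.docx", "rename"))
    return events


if __name__ == "__main__":
    for ts, distinct, renames in detect_bursts(build_sample()):
        print(f"t={ts} ms: {distinct} files touched in 10 s ({renames} renames)")
```

Normal editing never comes close to the threshold, so the single alert fires about two seconds into the burst, long before the 1,000 files are done.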
7. The Growth of Fileless Ransomware
One evolving attack vector is “fileless” ransomware, or non-malware ransomware, that leverages Microsoft’s PowerShell scripting language to target organizations through documents and/or applications that run macros. In some cases, users are directed to a compromised or malicious website that exploits a vulnerable application; in other cases, socially engineered phishing emails are sent with a document attachment containing macros with malicious code. Fileless malware bypasses the antivirus on your computer and/or server, making it easier for the infection to take place.
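Because nothing is written to disk, the observable is the process chain: an Office application spawning PowerShell with a hidden window or an encoded command. This added example (mine, not the author's) triages constructed process-creation log lines and decodes the base64 UTF-16LE payload that PowerShell’s -EncodedCommand expects so an analyst can read it; the log format is an assumption.

```python
import base64
import re
import shlex

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed sample: the encoded command is a harmless Write-Output so the
# decoder can be checked end to end.
B64 = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()
SAMPLE_LOG = [
    '2017-06-01T10:02:13Z host=WS01 parent=explorer.exe image=powershell.exe '
    'cmdline="powershell.exe -NoProfile Get-Service"',
    '2017-06-01T10:05:41Z host=WS07 parent=WINWORD.EXE image=powershell.exe '
    f'cmdline="powershell.exe -nop -w hidden -enc {B64}"',
    '2017-06-01T10:06:02Z host=WS07 parent=WINWORD.EXE image=splwow64.exe '
    'cmdline="splwow64.exe 12288"',
]


def parse_event(line):
    """Split 'ts key=value ...' into a dict; shlex keeps quoted cmdline whole."""
    toks = shlex.split(line)
    ev = {"ts": toks[0]}
    for tok in toks[1:]:
        key, _, value = tok.partition("=")
        ev[key] = value
    return ev


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if there is none."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if ENC_FLAG.fullmatch(tok):
            try:
                return base64.b64decode(toks[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(lines):
    """Flag PowerShell launched by an Office parent with a hidden window or
    an encoded command; benign admin PowerShell from explorer.exe passes."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("image", "").lower() != "powershell.exe":
            continue
        cmd = ev.get("cmdline", "")
        decoded = decode_encoded_command(cmd)
        if ev.get("parent", "").lower() in OFFICE_PARENTS and (
                decoded is not None or HIDDEN_FLAG.search(cmd)):
            findings.append({"ts": ev["ts"], "host": ev.get("host"),
                             "parent": ev["parent"], "decoded": decoded})
    return findings
```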
8. Targeting Mission Critical Databases & Applications
Infecting individual files is one thing, but when ransomware infects mission critical applications and databases, the damage and downtime are magnified. It’s just a matter of time before ransomware authors target the index and schema files of mission critical databases. After all, if these files are encrypted it has the same impact as encrypting the entire database. And when a mission-critical database gets infected, an organization’s very viability is threatened.
9. Deny Admin & User Access Control
In the same vein, ransomware publishers may target ERP systems and other important business applications with the express intent of denying admin and end-user access to these programs. Once they seize admin control, they can initiate a SYN flood, a form of denial-of-service attack in which the attacker sends a succession of SYN requests to a target’s system in order to consume enough server resources to make the system unresponsive to legitimate traffic. Most companies will happily pay thousands of dollars to avoid this fate.
10. DRaaS Adoption: Heeding the Wake-Up Call
WannaCry, and the resulting media coverage, should have served as a powerful lesson. While many organizations downloaded the Microsoft patch and avoided infection, they got off lucky. The game is changing — it’s no longer a question of “if”, but a matter of “when” your organization gets infected. There is a growing consensus that disaster recovery as a service (aka DRaaS) is the only option for quickly mitigating data loss and avoiding downtime post infection. In a nutshell, DRaaS stores and backs up your data, applications and information in a cloud-based program so it can be easily recovered and used in the event of a disaster. DRaaS lets you spin up virtual machines so users can stay productive by accessing their applications in the cloud. This means downtime is reduced from hours (or days) to mere minutes. You can’t recover this quickly with a backup or even a bare-metal (image-based) solution, because each requires migrating large amounts of data onto clean hardware, which takes time. Plus, the simplicity and affordability of DRaaS make it an appealing option for businesses of all sizes.
It’s a new ballgame. WannaCry has set the stage for a new class of ransomware. Business owners and IT professionals must take this threat seriously by building the processes, expertise, and technology to quickly detect and recover from any attack. The stakes are only going to get higher.