by Bharat Mistry
The cybercrime underground is continually evolving. That’s what makes it so compelling for news editors: there’s always something new to write about. However, the volatility of the threat landscape also makes it difficult to issue accurate long-term predictions about where things are headed. Just take ransomware: we saw a significant decline in detections and new families last year. But in the first half of 2019, several well publicised attacks on major organisations have raised the profile of the threat yet again.
The bad news is that the techniques used to distribute ransomware are becoming arguably more sophisticated. To combat the scourge, IT security bosses are urged to adopt defence-in-depth across all layers of the infrastructure.
Down but not out
As reported in our 2018 roundup report, Trend Micro noted a 91% year-on-year decline in ransomware-related components such as emails, URLs and files, and an accompanying 32% decrease in the number of new families detected. We believe part of the reason for this drop is the improved range of anti-ransomware solutions on the market, and general improvements in awareness of the threat. However, even then, we noted that ransomware remains an effective way for cyber-criminals to generate large profits, and as such will be hard to shake.
So it has proved thus far in 2019. A continued stream of high-profile victim organisations should serve as a reminder of the devastating business impact the threat can have. Aluminium producer Norsk Hydro suffered a financial hit of $40m in just a week after the LockerGoga variant caused outages in March. US cities have also come under increased attack in recent months: Baltimore has been landed with a bill for at least $18m thanks to a major outage which affected hospitals, factories, airports and ATMs. Most recently, Belgian manufacturing firm Asco warned of a “serious disruption on all of our activities” caused by an attack.
Attacks get smarter
The bad news is that, while attacks may be lower in volume than the high-water mark of 2017, when WannaCry and NotPetya infected hundreds of thousands of machines, they’re arguably harder to defend against today. It appears as if entry-level ransomware attackers are increasingly using tools out of the playbook of traditionally more sophisticated targeted attack groups to increase their chances of success.
As we reported last week, Trend Micro researchers have observed attack campaigns using a package of tools linked to the notorious Shadow Brokers data dump. This includes an EternalBlue-based backdoor and the password-dumping tool Mimikatz, as well as other tools associated with the suspected US state-sponsored Equation Group. These are used to spread crypto-mining malware as well as ransomware.
This comes as new strains of ransomware increasingly use targeted techniques. SamSam, Ryuk, and other families might compromise their victim initially by cracking a weak RDP password, before escalating privileges, compromising security software and spreading as widely as possible in a network prior to encrypting. They may also use fileless malware or “living off the land” techniques to stay hidden for as long as possible. Ryuk in particular appears to be targeting organisations in manufacturing, healthcare and other sectors where its operators believe victims will be forced to pay out large sums.
This newfound determination to cause maximum damage via targeted ransomware attacks represents a new challenge to organisations – but it shouldn’t overwhelm them. In fact, tried-and-tested best practices are more important than ever. That means ensuring your vulnerability and patch management processes are up to scratch, all accounts are protected with strong passwords or multi-factor authentication, and privileges are restricted. Network segmentation can also help to prevent the spread of malware inside the organisation.
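As an added example, not from the original post and not Trend Micro's own tooling, the following Python script shows the detection side of the RDP entry point described above: it runs over constructed, simplified Windows Security log lines (event ID 4625 for a failed logon, 4624 for a success, logon type 10 for an RDP session) and flags a source address that racks up failed RDP logons inside a short window, escalating to a critical finding when a successful logon follows that burst, which is what cracking a weak RDP password looks like in the logs. The one-line log format, the sample addresses (RFC 5737 documentation ranges), the user names and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): a simplified one-line rendering of
# Windows Security events 4625 (failed logon) and 4624 (successful logon).
# LogonType 10 is RemoteInteractive, i.e. an RDP session. Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-06-12T03:00:50Z EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:01:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:01:10Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:01:15Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:01:20Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:01:25Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:01:30Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:01:50Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-06-12T03:05:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2019-06-12T03:05:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
"""

# Assumed line layout for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5),
                          logon_types=frozenset({10})):
    """Flag a source IP that reaches `threshold` failed RDP logons inside a
    sliding `window`, and, more seriously, a successful RDP logon from a source
    whose burst of failures is still inside the window (the "weak password
    cracked" pattern). Findings are returned in the order they were triggered.
    With Network Level Authentication enabled, failed RDP pre-authentication
    is commonly logged with LogonType 3, so callers may widen `logon_types`."""
    recent_failures = defaultdict(list)   # source IP -> failure timestamps in window
    findings = []
    for ev in parse_events(lines):
        if ev["lt"] not in logon_types:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if ev["eid"] == 4625:
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) == threshold:   # fire once per burst
                findings.append({"type": "bruteforce", "severity": "high",
                                 "ip": ip, "user": ev["user"], "at": ts})
        elif ev["eid"] == 4624:
            if len(recent_failures[ip]) >= threshold:
                findings.append({"type": "success_after_bruteforce",
                                 "severity": "critical",
                                 "ip": ip, "user": ev["user"], "at": ts})
            recent_failures[ip].clear()   # a success ends the burst
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{f['at']:%H:%M:%S} {f['severity']:8} {f['type']:24} "
              f"{f['ip']} user={f['user']}")
```

On the sample, the single mistyped password from 198.51.100.23 produces nothing, while 203.0.113.7 raises a high finding at its fifth failure and a critical one when the logon finally succeeds; that second finding is the one worth an immediate response, since it means the account is now in use from an address that was guessing. The same bucketed-counting logic applies unchanged to other exposed logon surfaces once the logon type filter is adjusted.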
IT security bosses should have advanced security in place at the endpoint, network and server layers to detect and proactively block any ransomware infection. It goes without saying that Trend Micro offers such tools in the form of Deep Security, Deep Discovery, Smart Protection Suites and Worry-Free Business Security. Our approach is connected threat defence, whereby all layers share intelligence to improve protection and response times, and XGen: a cross-generational blend of different tools designed to stop as wide a range of attack techniques as possible.
That’s the kind of protection firms need as ransomware gets smarter.