Ransomware: Not dead, but evolving nasty new tricks

Crooks distributing ransomware are still tweaking their tactics, in an effort to extort as much profit as possible while a 'passing of the guard' is underway.
Written by Danny Palmer, Senior Writer


Ransomware -- the most high-profile tool in the cybercriminal arsenal until recently -- is falling into such a steep decline that some of the major families responsible for taking millions from victims have ceased operation, and their replacements aren't nearly as successful for criminals.

It is a sharp contrast to how ransomware performed during 2017, helped along by high-profile incidents such as the WannaCry and NotPetya outbreaks.

Alongside them, the likes of the Locky, Cerber, and Jaff ransomware families may not have rivalled the notoriety of WannaCry, but they quietly went about their business, updating their infection and distribution tactics -- and, in the case of Cerber, even gained the ability to steal cryptocurrency.

However, while they once ruled the ransomware roost, Locky and Cerber are now nowhere to be seen, according to cybersecurity firm Malwarebytes' Cybercrime tactics and techniques report for the first quarter of the year.

The researchers note that ransomware attacks against consumers are massively on the decline, although there has been a small increase in attacks against businesses. It's an indication that ransomware isn't dead yet, but its tactics are shifting, with what the report describes as a "passing of the guard" now underway.

In the case of Cerber, the report states it's "unlikely" it will return to its position at the top of the tree following the arrest of members of a criminal group suspected of distributing the ransomware. Locky and Jaff are also described as "effectively out of the game for the time being" having "suspiciously vanished from the threat landscape".


However, it would be unwise to assume that the likes of Locky have gone for good, because old threats can return -- as Locky itself has done previously.

"There's always a chance someone might revive and adjust an old campaign, especially if deployed in a way that hasn't been seen before. It's possible to be so focused on new threats coming down the pipeline that a slight tweak to an old scam works wonders for malware authors," Chris Boyd, malware analyst at Malwarebytes, told ZDNet.

In the meantime, other families of ransomware are attempting to fill the void, although none have done so as effectively as these 'classic' variants.

One of the most effective forms of new ransomware has been GandCrab, notable for being delivered via two exploit kits and for demanding payment in Dash cryptocurrency rather than bitcoin.

Researchers note that, while threat actors are experiencing diminishing returns from ransomware, cases like the recent arrival of GandCrab demonstrate how they're still testing "interesting" tricks and tactics in order to gain something from distributing the file-encrypting malware.

SamSam also provides an interesting case study in how particular forms of ransomware are still proving to be highly effective, with those behind it meticulously preparing for and conducting attacks against large organisations in order to gain big pay-offs.

An Indiana hospital and the city of Atlanta are recent victims of SamSam, demonstrating how effective ransomware can still be.

The report notes that this sort of attack against large organisations could represent the way forward for those dealing in ransomware. But while those heavily involved in this threat are likely to still profit from it, it doesn't appear as if ransomware will reach its previous levels of widespread distribution -- unless there's some sort of sudden change of direction.

"The next quarter will see a continued use and evolution of the few ransomware families we have seen in the wild this year, however, whether we will see a return to the levels of distribution we observed in previous years is anyone's guess," says the report.

As many have observed throughout 2018, the decline in ransomware appears to have coincided with the rise of cryptocurrency mining, which has become profitable for cybercriminals -- but without the need for any involvement from the victim.
