Ransomware: Not dead, just getting a lot sneakier

WannaCry and NotPetya helped make 2017 the year of ransomware. But while there's been a shift towards cryptojacking attacks, file-encrypting malware is adapting and is still potent.
Written by Danny Palmer, Senior Writer

Last year, high-profile incidents like the WannaCry ransomware outbreak made the file-encrypting malware internet enemy number one.

WannaCry was not alone of course: the NotPetya attack followed just weeks later, and this was followed by a third -- albeit much smaller -- ransomware outbreak dubbed Bad Rabbit which hit Russia and Eastern Europe in September.

And all the while other, less high-profile ransomware attacks have occurred on a regular basis, causing trouble for organisations around the world, like the Locky ransomware which disrupted the networks of a hospital. Other ransomware, like Cerber, was available 'as-a-service' to almost anyone who wanted to make money this way.

But as 2017 went on the impact of ransomware dwindled. Detections of Locky, Cerber and other long-standing ransomware families massively declined.

Indeed, Kaspersky Lab's latest Kaspersky Security Network report claims that ransomware as a whole is "rapidly vanishing" with a 30 percent decline in ransomware attacks between April 2017 and March 2018 compared with the same period the previous year.

And a recent threat report by McAfee Labs also suggests a drop in the detection of ransomware attacks -- putting the decline at 32 percent. There appears to be a clear trend here -- that the number of ransomware attacks and the number of ransomware families is dropping off.

"A year ago we probably had four large groups dealing in ransomware, distributing themselves or running an affiliate model, but we've seen those large groups go away. There are a couple remaining, but it's not quite as dramatic during 2017," Keith Jarvis, senior security researcher at Secureworks told ZDNet.

A key factor behind the decline is the rise of cryptocurrency mining malware and low-level cyber criminals shifting their attention to 'cryptojacking' as a simpler, less risky means of illicitly making money.

These cryptojacking attacks involve attackers infecting a PC with malware which secretly uses the processing power to mine for cryptocurrency -- usually the relatively simple-to-mine Monero -- which is deposited into their own wallet.

Unlike ransomware, it's stealthy and so long as the infection isn't discovered, it will continue to deliver the attacker a steady stream of income. The subtle nature of the attack has boosted the popularity of cryptojacking throughout 2018.


So is it all over for ransomware? Perhaps not.

Ransomware still remains a threat -- as evidenced by a March attack on the City of Atlanta, which encrypted data and led to the shutdown of a large number of online services. The city didn't pay the ransom, but the impact of the attack is projected to cost Atlanta at least $2.6m.

The Atlanta attack came as a result of SamSam, a family of ransomware which has been in operation since 2015. Unlike the spray-and-pray tactic used by some of its commercialised counterparts, potentially vulnerable targets are specially sought out in order to ensure that the ransomware can be set to spread across the network once the hackers activate the attack.

A SamSam ransom note on an infected system. Image: Secureworks

It's proven successful with victims often paying tens of thousands of dollars to retrieve their files: in January a hospital paid out a $55,000 bitcoin ransom following a SamSam infection -- despite having backups available, because paying up was deemed the quickest way to get systems back online.

It's because it is so successful -- and that the whole operation requires a level of expertise to run -- that ransomware like SamSam remains a threat to businesses.

"There's a strong human element to deploy it, not just in the compromise and initial attack, but to deploy the ransomware," Jérôme Segura, security researcher at Malwarebytes told ZDNet.

"There's definitely more effort that goes into deploying this ransomware but it makes sense because it's not just a mass shotgun approach, it's a much more targeted approach looking for victims that have a lot more at stake when infected and will potentially pay a lot more money to unlock their files than average users."

Another successful ransomware variant is GandCrab, which first appeared in January, offers an affiliate model and has received updates ever since.

"GandCrab is using agile technology because they're using techniques which are like the software industry. They're patching their ransomware on an almost daily basis, they fix bugs as they go along -- it's a really nice approach," Yaniv Balmas, malware research team leader at Check Point, told ZDNet.

"It tells us that these guys are sophisticated, they know what they're doing, they put a lot of effort in. That's one of the reasons you can't say ransomware is gone: people are still working on it and putting a lot of effort into it," he said.

GandCrab ransom note. Image: Malwarebytes

A third form of ransomware which is still causing plenty of problems is a new kid on the block: DataKeeper, which emerged in February. Those behind it are serious enough that they monitor research blogs which mention it.

"They're applying a lot of technical best practice, they're an active adversary. We see the DataKeeper guys looking at security research blogs and releases of detection -- and as soon as something is released, a very short time later they're changing and updating their stuff," James Lyne, global research advisor at Sophos, told ZDNet.

But despite the effectiveness of these campaigns, they're not on the same scale as previous ransomware attacks. Compared with the sheer mass of Locky emails which were sent out to organisations -- tens of millions could be sent in the space of hours -- these ransomware attacks might look relatively small in scale, so are easier to ignore.

"That's a side effect of the volumes like the Locky campaign. That was extremely high volume, tens of millions of emails going out and hundreds of thousands of infected machines -- it's in your face and prominent and affects a lot of different people," said Jarvis.

In SamSam's case, it may only target a few victims a day.

"You have much lower volumes of just a handful per day and when it strikes, the last thing these smaller businesses want to do is talk about it -- they want to avoid the publicity associated with the attacks. They're damaging attacks, but they're lower volume, so they fly under the radar," Jarvis said.


Ransomware may no longer be flavour of the month, but it still remains a significant threat. The short-term damage means business can't be done while files are encrypted, while the longer-term impact may be a loss of trust from customers and users who no longer feel that the victim can be trusted to keep their data secure.

There's also the possibility that a victim who pays the ransom could easily become infected again as attackers realise they've got an easy target on their hands. For cybercriminals ransomware still offers a big payday, quickly, unlike malicious cryptocurrency mining which requires patience to realise a pay-off.

Behind much of the potency of ransomware is the EternalBlue SMB vulnerability which allowed WannaCry, NotPetya and other ransomware attacks to self-perpetuate around networks.

It's over a year since the NSA vulnerability was leaked by hackers but there are plenty of organisations which, despite the clear demonstrations of the damage attacks exploiting EternalBlue can do, still haven't patched their networks.

"If the opportunity presents itself, we could still see large-scale deployment of ransomware. We're still waiting to see if we're going to experience another WannaCry or NotPetya -- that could still happen," said Segura.

"We're still seeing all that infrastructure exposed, the EternalBlue SMB vulnerability, there are a lot of companies that are still exposed, so this is still possible."

That means there's plenty of opportunity for a cyber criminal operation, should it choose to do so, to deploy ransomware in the same way as WannaCry. With a more efficient means of collecting ransom payments, they could potentially make millions -- as opposed to the little over $130,000 that those behind WannaCry cashed out.

All of this is why cyber criminals are still deploying ransomware -- because it continues to make them money.

"If you have a machine that's infected, what's the easiest and fastest way to make money from that? For a long time it was dropping ransomware on there and hoping that the percentage of victims who paid would help you make money," said Jarvis.

"It's a fundamental computer security problem that's not going to be solved, we're not going to suddenly solve it any time soon, so it's just going to continue."

It means organisations need to be prepared to face any cyber threat, even ones that are apparently out of fashion.

"I've been hearing a lot of noise of people talking about ransomware as a thing of the past and that it's now all about cryptocurrency mining. The main lesson we should learn is that this is not true: ransomware is still out there and still very much a threat," said Balmas.

"The situation can change any minute, any day -- it depends on so many factors and it's so fragile. We could wake up next week and ransomware could be a huge deal again, so lowering defences against it isn't a smart thing to do. We should treat it as big a threat as we did last year."
