Where ransomware goes next: Your phone, your TV, your servers

Europol's latest annual Internet Organised Crime Threat Assessment report paints a rather grim portrait of digital criminality loose on the internet.

It warns that the Crime-as-a-Service model continues to provide crooks, from the entry level to top-tier players, with the tools and services needed to conduct crime online.

The report also said that the boundaries between cybercriminals and state-sponsored hackers continue to blur, warning: "While the extent to which extremist groups currently use cyber techniques to conduct attacks appears to be limited, the availability of cybercrime tools and services, and illicit commodities such as firearms on the Darknet, provide ample opportunities for this situation to change."

But Europol said that in terms of day-to-day online criminality, "ransomware continues to be the dominant concern for EU law enforcement", as the number of variants of the malware have multiplied. Most use the same business model: encrypt a user's files, demand a ransom in Bitcoin, and offer a free test file decryption to prove their capability.

More ransomware targets
But while traditional malware mostly targets desktop Windows users, Europol said there are many more potential targets for ransomware, from individual users' devices, to networks within industry, healthcare, or even government.

"Cryptoware will also continue to expand its attack surface," it said, adding: "The profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms."

And while the same data-stealing malware largely appears year-on-year, ransomware is in greater flux will take several more years before it reaches the same level of equilibrium, said the report.

Europol warned that ransomware will evolve to "routinely spread to other smart devices", and that there were already some indications that ransomware is capable of infecting devices such as smart TVs.

"Following the pattern of data-stealing malware, cryptoware campaigns will likely become less scattergun and more targeted on victims of greater potential worth," the report said, noting that a new strain of server-side ransomware called Samsam was targeting the healthcare industry. Samsam does not require user to click on a link or open an attachment, but exploits the vulnerabilities of web servers and encrypts folders typically associated with website files, images and scripts.

As well as ransomware, the report warned that the overall quality and authenticity of phishing campaigns has increased, with targeted phishing -- also known as spear-phising -- aimed at high-value targets, including CEOs for the purposes of fraud. It also said that DDoS attacks continue to grow in intensity and complexity, as do the ways in which criminals use the data they steal.

"Data remains a key commodity for cybercriminals, however data is no longer just procured for immediate financial gain. Increasingly it is acquired for the furtherance of more complex fraud, encrypted for ransom, or used directly for extortion," said the report.

Read more

• What is ransomware? 1 in 3 small businesses 'clueless' to the danger
• Virlock ransomware can now use the cloud to spread, say researchers
• That's not funny: MarsJoke ransomware threatens to wipe data if a ransom is not paid within 96 hours
• Hackers in the house: Why your IoT devices may have already joined a botnet
• CNET: Ransomware: How to defend yourself against it
• TechRepublic: No More Ransom takes a bite out of ransomware