The number of ransomware families increased significantly in 2016, and evidence suggests the pace will continue in 2017.
SecureWorks® security experts predict that the number of ransomware attacks will continue to increase in 2017, and that malware creators will continue to develop more sophisticated malware. In 2016, the success of professional-grade ransomware relied on the RSA encryption algorithm for key exchange and storage, and the Advanced Encryption Standard (AES) algorithm to encrypt victims’ files. Protecting the AES key with the attacker’s RSA public key allowed attackers to securely exchange and store the key generated for AES, so that it was never exposed to file-system forensics or network traffic monitoring.
SecureWorks researchers also observed a threat group deploying ransomware only after it had established and maintained a foothold in the victim’s environment for weeks. Having access to the target’s infrastructure for extended periods of time enables a threat actor to do reconnaissance and discover where and what valuable data is being stored by the victim.
“Though most ransomware attacks are not targeted, it is likely there will be an uptick in targeted attacks in 2017 as well,” said Alexander Hanel, a security researcher at SecureWorks. “Compromising corporate environments through targeted attacks allows the attackers to request more money than they would receive from a typical user. That makes enterprise targets more attractive.”
The SecureWorks Counter Threat Unit™ (CTU) research team noted the existence of 47 ransomware families in 2015, and the number jumped to around 130 so far in 2016. Among the most popular and persistent ransomware families are Locky, Cerber, and TorrentLocker, and the primary ransomware distribution methods are spam campaigns and exploit kits such as Magnitude and RIG. Some unsophisticated ransomware families disappeared a week after they were discovered.
The number of ransomware engagements SecureWorks handled increased from 12 during the second half of 2015 to more than 50 so far in 2016. Part of the growth of ransomware can be traced to the ransomware-as-a-service business model used by some cybercriminals. With that model, malware creators can use a network of distributors to infect systems and take a portion of any profit generated from the scheme. Both the Cerber and Locky ransomware families use this strategy.
While most ransomware activity has focused on Europe and North America, many threat actors are localizing ransomware threats to infect systems in other regions. For example, SecureWorks researchers observed localized versions of Locky, Cerber, CryptXXX, and TorrentLocker in Japan in 2016. In addition, Locky was observed targeting Chinese systems.
Paying the ransom to regain access to data carries unacceptable risks. The attacker could refuse to decrypt the data, or the payment could encourage additional malicious activity. Organizations of all sizes can take several actions to mitigate the threat of ransomware:
- Implement employee security awareness training to educate users about evolving malware threats, paying particular attention to the risks associated with social engineering and attachments or links in email messages.
- Regularly back up data with offline backup media and periodically test media integrity. Backups to locally connected, network-attached, or cloud-based storage are not sufficient because many ransomware families encrypt these files along with those found on the system.
- Reevaluate permissions on shared network drives to prevent unprivileged users from modifying files.
- Apply software patches in a timely manner and verify that system firmware and software are up to date.
- Use antimalware solutions and stay current with the latest threat information.
- Incorporate a scenario in incident response plans that includes ransomware and rehearse the response.
“This year, a wave of ransomware attacks hit targets ranging from hospitals to a major metropolitan municipal railway system,” said Hanel. “The proliferation of ransomware families and the success attackers have had in compromising systems makes it highly likely these types of attacks will continue in 2017.”