28 Nov Ransomware Evolution is Remarkable and Creepy
I’m a fan of art that inspires…but the combination of this image and the JIGSAW ransomware it’s associated with just gives me the creeps.
I’m sure you’ve seen a lot of news lately about ransomware. This malicious software, which encrypts the files on an infected computer and then demands a ransom payment from the victim to recover them, has become one of the hottest security topics today. As I’ve watched it evolve, I find its advances, both in sophistication and in the type of systems being targeted, really quite remarkable.
While ransomware initially focused on PCs belonging to individuals, it has rapidly evolved in sophistication and in the type of systems it targets – with corporate servers now being a major focus. The FBI recently issued a warning that ransomware variants have begun targeting specific business servers with the objective of identifying and targeting additional hosts to infect. This technique multiplies the number of servers to potentially hijack, thus maximizing ransom amounts.
The FBI further warns that some corporate victims of this type of attack have not been provided the decryption keys for all their files after paying the initial ransom amount, and have been extorted for more money to complete the decryption.
Some crimeware (Jigsaw, Stampado, Philadelphia and maybe more) deletes random files every hour until the ransom is paid, doubling the number of files deleted with each passing hour. Users are also punished with additional files being deleted each time they reboot their system in an attempt to rid themselves of the beast.
Ransomware is also evolving in many other ways. It’s now available as complete, off-the-shelf crimeware packages, or crimeware-as-a-service. So even cyber criminals with very limited technical skills can launch advanced ransomware campaigns using a point-and-click user interface.
Some of the ransomware tools have even evolved to make specific targeting relatively simple. Fill-in-the-blank fields for industries, geographic locations, and even the names of specific corporations or entities to attack make these tools very appealing to both seasoned and budding criminals. At least one ransomware package guides users with suggestions regarding how much ransom to charge based on the industry and location. For example, those being extorted in the U.S. are charged much more than a company in Latin America.
Some of the tools even provide money laundering services, with anonymized methods for collecting the ransoms already set up.
There is some good news. As bad as ransomware is, like any malware it has to be installed. That usually happens through compromised user accounts, and typically takes some time to pull off. By using UEBA to monitor how user accounts are being used, anomalous behaviors become very effective indicators that something is up and that unauthorized programs like ransomware are being installed.
Even the most evolved and sophisticated ransomware can be thwarted if the initial anomalous behaviors of compromised user accounts are detected, reported, and disabled in a timely fashion.
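To make the detection idea above concrete, here is an added toy example (not code from the original post or from any UEBA product): it baselines each account's usual hosts and working hours from constructed historical events, then scores new events so that an account suddenly logging on to unfamiliar servers off-hours and installing software is flagged for disabling. Event tuples, point values and the threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed baseline events: (user, host, hour_of_day, action)
BASELINE_EVENTS = [
    ("alice", "WS-ALICE", 9, "logon"),
    ("alice", "WS-ALICE", 14, "logon"),
    ("alice", "FS-01", 10, "logon"),
    ("bob", "WS-BOB", 8, "logon"),
    ("bob", "WS-BOB", 17, "logon"),
]

# Constructed new events: the "alice" account fans out to several servers at
# 03:00 and installs an unknown program, the pattern the post describes.
NEW_EVENTS = [
    ("bob", "WS-BOB", 9, "logon"),
    ("alice", "SRV-DB-01", 3, "logon"),
    ("alice", "SRV-DB-02", 3, "logon"),
    ("alice", "SRV-APP-01", 3, "install:unsigned.exe"),
]


def build_profiles(events):
    """Per-user set of known hosts and observed logon hours."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour, _action in events:
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(hour)
    return profiles


def score_events(profiles, events):
    """Return {user: anomaly_score} for every account that earned points."""
    scores = defaultdict(int)
    for user, host, hour, action in events:
        p = profiles.get(user, {"hosts": set(), "hours": set()})
        if host not in p["hosts"]:
            scores[user] += 2  # logon to a host this account never used
        if not p["hours"] or not (min(p["hours"]) <= hour <= max(p["hours"])):
            scores[user] += 1  # activity outside the account's usual window
        if action.startswith("install:"):
            scores[user] += 3  # software installation from this account
    return dict(scores)


def accounts_to_disable(scores, threshold=5):
    """Accounts whose accumulated anomaly score reaches the threshold."""
    return sorted(u for u, s in scores.items() if s >= threshold)
```

In a real deployment the baseline would span weeks of events and the scores would feed an alert and an automated account-disable action, which is the "detected, reported, and disabled" loop the post describes.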