Will 2017 be the year of ransomworm?
It’s safe to say that 2016 was the year of ransomware. More specifically, the year of crypto-ransomware, that nefarious variant that encrypts files and holds them captive until a ransom is paid. Since the release of Cryptolocker in late 2013, crypto-ransomware has exploded, and 2016 was a banner year.
As a matter of fact, according to the FBI, cyber criminals used ransomware to steal more than $209 million from U.S. businesses in just the first quarter of 2016. And according to a recent report from Kaspersky Labs, from January to September of 2016, ransomware attacks targeting companies increased by a whopping 300 percent.
With threat actors realizing ransomware’s lucrative potential, they bombarded the industry with new attacks in 2016. Perhaps reading the word Locky makes you cringe? This variant hit the wild in early 2016, infecting systems using AES encryption. It not only infects mapped file shares, but any networked share, so remote drives are at risk. This attack was so potent experts estimate it infected more than 100,000 victims per day at its peak.
More recently, hackers went after the beloved San Francisco Municipal Transport Agency (MUNI). If you were in the area in late November, you may have gotten the message “You Hacked” at public transit ticket kiosks. The city’s light rail was hit by ransomware that forced them to offer free rides for two days while they recovered the files. Or, what about Popcorn, the ingenious little in-development ransomware variant in December that turned victims into attackers by incentivizing them with a pyramid scheme-style discount. Send the infection to two of your friends, and you get your files back for free. (Don’t do it!)
Ransomware perhaps hit healthcare the hardest in 2016, with some reports claiming 88 percent of all ransomware affected hospitals. Whether large or small, no provider could hide from hackers looking to nab and encrypt patient data, disrupting care until the provider paid up or recovered files. The New Jersey Spine Center and Marin Healthcare District were attacked by Cryptowall, which encrypted electronic health records, backup files and the phone system. MedStar, which operates 10 hospitals in the D.C and Baltimore area, was forced to shut down its entire IT system and revert to paper records.
And the list goes on and on with names like California’s Hollywood Presbyterian Medical Center, The University of Southern California’s Keck and Norris Hospital, Kansas Heart Hospital, Alvarado Medical Center, King’s Daughter’s Health, Chino Valley Medical Center and Desert Valley Hospital, and more.
Criminals have obviously realized the awesome money-making potential of ransomware, and you should expect them to double-down in 2017. That said, how can they make an already effective threat even more widespread? How about mixing ransomware with a network worm?
Every year I try to predict changes and evolutions to the threat and security landscape. In this year’s predictions, I forecast that you’ll see the first ever, wide-spread ransomworm. This new variant will dramatically accelerate the spread of ransomware.
What do I mean by ransomworm? Years ago, network worms like CodeRed, SQL Slammer, and more recently, Conficker were pretty common. As you probably know, a worm is a type of malware that automatically spreads itself over a network, using either legitimate network file sharing features, or network software vulnerabilities. In the past, the fastest spreading worms – like the examples mentioned above – exploited network software flaws to automatically propagate through networks (whether the Internet or just your internal network).
Although we haven’t seen many wildly successful network worms lately, they’re still a threat. All it takes is for one black hat to find a new zero-day networking software flaw and wide-spread ransomworm becomes a real possibility. In fact, attackers may not even need to know a new networking flaw to create a successful ransomware. By stealing a computer’s local credentials, attackers can use normal Windows networking, or tools like Powershell to spread through an internal Windows network without leveraging any vulnerability at all. Now, imagine ransomware attached to such a network worm. After infecting one victim, it could tirelessly copy itself to every computer it could reach on your local network.
Whether or not you want to imagine such a scenario, criminals have already added network-scanning capabilities to some ransomware variants, and there’s a high likelihood they will more aggressively merge ransomware and worm capabilities next year. In 2017, I suspect you’ll see a ransomworm that automatically spreads very quickly and successfully, at least on local networks, if not the Internet.
Combat evolving threats
Since falling victim to ransomware can be a costly and time-consuming affair, how can you prepare to combat these evolving threats? I’ll leave you with three quick tips to consider:
1. Backup – Sure, I know most people just want to prevent ransomware, but you’ll never have 100 percent assurances of that in information security. Backing up your data is an important part of security for reasons far beyond just recovering from a ransomware attack. If you don’t already backup your important data, ransomware is the best reason yet to do so.
2. Patch your software – There are many ways ransomware might get on your systems, including just users manually doing foolish things. However, in order to forcefully or automatically install malware on your system, attackers must exploit software flaws. That said, vendors have already fixed a huge percent of the vulnerabilities hackers use to spread malware. If you simply keep your patches up to date, you won’t succumb to many of these forced or automated attacks, which could even help against ransomworms, assuming the network flaw they used was also patched.
3. Implement Killchain Defense – You won’t find one security technology that can protect you from 100 percent of ransomware by itself. However, there are many security controls that help protect you from various stages of a ransomware attack. For instance, Intrusion Prevention Systems (IPS) can prevent some of the exploits criminals use to spread ransomware. AntiVirus can catch some of the most common ransomware variants, and more modern advanced threat protection solutions can even identify and block new zero-day ransomware samples. However, none of these defenses are fool proof alone. The best way to protect your computer or organization is to combine all of them. Unified Threat Management (UTM) solutions often offer the easiest option for placing all these protections under one pane of glass.