WannaCry and the Growing Threat from Ransomware

Ransomware has been a growing problem for the last decade or so, but as a form of cybercrime it is much older. The first recorded ransomware attack pre-dates the world wide web. In 1989 Joseph L. Popp, a Harvard-trained scientist, created and distributed the AIDS Trojan, sometimes known as the PC Cyborg virus. Twenty thousand infected diskettes were created, and many of them were distributed to the World Health Organization’s international AIDS conference attendees from outside the United States. The targets of the attack had to transfer money to a Panama account to unlock infected systems.

Ransomware Attacks on the Rise

According to Kaspersky, between January and September 2016 ransomware attacks on businesses increased from one every 2 minutes to one every 40 seconds. Symantec also reported high levels of ransomware attacks: over 50,000 in March 2016 alone. A report by Osterman Research indicates that 47% of organizations in the US had been targeted at least once in 2016. A survey in the UK suggested 54% of businesses had been attacked at least once. Friday May 12, 2017 saw one of the largest and most widespread attacks to date: the WannaCry ransomware.

What’s the Main Attack Vector?

Phishing attacks via email, either as attachments or as links, remain the main attack vector for ransomware; they account for over 60% of all ransomware attacks, including the WannaCry attack of May 12. Although many people are now aware of the threat from suspicious links and attachments, it remains an effective way to spread malware. According to one survey, 78% of people were aware of the potential threat from a suspicious link, but the majority clicked on it anyway. Research indicates that when the email addresses the intended target by name, the target is twice as likely to click on the link or open the attachment. According to Proofpoint, 70% of attacks in Q2 2016 involved Locky, often hidden inside Microsoft Word documents and distributed by email. These attacks used the Necurs botnet for distribution.

Why Have Ransomware Attacks Increased?

The simple reason ransomware attacks have increased is that they are an easy way for criminals to make a lot of money. According to the FBI it is already becoming a billion-dollar-a-year ‘industry.’ Technology advances have also made the process of mounting a ransomware attack easier for the criminals. Think about that first attack: the code had to be written, then copied onto 20,000 diskettes, and then each diskette had to be distributed manually to the intended target. Now the attacker can use one of the ready-made kits, so there is no need for programming or IT skills.

The malware can be distributed by email, perhaps with the help of a botnet, or via a website. Cryptocurrencies allow the proceeds to be moved anonymously and globally, with no need for suspicious overseas bank accounts, credit transfers or a possible paper trail. There are also non-technical reasons; according to a report by the National Crime Agency in the UK, the international criminal gangs responsible for these attacks “are increasingly professional and have industrialized their criminal activity so that they can act at scale.” In the second half of 2015 the FBI, the NCA, Europol and others combined to disrupt the networks used by the criminal groups responsible for distributing Dridex malware. The criminal groups who control the botnets used to distribute Dridex responded to this loss of ‘business’ by distributing Locky (ransomware). This accounts for some of the increase seen in 2016.

Evolving Threats

The threat continues to evolve; during 2016 there was a marked increase in attacks on large organizations. This pushed the average ransom payment up from around $300 in 2015 to around $700 in 2016 (source: Symantec). Since this approach may be more profitable, I think we are likely to see even more large organizations hit in 2017. There are also variants of the malware, such as Jigsaw, which threaten to reveal sensitive data rather than just locking it; this makes data backup as a way of countering ransomware somewhat redundant. The WannaCry malware used in the May 12 attack differs from some ransomware in that it has self-replicating capabilities, so once it is installed on a system it can spread to others. New devices may be increasingly targeted, including smart phones, smart watches and smart TVs, in fact anything with “smart” in its name. The malware delivery method may also change. The current approach relies heavily on attachments; a fileless delivery technique could circumvent many of the security measures being introduced in larger organizations.

Paul O’Neill | Data Analyst at Black Duck Software

Originally published at blog.blackducksoftware.com.
