cisco-logo

How Adversaries Are Refining and Improving Ransomware in 2017

Improving Ransomware in 2017

Once adversaries have found a method for breaching network defenses, stealing data, or otherwise generating revenue, they’ll continue to refine these tactics to avoid detection and improve effectiveness. Ransomware, one of the more high-profile tools leveraged by adversaries, has undergone this same evolution, as we explain in the Cisco 2017 Midyear Cybersecurity Report. Delivery, obfuscation, and evasion are the core elements currently driving malware innovation—and many of these innovations, in turn, drive the use of ransomware by actors in the shadow economy.

Here’s a quick look at some of the key trends in ransomware we’ve observed during the first half of 2017:

RaaS platforms

Ransomware-as-a-Service (RaaS) platforms, such as Satan, are becoming commonplace, significantly decreasing the “barrier to entry” for threat actors who want to get into the ransomware business without doing the hard work of programming, or amassing network resources. The operators of the RaaS platforms take a portion of adversaries’ profits, similar to the way in which many legitimate software platforms work. Some of the operators even provide additional “customer service,” such as deploying the ransomware and tracking the progress of ransomware distribution campaigns over time, making it even easier for threat actors to launch and manage their ransomware campaigns.

Open-source codebases

Open-source ransomware codebases are also being leveraged by adversaries to help them launch new ransomware campaigns quickly. As covered in the MCR, several open-source ransomware codebases such as Hidden Tear and EDA2 have been released publicly “for educational purposes” Threat actors can simply tweak the code to suit their specific objectives and then deploy the malware to launch ransomware attacks. We know that this is a strategy used by some adversaries: many of the supposedly new ransomware families that Cisco has recently observed appear to be directly based on these open-source codebases.

Anonymized, decentralized infrastructure

In a bid to stay below the radar as their attacks find new victims, creators of ransomware and other malware campaigns are also leveraging new techniques for evading detection by defenders. One such technique is the use of anonymized and decentralized infrastructure and network protocols that can obfuscate command-and-control infrastructure. Cisco researchers have noted an increase in the use of services that leverage Tor, such as Tor2Web, which makes it easier for bad actors to use Tor without changing their malware code to natively support it. This also makes the command-and-control infrastructure more difficult to track and makes it more resilient to server takedowns.

A re-embrace of email as an attack vector

Another ransomware-related trend observed by Cisco and covered in the MCR: An uptick in spam volume globally, which parallels a decline in exploit kit activity. Emails with password protected Office documents, or PDFs containing embedded documents may require recipients to interact with the files, such as clicking “OK,” or inputting a password before any malicious activity is encountered which can help the messages bypass sandboxing technologies.

RDoS attacks

Some adversaries are also experimenting with extorting victims using the threat of distributed denial of service (DDoS) attacks. In these attacks, dubbed ransom denial of service (RDoS), the perpetrator threatens to disrupt the victim’s website or other services using a DDoS attack unless a ransom is paid. According to research by our partner Radware, nearly half of all companies suffered at least one cyber ransom incident in 2016—either a specific ransomware attack, or an RDoS attack (17 percent).

Radware research also shows that a cybercriminal group called the Armada Collective have been responsible for most RDoS attacks to date, with ransoms demanded ranging from 10 to 200 bitcoins (about US$3,600 to US$70,000).

Given the cleverness of adversaries, defenders can’t assume that when they’ve blocked one type of threat, bad actors won’t figure out a way around their defenses. As the Midyear Cybersecurity Report makes clear, staying a step ahead of this innovation is key to outwitting attackers.

By Edmund Brumaghin

(Source: Cisco Blog)

CloudBuzz

The latest in curated technology related news collected from many of the leading news distribution, industry research and technology vendor firms on the planet.

Here you will find recent news sources from companies such as Reuters, Marketwired, IDC, Gartner or directly from cloud vendors such as Google, Microsoft or Amazon.

Data Analytics and Human Heuristics: How to Avoid Making Poor Decisions

Data Analytics and Human Heuristics: How to Avoid Making Poor Decisions

The “hot hand,” a metaphor applied frequently to the game of basketball, is the idea that a basketball shooter, after ...
Best Practices in Disaster Recovery and Business Continuity

Best Practices in Disaster Recovery and Business Continuity

Best Practices in Disaster Recovery Hope for the best, prepare for the worst, and expect to be surprised. While that ...
The Unintended – and Intended – Consequences of Cloud Data Sovereignty

The Unintended – and Intended – Consequences of Cloud Data Sovereignty

Cloud Data Sovereignty It seems that everything has unintended consequences – whether positive or negative. Intended consequences are those that ...
What You Need To Know About Choosing A Cloud Service Provider

What You Need To Know About Choosing A Cloud Service Provider

Selecting The Right Cloud Services Provider How to find the right partner for cloud adoption on an enterprise scale The ...
Advanced IoT systems provide analysis catalyst for the petrochemical refinery of the future

Advanced IoT systems provide analysis catalyst for the petrochemical refinery of the future

Advanced IoT Systems The next BriefingsDirect Voice of the Customer Internet-of-Things (IoT) technology trends interview explores how IT combines with IoT to help ...
Cloud Advances One Funeral at a Time

Cloud Advances One Funeral at a Time

The Advancing Cloud Forecasts scream huge growth rates for cloud but in the big picture it is tiny. Max Planck ...
AT&T Unveils $15-a-Month Video Service

AT&T Unveils $15-a-Month Video Service

Wireless company’s fees for programmers would depart from industry practice AT&T Inc. T -1.20% on Thursday unveiled a new video service, called WatchTV, that aims to use a “skinny bundle” of channels to recapture some ...
Teradata sues Germany's SAP, alleging it stole trade secrets

Teradata sues Germany’s SAP, alleging it stole trade secrets

FRANKFURT (Reuters) - SAP SE, Europe’s most valuable technology company, was sued on Wednesday by U.S. company Teradata, which accused it of stealing trade secrets, copyright infringement and anti-trust violations. The case, filed at the ...
AI Storms Top Supercomputing Show – NVIDIA Brings Talks, Training, Demos, and More to ISC

AI Storms Top Supercomputing Show – NVIDIA Brings Talks, Training, Demos, and More to ISC

This is what smart people do for fun. Detecting gravitational waves millions of light years away, in real time. Powering computationally fast quantum mechanical simulations at high accuracy and low cost. Proving the feasibility of ...