
How Adversaries Are Refining and Improving Ransomware in 2017


Once adversaries have found a method for breaching network defenses, stealing data, or otherwise generating revenue, they continue to refine those tactics to avoid detection and improve effectiveness. Ransomware, one of the higher-profile tools in the adversary's kit, has undergone the same evolution, as we explain in the Cisco 2017 Midyear Cybersecurity Report (MCR). Delivery, obfuscation, and evasion are the core elements currently driving malware innovation, and many of these innovations in turn drive the use of ransomware by actors in the shadow economy.

Here’s a quick look at some of the key trends in ransomware we’ve observed during the first half of 2017:

RaaS platforms

Ransomware-as-a-Service (RaaS) platforms, such as Satan, are becoming commonplace, significantly lowering the barrier to entry for threat actors who want to get into the ransomware business without doing the hard work of writing the malware or amassing network resources. The operators of RaaS platforms take a portion of their customers' profits, much as many legitimate software platforms do. Some operators even provide additional “customer service,” such as deploying the ransomware and tracking the progress of distribution campaigns over time, making it even easier for threat actors to launch and manage their campaigns.

Open-source codebases

Adversaries are also leveraging open-source ransomware codebases to launch new campaigns quickly. As covered in the MCR, several open-source ransomware codebases, such as Hidden Tear and EDA2, have been released publicly “for educational purposes.” Threat actors can simply tweak the code to suit their objectives and then deploy it. We know that some adversaries use this strategy: many of the supposedly new ransomware families that Cisco has recently observed appear to be based directly on these open-source codebases.

Anonymized, decentralized infrastructure

In a bid to stay below the radar as their attacks find new victims, creators of ransomware and other malware campaigns are also adopting new techniques for evading detection by defenders. One such technique is the use of anonymized, decentralized infrastructure and network protocols that obscure command-and-control infrastructure. Cisco researchers have noted an increase in the use of services that leverage Tor, such as Tor2Web, a class of clearnet gateways that relay ordinary HTTP(S) requests to Tor onion services. Using a gateway lets bad actors reach Tor-hosted infrastructure without changing their malware to support Tor natively. It also makes the command-and-control infrastructure more difficult to track and more resilient to server takedowns.
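As an added example (not part of the original Cisco post), the following Python script shows the kind of check a defender can run over proxy or DNS logs to surface Tor2Web use: it flags hostnames that end in a known Tor2Web gateway domain, rates the hit higher when the label in front of the gateway looks like an onion service name (16 or 56 base32 characters), and separately flags bare .onion names, which indicate a Tor-aware client. The gateway list, the key=value log format and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Clearnet Tor2Web gateway domains. Assumed, partial list for this example;
# in production, feed it from threat intelligence and review it regularly.
TOR2WEB_SUFFIXES = ("onion.to", "onion.link", "onion.cab", "onion.ws", "tor2web.org")

# Onion service names are base32 (a-z, 2-7): 16 characters for v2, 56 for v3.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Destination host field of a simple key=value proxy log (format assumed for this example).
DST_FIELD = re.compile(r"\bdst=(\S+)")

# Constructed sample log lines; the hostnames are made up, not observed traffic.
SAMPLE_LOGS = [
    "2017-06-01T10:00:01Z src=ws-12 dst=www.example.com method=GET",
    "2017-06-01T10:00:05Z src=ws-12 dst=zzzzaaaabbbbcccc.onion.to method=POST",
    "2017-06-01T10:00:09Z src=ws-07 dst=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion.link:443 method=CONNECT",
    "2017-06-01T10:00:12Z src=ws-07 dst=update.microsoft.com method=GET",
    "2017-06-01T10:00:20Z src=ws-03 dst=www.tor2web.org method=GET",
    "2017-06-01T10:00:25Z src=ws-03 dst=zzzzaaaabbbbcccc.onion method=GET",
]


def extract_host(line: str) -> Optional[str]:
    """Pull the destination hostname out of a log line, dropping any port and trailing dot."""
    m = DST_FIELD.search(line)
    if not m:
        return None
    return m.group(1).lower().split(":", 1)[0].rstrip(".")


def classify_host(host: str) -> Optional[Dict[str, str]]:
    """Return a finding when host is a native .onion name or goes through a Tor2Web gateway."""
    if host.endswith(".onion"):
        # A bare .onion name in corporate DNS/proxy logs means a Tor-aware client
        # (or a leaked lookup); either way it deserves a look.
        return {"host": host, "kind": "native-onion", "gateway": "", "onion": host, "confidence": "high"}
    for suffix in TOR2WEB_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            prefix = host[: -len(suffix)].rstrip(".")
            label = prefix.split(".")[-1] if prefix else ""
            if ONION_LABEL.match(label):
                # <onion-name>.<gateway>: the client is reaching a specific hidden service.
                return {"host": host, "kind": "tor2web", "gateway": suffix,
                        "onion": label + ".onion", "confidence": "high"}
            # Gateway domain without an onion label (front page, docs): weaker signal.
            return {"host": host, "kind": "tor2web", "gateway": suffix, "onion": "", "confidence": "medium"}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over log lines and return every finding with its source line."""
    findings = []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        finding = classify_host(host)
        if finding is not None:
            finding["line"] = line
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['confidence']:6} {f['kind']:12} {f['host']} -> {f['onion'] or f['gateway']}")
```

A high-confidence hit gives you the onion name the client was reaching, which is worth pivoting on across the rest of the fleet; a medium hit on the gateway domain alone can be a user browsing, so it is better suited to enrichment than to blocking on its own.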

A re-embrace of email as an attack vector

Another ransomware-related trend observed by Cisco and covered in the MCR is an uptick in global spam volume, which parallels a decline in exploit kit activity. Emails carrying password-protected Office documents, or PDFs with embedded documents, may require the recipient to interact with the file (clicking “OK” or entering a password) before any malicious activity occurs, which can help the messages bypass sandboxing technologies.
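As an added example (not from the original post), the following Python triage routine flags attachments of the two kinds the paragraph describes before they reach an automated sandbox: password-protected OOXML documents, which Office stores in an OLE2 container with EncryptionInfo and EncryptedPackage streams, and PDFs that carry an embedded file or are encrypted. It also flags OOXML files with a VBA project, which goes beyond the paragraph but needs the same kind of user click. The sample attachments are constructed stand-ins, not real malware, and the substring checks are triage heuristics rather than format parsers.

```python
import io
import zipfile
from typing import Dict, List

# Magic bytes for the container formats the triage distinguishes.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (also wraps encrypted OOXML)
ZIP_MAGIC = b"PK\x03\x04"                        # plain OOXML (.docx/.xlsx) is a zip
PDF_MAGIC = b"%PDF"


def _u16(s: str) -> bytes:
    # OLE2 directory entry names are stored as UTF-16LE.
    return s.encode("utf-16-le")


def triage_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Classify one attachment and list the reasons a sandbox may not detonate it unattended."""
    reasons: List[str] = []
    kind = "unknown"

    if data.startswith(CFB_MAGIC):
        kind = "ole2"
        # Password-protected OOXML (MS-OFFCRYPTO) is an OLE2 container holding the
        # streams "EncryptionInfo" and "EncryptedPackage"; a substring search over the
        # raw bytes is enough for triage (legacy binary .doc/.xls encryption is not covered).
        if _u16("EncryptionInfo") in data and _u16("EncryptedPackage") in data:
            reasons.append("password-protected Office document (encrypted OOXML)")
    elif data.startswith(ZIP_MAGIC):
        kind = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            reasons.append("unreadable zip container")
        if "[Content_Types].xml" in names:
            kind = "ooxml"
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                reasons.append("Office document with VBA project (needs Enable Content)")
    elif data.startswith(PDF_MAGIC):
        kind = "pdf"
        # Heuristic: dictionaries inside compressed object streams are not visible
        # to a raw substring scan, so a miss here is not a clean bill of health.
        if b"/EmbeddedFile" in data:
            reasons.append("PDF with embedded file (user must click to open it)")
        if b"/Encrypt" in data:
            reasons.append("encrypted PDF (may prompt for a password)")

    return {"name": name, "kind": kind, "hold": bool(reasons), "reasons": reasons}


def build_samples() -> Dict[str, bytes]:
    """Constructed sample attachments (not real malware, not from the report)."""
    # Minimal stand-in for an encrypted OOXML container: OLE2 magic followed by the
    # two stream names an encrypted package carries (a real file has a full header).
    encrypted_docx = (CFB_MAGIC + b"\x00" * 504 + _u16("EncryptionInfo")
                      + b"\x00" * 96 + _u16("EncryptedPackage"))

    def ooxml(extra: List[str]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<document/>")
            for n in extra:
                zf.writestr(n, "")
        return buf.getvalue()

    pdf_embedded = (b"%PDF-1.7\n1 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\n"
                    b"stream\n\nendstream\nendobj\n%%EOF\n")
    pdf_plain = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

    return {
        "invoice_protected.docx": encrypted_docx,
        "invoice.docx": ooxml([]),
        "invoice_macro.docm": ooxml(["word/vbaProject.bin"]),
        "statement.pdf": pdf_embedded,
        "brochure.pdf": pdf_plain,
    }


def triage_all(samples: Dict[str, bytes]) -> List[Dict[str, object]]:
    return [triage_attachment(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in triage_all(build_samples()):
        print(r["name"], r["kind"], "HOLD" if r["hold"] else "ok", "; ".join(r["reasons"]))
```

Attachments that come back with hold set should go to a sandbox profile that can supply the password from the message body or click through the prompt, or to an analyst, rather than being passed on the strength of a clean automated run.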

RDoS attacks

Some adversaries are also experimenting with extorting victims using the threat of distributed denial of service (DDoS) attacks. In these attacks, dubbed ransom denial of service (RDoS), the perpetrator threatens to disrupt the victim’s website or other services using a DDoS attack unless a ransom is paid. According to research by our partner Radware, nearly half of all companies suffered at least one cyber ransom incident in 2016—either a specific ransomware attack, or an RDoS attack (17 percent).

Radware research also shows that a cybercriminal group called the Armada Collective has been responsible for most RDoS attacks to date, with ransoms demanded ranging from 10 to 200 bitcoins (about US$3,600 to US$70,000).

Given the ingenuity of adversaries, defenders can’t assume that once they’ve blocked one type of threat, bad actors won’t find a way around their defenses. As the Midyear Cybersecurity Report makes clear, staying a step ahead of this innovation is key to outwitting attackers.

By Edmund Brumaghin

(Source: Cisco Blog)
