How Adversaries Are Refining and Improving Ransomware in 2017

Once adversaries have found a method for breaching network defenses, stealing data, or otherwise generating revenue, they continue to refine those tactics to avoid detection and improve effectiveness. Ransomware, one of the more high-profile tools in the adversary's kit, has undergone the same evolution, as we explain in the Cisco 2017 Midyear Cybersecurity Report (MCR). Delivery, obfuscation, and evasion are the core elements currently driving malware innovation, and many of those innovations in turn drive the use of ransomware by actors in the shadow economy.

Here’s a quick look at some of the key trends in ransomware we’ve observed during the first half of 2017:

RaaS platforms

Ransomware-as-a-Service (RaaS) platforms, such as Satan, are becoming commonplace, significantly lowering the barrier to entry for threat actors who want to get into the ransomware business without doing the hard work of writing the malware or amassing the infrastructure needed to run a campaign. The operators of a RaaS platform take a cut of the affiliate's profits, much as many legitimate software platforms do. Some operators even provide "customer service," such as deploying the ransomware and tracking the progress of distribution campaigns over time, making it easier still for threat actors to launch and manage their campaigns.

Open-source codebases

Open-source ransomware codebases are also being leveraged by adversaries to launch new ransomware campaigns quickly. As covered in the Midyear Cybersecurity Report, several open-source ransomware codebases such as Hidden Tear and EDA2 have been released publicly "for educational purposes." Threat actors can simply tweak the code to suit their objectives and then deploy it. We know this is a strategy some adversaries use: many of the supposedly new ransomware families that Cisco has recently observed appear to be based directly on these open-source codebases.

Anonymized, decentralized infrastructure

In a bid to stay below the radar as their attacks find new victims, creators of ransomware and other malware campaigns are also leveraging new techniques for evading detection by defenders. One such technique is the use of anonymized and decentralized infrastructure and network protocols that obscure command-and-control infrastructure. Cisco researchers have noted an increase in the use of services built on Tor, such as Tor2Web. A Tor2Web gateway proxies ordinary clearnet HTTP(S) requests to Tor hidden services, so malware can reach a .onion command-and-control server by contacting a hostname under a gateway domain such as onion.to, without bundling a Tor client or changing its code to natively support Tor. Because the real server sits behind Tor, the command-and-control infrastructure is more difficult to track and more resilient to server takedowns; the trade-off for the attacker is that the gateway hostname is visible in the victim's DNS and proxy logs.
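The gateway hostname visibility mentioned above is the defender's handle on this technique. The following Python detector is an added example, not code from the Cisco post, and it goes slightly beyond the text: rather than matching a list of known gateway domains, it matches the shape of a hidden-service address (16 base32 characters for the v2 addresses in use in 2017, 56 for v3) followed by a clearnet gateway suffix, so gateways nobody has listed yet are still caught. The proxy log format, the gateway suffixes beyond onion.to and tor2web.org, and the .onion addresses themselves are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# A Tor2Web gateway exposes a hidden service at "<onion-address>.<gateway>",
# e.g. <address>.onion.to or <address>.tor2web.org, so the malware only needs an
# ordinary HTTPS client. Tor v2 addresses are 16 base32 characters ([a-z2-7]);
# v3 addresses are 56. Matching the address shape rather than a list of gateway
# domains also catches gateways we have never heard of.
ONION_VIA_GATEWAY = re.compile(
    r"^(?:[a-z0-9-]+\.)*"                  # optional extra labels in front
    r"([a-z2-7]{16}|[a-z2-7]{56})"         # the hidden-service address itself
    r"\.((?:onion|tor2web)\.[a-z]{2,})$"   # gateway suffix, e.g. onion.to, tor2web.org
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    host: str
    onion: str     # the .onion address the gateway is fronting
    gateway: str   # the clearnet gateway domain that was actually contacted


def find_tor2web_hits(log_text: str) -> list[Hit]:
    """Scan proxy log lines of the (assumed) form '<time> <client> <method> <host> <path>'
    and return every request whose host is an onion address reached through a
    Tor2Web-style gateway. Lines that do not have exactly five fields are skipped."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        timestamp, client, _method, host, _path = fields
        m = ONION_VIA_GATEWAY.match(host.lower().rstrip("."))
        if m:
            hits.append(Hit(timestamp, client, host, m.group(1) + ".onion", m.group(2)))
    return hits


def clients_by_onion(hits: list[Hit]) -> dict[str, list[str]]:
    """Pivot the hits to 'which internal clients talked to which hidden service'.
    Several clients beaconing to the same .onion, possibly through different
    gateways, is the pattern worth escalating."""
    index = defaultdict(set)
    for h in hits:
        index[h.onion].add(h.client)
    return {onion: sorted(clients) for onion, clients in index.items()}


# Constructed sample log lines (not captured traffic). One line uses a made-up
# 56-character address so the v3 branch of the pattern is exercised; the bare
# gateway domain and "example.onion.link" are there to show what is NOT flagged.
SAMPLE_PROXY_LOG = "\n".join([
    "2017-06-12T09:14:02Z 10.1.4.23 GET www.example.com /index.html",
    "2017-06-12T09:14:05Z 10.1.4.23 POST dz7x6fpmgn5ir2ud.onion.to /gate.php",
    "2017-06-12T09:14:09Z 10.1.4.77 GET onion.to /",
    "2017-06-12T09:14:11Z 10.1.4.51 GET abcdefghijklmnop.tor2web.org /c2/checkin",
    "2017-06-12T09:14:15Z 10.1.4.23 GET example.onion.link /",
    "2017-06-12T09:14:20Z 10.1.4.90 GET " + "bc2d" * 14 + ".onion.cab /ping",
    "2017-06-12T09:14:25Z 10.1.4.90 GET dz7x6fpmgn5ir2ud.onion.link /gate.php",
])

if __name__ == "__main__":
    hits = find_tor2web_hits(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(f"{hit.timestamp} {hit.client} -> {hit.onion} via {hit.gateway}")
    print(clients_by_onion(hits))
```

On the sample log the detector returns four hits and the pivot shows two clients (10.1.4.23 and 10.1.4.90) reaching the same hidden service through two different gateways, which is exactly the correlation a gateway-domain blocklist alone would miss. The shape match is deliberately strict: "example.onion.link" is not flagged because the label in front of the gateway is not a valid onion address; loosen the address group if you would rather block every subdomain of a known gateway.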

A re-embrace of email as an attack vector

Another ransomware-related trend observed by Cisco and covered in the Midyear Cybersecurity Report is an uptick in global spam volume that parallels a decline in exploit kit activity. Emails carrying password-protected Office documents, or PDFs with embedded documents, require the recipient to interact with the file (clicking "OK," or entering a password supplied in the email body) before any malicious activity occurs. That interaction requirement helps the messages bypass sandboxing technologies: an automated sandbox that cannot supply the password or the click never observes the payload run, so the attachment can be classified as clean.
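Because the sandbox is blind to these attachments by design, the useful check is a static one that runs before (or instead of) detonation: recognise the attachment as interaction-gated and route it for manual analysis or quarantine rather than trusting a clean verdict. The triage function below is an added example, not Cisco's code. It relies on two facts about the formats: an OOXML document saved with a password is rewrapped in an OLE2/CFB container whose directory holds "EncryptionInfo" and "EncryptedPackage" streams (directory entry names are UTF-16LE), and a PDF that carries an embedded file or an auto-run action has the /EmbeddedFile, /OpenAction, /JavaScript or /Launch name objects. The flag names and the sample attachments are constructed for the example.

```python
import io
import zipfile

# Magic bytes and the UTF-16LE stream names that mark a password-protected
# OOXML file inside its OLE2/CFB wrapper.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF-"

# PDF name objects meaning "there is a payload, or an action the reader must trigger".
PDF_INTERACTIVE_KEYS = {
    b"/EmbeddedFile": "pdf_embedded_file",
    b"/OpenAction": "pdf_open_action",
    b"/JavaScript": "pdf_javascript",
    b"/Launch": "pdf_launch",
}

# Flags for which an automated sandbox would most likely never see the payload run.
SANDBOX_BLIND_FLAGS = {"ooxml_password_protected", "zip_password_protected"} | set(
    PDF_INTERACTIVE_KEYS.values()
)


def classify_attachment(data: bytes) -> set[str]:
    """Return a set of flags describing the container and any interaction-gated content."""
    flags: set[str] = set()
    if data.startswith(CFB_MAGIC):
        flags.add("ole_container")
        # Byte scan only: no CFB directory parsing, so treat this as a triage signal.
        if ENCRYPTION_INFO in data and ENCRYPTED_PACKAGE in data:
            flags.add("ooxml_password_protected")
    elif data.startswith(ZIP_MAGIC):
        flags.add("zip_container")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    flags.add("ooxml")
                # General-purpose flag bit 0 marks an encrypted ZIP entry.
                if any(zi.flag_bits & 0x1 for zi in zf.infolist()):
                    flags.add("zip_password_protected")
        except zipfile.BadZipFile:
            flags.add("zip_malformed")
    elif data.startswith(PDF_MAGIC):
        flags.add("pdf")
        for key, flag in PDF_INTERACTIVE_KEYS.items():
            if key in data:
                flags.add(flag)
    else:
        flags.add("unknown")
    return flags


def needs_manual_detonation(flags: set[str]) -> bool:
    """True when a clean sandbox verdict for this attachment should not be trusted."""
    return bool(flags & SANDBOX_BLIND_FLAGS)


# Constructed samples (not real attachments): just enough bytes to drive each branch.
SAMPLE_ENCRYPTED_DOCX = (
    CFB_MAGIC + b"\x00" * 64 + ENCRYPTION_INFO + b"\x00" * 16 + ENCRYPTED_PACKAGE + b"\x00" * 32
)


def _build_plain_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLE_PLAIN_DOCX = _build_plain_docx()

SAMPLE_PDF_WITH_EMBED = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
    b"2 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 3 0 R >> >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n"
    b"%%EOF\n"
)
SAMPLE_PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("encrypted.docx", SAMPLE_ENCRYPTED_DOCX), ("plain.docx", SAMPLE_PLAIN_DOCX),
                       ("embed.pdf", SAMPLE_PDF_WITH_EMBED), ("plain.pdf", SAMPLE_PLAIN_PDF)]:
        flags = classify_attachment(blob)
        print(f"{name}: {sorted(flags)} -> manual={needs_manual_detonation(flags)}")
```

Two caveats a practitioner should keep in mind. The PDF scan works on raw bytes, so names hidden inside compressed object streams (/ObjStm with /FlateDecode) will not be seen; a real pipeline should inflate streams with a PDF parser first. And a legacy binary .doc protected with a password does not contain the two stream names checked here, so it falls through as a plain OLE container.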

RDoS attacks

Some adversaries are also experimenting with extortion backed by the threat of a distributed denial of service (DDoS) attack. In these attacks, dubbed ransom denial of service (RDoS), the perpetrator threatens to disrupt the victim's website or other services with a DDoS attack unless a ransom is paid. According to research by our partner Radware, nearly half of all companies suffered at least one cyber-ransom incident in 2016, either a ransomware attack or an RDoS attack (17 percent of companies).

Radware research also shows that a cybercriminal group calling itself the Armada Collective has been responsible for most RDoS attacks to date, with ransoms demanded ranging from 10 to 200 bitcoins (about US$3,600 to US$70,000 at the time). The name has also been borrowed by copycat extortionists, so a threat letter bearing it is not by itself evidence that the sender can deliver the attack.

Given the cleverness of adversaries, defenders can’t assume that when they’ve blocked one type of threat, bad actors won’t figure out a way around their defenses. As the Midyear Cybersecurity Report makes clear, staying a step ahead of this innovation is key to outwitting attackers.

By Edmund Brumaghin

(Source: Cisco Blog)
