The lure of easy money attracting organized groups is a trend that spells more trouble for enterprises, researchers say.
Look for a sharp uptick in the quantity and quality of ransomware this year as more organized cybercrime groups employ ransomware, thanks to the huge success other criminals have had monetizing these attacks, security experts say.
Take the Dridex group, a Russian cybercrime gang that until now has been known mainly for operating one of the most successful banking Trojans ever. The group is believed to be behind a recently released ransomware tool dubbed Locky that has begun proliferating in a major way on computers worldwide.
Locky, which some believe was used in the recent ransomware attack on Hollywood Presbyterian Memorial Hospital, surfaced in mid-February and has already emerged as one of the top 5 ransomware tools in circulation. A recent report by security vendor Fortinet, in fact, puts Locky second only to CryptoWall, a ransomware tool believed to have generated tens of millions of dollars in revenue for its operators. Forbes last month pegged Locky as infecting a staggering 90,000 computers a day worldwide.
“In the case of Dridex, the lines between crimeware and ransomware are starting to blur,” says Ronnie Tokazowski, senior researcher at PhishMe. “For most of the life of Dridex, the attackers would focus on banking as a primary target for attacks,” he said. But as of last month, “they have shifted and are now trying to monetize from ransomware as a way to cash out and still remain anonymous by using Bitcoins.”
Dridex is not the only example. This week, Reuters quoted executives from three security firms warning about a Chinese group called Codoso being involved in several recent ransomware attacks against US firms. Like the Dridex operators, the Codoso group too appears to have diversified into the ransomware space after initially focusing on another area—in its case, cyber espionage.
Victims of the group include a transportation company and a technology firm that had 30 percent of its machines infected by ransomware, Forbes said.
Expect more such groups to enter the ransomware business, says Stu Sjouwerman, CEO at KnowBe4. “Ransomware is the new criminal business model.”
The significant amount of revenue to be made in ransomware is sure to drive more interest from groups like the operators of Dridex. Such groups already have considerable experience in cybercrime, as well as the infrastructure to quickly ramp up their presence in the ransomware space, says Sjouwerman. The fact that Locky has already become such a widespread threat is one indication of how such groups can change the landscape, he says.
“This is bigger than people think. This is the year when ransomware is finally going to be recognized in the mainstream,” he says.
And it is not going to be just about the number of infections either. The money to be made in ransomware is also driving up the quality and lethality of the ransomware tools that have begun surfacing in recent months, say analysts.
In February for instance, the FBI warned of a ransomware variant, called MSIL/Samas.A, that for the first time was designed to infect entire networks and to use persistent access to find and delete network backups. “Many of the executables and tools used in this intrusion are available for free through Windows or open-source projects,” the FBI had warned.
Another example is TeslaCrypt, a ransomware variant that has been around for some time and has constantly mutated in its efforts to evade detection. The latest version of the malware, which some consider one of the most sophisticated ransomware variants currently in use, lets criminals use a unique encryption key for each victim, thereby eliminating any likelihood that a single key could be used to unlock multiple encrypted systems.
2016 will be the year that ransomware wreaks havoc on the US critical infrastructure community, said the Institute for Critical Infrastructure Technology (ICIT) in a recent 44-page report examining the ransomware crisis.
For instance, healthcare organizations that were hitherto off-limits for ransomware operators are no longer safe from the threat, ICIT said. The organization surmised the trend might have to do with the appearance of sophisticated Advanced Persistent Threat groups who are entering the stage because of the money to be made in such schemes.
“Ransomware attacks are under-combated and highly profitable,” ICIT said in its report. “With [the] prevalence of mobile devices and the looming shadow of the internet of things, the potential threat landscape available to ransomware threat actors is too tantalizing a target to ignore.”