Ransomware has evolved considerably since its modern, cryptocurrency-funded form first appeared (Cryptolocker was spotted on 5 September 2013) and is unlikely to disappear any time soon, as the people behind this breed of malware keep developing more sophisticated ways of weaponising it, a senior researcher at security vendor Sophos says.
Chester Wisniewski, principal research scientist in the office of the company's chief technology officer, wrote in a blog post, published five weeks ahead of the seventh anniversary of Cryptolocker's appearance, that combating this form of malware had also become harder because the rise of cryptocurrencies had made ransom payments difficult to trace.
Wisniewski’s post was the fifth and final in a series published by the company under the title The realities of ransomware. iTWire has covered the other blog posts, one last week and the others on Monday, Tuesday and Wednesday.
“That fledgling ransomware (Cryptolocker) pioneered a new technology to extract wealth from victims, which, in past cyber attacks, had always been the hardest path to success,” he wrote. “Money is inherently traceable and is difficult to obtain electronically if you are a criminal, but Cryptolocker had a new trick up its sleeve: bitcoin.”
He said ransomware operators had upped their game, particularly in the last 10 months, with the addition of data theft to their arsenal in order to create more social pressure on victims to pay up.
Wisniewski pointed out that while security firms had done a great deal to force attackers to switch to different tactics, the attackers had been equally good at finding other, less obtrusive, ways of achieving their ends.
“When ransomware was introduced it depended on infecting large numbers of innocent people and demanding US$400 (A$558) to US$1000 each to make money, causing widespread harm,” he noted. “These attacks were automated and were largely a numbers game. This is not how ransom attacks look today. Once again, the attackers shifted.”
Endpoint security has improved greatly, so attackers now have to expend more effort, and use more skilled people, to get past it. That in turn means the ransoms have to be far larger, often running into millions of dollars, for an attack to be worth the attackers' while.
Wisniewski said the modus operandi had shifted to low-key attacks that stayed below the radar, with attackers avoiding the kind of noisy, large-scale activity that draws the attention of law enforcement.
“The result is that average organisations, not just governments and defence contractors, now have human adversaries,” he said. “This was not in most organisations’ plans. They were, and are, woefully unprepared for this new reality which has led to the deluge of news stories about ransom, extortion and data breaches.”
One of the major innovations by attackers had been the bypassing of security tools, he said. Given that there were humans involved, the tactics employed often differed from attack to attack.
“If they can phish a password for an admin, they log into the security management console and simply turn everything off. If that doesn’t work, groups like Snatch have turned to booting into Windows ‘safe mode’ where many security protections are disabled before launching their encryption routines,” he explained.
“And, now, with Wasted Locker, we are seeing the depths of internal Windows behaviours like memory mapping and caching being abused to bypass behavioural anti-ransomware technologies.”
Another characteristic of modern-day attackers was the degree of persistence they showed, he said. “If your tools succeed at blocking the initial attack, they will not just give up. They are humans and will find a way around any programmatic barrier.
“Humans are tenacious, we are creative and we don’t give up easily. To defend against this you need humans to sort the wheat from the chaff. Tactics change on a weekly basis and knowing the signs of your own tools turned against you is the key to early detection.”
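The Safe Mode trick attributed to Snatch above, and Wisniewski's point that spotting your own tools being turned against you is the key to early detection, are the kind of thing a detection engineer can encode. The following is an added example written for this article, not Sophos code and not a reproduction of any particular ransomware. It assumes the two documented ways of forcing the next boot into Safe Mode (the `bcdedit ... safeboot` switch, and a service registered under the `SafeBoot` registry key) and runs over constructed, Sysmon-shaped sample events; the host names, user names, service name and the baseline list of Safe Mode services are all made up for illustration.

```python
"""Flag Windows telemetry that looks like an attacker preparing a Safe Mode boot.

Added example; not Sophos code and not a copy of any ransomware's behaviour.
Assumed event shape: Sysmon-like dicts where id 1 is process creation and
id 13 is a registry value being set.  All sample events below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

PROCESS_CREATE, REGISTRY_SET = 1, 13

# bcdedit /set {default} safeboot minimal|network makes the next boot a Safe Mode boot.
SAFEBOOT_SET = re.compile(r"\bsafeboot\s+(minimal|network)\b", re.I)
# Services listed under this key are the only ones Windows starts in Safe Mode.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)", re.I)
# Entries Windows itself keeps there.  Assumed list: in practice baseline it from clean hosts.
BASELINE_SAFEBOOT_SERVICES = {"base", "vmms", "eventlog", "winmgmt"}
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)


@dataclass
class Finding:
    severity: str
    reason: str
    host: str
    user: str
    when: datetime


def detect_safe_mode_prep(events, reboot_window=timedelta(minutes=30)):
    """Return findings for Safe Mode preparation, escalating when a reboot follows."""
    findings = []
    armed = {}  # host -> time at which Safe Mode boot was configured
    for ev in sorted(events, key=lambda e: e["time"]):
        host, user, when = ev["host"], ev["user"], ev["time"]
        if ev["id"] == PROCESS_CREATE:
            cmd = ev["cmdline"]
            if "bcdedit" in ev["image"].lower() and SAFEBOOT_SET.search(cmd):
                findings.append(Finding("high", "bcdedit configured next boot as Safe Mode", host, user, when))
                armed[host] = when
            elif REBOOT.search(cmd) and host in armed and when - armed[host] <= reboot_window:
                findings.append(Finding("critical", "reboot issued shortly after Safe Mode was configured",
                                        host, user, when))
        elif ev["id"] == REGISTRY_SET:
            m = SAFEBOOT_KEY.search(ev["target"])
            if m and m.group(2).lower() not in BASELINE_SAFEBOOT_SERVICES:
                findings.append(Finding("high", f"service '{m.group(2)}' registered to run in Safe Mode "
                                                f"({m.group(1)})", host, user, when))
    return findings


# Constructed sample telemetry (not real logs). WS-0417 shows the attack pattern;
# WS-0911 shows benign bcdedit use, a stock Safe Mode service entry and an unrelated reboot.
T0 = datetime(2020, 8, 3, 2, 14, 0)
SAMPLE_EVENTS = [
    {"id": PROCESS_CREATE, "host": "WS-0417", "user": "CORP\\admin", "time": T0 + timedelta(seconds=45),
     "image": r"C:\Windows\System32\shutdown.exe", "cmdline": "shutdown /r /t 0 /f"},
    {"id": PROCESS_CREATE, "host": "WS-0417", "user": "CORP\\admin", "time": T0,
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"id": REGISTRY_SET, "host": "WS-0417", "user": "CORP\\admin", "time": T0 + timedelta(seconds=20),
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdaterSvc\(Default)"},
    {"id": PROCESS_CREATE, "host": "WS-0911", "user": "CORP\\helpdesk", "time": T0 + timedelta(hours=6),
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /enum"},
    {"id": REGISTRY_SET, "host": "WS-0911", "user": "NT AUTHORITY\\SYSTEM", "time": T0 + timedelta(hours=6, minutes=1),
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmms\(Default)"},
    {"id": PROCESS_CREATE, "host": "WS-0911", "user": "CORP\\helpdesk", "time": T0 + timedelta(hours=6, minutes=5),
     "image": r"C:\Windows\System32\shutdown.exe", "cmdline": "shutdown /r /t 60"},
]

if __name__ == "__main__":
    for f in detect_safe_mode_prep(SAMPLE_EVENTS):
        print(f"{f.when:%H:%M:%S} {f.host} {f.user} [{f.severity}] {f.reason}")
```

Run against the constructed events it reports three findings for WS-0417 only: the bcdedit change, the unknown service added to the Safe Mode key, and the reboot that follows within the window, which is the point at which the sequence stops being ambiguous. The baseline set is the part that needs real data: rather than a hand-typed list, collect the `SafeBoot\Minimal` and `SafeBoot\Network` entries from known-clean hosts so that a legitimate driver or backup agent does not page the on-call engineer.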
Wisniewski said the fight against ransomware gangs was no longer a battle. It had become a war. “To stay ahead you need to be vigilant and have the right people, the right training and the right tools. The days of loading security software on your endpoints, dusting off your hands and walking away are long gone,” he observed.
Attackers, he said, now used a hybrid approach that defenders needed to match: “combining automation to find victims with a gap in their defences and humans to creatively use existing tools from the victim's own network against themselves. This business model can net them millions of dollars per victim and cause uncountable additional damage.”
He said while computers, automation and tools were amazing, when “combined with human intellect, pattern recognition and our ability to extrapolate from the past into the future they provide a formidable defence. Those that are having success at defending themselves almost always have the right mix of investment in people, training and tools”.