It’s not exactly a no-brainer, but the success of ransomware in 2017 leads us to a logical prediction that more successful ransomware attacks will continue to plague organizations in 2018. These attacks will increase both in volume and sophistication, which will make it even more challenging for security vendors of yesteryear to prevent these attacks and fulfil their basic promise of protecting their customers.
It isn’t just legacy vendors that are challenged, however. Ransomware causes headaches for shiny “next-gen” products that rely heavily on detection-and-response capabilities because, once ransomware has evaded prevention techniques, the damage has already been done: files/folders are encrypted, and the business is impacted. (But hey, if you need a pretty process tree, they’re your vendor.) Rollback features are the equivalent of rolling the dice, crossing your fingers and hoping for the best, which is not a strategy.
Ransoms Beyond Bitcoin
Mao Tse-tung allegedly said, “Political power grows out of the barrel of a gun.” While it’s a stretch to say ransomware will produce the same result, in 2018, ransomware motives will shift increasingly toward political, rather than commercial, gains. The business model for ransomware has been simple: as an attacker, I’ll hold your files or folders hostage (encrypt them), and you pay me money (in the form of cryptocurrency). In 2017, we observed attacks that used ransomware but whose motives were political, rather than commercial, in nature. In March 2017, RanRan was a ransomware variant in the Middle East that, instead of money, demanded that victims speak out against a political leader in the region by creating a website. In 2018, we anticipate more uses of ransomware attacks that go beyond commercial gain. In another recent example, NotPetya did not focus its encryption on files and folders that could later be decrypted after payment; instead it encrypted the Master Boot Record, crashing systems.
Ransomware for the Masses
According to our latest Unit 42 threat intelligence report, Ransomware: Unlocking the Lucrative Criminal Business Model, the number of ransomware variants is growing: at least 150, if not hundreds more. Another reason for this increased volume is how much easier it has become to launch attacks. Ransomware as a service has become a viable way to launch ransomware attacks, which lets cybercriminals with limited technical skills execute them and lowers the barrier to entry even further (think having to leave the house and shop vs. ordering from DoorDash). In 2018, unfortunately, the number of successful ransomware attacks will continue to increase, and couch potato cybercriminals will be successful.
Down, Z, Up, X, A, Y, B, C
Do that on a Super Nintendo back in the day, and voilà! Your sophisticated “Street Fighter II” champion codes were enabled. Now, think of something similar happening for ransomware. In 2017, a sophisticated set of tools was leaked by a group called The Shadow Brokers, which claimed the tools had been created by a U.S. government entity for offensive operations. These tools were quickly leveraged by attackers in some of the most talked-about attacks of 2017. We had already seen innovative distribution models used in ransomware attacks, including exploit kits, macros, malicious DLLs and others. In addition, kernel exploits were heavily used in these attacks, making them even more difficult for security vendors to prevent. (Learn how kernel exploits work.)
Keep On Keepin’ On
Self-propagation of ransomware attacks will likely continue. Using worm-like capabilities to rapidly distribute ransomware has been proven wildly successful. From a business perspective, eliminating any friction in propagating the attack makes good business sense, which is why this type of ransomware worm will likely continue in 2018 and beyond.
While 2017 was a quiet year for Mac-specific ransomware, in 2018 we can expect the volume of Mac ransomware to increase. A ransomware attack has already targeted OS X hosts – KeRanger, which Unit 42 identified in 2016 – and given the increase in Mac usage, the attractive targets Mac users make, the availability of additional tools and the commoditization of ransomware, it’s a good bet we’ll be hearing more about organizations getting hit with ransomware targeting Macs.
As we mentioned upfront, based on the success in 2017, it doesn’t take Nostradamus to see that ransomware will continue in 2018. In fact, we believe adversaries will begin expanding their mission to more sophisticated attacks and to more platforms. Ransomware will likely continue as a thin veneer over more dangerous attacks that go through legacy security solutions like a hot knife through butter. The only defense is a coordinated security system in which endpoints communicate with firewalls to automatically convert threat intelligence into prevention at both locations, regardless of where a threat is first discovered. This level of integration also enables SecOps to correlate threat events and conduct forensic investigations using data from endpoints, firewalls, and global threat intelligence in ways that may not be possible with disparate security products.
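The correlation the last paragraph describes (an indicator discovered at one control becoming a block at the other) can be illustrated with a small script. The example below is an added illustration and not code from the original post or from any vendor product; the endpoint event fields, the key=value firewall log format and all hashes and addresses in it are constructed for the example and are not real indicators. It joins malicious endpoint verdicts to firewall flows from the same host inside a short time window, derives a hash block list for endpoints and a destination block list for the firewall, and flags hosts that reached a now-known-bad destination without raising an endpoint alert.

```python
"""Correlate endpoint verdicts with firewall flow logs so that an indicator
seen at one control becomes a block at the other (added example; all sample
data below is constructed and contains no real indicators)."""
from datetime import datetime, timedelta

# Constructed endpoint alerts (hypothetical agent output).
ENDPOINT_EVENTS = [
    {"ts": "2018-01-10T09:01:05Z", "host": "ws-17", "ip": "10.0.5.17",
     "sha256": "aa11" * 16, "verdict": "malicious"},
    {"ts": "2018-01-10T09:01:10Z", "host": "ws-22", "ip": "10.0.5.22",
     "sha256": "bb22" * 16, "verdict": "benign"},
    {"ts": "2018-01-10T09:02:30Z", "host": "ws-31", "ip": "10.0.5.31",
     "sha256": "aa11" * 16, "verdict": "malicious"},
]

# Constructed firewall traffic log lines; the key=value layout is an assumption.
FIREWALL_LOGS = [
    "2018-01-10T09:01:12Z src=10.0.5.17 dst=203.0.113.9 dport=443 action=allow",
    "2018-01-10T09:01:15Z src=10.0.5.22 dst=198.51.100.20 dport=443 action=allow",
    "2018-01-10T09:02:40Z src=10.0.5.31 dst=203.0.113.9 dport=443 action=allow",
    "2018-01-10T09:03:01Z src=10.0.5.40 dst=203.0.113.9 dport=443 action=allow",
    "2018-01-10T11:30:00Z src=10.0.5.17 dst=192.0.2.77 dport=80 action=allow",
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_fw_line(line):
    """Parse one 'timestamp key=value ...' firewall line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, TS_FMT)
    return rec


def correlate(endpoint_events, fw_lines, window_minutes=10):
    """Join malicious endpoint verdicts to firewall flows from the same host
    within window_minutes after the verdict.

    Returns the hashes endpoints should block, the destinations the firewall
    should block, and hosts that talked to a bad destination but raised no
    endpoint alert (candidates for investigation)."""
    flows = [parse_fw_line(l) for l in fw_lines]
    window = timedelta(minutes=window_minutes)
    bad_hashes, bad_dsts, alerted_hosts = set(), set(), set()
    for ev in endpoint_events:
        if ev["verdict"] != "malicious":
            continue
        t0 = datetime.strptime(ev["ts"], TS_FMT)
        bad_hashes.add(ev["sha256"])
        alerted_hosts.add(ev["ip"])
        # Only flows from the alerting host shortly after the verdict count;
        # the 11:30 flow from ws-17 falls outside the window and is ignored.
        for f in flows:
            if f["src"] == ev["ip"] and t0 <= f["ts"] <= t0 + window:
                bad_dsts.add(f["dst"])
    # Hosts with no endpoint alert that still reached a destination now known bad:
    # the firewall finding feeds back to the endpoint side for investigation.
    silent = {f["src"] for f in flows
              if f["dst"] in bad_dsts and f["src"] not in alerted_hosts}
    return {"endpoint_block_hashes": bad_hashes,
            "firewall_block_dsts": bad_dsts,
            "investigate_hosts": silent}


if __name__ == "__main__":
    result = correlate(ENDPOINT_EVENTS, FIREWALL_LOGS)
    for key, values in result.items():
        print(f"{key}: {sorted(values)}")
```

The time window is the important design choice: without it, every destination a compromised host ever contacted would end up on the firewall block list, and the result would be noise rather than prevention. The `investigate_hosts` set is the payoff of the two-way exchange: ws-40 never raised an endpoint alert, yet the firewall data shows it reached the same destination as the confirmed infections.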