A Quarter of Ransomware Attacks in 2017 Targeted Businesses

Nov 30, 2017 | Cybersecurity News, Internet Security News, Network Security

Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up.

Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, while attackers are now using a wider variety of tactics to install the malicious code.

At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities.

Those exploits had been leaked online by the hacking group Shadow Brokers, all of which had been developed and used by the NSA. While not severe as WannaCry, NotPetya and BadRabbit, exploits were also used by AES-NI and Uiwix ransomware variants. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise.

There has been a noticeable change in targets since 2015 when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017.

Out of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data. Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered.

Others have not been so fortunate and have been left with no alternative other than to pay the ransom demand. As we saw with NotPetya, and many other ransomware and pseudo-ransomware variants, it is not always possible to recover data. The Kaspersky Lab report shows that one in six businesses that paid the ransom demand were unable to recover their data, creating massive business disruption and also potentially privacy and compliance fines. Keys to unlock the encryption were not provided or simply did not work.

There is some good news in the report. Ransomware attacks in 2017 affected 950,000 unique users, which is a considerable reduction from last year when 1.5 million users suffered a ransomware attack. This has been attributed not to a reduction in attacks, but better detection.

Kaspersky reports that the explosion in ransomware families in 2016 did not continue at the same level in 2017. Last year, 62 new families of ransomware were discovered. While there is still a month left of the year, to date, the number of new ransomware families in 2017 has fallen to 38.

While this appears to be good news, it is not an indication that the threat from ransomware is reducing. Kaspersky Lab notes that while the creation of new ransomware families halved in 2017, in 2016 there were 54,000 modifications made to existing ransomware variants, but this year there have been 96,000 modifications detected – Almost double the number of modifications last year. Rather than develop new ransomware families, cybercriminals are tweaking existing ransomware variants.

Kaspersky Lab, McAfee, and a host of security experts predict ransomware attacks will continue to plague businesses in 2018. As long as the attacks remain profitable they will continue, although Kaspersky Lab notes that 2018 is likely to see efforts switch to cryptocurrency miners, which can prove more profitable than ransomware in the long run. Even so, ransomware attacks are likely to continue for the foreseeable future.

To prevent the attacks, businesses need to implement a host of defenses to block and detect ransomware. Anti spam software can be deployed to prevent email-based attacks, web filters can be used to block access to websites hosting exploit kits and prevent drive -by downloads, and endpoint protection systems and network monitoring can detect changes made by ransomware and alert businesses to ransomware attacks in progress.  Along with good backup policies and end user training, the threat from ransomware can be reduced to an acceptable level and the majority of attacks can be blocked.

LockCrypt Ransomware Distributed Using Brute Force RDP Attacks

Nov 17, 2017 | Cybersecurity Advice, Cybersecurity News, Internet Security News, Network Security, Web Filtering

A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.

The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.

LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptopgraphy, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.

The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware.  One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.

Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlientVault security researcher, Chris Doman, reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.

The attacks do not appear to be targeted, instead they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.

Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting to prevent the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.

An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.

While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.

These should include an advanced spam filtering solution to prevent malicious emails from being delivered, web filters to block malicious websites and drive-by downloads, end user training to raise awareness of the threat from ransomware and other forms of malware, and network monitoring technology to identify unusual server and endpoint activity.

Network activity monitoring will not prevent ransomware attacks, but it will help IT teams respond quickly and halt the spread of ransomware to other vulnerable servers and end points.