Alive and Well: Ransomware in 2019


Ransomware, like other kinds of malware, has evolved over the years: from simple lockers that stopped the user from logging into the system, and "police" ransomware that frightened victims with prosecution for fictitious crimes, we have arrived at crypto-ransomware. This malware encrypts files on hard drives (or entire drives) and demands a ransom not only to restore access to the system, but also as a guarantee that the user's data will not be deleted, sold on the dark web, or published online. Moreover, paying the ransom in no way guarantees that a key for decrypting the files will be delivered. And no, this is not ancient history: it remains a very real threat today.

Given the success of the attackers and the profitability of this type of attack, experts believe that in future such attacks will only grow in frequency and ingenuity. According to Cybersecurity Ventures, in 2016 a ransomware attack hit a company roughly once every 40 seconds, in 2019 this happens once every 14 seconds, and by 2021 the frequency is expected to rise to one attack every 11 seconds. It is worth noting that the ransom demanded (especially in targeted attacks on large companies or urban infrastructure) is usually many times lower than the damage the attack causes. For example, the May attack on the government of Baltimore, Maryland, in the United States caused more than 18 million dollars of damage, while the ransom demanded by the attackers was about 76 thousand dollars in bitcoin. The attack on the city government of Atlanta, Georgia had cost the city 17 million dollars as of August 2018, against a demanded ransom of about 52 thousand dollars.

Trend Micro analyzed the ransomware attacks of the first months of 2019, and in this article we highlight the main trends the world should expect in the second half of 2019.

Ransomware Virus: Brief Dossier

What ransomware does is clear from its name: by threatening to destroy (or, conversely, publish) information that is confidential or valuable to the victim, criminals demand a ransom for restoring access to it. For ordinary users such an attack is unpleasant but rarely critical, and the threat of losing a music collection or ten years of vacation photos does not guarantee that the ransom will be paid.

The situation is completely different for organizations. Every minute of business downtime costs money, so for a modern company losing access to a system, application or data translates directly into losses. That is why the focus of ransomware attacks has been shifting in recent years away from indiscriminate mass distribution, whose activity is declining, toward targeted raids on organizations in sectors where the chance of receiving a ransom, and its size, are greatest. Organizations, in turn, try to protect themselves in two main ways: by developing procedures for quickly restoring infrastructure and databases after an attack, and by deploying more advanced defenses that detect and promptly neutralize malware.

To keep up with the threat and develop new solutions and technologies against malware, Trend Micro continuously analyzes the telemetry collected by its security products. According to the Trend Micro Smart Protection Network, the picture of ransomware attacks in recent years looks like this:

[Figure: Trend Micro Smart Protection Network ransomware statistics by year; the chart image is not reproduced here.]

Victim choice in 2019

This year cybercriminals have clearly become much more selective about their victims: they target organizations that are comparatively poorly protected and at the same time willing to pay a large sum to quickly restore normal operations. This is why, since the beginning of the year, several attacks on government bodies and the administrations of large cities have already been recorded, including Lake City (ransom of 530 thousand US dollars) and Riviera Beach (ransom of 600 thousand US dollars), both in Florida, USA.

Broken down by industry, the victims look like this:

- 27% - government bodies;
- 20% - manufacturing;
- 14% - healthcare;
- 6% - retail;
- 5% - education.

Cybercriminals often use OSINT (searching for and collecting information from publicly available sources) to prepare an attack and estimate how profitable it will be. The information they gather gives them a better understanding of the organization's business model and of the reputational risk it would face from an attack. The attackers also look for the most critical systems and subsystems that can be completely isolated or disabled with ransomware, since this increases the chance of a payout. Last but not least, they assess the state of the target's security: there is no point attacking a company whose IT staff are very likely to repel the attack.

This trend will remain relevant in the second half of 2019. Attackers will seek out new sectors in which disruption of business processes causes maximum losses (for example, transport, critical infrastructure and energy).

Methods of entry and infection

This area, too, is constantly changing. The most popular tools remain phishing, malicious advertisements and infected web pages, as well as exploits. At the same time, the main "accomplice" in these attacks is still the employee who opens such sites and downloads files from links or e-mail attachments, triggering infection of the whole corporate network.

In the second half of 2019, however, these tools will be joined by:

  • more active use of social engineering (attacks in which the victim voluntarily performs the actions the attacker needs or gives out information, believing, for example, that they are talking to a manager or a client of the organization), which is made easier by collecting information about employees from publicly available sources;
  • the use of stolen credentials, for example logins and passwords for remote administration systems, which can be bought on the dark web;
  • physical intrusion into premises, which lets attackers locate critical systems on site and disable security systems.

Attack concealment methods

With advances in cybersecurity, to which Trend Micro also contributes, detecting the classic ransomware families has recently become much easier. Machine learning and behavioral analysis technologies help detect malware before it gains a foothold in the system, so attackers have to come up with alternative ways of hiding their attacks.

The new techniques already known to security specialists aim to defeat sandboxes that analyze suspicious files and to evade machine learning systems, to develop fileless malware, and to abuse trojanized legitimate software, including software from security vendors and various remote-access services with access to the organization's network.
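The behavioral analysis mentioned above can be illustrated with a minimal heuristic of the kind an endpoint sensor might apply to the behavior described at the start of the article (bulk encryption of files with a renamed extension). The code below is an added example written for this page; it is not Trend Micro's or any vendor's detection logic, the `FileEvent` schema is hypothetical, and the trace it runs on is constructed inline. The idea: a single process that, inside a short time window, rewrites many distinct files with near-random (high Shannon entropy) content and gives most of them the same new extension is flagged as ransomware-like.

```python
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One observed file write. Hypothetical sensor schema: a real EDR would
    pass a content hash or precomputed entropy rather than raw bytes."""
    ts: float    # seconds since epoch
    pid: int     # writing process
    path: str    # destination path
    data: bytes  # (sample of) bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for random/encrypted data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_ransomware_like(events, window=10.0, min_files=20,
                         min_entropy=7.0, min_ext_ratio=0.8):
    """Return {pid: details} for processes that, within `window` seconds, wrote
    at least `min_files` distinct files with entropy >= `min_entropy`, where a
    share of at least `min_ext_ratio` of those files ends in one extension."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append((e, shannon_entropy(e.data)))  # entropy once per event

    flagged = {}
    for pid, scored in by_pid.items():
        scored.sort(key=lambda pair: pair[0].ts)
        start = 0
        for end in range(len(scored)):
            # slide the window start forward until it fits within `window` seconds
            while scored[end][0].ts - scored[start][0].ts > window:
                start += 1
            high = {e.path for e, ent in scored[start:end + 1] if ent >= min_entropy}
            if len(high) < min_files:
                continue
            exts = Counter(p.rsplit(".", 1)[-1].lower() if "." in p else "" for p in high)
            ext, count = exts.most_common(1)[0]
            if count / len(high) >= min_ext_ratio:
                flagged[pid] = {"files": len(high), "extension": ext,
                                "window_start": scored[start][0].ts}
                break  # one verdict per process is enough
    return flagged


def _pseudo_random(label: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    return hashlib.shake_256(label.encode()).digest(size)


def build_sample_trace():
    """Constructed trace: one encrypting process, one text editor, one archiver."""
    events = []
    # pid 4242: 25 documents rewritten as .locked with random-looking content, 0.2 s apart
    for i in range(25):
        events.append(FileEvent(1000.0 + 0.2 * i, 4242,
                                f"C:/Users/alice/docs/report_{i}.docx.locked",
                                _pseudo_random(f"enc-{i}")))
    # pid 1000: 30 plain-text saves, low entropy, so never flagged
    for i in range(30):
        events.append(FileEvent(1000.0 + 1.0 * i, 1000,
                                f"C:/Users/alice/notes/note_{i}.txt",
                                (b"meeting notes, action items, follow up " * 100)))
    # pid 2000: 5 high-entropy archives, too few files to trip the threshold
    for i in range(5):
        events.append(FileEvent(1000.0 + 0.5 * i, 2000,
                                f"C:/Backups/archive_{i}.zip",
                                _pseudo_random(f"zip-{i}")))
    return events


SAMPLE_EVENTS = build_sample_trace()

if __name__ == "__main__":
    for pid, info in flag_ransomware_like(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {info['files']} high-entropy files -> .{info['extension']} "
              f"within 10 s starting at t={info['window_start']}")
```

The three thresholds are the whole design: entropy alone fires on legitimate compression or backup tools (pid 2000 above), volume alone fires on build systems and editors, and only the combination with a uniform new extension is specific to encryption-and-rename behavior. A production sensor would add canary files, shadow-copy deletion and other signals, and would act (suspend the process) rather than just report.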

Conclusions and recommendations

Overall, the second half of 2019 is likely to bring targeted attacks on large organizations capable of paying large ransoms. At the same time, attackers do not always develop their tooling and malware themselves. Some groups, for example the infamous GandCrab crew, which has already ceased operations after earning about 150 million US dollars, operate on the RaaS model (ransomware-as-a-service, by analogy with antivirus and security products sold as a service). In other words, this year successful ransomware and cryptolockers are distributed not only by their authors but also by "tenants" who rent them.

Under these conditions, organizations must keep their security systems and their data recovery plans up to date, because the only truly effective way to fight ransomware is to refuse to pay and thereby deprive its authors of their source of income.

Source: habr.com
