Ransomware has come a long way from the days of fake antivirus: the approach is now a little different, but the objective remains the same. Ransomware is malware that locks a computer and uses law enforcement imagery to intimidate victims into making payments in order to unlock it. It spread across the globe, initially from Eastern Europe to Western Europe, the United States, and Canada. The scam has been copied and professionalized since the early attacks, with established online criminal gangs now branching out into the scheme. Each gang has separately developed or bought a different version of the ransomware.
This malware is highly profitable: according to statistics, as many as 20% of compromised users pay. An investigation into one of the smaller players in this scam identified 68,000 compromised computers in just one month, which could have resulted in victims being defrauded of up to $400,000 USD. A larger gang, using malware called Reveton (aka Trojan.Ransomlock.G), was detected attempting to infect 500,000 computers over a period of 18 days. Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims.
The scam has evolved over time, using various techniques to disable a computer. Many individuals do pay, either because they believe the messages or because they realize it is a scam but still want to restore access to their computer. Unfortunately, even if a person does pay, the fraudsters often do not restore functionality; the only reliable way to restore functionality is to remove the malware.
From just a few small groups experimenting with this fraud, several organized gangs are now taking the scheme to a professional level, and the number of compromised computers has increased. We have identified several different versions of ransomware. Multiple gangs have retained software engineers to develop these versions independently. In fact, there is not one single family of ransomware composed of multiple variants, but rather multiple families, each with its own unique behavior.
In light of the foregoing, the future seems bleak, but there is hope. Below are some of the developments that will probably be witnessed in the coming season.
# 1 | More targeted actions shall bring some firms to ruin
We’ve engaged with plenty of IT groups who believed that if they had a ransomware attack, they would decipher it with ease. Unfortunately, enterprises that still hold this belief will be victims of data compromises sooner rather than later, and they will be caught unawares. The fact is that hackers are smarter than they are given credit for, which makes it more likely that enterprises without a strategy for quick restoration will succumb, so intrusion monitoring and protection strategies aren’t optional.
# 2 | Unnecessary false alarm alerts
Businesses have started to set up safeguards, but those may not be sufficient if the information isn’t reliable. If threat monitoring solutions regularly flag every small thing, IT groups will eventually start ignoring the alerts, putting themselves and the data they’re securing at greater risk. Businesses will want to ensure they have an intelligent system that raises flags when there is a real threat rather than churning out a high volume of non-actionable alarms.
# 3 | All businesses shall be susceptible
Businesses of all sizes underestimate how exposed they are, but they can’t afford to make this assumption in 2019. When firms don’t believe they’re vulnerable, they don’t see the need to implement systems and processes to ensure survival in case of an attack. For instance, nobody suspected last year that PGA of America’s servers might suffer an attack, but the firms that least anticipate it could readily become the next target. And the worst moment to start thinking about it is when your firm is already in a state of uncertainty.
# 4 | Backup, as well as protection strategies, will fail
Businesses that have security or disaster recovery plans in place are still susceptible to ransomware incidents if they don’t consistently test and validate those plans for their environment. Several clients have taken up our disaster recovery systems because a routine exercise exposed areas for improvement, or because they didn’t successfully recover from a backup into a cloud hosting environment. Corporations that are keen on testing their disaster recovery and backup systems will more likely have what’s necessary to recover from a cybersecurity compromise. In the absence of frequent tests, they might not actually have a recovery plan at all.
# 5 | Concerns will heighten around cloud security
Generally, clouds are as stable as, or even more stable than, most data centers. But they are exposed to the same risks that data centers are. This issue has featured prominently among our clients over the last couple of months. They are now more eager to know about the extra features we offer around ransomware. In some situations, we’ll mention the need for those features only to discover that they are already a priority for the client. It makes a lot of sense that system security will be such a priority when resources leave the four walls of a firm.
# 6 | The next couple of attacks shall be more sophisticated
Businesses have put systems in place to shield themselves from that initial wave of attacks, but we are yet to encounter the worst that ransomware can do. Hackers will only grow more aggressive, and we’ll witness an increased demand for enterprises to install more sophisticated cyber security solutions. They’ll need a comprehensive solution rather than a simple quick fix if they plan to withstand the never-ceasing threat cycle ahead.
# 7 | Cloud hosting service providers’ efforts won’t be sufficient
Cloud hosting providers supply infrastructure, but it will be the duty of enterprise IT teams to ensure they hold higher standards of security in the season ahead. Similarly, we’ve found that our clients want to ensure the frameworks they set up around their software and data can move with them if they ever decide to change service providers. Overall, if a company doesn’t have the correct protections in place, it will suffer for it. A cloud service provider may walk away at short notice.
During the past few years, end users were subjected to misleading applications claiming to be antivirus software (fake antivirus). Estimates of fraudulent earnings amounted to tens of millions of dollars. While the fake antivirus problem seems to have faded, similar distribution and development techniques are being reused by ransomware.
It is likely that some of the gangs responsible for the original ransomware are part of this expansion, but other established criminal gangs are also becoming involved. As awareness of these scams increases, the attackers and their malware are likely to evolve and use more sophisticated techniques to evade detection and prevent removal. The “ransom letter” will likely also evolve, and the attackers will use different hooks to defraud innocent users.