There’s no doubt businesses are an appealing target for ransomware attackers, as seen in numerous major attacks this past year. The well-known Locky, which hit hospitals in the US among other targets, is definitely here to stay. However, we’re starting to encounter more sophisticated variants than the classic Crypto ransomware, presenting corporate-oriented capabilities. For instance, Samas ransomware, which hit MedStar Health earlier this year, uses exploits on JexBoss (an open source server platform) to install itself in targeted web servers. It then proceeds to the next stage of network acquisition and mapping, with the aim of proliferating within the network and infecting more end-points. Eventually, the attackers use PSExec (which executes programs on remote systems) to infect those endpoints. Therefore, we expect to come across more unusual ransomware types aimed at organizations; these are set out below:
Data wiping means rendering all data on a hard drive unreadable, most commonly by using hard drive over-writers. An example of data-wiping ransomware, rather than merely encrypting ransomware, is Jigsaw, which steals copies of all the user’s files and deletes the original ones (along with their backups). FairWare is yet another “wiping” ransomware variant, which deletes web files from Linux servers. As such, we might see more attackers demanding ransom for recovering “wiped” data, instead of encrypted data.
We expect to encounter more ransomware variants that deny access to the infected host and its entire operating system, rather than just to certain files. “MBR Overwriters” prevent the operating system from booting by overwriting the MBR (Master Boot Record). The technique was used in the well-known Sony Attack. It was “adopted” for ransomware by Petya, a ransomware variant that overwrites the victim’s MBR so that Windows cannot be loaded. Instead, only the “ransom note” with payment instructions remains accessible to the victim.
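As an added example (not code from the original post), the following Python script shows how a defender can parse a raw MBR sector and flag the kind of tampering described above: bootstrap code that no longer matches a recorded known-good hash, a missing 0x55AA boot signature, or a zeroed partition table. The sample sectors and the baseline hash are constructed inline for illustration; the MBR layout used (446-byte bootstrap, four 16-byte partition entries, 2-byte signature) is the standard one.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446           # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOTSTRAP_LEN + i * 16           # each partition entry is 16 bytes
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap": sector[:BOOTSTRAP_LEN],
            "partitions": partitions,
            "signature": sector[510:512]}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a captured MBR; an empty list means it matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr["bootstrap"]).hexdigest() != baseline_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    return findings


# Constructed sample of a healthy MBR: a jump stub as bootstrap, one active
# partition of type 0x07 starting at LBA 2048, and a valid boot signature.
CLEAN_MBR = (b"\xeb\x3c\x90" + b"\x00" * (BOOTSTRAP_LEN - 3)
             + bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1000000)
             + b"\x00" * 48 + BOOT_SIGNATURE)
# Constructed sample of the overwrite pattern: different bootstrap code and a
# zeroed partition table, so the original OS can no longer be located at boot.
TAMPERED_MBR = b"\xfa\x31\xc0" + b"\x00" * (BOOTSTRAP_LEN - 3) + b"\x00" * 64 + BOOT_SIGNATURE
# Baseline hash that a defender would record while the system is known-good.
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_LEN]).hexdigest()
```

In practice the sector would be read from the boot disk (for example via a raw device read or a forensic image) and the baseline stored off-host, since an attacker who can overwrite the MBR can also alter a hash kept on the same disk.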
Ransomware families targeting enterprises are likely to have different variants for each OS, or even be cross-platform. Nowadays, the vast majority of ransomware families target only Windows. However, in the future, ransomware attackers will be able to hit every server, client, mobile device, or any other network component, and even industrial components (such as SCADA) in the organization, leaving no uninfected end-point and no recoverable backups.
File-less ransomware infections
When performing file-less infections, no files are saved on the victim’s hard drive. This makes it harder for traditional AVs to scan and detect the malware, evading static analysis. Consequently, attackers may shift from file-based malware to file-less infections. Such attacks can be performed by hacking into organizations, escalating privileges, and proliferating throughout the network using legitimate networking tools. Attackers can leverage IT, administration, remote desktop, FTP, SSH and Telnet tools. Even TeamViewer has already been abused by Surprise ransomware for distribution. The data encryption or wiping can also be carried out using shell commands (as PowerWare, a PowerShell-based ransomware variant, did). Additional file-less infection techniques that attackers can take advantage of are using WMI remotely, Windows Registry malware, or memory-resident malware (which loads malicious code into the memory space of a host process, e.g. reflective DLL injection).

An obvious downside of file-less malware infections is the struggle to maintain persistence, in comparison to classic malware, which can easily gain persistence using simpler and more common methods. Nevertheless, unlike APT campaigns, ransomware attacks do not necessarily require persistence. Most crypto ransomware variants simply need to run once, encrypting or wiping the user’s data without being detected and blocked. Consequently, ransomware attackers are likely to give up persistence in favor of evasion, i.e. give up file-based infections in favor of file-less infections.
Infecting industrial institutes
Corporate networks are not the only ones at risk. The next step towards a severe ransomware attack is when ransomware targets industrial networks, not necessarily by encrypting files but simply by disrupting activity, which could cause electric, water, gas, or nuclear utilities to shut down until the ransom is paid. In April 2016 BWL, the third-largest electric and water utility in Michigan, suffered a ransomware attack, becoming the first electric utility hit by ransomware. In this case, only the corporate network was infected and no damage was done to the water or energy supplies. However, any future attacks on such companies could be much more destructive.
To learn more about ransomware trends and forecasts, as well as how to protect your organization, download Deep Instinct’s comprehensive ransomware white paper.