Ransomware Trends around the Globe
Article by Obedience Kuguyo
Why are more advanced cybercriminals adapting ransomware for their cyber arsenal?
As a cybersecurity expert, I've already seen many attacks where skilled attackers get into a
network, take what they need, and leave ransomware behind to further extort money or destroy
systems. Part of the reason is that it serves as a useful distraction: it shows the victim
that they have been hacked by a certain group and that it wasn't just a virus infection but
a targeted attack. I have seen most people neglect their network defences after a single
machine has been infected by ransomware. It is common for systems administrators to
fail to look around their network for other signs of a breach, making it easier for
the attacker to escape unnoticed and infect the whole cluster of machines on the same network
environment.
But another, more common reason is that cybercriminals want to make a ton of
money from unsecured systems, and ransomware attacks give them an instant cash-out
that is mostly untraceable when paid in cryptocurrencies such as Bitcoin and Zcash. In some
circumstances, rogue nations practising espionage also conduct state-sponsored
cybercriminal activity and infect target countries with ransomware, both as cyberwarfare and to
find new sources of revenue. These countries make use of contractors within the target country
who have very good access to many organizations around the world to distribute their
ransomware.
The rise of more sophisticated ransomware attacks designed to shame the victims.
Press coverage of recent ransomware attacks such as WannaCry and Petya has generated
considerable interest from hacker groups in ransomware samples and their analysis. The world
must expect to see growth in these kinds of attacks, with more copycat attacks emerging from
different geographical areas as more ransomware samples are downloaded for reverse
engineering and analysis. These attacks will be directed more at profitable systems around the
world, such as:
Self-checkout systems at grocery store chains
Bank ATMs
Hotels
Computerized billboards
Hosting servers
Government institutions
Profitable groups
Basically, any organization that has a kiosk-type system exposed to the public and running on
older, insecure versions of Microsoft Windows can be infected. New strains for Linux and
macOS are being developed, and sites on the darknet claiming to offer such services are
beginning to advertise their malware to interested groups.
If these types of systems get infected with ransomware, everyone knows you have been hit,
there is a lot of pressure to resolve the problem quickly, and the victim may even pay the
ransom in the hope of restoring the infected resources. Cybercriminals have
developed ways to infect Internet of Things (IoT) devices with ransomware. They have
devised ways to attack the whole cluster of IoT devices connected to the same network
through open protocols that face the public internet.
A further trend is ransomware that needs no executable file at all: it uses a combination of
scripting languages (such as PowerShell and JavaScript) and Microsoft Windows API calls to
encrypt the files on a victim's machine. The encryption, the ransom note, and the call-out to a
command and control server are all completed without an executable file. These ransomware
families can avoid detection by many traditional security vendors because they take advantage
of legitimate processes on the system, so everything they do looks like legitimate activity.
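Because the script host itself still shows up in process-creation telemetry, this pattern can be detected on the endpoint even though there is no file to scan. The following Python is an added example, not code from the article: it runs three rules over constructed process-creation records (the parent image / image / command line layout, the sample events and the rule names are all assumptions made for illustration) and flags Office applications spawning a script host, PowerShell launched hidden or with an encoded command, and wscript/cscript executing a script from a user-writable folder.

```python
"""Detection rules for the script-based ("fileless") ransomware pattern,
run over constructed process-creation records.

Added example, not code from the article. The record layout (parent
image, image, command line), the sample events and the rule names are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Real PowerShell switches that hide the window, skip the profile or pass a
# Base64-encoded script: legitimate, but rare on ordinary user workstations.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b",
    re.IGNORECASE)
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Names of the rules the event triggers; an empty list means no finding."""
    child, parent = _base(ev.image), _base(ev.parent_image)
    if child not in SCRIPT_HOSTS:
        return []
    hits: List[str] = []
    if parent in OFFICE_PARENTS:
        # A document or mail client should not need to start a script engine.
        hits.append("office-spawned-script-host")
    if child == "powershell.exe" and SUSPICIOUS_PS_FLAGS.search(ev.command_line):
        hits.append("hidden-or-encoded-powershell")
    if (child in {"wscript.exe", "cscript.exe"}
            and SCRIPT_FILE.search(ev.command_line)
            and USER_WRITABLE.search(ev.command_line)):
        # JScript/VBScript executed straight out of a user-writable folder.
        hits.append("script-from-user-writable-path")
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """(index, rule hits) for every event that triggers at least one rule."""
    out: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry: two malicious-looking launches, three benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\ann\Downloads\invoice.docm"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -enc QQBBAEEA"),  # dummy Base64 ("AAA")
    ProcEvent(r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ann\AppData\Local\Temp\invoice.js"'),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", ", ".join(hits))
```

The scheduled backup job in the fourth record is why the rules key on the parent process and the switches rather than on the mere presence of powershell.exe: the same binary is used legitimately by administrators, and it is the combination of an Office parent, a hidden window and an encoded payload that marks the pattern the article describes.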
As ransomware attackers look to expand their attack surface, the easiest way to do that is to
increase the number of people who see their email, or to have the ransomware install automatically
when the victim opens the email. If the ransomware groups can find weaknesses in the security of
email providers, or use some of the millions they have made to buy zero-day exploits for
weaknesses that may exist, they can increase the number of successful installs
and increase their revenue even more. This is what is happening today: the Shadow Brokers leaked
the EternalBlue exploit, and cybercriminals used the vulnerability it targets to build
ransomware such as WannaCry, which attacked hundreds of thousands of systems
across the world.
There is a distinction between the IoT device itself and the Windows systems that serve as
the face of these IoT systems; the latter will be subject to attack in the same way as other Windows
systems. In fact, in some ways they may be more susceptible to ransomware. The control
systems of these IoT devices often run specialized software that controls the functions of the IoT
devices. This specialized software usually requires a specific version of Windows, one that is
often outdated, unpatched or with less vendor support for its core development.
The IoT devices themselves are mostly built on Linux, UNIX or specialized operating systems that
handle the day-to-day functions of those systems. They are too obscure to be a reliable target for
mass-produced ransomware. There is also a difference in the way file systems and permissions are
set up on Linux/UNIX systems compared with Windows computers, which makes mass-produced
ransomware ineffective against Linux IoT devices. Most people act as local administrator on
their home computer, and even a lot of companies allow their users local administrative access
to their workstations. In practical terms, this means that the user can access every file on the
system. When a victim inadvertently installs ransomware, that ransomware also has access to
everything on the system and can encrypt it all. Linux/UNIX systems operate differently. The
user only has access to his or her own files, not all files on the system. Even if a user does
accidentally install ransomware, it will only be able to encrypt the user's files, not all the
files on the system. For ransomware to be effective on a Linux/UNIX system, the attacker would
need either a victim logged in as root or to package a privilege escalation with the ransomware.
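To make the root-versus-user argument above concrete, here is an added Python model (not from the article) of the classic owner/group/other write check. The file table, uids and gids are constructed; ACLs, capabilities other than root's DAC override, and read-only mounts are ignored. It computes which paths a payload could overwrite, first as the ordinary user alice and then as root, which is what a bundled privilege escalation would buy the attacker.

```python
"""Why a payload running as an ordinary Linux/UNIX user reaches far fewer
files than one running as root or as a Windows local administrator.

Added example, not code from the article. The file table is constructed;
the permission logic is the classic owner/group/other check and ignores
ACLs, read-only mounts and capabilities other than root's DAC override.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class FileEntry:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # permission bits, e.g. 0o640


# Constructed sample tree: a small multi-user box with a web root.
FILES = [
    FileEntry("/etc/passwd", 0, 0, 0o644),
    FileEntry("/etc/shadow", 0, 42, 0o640),            # gid 42 = shadow
    FileEntry("/home/alice/notes.txt", 1000, 1000, 0o644),
    FileEntry("/home/alice/.ssh/id_ed25519", 1000, 1000, 0o600),
    FileEntry("/home/bob/thesis.tex", 1001, 1001, 0o644),
    FileEntry("/srv/www/index.html", 0, 33, 0o664),    # gid 33 = www-data
    FileEntry("/var/log/syslog", 0, 4, 0o640),         # gid 4 = adm
]


def can_write(f: FileEntry, uid: int, gids: Set[int]) -> bool:
    """Discretionary access check for the write bit: owner, then group, then other."""
    if uid == 0:
        return True  # root bypasses DAC (CAP_DAC_OVERRIDE)
    if uid == f.owner_uid:
        return bool(f.mode & 0o200)
    if f.group_gid in gids:
        return bool(f.mode & 0o020)
    return bool(f.mode & 0o002)


def encryptable(files: Iterable[FileEntry], uid: int, gids: Set[int]) -> List[str]:
    """Paths a payload with these credentials could overwrite, and thus encrypt."""
    return sorted(f.path for f in files if can_write(f, uid, gids))


def blast_radius(files: List[FileEntry], uid: int, gids: Set[int]) -> float:
    """Fraction of the tree at risk for a given identity."""
    return len(encryptable(files, uid, gids)) / len(files)


if __name__ == "__main__":
    scenarios = [
        ("alice, ordinary user also in www-data", 1000, {1000, 33}),
        ("root, after a bundled privilege escalation", 0, {0}),
    ]
    for label, uid, gids in scenarios:
        pct = 100 * blast_radius(FILES, uid, gids)
        print("%s: %.0f%% of files -> %s" % (label, pct, encryptable(FILES, uid, gids)))
```

Run as alice, the payload reaches her own files and the group-writable web root but not /etc/shadow, the logs or another user's home; run as root it reaches everything, which is exactly the situation a Windows user with local administrative rights is in from the start.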
There is a strong need for the security community to collaborate closely with law enforcement
agencies to permanently shut down the domains behind ransomware and the exploit kits that
deliver it. Law enforcement agents should be trained in cyber security, and cybersecurity units
within law enforcement agencies should work with other nations to help stop the spread of
ransomware and malware-related activities. Law enforcement agencies should also consider
collaborating with security researchers and malware analysts when it comes to dissecting
ransomware and developing new protections and cyber response methodologies.
Here are a few best practices to minimize the risk and data loss associated with ransomware attacks:
Back up confidential and useful data, and test the backups regularly to verify that they restore.
Disable Microsoft Office macros by default, and selectively enable them only for those who need them.
Keep web browsers, services, protocols and plug-ins such as Adobe Flash, SMB and Microsoft Silverlight updated, and prioritize patching systems when new updates are released.
Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them with effective access control systems and policies.
Scan incoming emails for suspicious attachments, including examining the contents of all compressed attachments.
Disable or remove the PowerShell, wscript and cscript executables on all non-administrative workstations to prevent infections.
Automatically quarantine any email that has an attachment containing a script or a .scr file extension, or that comes from an unknown domain name.
Do not give all users in the organization local administrative access to their workstations if the computer is an organization-owned system.
Use threat intelligence to gain visibility into your organization's external threat environment, and monitor for emerging ransomware threats to your organization with reputable security and reporting tools such as Symantec solutions and Kaspersky.
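Several of the items above (scan attachments including compressed ones, quarantine script and .scr attachments or mail from unknown domains, keep macros off by default) can be enforced at the mail gateway. The following Python is an added example, not the article's or any vendor's code: it triages constructed in-memory attachments, looks inside zip archives (which is also how macro-enabled OOXML documents are stored, so a vbaProject.bin member reveals a VBA project), recurses into nested archives with a depth limit, and returns a deliver/quarantine verdict with the reasons. The known_domains allowlist, the member-size limit and the nesting limit are assumed parameters.

```python
"""Mail-gateway attachment triage applying the best-practice list:
quarantine script and .scr attachments, inspect compressed attachments,
flag macro-enabled Office documents, hold mail from unknown domains.

Added example, not the article's code. All sample attachments are
constructed in memory; the domain allowlist and the size/depth limits
are assumptions.
"""
import io
import zipfile
from typing import Dict, List, Set, Tuple

# Extensions treated as executable script or screensaver payloads.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".hta",
               ".scr", ".bat", ".cmd"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not expand absurdly large members (zip bombs)
MAX_DEPTH = 2                        # nested-archive limit


def _ext(name: str) -> str:
    """Lower-cased final extension of a file or archive member name."""
    name = name.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def _scan_archive(data: bytes, depth: int) -> List[str]:
    """Reasons to quarantine found inside a zip container (recursive)."""
    if depth > MAX_DEPTH:
        return ["archive nested deeper than %d levels" % MAX_DEPTH]
    reasons: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # OOXML documents (.docm, .xlsm, ...) keep VBA macros in this member.
        if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
            reasons.append("contains VBA macro project")
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext in SCRIPT_EXTS:
                reasons.append("archive member %s has script extension" % info.filename)
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append("archive member %s too large to inspect" % info.filename)
                continue
            if ext == ".zip":
                reasons.extend(_scan_archive(zf.read(info), depth + 1))
    return reasons


def assess_attachment(filename: str, data: bytes, sender: str,
                      known_domains: Set[str]) -> Tuple[str, List[str]]:
    """Return ("deliver" | "quarantine", reasons) for one attachment."""
    reasons: List[str] = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in known_domains:
        reasons.append("attachment from unknown domain %s" % domain)
    if _ext(filename) in SCRIPT_EXTS:
        reasons.append("attachment has script/.scr extension")
    # Zip-based containers: plain .zip archives and OOXML Office documents.
    if zipfile.is_zipfile(io.BytesIO(data)):
        reasons.extend(_scan_archive(data, 1))
    return ("quarantine" if reasons else "deliver", reasons)


def _zip_with(members: Dict[str, bytes]) -> bytes:
    """Build a small zip archive in memory (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: (attachment bytes, sender address).
SAMPLES = {
    "report.pdf": (b"%PDF-1.4 constructed dummy", "alice@partner.example"),
    "invoice.zip": (_zip_with({"invoice.pdf.scr": b"MZ dummy"}), "billing@partner.example"),
    "quote.docm": (_zip_with({"[Content_Types].xml": b"<Types/>",
                              "word/vbaProject.bin": b"\x00"}), "sales@partner.example"),
    "notes.txt": (b"plain text", "nobody@unknown.example"),
    "deep.zip": (_zip_with({"inner.zip": _zip_with({"run.js": b"//"})}), "ops@partner.example"),
}
KNOWN_DOMAINS = {"partner.example"}


def triage_all(samples=SAMPLES, known=KNOWN_DOMAINS) -> Dict[str, Tuple[str, List[str]]]:
    return {name: assess_attachment(name, data, sender, known)
            for name, (data, sender) in samples.items()}


if __name__ == "__main__":
    for name, (verdict, why) in triage_all().items():
        print("%-12s %-10s %s" % (name, verdict, "; ".join(why)))
```

Only the plain PDF from a known partner is delivered; the double-extension .scr inside a zip, the macro-enabled document, the mail from an unknown domain and the script hidden two archives deep are all held, each with a reason the mail administrator can act on.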