Ransomware rockets - time to take it seriously?
Once a low-volume, unsophisticated threat, ransomware has now become one of the most widespread malware risks around. Not only that, it’s one of the most insidious - find out why, and what you can do about it…
You’ll have heard of ransomware, although hopefully not experienced it first-hand yet, but that could all be about to change. A monthly rundown of the most prevalent malware on the internet has identified ransomware in the top three for the first time.
The ‘Locky’ strain of ransomware, first spotted in Feb 2016, accounted for 6 per cent of all recognised attacks globally during the month, and the share of ransomware within the total number of global attacks rose by 13 per cent, according to Check Point.
A separate study from earlier this year (Q3 2016) found that out of the billions of messages that used malicious document attachments, an astonishing 97 per cent now feature Locky ransomware, up 28 per cent from Q2 and 64 per cent from Q1, when Locky was discovered.
Part of the reason for this specific increase is that Locky malware is now being spread by the massive Necurs botnet, which is believed to number more than 6 million bots (although estimates vary widely) firing spam into the digital abyss.
The Necurs botnet itself has been a regular feature of spam campaigns for some time, and has resisted shutdown efforts because it combines centralised command-and-control (C2) with peer-to-peer (P2P) control methods, so there is no single server for law enforcement to seize.
As Ilia Kolochenko, CEO of High-Tech Bridge, has commented: “We cannot fight botnets by shutting them down. It's a similar situation to the drug industry - once a drug baron is jailed, another one takes his place because there is a demand for drugs on the market. Demand creates supply, and while we have a demand for cybercrime services - botnets will exist.”
However, this development tells us several things about Locky, Necurs and the team behind it. Firstly, the Locky malware must be effective enough to make it financially viable to re-task part of the botnet to disseminating it; a string of code updates over recent months demonstrates that the criminals responsible are actively refining its capabilities to keep it that way. Secondly, this high-volume strategy may infect larger numbers of victims, but they are likely to be those who have not taken precautions: the low-hanging fruit, as it were.
The standard layered security advice for mitigating ransomware attacks is to keep software and AV scanners up to date, educate users to minimise the number of links blindly clicked on, and ensure that a good backup and recovery system is in place, so that in the event of a successful ransomware attack you can roll back to an unencrypted copy of your data.
However, as High-Tech Bridge discovered some time ago, some attackers have created methods to get around even this best-practice advice.
In what High-Tech Bridge dubbed at the time a ‘RansomWeb’ attack, the attackers gained access to the server hosting an enterprise’s website, then quietly began encrypting data, decrypting it on demand, ‘on the fly’, whenever the site needed it, with the decryption key held only on a remote server under their control. Because the site kept working normally, nobody noticed; after a couple of months the most commonly used sections of the database had been ‘invisibly’ encrypted, and so had every backup taken in that period. At this point the attackers simply removed the decryption key from the remote server and sent their ransom demand. The enterprise website was offline, and the database and its backups were encrypted. Luckily, we have not yet heard of this type of sophisticated strategy applied in volume; if that changes, the cost of ransomware to enterprises would increase considerably from the current estimate of $209 million in the first half of 2016.
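To make the backup advice above and the RansomWeb pattern concrete, here is a small Python simulation. It is an added example, not code from the article or from High-Tech Bridge, and it does not reproduce any real attacker tooling: the data layer, the remote key server and the sample table are hypothetical, and the cipher is a stdlib HMAC keystream chosen only so the script runs without dependencies. It shows why the site keeps working while its data and backups are silently encrypted, and gives the restore-and-validate check a backup job should run so that an unreadable backup is noticed before the key is withdrawn rather than after.

```python
import hashlib
import hmac
import os
import re

# Constructed sample data (not from the article): a tiny "users" table
# holding the e-mail column a web application reads on every page load.
SAMPLE_ROWS = {
    1: "alice@example.com",
    2: "bob@example.com",
    3: "carol@example.com",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")


class RemoteKeyServer:
    """Hypothetical stand-in for the attacker-controlled host that holds the
    only copy of the key; the article gives no detail of the real one."""

    def __init__(self, key: bytes):
        self._key = key

    def fetch(self) -> bytes:
        if self._key is None:
            raise RuntimeError("key withdrawn: ransom demand follows")
        return self._key

    def withdraw(self) -> None:
        self._key = None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy reversible cipher using only the
    # standard library. Illustrative, not a recommendation for real use.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CompromisedDataLayer:
    """The attacker's shim between the web app and its table: every write is
    encrypted and every read is decrypted on the fly with a key that never
    touches the victim's disk, so the site keeps serving pages normally."""

    def __init__(self, rows: dict, keyserver: RemoteKeyServer):
        self.keyserver = keyserver
        key = keyserver.fetch()
        self.rows = {rid: encrypt(key, value.encode()) for rid, value in rows.items()}

    def read(self, rid: int) -> str:
        return decrypt(self.keyserver.fetch(), self.rows[rid]).decode()

    def dump_for_backup(self) -> dict:
        # The nightly backup job copies what is on disk, i.e. ciphertext.
        return dict(self.rows)


def verify_backup(backup: dict) -> list:
    """Restore-and-validate check: a backup of this table must decode as text
    and every value must look like an e-mail address. Returns the ids that
    fail, so [] means the backup is usable without anyone else's key."""
    bad = []
    for rid, value in backup.items():
        try:
            text = value.decode("utf-8")
        except UnicodeDecodeError:
            bad.append(rid)
            continue
        if not EMAIL_RE.match(text):
            bad.append(rid)
    return bad


def run_scenario() -> dict:
    keyserver = RemoteKeyServer(os.urandom(32))
    layer = CompromisedDataLayer(SAMPLE_ROWS, keyserver)
    served_ok = all(layer.read(r) == v for r, v in SAMPLE_ROWS.items())  # site works
    flagged = verify_backup(layer.dump_for_backup())  # the check that catches it early
    keyserver.withdraw()                              # attacker pulls the key
    try:
        layer.read(1)
        readable_after = True
    except RuntimeError:
        readable_after = False
    return {"served_ok": served_ok, "flagged_rows": sorted(flagged),
            "readable_after_withdraw": readable_after}


if __name__ == "__main__":
    print(run_scenario())
```

The point of verify_backup is that "a backup exists" is not the property you need; "a backup restores to data that passes the application's own sanity checks, using only keys you hold" is. Run the same kind of check against a restored copy, not against the live site, because the live site will happily decrypt everything for you right up until the attacker withdraws the key.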
Ilia Kolochenko, CEO of High-Tech Bridge, said: “Keeping a complete and up to date inventory of their digital assets is the best way for organisations to protect against botnets and ransomware threats. Also, installing patches and security updates in a timely manner, and making sure that continuous security monitoring of their networks is properly implemented at all times - prevention is better than cure in this case.”