The rise of ransomware, along with a surprising array of variants, over the past year has been dramatic. We now see and track several types of ransomware. Traditionally, ransomware is a targeted attack, meaning that the victim is selected beforehand and the attack is designed to specifically target that individual organisation or network. In this case, critical resources, such as data, are encrypted, and a ransom is demanded in order to provide a key to unlock them.
We have also seen the rise of denial of service-based ransomware. This can take several forms. In the first, a denial of service attack aimed at an organisation overwhelms its services, making them unavailable to customers and users. A ransom is demanded to turn it off.
So how serious is the threat of ransomware? Last year, ransomware attacks more than doubled. Upwards of 4,000 ransomware attacks happen daily, infecting an average of between 30,000 and 50,000 devices monthly. And the potential for additional growth is huge. Even with this rate of increase, ransomware only comprises 2% of total malware attacks today. The financial repercussions of ransomware have skyrocketed as well. In 2015, a total of $24 million in ransom was paid out; in 2016, that number shot up to more than $850 million. The amount being demanded by cybercriminals is following a parallel path: the average demand for every attack jumped from $294 in 2015 to $679 in 2016.
But the biggest impact of ransomware is not in the ransoms being paid. Around 63% of organisations that experienced a ransomware attack in the past year indicate it led to business-threatening downtime. Another 48% report it resulted in the loss of data or hardware. And for those organisations that pay a ransom in exchange for being able to recover their data (42% admit they paid the ransom), one in four never recovered the data.
Mirai, which was launched last August and September, was the largest denial of service attack in history, in part because it leveraged hundreds of thousands of exploited IoT devices. Recently, a new Mirai-like IoT-based botnet called Hajime used exploited DVR devices to target organisations with an overwhelming DDoS attack combined with a demand for ransom to turn it off. Hajime is a next-generation IoT exploit. It is cross-platform, currently supporting five different platforms; it includes a toolkit with automated tasks and dynamic password lists that make it updatable; and it tries to mimic human behaviour to make less noise so it can stay under the detection radar.
An interesting twist has been the development of ransomware as a service (RaaS), allowing less technical criminals to leverage ransomware technology to start their own extortion businesses in exchange for providing the developers with a cut of any profits. Within this family we recently saw RaaS ransomware targeting macOS, which has thus far largely remained under the radar of attackers.
What we are seeing now are two additional exploits being added to the family of ransomware threats. With WannaCry, we saw ransomware designers for the first time combine ransomware with a worm to speed its delivery and expand the scale and scope of the attack. And now, with Petya/NotPetya, we see the addition of targeting the Master Boot Record to up the ante on the consequences of failing to pay the demanded ransom, from simply losing personal files, which may have been backed up, to potentially losing the entire device.
This is a new generation of ransomware designed to take timely advantage of recent exploits. This malware targets a variety of attack vectors, including the same vulnerabilities that were exploited during the WannaCry attack. Because, like WannaCry, this attack combines ransomware with worm-like behaviours, we are referring to these as a new malware group called ransomworms.
In spite of the highly publicised disclosure of the Microsoft vulnerabilities and patches, and the global follow-up WannaCry attack, there are apparently still thousands of organisations that have failed to patch their devices. Again, this may simply be a test for delivering future attacks targeted at newly disclosed vulnerabilities. WannaCry was able to generate very little revenue for its developers. This was due, in part, to researchers finding a kill switch that disabled the attack. Petya’s payload, however, is much more sophisticated, though it remains to be seen if it will be more financially successful.
The disruption that ransomware can cause is not insignificant. Only by harnessing all their cyber defence resources in a coordinated way can firms effectively fight massive cyberattacks like these.
The writer, Aamir Lakhani, is a global security strategist at Fortinet.