By Michael Fratello, Security Consultant at Nettitude
If the last five years of malware-related cybercrime were made into a movie, “The Ascension of Ransomware” would be quite the fitting title. The impact of the CryptoLocker ransomware, which emerged in late 2013, was devastating, and it caused a chain reaction. CryptoLocker revealed that the distribution of ransomware can be quite lucrative, and as expected, more and more threat actors sought to hop onto the ransomware bandwagon in hopes of achieving the same financial success as the CryptoLocker author(s). We are still seeing devastating, high-profile attacks today, such as the ransomware attack last week that brought down Hydro, one of the world's biggest aluminium producers.
The evolution of ransomware
Over the last few years, the exponential growth in the sophistication of ransomware has been both impressive and a nightmare for everyone who owns or uses a device connected to the public Internet. The capabilities of ransomware have increased significantly over this period, for example:
- Many early ransomware strains distributed in the wild around 2013 could already enumerate and infect connected removable storage devices, as well as open network shares. However, these early variants could only reach network shares that had been mapped to a drive letter on the compromised system. The ability to enumerate and spread to any open share the infected host could reach on the network, including shares that had never been mapped to a drive letter, was one of the first functionality upgrades implemented by ransomware authors.
- Ransomware has always been, and continues to be, distributed in various ways. However, one ransomware family, ‘SamSam’, favoured a distribution method different from that of the vast majority of other analysed ransomware samples. Specifically, ‘SamSam’ operators used a three-step process: first they identified a vulnerable server or service running on a host reachable from the public Internet, then they exploited the vulnerable instance to compromise the device, and finally they infected the compromised host by hand, executing the ransomware payload themselves. Early variants initially targeted vulnerable JBoss servers, while more recent variants targeted hosts running vulnerable, misconfigured Remote Desktop Protocol (RDP) instances exposed to the public Internet.
- Modern day ransomware has evolved significantly over the years; so much so that a new term was coined to accurately classify new ransomware strains that incorporate previously unseen advanced capabilities: cryptoworm.
- Ransomware that falls under the cryptoworm classification, as the name implies, possesses many of the same capabilities as malware classified as a ‘worm’. In short, ransomware that carries this designation is capable of self-propagating throughout every network that the initially infected host, and any subsequently infected hosts, are connected to.
- The first large-scale distribution campaign of a ransomware strain classified as a ‘cryptoworm’ occurred in May 2017, with the birth of the ‘WannaCry’ ransomware.
The growing impact of ransomware
What is the cost of this to businesses? Unsurprisingly, it’s hefty. It is no secret that a successful compromise by ransomware results in a very costly recovery process, regardless of whether or not a ransom payment is made (if one is even demanded). The true cost of compromise lies in the funding required to recover successfully, and it is driven up further by the losses incurred through downtime and any resulting loss of business.
In 2017, it was estimated that the average cost per ransomware attack to businesses was approximately $133,000. In addition, it has been estimated that the total costs incurred by organizations globally due to ransomware infections will reach $11.5 billion in 2019.
Every second of every day, malicious actors are working to stay a step ahead of security teams. However, overall ransomware statistics diminished through 2018 compared to previous years, as the number of logged ransomware attacks fell nearly 30% from Q3 2017 to Q3 2018.
To find out why, and how we predict that this trend will evolve, download our full research report here.