Of the many cyber-threats organisations face on a daily basis, ransomware is one of the most widely known and publicised. Malicious software strains such as ransomware and crypto-jackers have proven to be effective tools for cyber-criminals, and the signs point to this continuing. In a quarterly threat report by McAfee, known strains of malware that exploit software vulnerabilities were found to have grown by over 150% in the second quarter of 2018.
“WannaCry and NotPetya provided cyber-criminals compelling examples of how malware could use vulnerabilities to gain a foothold in systems and then quickly propagate across networks.”
– Christiaan Beek, Lead Scientist and Senior Principal Engineer, McAfee Advanced Threat Research
The WannaCry and NotPetya strains of ransomware are the best-known malware attacks and some of the most publicised cyber-attacks of the past two years. Both strains managed to infect thousands of organisations in a matter of days by using ‘worm’ code to spread across networks at high speed, infecting organisations small and large alike. With new strains being found constantly, researchers are finding that cyber-criminals are attempting to copy and replicate the styles of attack seen in both WannaCry and NotPetya. Previously unknown strains of malware and ransomware are in some cases still exploiting vulnerabilities first found in 2014; manufacturers and software companies have since patched these, but due to poor patch management some organisations are still falling victim.
Why were WannaCry and NotPetya so successful?
The WannaCry ransomware attack made headlines in May 2017 when the strain targeted a known vulnerability in Windows systems, infecting a reported 300,000 organisations in just three days. The strain, which encrypted systems and demanded a ransom, was one of the first major strains found to be using worm code to help it spread faster across networks. Damages from the attack are estimated to be worth billions. Following the attack, the United States, United Kingdom, Australia and other countries placed the blame on a state-led North Korean attack.
The Petya strain of ransomware first came to prominence in 2016, but in 2017 a new version of the strain made headlines as it followed the example of WannaCry by using a worm to launch a large-scale attack in a short space of time. The 2017 attack, dubbed NotPetya by researchers, had fundamental differences from the original; notably, it was found to have no capability to decrypt systems after they had been encrypted. Among the targets of this attack were energy companies, the national Ukrainian power grid, banks and other organisations.
One of the most significant ransomware strains of recent times is GandCrab, a malware infection that has netted its operators an estimated nine-figure pay-out from targeting large, high-value corporate systems; an estimated 500,000 victims have been struck by the infection since July 2018.
Bitdefender, a cybersecurity and anti-virus software company, believes that victims paid more than a quarter of a billion dollars to have their data decrypted in the space of just two months. This is astounding, given all the literature detailing how best to protect against and recover from these threats.
Unlike other ransomware that targets as many systems as possible with the aim of obtaining multiple small pay-outs, the GandCrab cyber-criminals demand huge pay-outs in the hope that some of the infected systems belong to large companies. They rely on wealthy businesses choosing to stump up extortionate amounts of money to get essential data back rather than have an embarrassing breach of their data security released to the press.
The GandCrab cyber-criminals create personalised ransom notes once they realise they have infected a high-value machine. According to Bitdefender, the developers of GandCrab have made around $300 million since its inception. This is because the lowest ransom demand is typically $600 and almost half of infected victims give in to the ransomware. Some victims have reportedly paid ransoms of $700,000.
Ransomware vs Crypto-jacking
The latter half of 2017 and the early part of 2018 saw a new malware threat come to light, taking direct advantage of the growth in the value and use of cryptocurrencies. Crypto-jacking is malicious code that hijacks a system and silently begins to mine cryptocurrencies using the available resources, without the knowledge of the system’s owners. The second quarter of 2018 saw an 86% rise in the known samples of crypto-jacking/mining malware, putting the number of known samples over five million.
It has been estimated that in the last 24 months some $1.5 billion worth of crypto-currency has been stolen.
‘Cyber crime is a business, and market forces, such as the rise in cryptocurrency values, will continue to shape where adversaries focus their efforts… Cryptomining malware is simpler, more straightforward, and less risky than traditional cyber crime activities – causing these schemes to skyrocket in popularity over the last few months. In fact, cryptomining malware has quickly emerged as a major player on the threat landscape. Organisations need to remain vigilant to these threats – particularly in today’s cloud-first landscape, when many companies are seeing a rapid increase in cloud applications and environments to secure’
– Raj Samani, McAfee Fellow and Chief Scientist.
The human touch
With the rise of malware and ransomware strains taking advantage of software vulnerabilities, there is additional onus on organisations to update and protect their systems regularly and procedurally. Vulnerabilities that have been patched since 2014 are still being exploited in some cases, meaning that poor patch management is putting organisations at risk.
Human error is still the most likely cause of a ransomware infection taking hold, with malicious sites, emails or attachments being accessed. Educating users won’t solve the problem completely, but helping them spot malicious content could be the difference between suffering a disaster, with the associated downtime, and merely having to update blacklists and security settings.
Recovering from the effects of ransomware
Ransomware can cost organisations millions. Not only is there the potential ransom to pay, but the associated cost of downtime and the negative effect on reputation also have to be dealt with. While paying a ransom may see data and systems decrypted, it is not a guarantee. There is also no guarantee of, or protection against, further attacks. Authorities such as GCHQ have recommended that organisations do not pay ransoms.
For organisations that have been struck by an attack, systems must be restored to operational capacity as quickly as possible. One of the best ways to do this is by ensuring that a full off-network (off-site) backup is in place for all data and that it can be accessed and recovered from in the event of a ransomware outbreak. Redstor has helped hundreds of organisations, small and large, recover from ransomware outbreaks and can give the ability to instantly access data while a full restore occurs, helping organisations get back to work straight away.