While most people know the basics of ransomware, the details of this threat – like all aspects of cybersecurity – are constantly evolving with new developments. Learn about the trends and what to expect next.
In this post by Nick Graf, Assistant Vice President, Information Security, Risk Control at CNA Insurance, Graf discusses recent changes he sees in the tools, tactics, and procedures used by ransomware attackers and shares new information on detection avoidance, decryption tools, and industries that may face the highest risk. Finally, he makes some predictions on the future of ransomware (spoiler alert: it’s here to stay).
1. Malware uses new tactics to avoid detection
Traditionally, ransomware has involved gaining access to a computer, quickly encrypting the contents, and delivering a message to demand payment. However, we’ve noticed a shift in this process. Recent ransomware variants have begun to use a CAPTCHA test to ensure they’re interacting with a human target and not an endpoint detection and response (EDR) tool or other malware-blocking software.
Similarly, malware may attempt to detect if it’s being executed in a virtual environment, perhaps by a security researcher trying to reverse-engineer it. Unfortunately, we’ve seen attackers flip this on its head and deploy their malware inside its virtual machine to avoid detection by the host machine’s antivirus tool.
2. Payment extractions are becoming more complex
Another recent change involves how ransomware payments are extracted. Previously, attackers would encrypt host data and offer the decryption key for a ransom payment. As more businesses have become better prepared (through mature data backup strategies) or made the ethical decision not to pay ransom demands, attackers are turning up the pressure through a multi-pronged approach.
In addition to their usual method of encrypting data and demanding payment for decryption, attackers now frequently exfiltrate a copy of data in addition to encrypting it locally. If their initial payment request is rebuffed, they’ll threaten to publish the exfiltrated data unless a payment is made for its deletion. We’ve also seen examples where, when no payment is made, the attacking groups attempted to auction off stolen data on the dark web to the highest bidder.
3. Reputation scores provide helpful info for victims of ransomware
One of the most uncertain aspects of dealing with a ransomware event is when it’s been determined that payment must be made. Will the criminals uphold their end of the bargain if the payment is made, supplying the decryption key or deleting the data as promised? While there are no certainties, companies have moved into this space, focusing on brokering ransomware payments and affixing a reputation score to each attacker group. This can provide confidence that the attackers will follow through on their part of the deal.
4. Decryption tools can present risks
While decryption tools have been created for many ransomware variants, we see an uptick in malicious or poorly designed decryption tools that may purposely cause harm or inadvertently corrupt the encrypted data, rendering recovery impossible. Many of these appear in response to simple Google searches for “ransomware decryptor,” offering to decrypt data for free, which sounds very enticing to an affected user. We’ve also seen user errors in this area. For example, a user infected with ransomware attempts to run a legitimate decryption tool, but incompatibility or the wrong variant causes damage and renders recovery impossible.
5. Service providers continue to be a target for ransomware
There’s been a shift in ransomware campaigns targeting, and attacking groups are looking to inflict the most damage possible. Their latest targets are service providers that operate in the information technology, healthcare, legal, and accounting spaces.
The breach of a service provider’s backend environment can directly impact customer data in the vendor’s care. Still, it also might allow malware to spread back to the vendor’s customer’s systems. In all cases, a mature vendor management program is critical. Know your vendors, be aware of their data and access, and ensure it is appropriate and well-secured.
The future of ransomware
Where might ransomware go next? While infections on traditional operations systems will continue, there are new areas to watch. For example, cellphones running old versions of their operating system may be at risk – especially if they install applications from third-party app stores.
Attackers will also continue to leverage malicious web browser extensions. They have become adept at sneaking them into the official extension stores for Google Chrome, so use caution before installing any attachments in your browser. Attackers will also focus on abusing intelligent home devices, especially devices made by less-familiar companies that aren’t patched for security issues.
We believe healthcare and law firms will also continue to be targeted due to the value of their confidential data. Regardless of size, companies in these industries should look for ways to fortify their data protection strategy.
And finally, the attacking groups are leveraging the current pandemic as a “hook” for their activity, pretending to share information on testing, tracking, cures, and remedies with hopes of getting an unwitting user to click their link or open their attachment.
Have More Questions?
For helpful tips on other popular topics, check out our articles on Commercial Crime Insurance, Ransomware Developments, and Cyber Insurance. We are always here to help you, your employees, and your business with all your insurance needs – from commercial insurance to group benefits to personal insurance. Thank you for allowing Mason-McBride to serve you!
Disclaimer: The information, examples, and suggestions presented in this material have been developed from sources believed to be reliable. However, this is not legal advice, and CNA and Mason-McBride cannot accept responsibility for its applicability to your specific circumstances: no one should act based on this article without first seeking appropriate professional advice, including advice of legal counsel, based on a thorough examination of their situation, relevant facts, laws, and regulations. This material is for illustrative purposes and does not constitute a contract.