New Year, New Ransomware Tricks: Five Ways Cybercriminals Are Upping the Ante in 2018


It’s every business owner’s nightmare: You go to work, flip on your computer, and are greeted by a red warning screen trying to extort you into paying ransom in Bitcoin to unnamed shadowy figures hidden somewhere in the Dark Web. Frankly, unless you have advanced security in place, you shouldn’t be too surprised: Ransomware is on the rise, and has been for the past 18 months.

However, not all ransomware is created equal. In 2018 we’re seeing cybercriminals employing new tactics, rolling out new functionality, and aiming at new targets. Ransomware is evolving, and every business, large or small, needs to be aware of this shifting threat landscape.

Let us not forget that cybercriminals consider what they do to be a job. These aren’t 18-year-old script kiddies wearing hoodies and living on Doritos and Red Bull in their parents’ basements. They’re organized. They think about business models: ransomware-as-a-service offers a lot of upside if you’re a black hat type. They are, above all, disciplined. They wake up in the morning, work long hours, and put a lot of effort into differentiating their tactics and their code in order to return as large a profit as possible. Believe it or not, they even offer customer service and support! Most ransomware offerings on underground forums try to differentiate with a help desk function. In short, they believe themselves to be entrepreneurs, and just like legitimate business owners with a passion for their work, they hit it hard every day in an effort to be the best at what they do.

The result of this ongoing dedication is a level of innovation that shouldn’t be discounted. A critical component of staying ahead of the threat is to understand it in the first place. Here are five emerging ransomware trends to be aware of as we go forward:

1. Internet of Things (IoT) in the Sights

Cybercriminals are upping their game in 2018 to drive profits, and that means targeting IoT systems and mission-critical point-of-sale systems. According to Forrester Research, because chip-and-PIN cards and end-to-end encryption are making it harder for hackers to lift credit-card information the old-fashioned way (i.e., using malware to scrape data), attackers will instead look to extortion to make money from retail targets. To avoid having their entire payment apparatus locked down, retail businesses should focus their efforts on plugging the gaps exposed by default passwords, weak encryption implementations, and inadequate patching/remediation capabilities.

2. Targeting for Fun and Profit

Ransomware is becoming more targeted. It not only looks for certain file types, but also is taking aim at specific types of companies, such as law firms, healthcare providers, and tax preparers. Security researchers have flagged this evolution as an important change on the threat horizon from the “spray-and-pray” attacks most businesses are used to. Criminals have developed ransomware that targets databases, and can make small tweaks to their code to target critical proprietary files such as AutoCAD designs. The importance of this? A focused targeting of extensions means that ransomware attacks are more likely to succeed against legacy antivirus solutions. We can expect their frequency and severity to also increase.

3. Ransomware that Destroys Instead of Encrypting

Ransomware locks down files and demands payment in exchange for a decryption key. But some bugs are not what they seem. One example is a new malware called Ordinypt, which bills itself as ransomware. However, the code is really a wiper, with apparent twin motives of financial gain and disruption of business operations. Once an unwitting victim opens a malicious email attachment, the malware infects the victim’s machine, making files inaccessible, and then requests a ransom for recovering them, as is typical. Yet unbeknownst to the target, the files are actually destroyed, not encrypted, and the attackers have no code for “unlocking” them, even if victims pay up.

4. Necurs Never Sleeps

The Necurs botnet is one of the most omnipresent scourges on the cyber-front, believed to control more than 6 million zombie machines that have been enslaved to send out spam emails. Its scale is immense: It can average volumes in excess of 30 million emails per day, all aimed at spreading fraud and malware, including ransomware. Late last year, for instance, Necurs sent the Scarab ransomware to 12.5 million email addresses in just the first four hours of a massive campaign. It’s important to note that using large botnets like Necurs can give smaller ransomware actors the global reach they need to punch above their weight—making attacks much more prevalent.

5. Fooling Cloud Apps Like Child’s Play

Ransomware is also evolving for the cloud era. A new strain of Gojdue ransomware, dubbed ShurL0ckr, manages to evade being flagged by two well-known cloud platforms with built-in malware protection, Google Drive and Microsoft Office 365 – and it’s not alone in that capability. Increasingly, ransomware is being tailored to evade detection in cloud environments.

Don’t Be a Victim

All it takes is one employee clicking on the wrong email attachment for an infection to occur. To protect yourself, make sure you’ve backed up your systems and tested your ability to recover data in the event of a ransomware attack: Paying the ransom is not an option you want to take given there’s no guarantee you can trust the cybercriminal to release your systems and data. Also, many businesses are targets of multiple attacks—and those known to pay up will be among the first retargeted.
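As an added example (not from the original article or from TPx), here is one way to test a restore in Python: record SHA-256 hashes when the backup is taken, then compare a test restore against that manifest. The file names and the damaged restore in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256; record this when the backup is taken."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest from backup time."""
    restored = build_manifest(restored_root)
    report = {"missing": [], "altered": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)      # never came back
        elif restored[rel] != digest:
            report["altered"].append(rel)      # came back with different content
    report["unexpected"] = sorted(set(restored) - set(manifest))  # informational
    report["ok"] = not (report["missing"] or report["altered"])
    return report

def demo():
    """Constructed sample: a tiny source tree and a deliberately damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restore")
        for d in (src / "cad", dst / "cad"):
            d.mkdir(parents=True)
        (src / "ledger.db").write_bytes(b"accounts-v1")
        (src / "cad" / "plan.dwg").write_bytes(b"drawing-v1")
        manifest = build_manifest(src)
        # Restore drill: one file returns overwritten, one is absent, and a
        # file that was never in the backup set (a constructed note) appears.
        (dst / "ledger.db").write_bytes(b"\x00" * 11)
        (dst / "README_RECOVER.txt").write_text("constructed ransom note")
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backed-up machines cannot write to, so that an infection which reaches the backup set cannot also rewrite the hashes it is checked against.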

The better strategy is to make sure you’re protected in the first place. TPx offers a full suite of managed IT and business continuity services to help you protect your data and systems. We stay on top of the latest ransomware trends to deliver the latest detection, mitigation and prevention capabilities – all backed up by a state-of-the-art security operations center (SOC) staffed by a team of security analysts with deep military and intelligence backgrounds.

Contact your TPx representative today for details on how we can help you protect your company’s network against ransomware and other malware attacks.


About the Author

Matt Mair is a Senior Product Marketing Manager for Managed Services. His role includes marketing and communications for TPx’s suite of managed IT offerings including Managed SD-WAN, LAN Monitoring, Office 365, Workstation and Servers Management, Colocation and Server Backup solutions. Matt holds an MBA from Michigan State University’s Broad School of Business and resides in Los Angeles.