Mass-Scale Ransomware Attacks Providing Hackers the Ability to Earn Quick Money
By Carbon Black's Brian Baskin & Param Singh
September 21, 2017
During the past six months, the Carbon Black Threat Analysis Unit (TAU) analyzed more than 1,000 ransomware samples, categorizing them into more than 150 families. Its findings follow.
If global headlines in recent months are to be believed, ransomware’s increased ubiquity and sophistication have reached epidemic proportions. According to these reports, malware such as WannaCry and NotPetya has thrust ransomware into the public’s consciousness in an unprecedented fashion, while businesses around the globe scramble to keep up with the onslaught of attacks.
While it’s true that ransomware is more ubiquitous today than ever, a different reality exists when it comes to sophistication. According to a recent analysis of a large set of ransomware families by the Carbon Black TAU, the majority of today’s ransomware errs on the side of simplicity in an effort to target a mass set of victims as easily and quickly as possible. The net? Attackers are looking to make quick, easy money with unsophisticated malware, combined with sophisticated delivery methods.
To understand the world of ransomware, Carbon Black examined a sample set of more than 150 ransomware families. Our analysis reveals the majority of ransomware attacks are guided by simple economics and likely derive from unsophisticated actors who often leverage pre-existing do-it-yourself (DIY) attack kits purchased from the dark web.
Those who are striking out on their own also tend to use more accessible, higher-level languages, such as those built on .NET (C# or VB.NET), and reuse code from open-source projects and websites.
Episodic ransomware attacks, such as NotPetya, have made for splashy headlines, but reveal more about the general unpreparedness of worldwide businesses to handle these attacks than they do about a sophisticated evolution of ransomware. These attacks highlight that the industry at large is often failing to do infosec basics, such as patching.
Businesses appear to be focusing too heavily on next-generation threats while remaining unable to defend against the current era of basic malware. What’s more, public attention to new threats distracts many organizations from tooling their environments and training their staff to respond to basic attacks.
To many in leadership, the effort needed to secure environments seems so daunting that investing in response and recovery appears to be the better bet. As ransomware grew in prevalence, many businesses accepted the risk of individual machines getting infected and losing localized data, and implemented policies to quickly reimage the machine from its most recent backup and move on.
However, malware such as WannaCry and NotPetya changed that equation by including worm functionality to spread across networks. Reimaging a single infected system is ineffective when the ransomware can quickly move across the network and infect additional systems. Businesses that had accepted the risk of handling a few ransomware incidents now risked losing entire networks. This was seen in various British hospitals, where operations were shut down completely while ransomware spread itself automatically across a widely vulnerable network.
However, just as NotPetya was incrementally more sophisticated compared to WannaCry, the Carbon Black TAU expects a rising-tide evolution of ransomware in the coming months as attackers attempt to further extort money from unprepared businesses and consumers.
While the defenses required to limit the spread and damage of ransomware may be easy to determine, deploying them across large organizations is a challenge for many security teams. As ransomware becomes more sophisticated over time, that challenge only grows.
Security teams will have to implement better lines of defense to detect complex malware, as well as adversaries who encrypt data through non-malware attacks. Nor is the development of more sophisticated malware limited to single adversaries: Ransomware-as-a-Service (RaaS) operators can deploy one complex malware family to hundreds of thousands of potential victims at a time.
A Deeper Look at Ransomware
For this research, the Carbon Black TAU analyzed more than 1,000 ransomware samples, categorizing them into more than 150 distinct families. Ransomware, like most other malware, can be grouped based upon its development characteristics, its methods of injection, and its distinctive tactics, techniques, and procedures (TTPs).
Shared attributes suggest that the samples in a group were designed by the same set of developers for the same purpose. Each family may be unique in the encryption routine it uses, the files it targets, the style of ransom note it drops, or even the method by which it collects its ransom.
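To make the grouping concrete, here is an added example (not Carbon Black's tooling, and not from the original post) that clusters sample records into candidate families by how many analyst-extracted attributes they share. The sample records, attribute values and sample IDs are all constructed for the illustration; the similarity threshold of 0.5 is an assumed starting point, not a figure from the research.

```python
"""Group ransomware sample records into candidate families by shared traits.

Added illustration, not Carbon Black's tooling. Every record below is
constructed for the example; IDs and attribute values are made up.
"""
from itertools import combinations

# Constructed sample metadata: the kind of attribute set an analyst extracts
# from a sample (language, crypto routine, ransom-note name, a few targeted
# extensions). IDs s1..s5 are placeholders, not real sample hashes.
SAMPLES = {
    "s1": {"lang:.NET", "crypto:AES-256-CBC", "note:README.txt",
           "ext:.docx", "ext:.xlsx", "ext:.jpg"},
    "s2": {"lang:.NET", "crypto:AES-256-CBC", "note:README.txt",
           "ext:.docx", "ext:.xlsx", "ext:.pdf"},
    "s3": {"lang:C++", "crypto:RSA-2048+AES", "note:HOW_TO_DECRYPT.html",
           "ext:.docx", "ext:.sql", "ext:.vmdk"},
    "s4": {"lang:C++", "crypto:RSA-2048+AES", "note:HOW_TO_DECRYPT.html",
           "ext:.docx", "ext:.sql", "ext:.bak"},
    "s5": {"lang:Delphi", "crypto:Salsa20", "note:!!!READ_ME!!!.txt",
           "ext:.docx", "ext:.psd"},
}


def jaccard(a, b):
    """Jaccard similarity of two attribute sets, in the range 0.0 .. 1.0."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_families(samples, threshold=0.5):
    """Single-linkage grouping with union-find: two samples share a family
    when their attribute overlap meets the (assumed) threshold, and families
    merge transitively. Returns a sorted list of sorted sample-ID lists."""
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for sid in samples:
        groups.setdefault(find(sid), []).append(sid)
    return sorted(sorted(g) for g in groups.values())


def family_traits(samples, members):
    """Attributes common to every member of a family: the traits an analyst
    would write up as the family's signature (note name, crypto routine...)."""
    return set.intersection(*(samples[m] for m in members))


if __name__ == "__main__":
    for fam in cluster_families(SAMPLES):
        print(fam, sorted(family_traits(SAMPLES, fam)))
```

The threshold matters: every constructed record targets `.docx`, so lowering it far enough would chain all five samples into one "family" on the strength of a single shared extension. In practice the attributes that carry weight are the ones the post lists (encryption routine, ransom-note style, payment method), so a real pipeline would weight those above common file extensions.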
Our research highlighted some interesting trends: