Game of Ransomware

The Four Horsemen of The Ransomware Apocalypse Keep Riding On

Optimistic souls predicted last year that ransomware attacks had their heyday in 2017, so that we would see a decline in 2018. Bad news – this is not the case…The four horsemen of the ransomware apocalypse keep on riding, just changing their targets, tools, methods and tactics. The motive for ransomware remains the same: money. (A noted exception is the NotPetya ransomware attack which was aimed at paralyzing a nation’s economic infrastructure).

At its core, ransomware attack is nothing more than an extortion scheme. Hackers had to up their game, since it proved not as lucrative as the cybercrooks wanted. According to a recent survey, more than half (61.3% to be exact) of the respondents refused to pay ransom, with the majority being able to recover data files by running special apps or using backup files. (BTW, more than half of the victims that did pay never got their files back since the cybercrooks didn’t provide ransomware decryption instructions or apps, or these tools did not work).

Let’s have a closer look at the changing landscape of ransomware attacks. Although the number of ransomware attacks targeting individuals might have dropped, some industries remain prime targets. The healthcare sector, especially hospitals, are still being targeted and will continue to be targeted by ransomware campaigns.


The first horseman – Targets

Hackers define the most vulnerable and profitable targets to attack to yield maximum profit. As we have seen above, victims are less and less willing to pay ransom. Especially individuals often don’t have the financial means to pay ransom. As for organizations, the focus is on the most lucrative ones, more specifically those in the healthcare industry. According to a recent report, 45% of cross-industry ransomware attacks in 2017 involved healthcare, followed by finance and professional services at 12% each.  There are various reasons why hospitals and the like are soft targets. The healthcare industry is slow in addressing known vulnerabilities or complying with best security practices. Furthermore, password sharing is standard as is outdated software. Future targets will quite likely include robots. Researchers were able to infect the humanoid NAO robot with custom-built ransomware, which would also be able to infect Pepper robots.


The second horseman – Tools

The latest tool in the ransomware arsenal is Ransomware-as-a-Service (RaaS). Instead of creating their own ransomware, attackers can now become a RaaS ransomware affiliate. In case of the Saturn ransomware, hackers can become a ransomware distributor for free and split the profits with the Saturn owners. Following in the footsteps of Saturn, the Data Keeper RaaS was launched on the Dark Web, as was BlackTDS which costs $6 per day, $45 per 10 days, $90 per month. The low cost, ease of access and relative anonymity of BlackTDS will make it easy for cybercrooks to launch their ransom attacks, eliminating the need to create malicious code themselves.


The third horseman – Distribution

The main ways that hackers use to distribute their ransomware are spam / phishing emails and malvertising. As the latest Sigma ransomware attack shows, delivering ransomware via phishing emails still works. In the case of Sigma, an email purportedly from someone looking for a job lured the recipient to open an infected Microsoft Word resume. To learn more about Sigma rules, read our article on what is a sigma rule.

Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Last June, the hacker group AdGholas group launched one of the largest malicious advertising campaigns in history, waging ransomware attacks against universities, websites and businesses in the United Kingdom. As it looks now, hackers will keep on using emails and malvertising to spread their ransomware.


The fourth horseman – Ransom

To remain anonymous, ransom has to be paid in a cryptocurrency such as Bitcoin or Moreno. According to the latest statistics, global ransomware damage costs exceeded $5 billion in 2017, which is up from $325 million in 2015. The average amount paid in ransom per office worker stands at approximately $1,400. European small and midsize businesses (SMBs) paid out almost $100 million last year to recover encrypted files. Even when no ransom is paid, organizations still have to bear the cost of downtime. It is estimated that ransomware attacks cost businesses nearly $100m in downtime between 2017 and 2018. In short, ransomware pays – bit time.


Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.

Start a Free Trial

Don’t speculate, Cymulate