No experience required: Ransomware in 2017 and beyond

Much to the chagrin of the computer security industry, business executives, and people around the world, ransomware had a banner year in 2016. Hospitals, mass transit systems, hotels, and government offices have all fallen victim to widespread ransomware infections that significantly degraded their capabilities and held their data hostage for significant periods of time. In response, the security community continues to commit significant resources to fight this family of threats, and are beginning to produce some promising results. However, despite these investments and advances, ransomware continues to proliferate and evolve at an accelerating rate, bringing in an estimated $1,000,000,000 in 2016.

While it is difficult to fully predict the evolution of ransomware, a review of recent trends in ransomware, malware, and the computer industry as a whole provides useful insights into what the future may hold, and allow us to better prepare for upcoming advances.

What's new in ransomware?

As we wrote last year when revealing the existence of a new version of TeslaCrypt, ransomware has expanded to a much broader audience than in previous years. Widespread spam campaigns and drive-by downloads facilitated by exploit kits helped attackers initiate an estimated 638 million ransomware attacks in 2016, a significant increase from an estimated 3.8 million attacks in 2015.

Operating system targets

Though Mac and Linux-based ransomware has been spotted in the wild, a vast majority of ransomware is Windows-based, as it is still the dominant operating system for personal computer end users. Ransomware attackers will continue to primarily target Windows until other operating systems catch up in market share, as the case has always been for malware in general. Mobile ransomware is a potential growing threat, but Apple and Google have largely kept it in check by keeping their operating systems regularly updated and reviewing submissions to their respective application stores.

Ransomware targeted against Internet of Things (IoT) devices is another potential area of growth. Most electronic household appliances now have wireless network connectivity. Juicers, weight scales, fridges, and toilets are among the devices that now offer connectivity and, thus, have the potential to be compromised on your home network. While connectivity may seemingly provide valuable extended functionality, these devices further expand your network footprint and may be more vulnerable to exploitation than your laptops and mobile phones.

So, are we all about to be subjected to a wave of ransomware that prevents you from flushing your toilet? Will ransomware disable your thermostat? Will ransomware burn your toast?

The most likely answer to all of these is... possibly. Ransomware has become so prevalent primarily due to its simplicity: attackers just need their payloads to execute on as many hosts as possible. Since most IoT devices tend to run some flavor of Linux and custom software that is optimized for their specific use case, the expected financial gains currently do not appear to justify the work involved to successfully target these devices. These devices also are not easily targeted in the same manner as ransomware attackers tend to distribute their payloads: spear phishing and drive-by downloads. Additionally, these devices do not typically contain the same type of valuable user data that elicits ransom payments from victims. Nevertheless, these devices are not immune to compromise and tend to be less secure than PCs and mobile platforms due to default security configurations as well as the inconvenience of downloading and applying software security updates. The Mirai botnet in particular demonstrated how susceptible to attack IoT devices are across the world.  Once an attacker successfully derives greater monetary value from deploying ransomware to IoT devices instead of utilizing them as part of a botnet, other copycat attacks could subsequently follow. It is an almost certainty that these devices will continue to be compromised and added to even larger botnets and subsequently leveraged in further distributed denial of service (DDoS) attacks.

Motivations

While monetary compensation is the overwhelming driver for ransomware attacks, the RanRan ransomware family that appears to be perpetuated by political dissidents in the Middle East points to attackers with differing motivations becoming more involved in the creation and use of ransomware. Dissidents and hacktivists looking to spread a message could find an audience through ransomware attacks, especially if they are successful and reported in the media.

Though disk wiping malware is typically associated with efforts to sabotage an organization, there have been recent reports of families of this type of malware now being modified to behave like ransomware by encrypting files and soliciting ransom payments from their victims. This combination of financial and destructive objectives puts the attackers in a unique position: they’re passing on the opportunity to outright destroy the data of their purported enemies in favor of making the data temporarily inaccessible in the hopes of procuring a ransom. As is the case with all ransomware attacks, there’s no guarantee that the perpetrators would make good on their promise in the event a ransom payment is actually made.

Technical advances and lower barrier of entry

Through our research, we have identified six key trends pertaining to ransomware that helped lead to both advances in capabilities by more skilled and experienced developers as well as the proliferation of ransomware through enabling less sophisticated attackers to become involved in its creation and distribution.

Exploit kits dropping ransomware payloads

Exploit kits have been around for over a decade, but the attackers leveraging them have started to alter their tactics due to the potential for easy and quick profits. Whereas before the ultimate goal for attackers leveraging an exploit kit would likely be to install botnet software and/or remote access tools (RATs) for spying on users and collecting credentials/personally identifiable information (PII), ransomware is being served up as the intended payload for these kits with increasing frequency. For example, in February 2016, the web site of a hospital in Ontario was hacked and subsequently modified to infect users with a variant of TeslaCrypt via the Angler exploit kit.

As new exploit kits continue to pop up and split off from or replace older kits, attackers will likely continue to use ransomware variants as part of their payloads to maintain a steady revenue stream due to their relative lack of sophistication. If attackers must choose between deploying ransomware and collecting/monetizing credentials and PII, they will likely continue to prefer the more straightforward and quicker attack scenario of ransomware versus the more conservative long con.

Ransomware kits and ransomware as a service

The success of exploit kits and malware as a service has led to equivalent ransomware-based offerings sprouting up. Ransomware kits and ransomware as a service offerings provide an even lower barrier of entry for prospective criminal attackers that want to get started in producing and distributing their own ransomware variants. A subset of users of Microsoft Office 365 were infected in June 2016 with a variant of Cerber, a well known ransomware as a service offering. The developers behind these offerings have gone to great lengths in marketing to potential customers on youtube, and even openly host their own sites.

The division of labor between the developers of kits and service offerings and ransomware attackers provides a mutually beneficial arrangement: developers continue to churn out more advanced ransomware while attackers focus on targeting new victims without needing to worry about the inner workings of the ransomware they are distributing. Both parties are also able to maintain their own steady revenue streams: sales of the ransomware keep the developers happy while the attackers collect cryptocurrency ransoms from their victims.

As less sophisticated and technical attackers continue to become involved in the distribution of ransomware, kits and service offerings will likely continue to evolve to meet their needs and enable them to target victims and collect ransoms even more quickly.

Open source/educational ransomware

Like other areas within the computer security industry, ransomware has seen its fair share of proof of concept/open source projects that have been published for the public, such as:

• AwesomeWare
• CryptoTrooper (inactive)
• EDA2 (inactive)
• Hidden Tear
• Fileless JavaScript POC
• Mabouia (MacOS)
• ShinoLocker
• Sipher

Though these efforts are meant to further research in the field and provide insight into how ransomware works under the hood, attackers have leveraged these projects to produce their own variants. For these attackers, they already have a fully functional codebase, so only minor changes are required to get their own variants up and running. In March 2016, a variant of the EDA2 open source ransomware project infected users via a link posted on a YouTube video. The availability of these projects in open source channels also provides additional camouflage in terms of attribution.

As security researchers work to devise more advanced methods for detecting and preventing ransomware, more open source ransomware projects will spring up to provide platforms for generating samples for testing and educational purposes. Ransomware attackers will continue to leverage these open source and educational platforms for their own destructive goals for the foreseeable future.

Offline ransomware

Ransomware variants that do not require an Internet connection to be fully functional are fairly prevalent. These variants do not require any command and control infrastructure, thus lowering the attacker’s footprint on the Internet and within their victims' networks. Also, since offline ransomware does not require any network functionality, their binaries/codebase can be further condensed and potentially appear less malicious to antivirus and endpoint protection detection mechanisms. A variant of the Dharma offline ransomware family was used to attack a horse racing web site based in India in January 2017.

Below are examples of offline ransomware families that the Endgame TRAP unit has observed throughout extensive testing:

• Cancer
• Chimera
• CryptConsole
• CryptoLocker
• CryptoMix
• CryptoShield
• Crysis
• Dharma
• DirtyDecrypt
• DMALocker
• FakeGlobe
• Fantom
• FireCrypt
• Globe
• GlobeImposter
• Gpcode
• Jigsaw
• Kangaroo
• Koovola
• PowerWare
• RansomPlus
• Rokku
• Sage
• Simple Encoder
• Spora
• TeslaCrypt
• Unlock92
• Xlocker
• Xorist
• Zyka

Though standing up ephemeral network infrastructure is easier than it has ever been thanks to an expanding range of cloud-based offerings, offline ransomware will likely continue to increase in prevalence due to the lack of a need for command and control endpoints.

Fileless attacks

As malware authors devise new and innovative means for circumventing endpoint protection mechanisms, "fileless" malware has seen an uptick in usage due to its ephemeral nature and ease in both development and deployment. It should come as no surprise, then, that fileless ransomware has gained traction recently. PowerWare and RAA are among the more notable examples of fileless ransomware that have appeared since 2016. In March 2016, an unnamed healthcare organization was the target of an unsuccessful spearphishing campaign that employed PowerWare. These ransomware variants are just as capable as those developed in lower level programming languages and distributed as executables, but they are more easily customizable and portable thanks to their scripting language frameworks.

PowerShell, VBA, JavaScript, and other native Windows scripting languages that play key roles (e.g. downloader, dropper, environment detection) in typical fileless attacks also frequently serve the same purpose in setting up both fileless and typical executable-based ransomware attacks. Until they are routinely detected and prevented by a majority of current AV and endpoint protection products, fileless attacks will continue to serve as key components of ransomware attacks.

Raw disk ransomware

Though it is not a new threat, ransomware that encrypts, replaces, or degrades individual disk drive sectors (rather than or in addition to individual files) such as the Master Boot Record (MBR) or the Master File Table (MFT) did not see much use until 2016. Most ransomware variants target user documents (e.g. DOC, PDF, XLS) while avoiding system critical executable files (e.g. EXE, DLL, SYS)  to keep the operating system stable and semi-operational. This allows victims to properly assess the damage and subsequently pay their ransom in order to retrieve their files.

With ransomware variants that target disk drive sectors, such pleasantries are not possible. If the startup disk drive is successfully targeted by one of these variants, users will likely be unable to even properly access the operating system, as the ransomware will have replaced the startup routine contained within the MBR with their own custom bootloader. These bootloaders will simply display a ransom note and prevent the user from proceeding further. A variant of the HDDCryptor raw disk ransomware family was used in the attack on the San Francisco Municipal Transportation Agency in late November 2016.

The following ransomware families that target raw disk drive sectors all were discovered in 2016:

• HDDCryptor/Mamba (January 2016)
• Petya (March 2016)
• Satana (June 2016)

These types of ransomware variants are potentially much more catastrophic to end users than typical file-based encryption ransomware since they have fewer options for potentially remediating the attack (e.g. volume shadow copies, network or external media-based file backups). Since the operating system has likely been overwritten and encrypted, users are left to assume that none of their files are recoverable. Depending on the success of these variants in soliciting ransom payments from their victims, ransomware attackers may develop advancements in an effort to further infect hard disk drives, the system BIOS, and other low level system components.

Conclusion

Unfortunately, ransomware does not appear to be going away anytime soon. As long as the risk to reward ratio remains in favor of ransomware, we are likely to see continued growth and creativity from its developers and attackers. In order to protect themselves from the effects of ransomware, users are highly encouraged to secure their hosts with a fully featured endpoint security product and maintain regular offline backups of their most important documents that may be susceptible to loss during ransomware attacks.

As for what to expect, there likely will be further developments in ransomware for MacOS, Linux, mobile platforms, and possibly IoT devices. Exploit kits, ransomware kits, ransomware as a service offerings, and open source ransomware will continue to be leveraged by less sophisticated attackers and help them grow their budding criminal enterprises. Fileless ransomware will see more usage as attackers attempt to evade endpoint protection mechanisms. Offline ransomware will continue to be used by attackers wishing to minimize their footprint. And last, but certainly not least, expect to see more advanced ransomware that targets the MBR, MFT, and other raw disk drive sectors. In the coming weeks, I'll have a follow-on post to walk through how the Endgame research team is addressing these advances in ransomware. Stay tuned!