There’s no doubt that attacks will continue to increase in frequency, severity and complexity. Behind the scenes, nations are fighting what appears to be a cybersecurity war. According to the president of Microsoft, North Korea was allegedly behind the WannaCry ransomware attack that temporarily brought down numerous NHS trusts. Ukraine’s security service (SBU) claim that Russia was behind NotPetya attacks which resulted in hundreds of millions of dollars in damages. And it’s unlikely these attacks were carried out by your average bedroom cyber-dork, but instead by professional development teams.
So, will 2018 be worse than 2017? In short, yes!
There will likely be an increase in Ransomware as a Service (RaaS) attacks, whereby relatively unskilled cyber-criminals are able to purchase ransomware code from the dark web that includes step-by-step instructions enabling them to customize and distribute their attack.
As more organisations take necessary precautions and raise awareness about ransomware, attacks will likely become more targeted with cyber-criminals carrying out more research to target specific individuals within a specific company – especially individuals with a high net-worth.
Ransomware strains will continue to evolve. Instead of simply decrypting the encrypted files in exchange for payment in Bitcoin, newer attacks will start to use a blackmail technique called “doxing”, whereby the attackers threaten to publish the stolen files along with the victim’s credentials and geolocation info of their local computer. Additionally, newer strains will be able to use tricks to evade sandboxing, bypass antivirus software and email filters, and be able to deploy itself with elevated privileges by bypassing Windows User Account Control (UAC).
New techniques will be used to encourage victims to pay the ransom. For example, Spora – a strain of ransomware discovered in January 2017 – gives victims a variety of options to choose from. They can decrypt two files for free, decrypt a selection of files for $30, have the ransomware program removed for $20, purchase what they call “immunity” for $50, or just get all the encrypted files restored for $120.
File-less ransomware, which leverages a native scripting language to execute the malicious code or write the code directly to memory, will likely grow in popularity as it makes it easier to bypass antivirus tools/sandboxing.
Whilst the number of attacks targeting Android is already increasing, more strains of ransomware will target non-windows operating systems, such as MacOS and Linux.
It’s likely that healthcare will continue to be a primary target as healthcare service providers are more likely to pay the ransomware and are often unprepared and ill-equipped to protect themselves from such attacks.
Internet of Things (IoT) systems will likely become a growing target. While IoT devices do not store sensitive data, they often perform a critical function. For example, if a device that is critical to the functioning of a power grid gets infected, the attacker can request that a large payment is made within a short period to prevent the power going down.
How can organisations protect themselves from ransomware?
Educating employees, keeping backups, and limiting access to sensitive data are often the most cited methods to help protect against ransomware attacks. However, there are also solutions which can help prevent attacks from spreading.
LepideAuditor has a threshold alerting feature which can automatically detect, alert and respond to suspicious events that match a pre-defined threshold condition. For example, if X number of Y changes are made during the selected period, you can execute a custom script which can disable a user account, stop a specific process, change firewall settings, or shut down the computer entirely.