In 2018, a year after the most damaging cyber attacks on record, ransomware is falling out of favor with cybercriminals, but those who continue to develop this form of attack are becoming more focused.
Golden Age of Ransomware: 2016–2017
“Zero Day” refers to exploits that are as yet unknown to the public.
To understand what is happening now, it is important to have some context in what made 2017 the worst year on record for cyberattack damages.
It started in 2016, when hacker group Shadowbrokers penetrated the defenses of the U.S. National Security Agency (NSA) and successfully stole a number of Zero Day exploits the agency had been developing for years. The first thing Shadowbrokers did was to turn around and publish the NSA’s exploits for the entire world to see.
By 2017, hackers had been able to develop the NSA’s exploits into advanced cyber weapons. Among the many types of ransomware and malware unleashed, WannaCry and Petya cost businesses upwards of $20 billion while disrupting energy and trade globally. The main innovation that made these so devastating was their ability to spread quickly throughout networks. NotPetya, a Petya variant, gained a foothold in Maersk in Ukraine but within hours had spread to Merck in the United States, with German companies also taking a big hit.
Compared to last year, 2018 has been remarkably quiet. According to Kaspersky, Ransomware attacks fell 30% between 2017 and 2018. Between January and June, the number of of business ransomware detections decreased from 25,000 to just 10,000.
However, Colorado knows better than many other states how deceptive these detection statistics can be. SamSam ransomware hit Colorado Department of Transportation twice in February and March of this year. SamSam did significantly more damage to Atlanta and many healthcare organizations, but we know that decreasing number of attacks does not mean we are in the clear.
Ransomware Is Less Popular in 2018 but More Deadly for Business
SamSam is one of the most successful examples of a critical trend within Ransomware. There has been a shift away from what are called commodity groups, which aim for volume and rapid iteration to infect as many small victims as possible, toward targeted groups. Targeted groups do not blindly try to infect everyone; instead, they carefully select their victims based on security features, income, and other factors that minimize difficulty and maximize payoff.
Targeting makes intuitive sense for ransomware because returns come from victims’ willingness to shell out money to restore the functionality of their computers. SamSam targeted and successfully infected organization types that are known for antiquated software, including local government organizations like CDOT, healthcare organizations, and small and mid-sized businesses. What is more, these organizations have the most to lose during a ransom: public confusion, bankruptcy and even lost lives.
Endpoint Protection Might Not Be Enough
It is clear that these newest targets in 2018 are chosen strategically and methodically analyzed before the attack commences. What is more, 75% of organizations infected with ransomware were running up-to-date protection, according to Sophos. Previous versions of malware relied on phishing emails to gain initial entry, but the latest versions, including SamSam, do not.
SamSam and many of the latest ransomware variants exploit vulnerable Remote Desktop Protocol (RDP) connections, which allow hacking attempts to go unnoticed. This vulnerability allows hackers to use brute force attacks to ultimately guess user credentials, breech the network without causing alarm, and map out the attack well in advance.
Addressing RDP Vulnerabilities
The RDP vulnerability is already being addressed, but organizations that lag behind become obvious targets. Literally, hackers can run an automated search for RDP vulnerabilities, filter for preferred organizational characteristics, and then begin a brute force breach of the system.
The best way to stay free from harm is to deploy a proactive security solution, such as Intuition. As these latest attacks have delivered billions in damages to large organizations, Platte River Network clients have been secure from harm. We keep our network one step ahead, closing pathways as they emerge rather than reacting after it’s too late.
Read more: Maersk changes position on Cybersecurity after NotPetya