Researchers have described a sophisticated framework for the next generation of ransomware, suggesting a bleak future might await users and organizations alike.
On Monday, William Largent, a security researcher for the Cisco Talos Outreach Team, published a report entitled, “Ransomware: Past, Present, and Future”.
In the study, Largent traces the history of ransomware and discusses several recent events in the world of crypto-malware, including the emergence of Locky and the February attack against Hollywood Presbyterian Medical Center, among other hospitals.
The researcher then casts his gaze into the future to envision what tomorrow’s ransomware threats might look like:
“The advanced attackers that are being hypothesized for this exercise, such as competent penetration testers and skilled threat actors, generally prefer to use software with a modular design. This allows them to use certain functions as-needed, which provides much better efficiency and provides the ability to switch tactics as required in the event one method is discovered or is found to be ineffective.”
The researcher hypothesises this next generation of ransomware will make use of several devastating modules. One module, a command and control (C&C)/reporting infections plugin, could allow crypto-malware to contact a C&C domain via a GUID – a means of communication which is harder to detect than the traditional C&C server setup.
Another module, which Largent has dubbed a “rate limiter,” would strategically limit the ransomware’s CPU usage and attempt to have as little an impact on the network and other system resources as possible.
Using those various modules, attackers could ensure that if defense systems picked up on one malicious technique, they could simply switch gears and adopt another one. Such adaptability ensures they could move laterally throughout an infected network and identify all of the key business assets that might stand in their way, such as backup drives, messaging servers, and systems responsible for performing software application pushes.
Taking out those resources would leave the target organization wide open, the researcher predicts:
“Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3200 workstations are compromised; half the organization’s digital assets, and the vast majority of the company’s data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation. The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like. The victim is left with a choice: Do we pay the ransom, set a precedent and rapidly recover? Or do we refuse to pay the ransom and potentially make the recovery much longer and more difficult with a guaranteed loss of data?”
The scenario Largent paints is of a type of ransomware that in its rapid propagation, payload delivery, and ability to cripple recovery efforts mimics that of a computer worm. Largent has a name for this mishmash of threats: “cryptoworms.”
With that in mind, it is important that organizations make sure they invest in defensive measures sooner rather than later. Specifically, they should focus on DMZ hardening, secure backups and employee awareness training.
Let’s face it. Computer criminals love to trick people into doing something they would not ordinarily do, like hand over their login credentials. An organization’s first defense is its people; the stronger the workforce, the lesser the likelihood of a successful attack.
What do you make of these predictions of the future of ransomware? Leave a comment below sharing your thoughts.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.