While most people know the basics of ransomware, the details of this threat – like all aspects of cybersecurity – are constantly evolving. In this post, we’ll discuss recent changes we’ve seen in the tools, tactics and procedures used by ransomware attackers, and share new information on detection avoidance, decryption tools and industries that may face the highest risk. Finally, we’ll make some predictions on the future of ransomware (spoiler alert: it’s here to stay).
1. Malware uses new tactics to avoid detection.
Traditionally, ransomware has involved gaining access to a computer, quickly encrypting the contents and delivering a message to demand payment. However, we’ve noticed a shift in this process. Recent ransomware variants have begun to use a CAPTCHA test to ensure they’re interacting with a human target and not an endpoint detection and response (EDR) tool or other malware-blocking software. Similarly, malware may attempt to detect if it’s being executed in a virtual environment, perhaps by a security researcher attempting to reverse-engineer the malware. We’ve seen attackers flip this on its head and deploy their malware inside its own virtual machine, to avoid detection by the host machine’s antivirus tool.
2. Payment extractions are becoming more complex.
Another recent change involves how ransomware payments are extracted. Previously, attackers would encrypt host data and offer the decryption key in return for a ransom payment. As more businesses have become better prepared (through mature data backup strategies) or made the ethical decision not to pay ransom demands, attackers are turning up the pressure through a multi-pronged approach. In addition to their customary method of encrypting data and demanding payment for decryption, attackers now frequently exfiltrate a copy of the data before encrypting it locally. If their initial payment request is rebuffed, they threaten to publish the exfiltrated data unless a payment is made for its deletion. We’ve also seen examples where, when no payment was made, the attacking groups attempted to auction off the stolen data on the dark web to the highest bidder.
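Because the exfiltration step now precedes encryption, an unusually large outbound transfer from an internal host to an unsanctioned destination is one of the earliest signals a defender can look for. The script below is an added example, not CNA’s code or a tool from the post: it totals outbound bytes per (source, destination) pair from proxy or firewall log lines and flags pairs that exceed a threshold and are not on an allow-list. The log format (timestamp, source IP, destination, bytes out), the sample lines, the 500 MiB threshold and the allow-list entries are all constructed assumptions and would need to be adapted to a real log source.

```python
"""Flag internal hosts pushing large volumes to unsanctioned destinations.

Added illustration of a simple exfiltration tripwire; the log format and
allow-list below are hypothetical and must be mapped onto real log sources.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (assumed format: timestamp src_ip dst bytes_out).
# One deliberately malformed line is included to show that parsing skips it.
SAMPLE_LOGS = """\
2020-06-01T02:14:03Z 10.0.4.17 backup.example-internal.net 52428800
2020-06-01T02:15:11Z 10.0.4.17 cdn.example.com 120000
2020-06-01T02:16:40Z 10.0.4.23 203.0.113.45 734003200
this line is not a valid record
2020-06-01T02:17:02Z 10.0.4.23 203.0.113.45 1258291200
2020-06-01T02:18:55Z 10.0.4.9 mail.example.com 48000
"""

# Hypothetical allow-list: destinations that legitimately receive bulk data
# (internal address space and the organisation's own backup domain).
SANCTIONED_NETWORKS = [ip_network("10.0.0.0/8")]
SANCTIONED_SUFFIXES = (".example-internal.net",)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)$")


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def is_sanctioned(dst):
    """True if the destination is an IP in a sanctioned network or a sanctioned hostname."""
    try:
        addr = ip_address(dst)
    except ValueError:
        # Not an IP literal, so treat it as a hostname and check the suffix list.
        return dst.lower().endswith(SANCTIONED_SUFFIXES)
    return any(addr in net for net in SANCTIONED_NETWORKS)


def find_exfil_candidates(log_text, threshold_bytes=500 * 1024 * 1024):
    """Aggregate outbound bytes per (src, dst) and return pairs over the threshold.

    Sanctioned destinations are excluded before aggregation so that routine
    backups do not drown out the signal. Results are sorted largest first.
    """
    totals = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole run
        if is_sanctioned(rec["dst"]):
            continue
        key = (rec["src"], rec["dst"])
        totals[key] += rec["bytes"]
        first_seen.setdefault(key, rec["ts"])
    hits = [
        {"src": src, "dst": dst, "bytes_out": total, "first_seen": first_seen[(src, dst)]}
        for (src, dst), total in totals.items()
        if total >= threshold_bytes
    ]
    hits.sort(key=lambda h: h["bytes_out"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOGS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['bytes_out']} bytes "
              f"(first seen {hit['first_seen']})")
```

With the sample input, only the 10.0.4.23 to 203.0.113.45 pair is reported: its two records sum to roughly 1.9 GB to an external address, while the 50 MB backup transfer is allow-listed and the web traffic is far below the threshold. A byte threshold alone is crude; in practice it would be combined with a per-host baseline and an off-hours weighting, but the aggregation-then-allow-list structure is the same.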
3. Reputation scores provide helpful info for victims.
One of the most uncertain aspects of dealing with a ransomware event arises once it has been determined that a payment must be made. The question becomes: will the criminals uphold their end of the bargain once paid, supplying the decryption key or deleting the data as promised? While there are no certainties, companies have moved into this space with a focus on brokering ransomware payments and affixing a reputation score to each attacker group. This can provide some level of confidence that the attackers will follow through on their part of the deal.
4. Decryption tools can present risks.
While decryption tools have been created for many variants of ransomware, we are seeing an uptick in malicious or poorly designed decryption tools that may purposely cause harm or inadvertently corrupt the encrypted data, rendering recovery impossible. Many of these appear in response to simple Google searches for “ransomware decryptor,” offering to decrypt data for free, which obviously sounds very enticing to an affected user. We’ve also seen user error in this area. For example, a user infected with ransomware attempts to run a legitimate decryption tool, but because the tool is incompatible or built for a different variant, it causes damage and renders recovery impossible.
5. Service providers continue to be a target.
There’s been a shift in the targeting of ransomware campaigns, and attacking groups are looking to inflict the most damage possible. Their latest targets are service providers that operate in the information technology, healthcare, legal, and accounting spaces. The breach of a service provider’s backend environment can directly impact customer data in the vendor’s care, but it also might allow malware to spread back to the vendor’s customers’ systems. In all cases, a mature vendor management program is key. Know your vendors, be aware of what data and access they have, and ensure it is appropriate and well-secured.
The future of ransomware
Where might ransomware go next? While infections on traditional operating systems will continue, there are new areas to watch as well. For example, cellphones running old versions of their operating system may be at risk – especially if they install applications from third-party app stores. Attackers will also continue to leverage malicious web browser extensions. They have become adept at sneaking them into the official extension stores for Google Chrome, so use caution before installing any extensions in your browser. Attackers will also increase their focus on abusing smart home devices, especially devices made by less-familiar companies that aren’t patched for security issues. We recommend purchasing smart devices from well-known manufacturers with a good track record for providing continued security support after the sale. We believe healthcare and law firms will also continue to be targeted due to the value of their confidential data. Regardless of size, companies in these industries should look for ways to fortify their data protection strategy. And finally, the attacking groups are leveraging the current pandemic as a “hook” for their activity, pretending to share information on testing, tracking, cures and remedies in the hope of getting an unwitting user to click their link or open their attachment.
Disclaimer: The information, examples and suggestions presented in this material have been developed from sources believed to be reliable. However, this is not legal advice, and CNA cannot accept responsibility for its applicability to your specific circumstances: no one should act on the basis of this article without first seeking appropriate professional advice, including advice of legal counsel, based on a thorough examination of their individual situation, relevant facts, laws, and regulations. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA" is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the "CNA" trademark in connection with insurance underwriting and claims activities. Copyright © 2020 CNA. All rights reserved.