By Sherri Davidoff   /   May 30th, 2019

Ransomware Trends that are Changing the Game

Ransomware is evolving. New features, techniques and distribution tactics have changed the game, and defenders need to adapt. In this three-part series, we’ll discuss the latest ransomware trends, share new ransomware facts, and explain how you can effectively detect and respond to today’s ransomware threats.

Today’s three major ransomware trends include:

  1. “Big Game Hunting”
  2. Ransomware-as-a-service
  3. Key differentiation

This blog will explore “Big Game Hunting,” as the first part of our series on ransomware trends.

Trend #1 – “Big Game Hunting”

Ransom demands are skyrocketing. The SamSam ransomware, which brought down the City of Atlanta in 2018, came with a typical ransom demand of approximately $40,000. Newer strains such as BitPaymer and Ryuk are commonly associated with demands of $100,000 or more, according to Sophos.

Unlike the old-fashioned smash-and-grab attacks, in which criminals locked up any computer they could reach and charged a piddling $300, today’s ransomers target large organizations in hopes of a big payout. Small and midsized organizations are hit as well, and struggle to afford the steep payment. According to CrowdStrike’s 2019 Global Threat Report, this shift to “Big Game Hunting” was the “most notable trend within the year,” and enabled organized crime groups to rake in millions of dollars.

Aside from the ransom demand itself, the cost of recovery and the public relations fallout from these large-scale attacks can be staggering. The recent RobbinHood ransomware attack against the city of Baltimore came with a $76,000 ransom demand, but the full cost of recovery and lost revenue is now estimated at over $18 million. As of this writing, the city has been crippled for almost an entire month.

Lurking in the Shadows

Ransomers now lurk inside victims’ networks for weeks or even months, gathering financial data and identifying valuable intellectual property and specific organizational data to strengthen their bargaining position. One victim organization found this out the hard way when it tried to negotiate a lower ransom by claiming that it did not have the funds to pay the demand.

“The price is appropriate according to your financials,” the criminals clapped back. Upon investigation, the evidence showed that the criminals had first infected the organization with the Trickbot banking Trojan and explored the victim’s internal network for over a month before launching the ransomware. That unrestricted access let the attackers do their homework, learn about their victim, and extract every penny they could.

The Final Act

Often, the ransomware itself is the first thing the victim organization notices, but in “Big Game Hunting” attacks it is just the most visible step in a long series of malicious activity. Criminals typically infect their victims with a common banking Trojan such as Emotet or Trickbot (or both) as the first step. They use that access to harvest credentials and spread throughout the network, adding user accounts as desired, escalating privileges and installing additional malicious software. Finally, once they have harvested all of the information they want, they detonate the ransomware.

For defenders, the presence of ransomware should immediately trigger a bigger concern: how long did the attackers have access, and what did they steal? Ransomers are no longer simply out to lock up files. More and more often, they steal data first, leaving victims to grapple with both ransomware and a serious data breach.
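To make that triage question concrete, here is an added example (not LMG’s tooling, and not from the incidents described above) that walks a constructed set of Windows Security events, in JSON-lines form, and pulls out the precursor activity this attack chain leaves behind: remote desktop logons (event 4624 with logon type 10), new accounts (4720) and additions to privileged groups (4732/4728). The event IDs are the real Windows Security log IDs; the hostnames, users, addresses and timestamps are made up, the internal address ranges are an assumption, and the detonation time is assumed to be known from when the ransom notes appeared.

```python
"""Triage the pre-ransomware phase from Windows Security events (added example).

Hostnames, users, IPs and times below are constructed; the event IDs are the
real Windows Security log IDs (4624 logon, 4720 account created, 4732/4728
member added to a local/global group).
"""
import ipaddress
import json
from datetime import datetime

# Assumed internal address space; anything else counts as an external source.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed JSON-lines excerpt of Security events from three hosts.
SAMPLE_LOG = """\
{"time": "2019-03-02T03:14:00", "host": "FS01", "id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.45"}
{"time": "2019-03-02T03:20:00", "host": "FS01", "id": 4720, "user": "svc_backup2", "actor": "jsmith"}
{"time": "2019-03-02T03:21:00", "host": "FS01", "id": 4732, "user": "svc_backup2", "group": "Administrators", "actor": "jsmith"}
{"time": "2019-03-09T14:02:00", "host": "WS17", "id": 4624, "logon_type": 2, "user": "asmith", "src_ip": "-"}
{"time": "2019-04-06T22:40:00", "host": "DC01", "id": 4624, "logon_type": 10, "user": "svc_backup2", "src_ip": "10.0.5.23"}
{"time": "2019-04-07T01:05:00", "host": "DC01", "id": 4688, "user": "svc_backup2", "process": "winsvc.exe"}
"""


def is_external(ip):
    """True if the address is outside the assumed internal ranges ("-" is not an address)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime 'time', oldest first."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def classify(ev):
    """Return a short label if the event is a ransomware precursor, else None."""
    eid = ev["id"]
    if eid == 4624 and ev.get("logon_type") == 10:      # type 10 = RemoteInteractive (RDP)
        where = "external" if is_external(ev.get("src_ip", "")) else "internal"
        return f"RDP logon ({where}) as {ev['user']} from {ev.get('src_ip')}"
    if eid == 4720:
        return f"account {ev['user']} created by {ev.get('actor')}"
    if eid in (4732, 4728):
        return f"{ev['user']} added to {ev.get('group')} by {ev.get('actor')}"
    return None                                           # 4688 etc. are not scored here


def triage(log_text, detonation_time):
    """Build the precursor timeline up to detonation and estimate dwell time."""
    detonation = datetime.fromisoformat(detonation_time)
    timeline, new_accounts, external_rdp = [], set(), set()
    for ev in parse_events(log_text):
        if ev["time"] > detonation:
            continue                                      # post-detonation noise
        label = classify(ev)
        if label is None:
            continue
        timeline.append((ev["time"], ev["host"], label))
        if ev["id"] == 4720:
            new_accounts.add(ev["user"])
        if ev["id"] == 4624 and is_external(ev.get("src_ip", "")):
            external_rdp.add(ev["src_ip"])
    first = timeline[0][0] if timeline else detonation
    return {
        "first_precursor": first,
        "dwell_days": (detonation - first).days,          # whole days of attacker access
        "new_accounts": new_accounts,
        "external_rdp_sources": external_rdp,
        "timeline": timeline,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "2019-04-07T01:05:00")
    for when, host, label in result["timeline"]:
        print(f"{when:%Y-%m-%d %H:%M} {host:5} {label}")
    print(f"dwell: {result['dwell_days']} days; new accounts: {result['new_accounts']}; "
          f"external RDP sources: {result['external_rdp_sources']}")
```

In the constructed data the first external RDP logon lands 35 days before detonation, and the account it created is later used to reach the domain controller; that is the shape of the month-long intrusion described above. In a real case, run this over the Security logs of the domain controllers and the first-infected hosts, and treat logs that have already rolled over as a finding in their own right.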

Defending Your Network

Most “Big Game Hunting” ransomware infections start with an exposed login interface. Criminals break in using a weak or stolen password, and then spread through the internal network by exploiting unpatched computers or leveraging more weak or stolen passwords.

You can dramatically reduce your organization’s risk by taking the following precautions:

  • Don’t allow remote logons directly from the public Internet. Port-scan your external address space regularly, and put any RDP interfaces behind a VPN.
  • Use strong passwords and audit them regularly. For vendors that log in remotely, consider requiring a third-party remote access platform such as SecureLink.
  • Deploy two-factor authentication for all remote access. Check out LMG’s video tutorials on two-factor authentication and password generation for more info.
  • Maintain an effective software patching process on all systems, including servers, workstations and network equipment.
  • Install an immutable backup solution, where backups are either non-writable or stored offline. Test restoring from your backups regularly to make sure they work.
  • Implement an intrusion detection/prevention system (IDS/IPS) and ensure that it is routinely updated.
  • Keep your antivirus software up to date and ensure that it is consistently deployed.
  • Monitor your network 24/7. Conduct attack detection and response testing to ensure that your monitoring is effective.
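As an added example of the first item (not a tool from LMG or the original post), the following script parses the XML that nmap writes with -oX, lists every host with an open remote-logon port, and diffs the result against the previous scan so that only new exposures are raised. The XML is a constructed excerpt in nmap’s format using documentation addresses (203.0.113.0/24), and the port list is an assumption to tune for your environment.

```python
"""Flag remote-logon services exposed in an nmap XML scan and diff against the last scan.

Added example. The scan excerpts below are constructed in nmap's -oX layout;
the addresses are from the 203.0.113.0/24 documentation range.
"""
import xml.etree.ElementTree as ET

# Assumed set of ports that constitute a remote-logon interface when open to the Internet.
REMOTE_LOGON_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP",
    5900: "VNC", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)",
}

# Constructed excerpt of this week's scan: a new RDP listener has appeared on .10.
SAMPLE_SCAN = """<nmaprun scanner="nmap" args="nmap -Pn -p 22,80,443,445,3389 -oX - 203.0.113.10-11">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>
"""

# Constructed excerpt of last week's scan: only the SSH host was exposed then.
PREVIOUS_SCAN = """<nmaprun scanner="nmap" args="nmap -Pn -p 22,80,443,445,3389 -oX - 203.0.113.10-11">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
</nmaprun>
"""


def exposed_services(xml_text):
    """Return sorted (ip, port, service_name) tuples for open remote-logon ports."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ip = addr_el.get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp":
                continue
            portid = int(port.get("portid"))
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # filtered/closed ports are not reachable
            if portid in REMOTE_LOGON_PORTS:
                svc = port.find("service")
                name = svc.get("name") if svc is not None else "?"
                found.append((ip, portid, name))
    return sorted(found)


def new_exposures(previous_xml, current_xml):
    """Exposures present now but absent from the previous scan: what to alert on."""
    return sorted(set(exposed_services(current_xml)) - set(exposed_services(previous_xml)))


def report(xml_text):
    """Human-readable lines for everything currently exposed."""
    return [f"{ip}:{port} {REMOTE_LOGON_PORTS[port]} ({name}) reachable from the Internet"
            for ip, port, name in exposed_services(xml_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_SCAN):
        print(line)
    print("new since last scan:", new_exposures(PREVIOUS_SCAN, SAMPLE_SCAN))
```

To feed it real data, run something like `nmap -Pn -p 22,23,445,3389,5900,5985,5986 -oX scan.xml <your public ranges>` from a host outside your network, keep each week’s XML, and page someone whenever new_exposures is non-empty; an exposed SSH host that has been there for years still belongs behind the VPN, but the RDP listener that appeared overnight is the one that gets a Big Game Hunter in.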

We hope that these ransomware facts and tips help you combat these concerning ransomware trends. Stay tuned for part two of our series, “Ransomware-as-a-Service,” to learn more. In the meantime, contact us if you need help preventing or recovering from an attack.

About the Author

Sherri Davidoff

Sherri is the CEO of LMG Security and the author of “Data Breaches.” As a recognized expert in cybersecurity and data breach response, Sherri has been called a “security badass” by The New York Times. She has conducted cybersecurity training for many distinguished organizations, including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more. She is a faculty member at the Pacific Coast Banking School, and an instructor for Black Hat, where she teaches her “Data Breaches” course. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT. Her latest book, Ransomware Response, will be published early next year.