While ransomware is nothing new for the business world, never-before-seen infection strains pop up nearly every day. As cybersecurity experts work to bridge the gap between malicious threats and current protection practices, hackers are working just as hard to create attacks that evade detection.
Recently, brand new open source ransomware samples were discovered that demonstrate specific characteristics showing that the enterprise community is more of a target than ever.
Ransomware statistics paint a picture of the threat landscape
According to Barkly content manager Jonathan Crowe, ransomware continues to be big business for cyber criminals who have generated considerable profits recently.
- Almost half of all organizations have been a victim of ransomware, with just 53 percent reporting that they hadn't experienced an attack within the last 12 months, Osterman Research found.
- Seven percent of businesses saw more than one ransomware-related infection attempt in the last year, with 4 percent seeing six to 10 attacks, and 2 percent seeing anywhere from 11 to more than 20 attacks.
- Ransomware infections spiked in March specifically, with more than 56,000 ransomware infections reported, according to Symantec.
- Hackers are also demanding more money as time goes on. Whereas the ransom amount averaged around $372 in 2014, cyber criminals are now asking for as much as $679 to unlock encrypted files.
- While 4 out of 5 organizations have confidence in their ability to achieve complete recovery after an attack, Barkly found that less than half – 42 percent – of all victims are actually able to recover, even with a backup system in place.
This makes protection all the more important in an environment where new threats are popping up every day.
Three new strains: Spinoffs of Hidden Tear
Trend Micro reported that in late August, a series of new, open source ransomware samples were discovered, which appear to be based on Hidden Tear and EDA2. The fact that these samples were based on Hidden Tear – code that was released in an effort to educate individuals on the dangers of ransomware – makes this discovery all the more disappointing.
In early 2016, Turkish security organization Utku Sen originally published the Hidden Tear open source code on GitHub. At the time, Utku Sen made it clear that Hidden Tear was not made available for hackers to leverage in an attack.
"While this may be helpful for some, there are significant risks," Utku Sen stated, according to Trend Micro. "Hidden Tear may be used only for educational purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running Hidden Tear, even though you are innocent."
Even with this warning posted, it didn't stop cyber criminals from using Hidden Tear to their advantage in the recent rash of ransomware attacks.
"Unfortunately, anyone on the internet can disregard this warning," Trend Micro stated in an Intelligence Blog post. "This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. Our analysis showed that the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code."
Shortly after the discovery of RANSOM_CRYPTEAR.B, researchers came across two other new strains: Magic ransomware, otherwise known as RANSOM_MEMEKAP.A, and KaoTear, or RANSOM_KAOTEAR.A.
Other infections were also uncovered, including POGOTEAR, or RANSOM_POGOTEAR.A, which uses the file name PokemonGo.exe to convince victims of its legitimacy. FSociety, or RANSOM_CRYPTEAR.SMILA, is another open source ransomware sample based on EDA2 that appears to be inspired by the TV series Mr. Robot. These types of attacks are especially dangerous because ties to pop culture can increase the chances of successful infection.
The problem with open source
Open source code brings numerous benefits when utilized for application development or another legitimate purpose. In the context of malware and ransomware, however, open source only compounds the threat posed by the infections themselves.
As Trend Micro researchers pointed out, open source enables even novice hackers to utilize expert code to launch attacks.
"One factor that contributed to the proliferation of this ransomware type is the ease and convenience it offers to cybercriminals — they don't have to be technically skilled to build their own ransomware from scratch," Trend Micro researchers noted. "Before the source codes of Hidden Tear and EDA2 were taken down, these were publicly available and cybercriminals only had to modify the code based on their needs."
Business community beware
What makes these infections a little different from other strains discovered recently is the particular items the samples were built to seek out. All three Hidden Tear-based samples specifically look for web server and database files within a victim's infrastructure. This suggests that they were created to target enterprises rather than individual users.
"Enterprises and small-medium businesses are viable targets for ransomware attacks," Trend Micro noted. "The recently-discovered open source ransomware strains show the possibilities that they can potentially affect organizations — disruption to productivity and operations, including damage to company brand or reputation."
Avoiding infection: Best practices
Thankfully, there are a few important strategies that enterprises can employ to reduce their chances of infection:
- Understand the threat environment: Hackers are more likely to launch a successful attack on organizations that lack a full view of the current threat landscape. For this reason, it's important that business stakeholders know what they're up against.
- Avoid suspicious emails and files: Infections are often launched when hackers send a legitimate-looking email with an attached file to an enterprise user. It is absolutely critical that employees double check to ensure that emails and files are authentic before opening them.
- Have a multi-pronged approach to security: If cyber criminals have taught the world anything, it's that they are persistent. This means it's in an organization's best interest to have a multi-faceted protection strategy in place that closes gaps at every point in the network.
Businesses must ensure that they are doing everything in their power to protect their assets from ransomware. To find out more, contact Trend Micro today.