In our 2017 Predictions report, “The Next Tier: 8 Security Predictions for 2017,” we state that ransomware growth will plateau in 2017, but that attack methods and targets will diversify. Let’s explore what we mean by this and how this threat will evolve next year.
Our predictions are developed based on changes in the computing landscape and the evolution of a threat. Ransomware and the actors behind this threat have evolved over the years, starting with FakeAV, moving to screen-locker ransomware, and finally arriving where we are today with crypto-ransomware. This evolution was driven by actors looking to increase their return on investment and their infection rate per target. FakeAV and screen lockers just weren’t cutting it, so cybercriminals figured out that if they held critical files or systems hostage, they could not only get more victims to pay, but also increase the ransom. In 2017 we’re going to see not only an increase in ransomware families, but another evolution in how they attack and whom they attack.
Ransomware is now one of the largest, if not the largest, threats in the world. In 2015 we identified 29 new ransomware families; so far in 2016 we have seen more than 150 new families, a 400 percent increase. We predict this rate of growth cannot be sustained, but we will still see a 25 percent increase in families during 2017 over 2016. This means we will still need to defend against a wide range of new ransomware, but the actors will focus their efforts on new victims and on techniques to attack more organizations.
We have already seen some of this in 2016 with the recent attack on the San Francisco Municipal Transport Authority (SFMTA), where the actor(s) behind it targeted the payment kiosks in order to disrupt the agency’s operations. Rather than shut down its trains and stop customers from getting from point A to point B, SFMTA made the decision to continue train service free of charge. In 2017 we will see more of these attacks on businesses whose operations, if disrupted, would justify a higher ransom demand. A typical ransomware attack requests between 1 and 2 bitcoins ($775 – $1,550), but a targeted attack like the one against SFMTA’s operations can net the attackers a significantly higher ROI. In that case the ransom was 100 bitcoins (~$73K). This increased ROI is what threat actors are constantly striving for. Any organization that has critical business processes (healthcare, manufacturing, public utilities, etc.) should look at ways to ensure the systems managing these processes are segmented from its main network, or are protected with more than just traditional defenses.
Another prediction around ransomware concerns the methods of attack. We will see more targeted attacks using ransomware as one of the infection vectors, but the actors will also take a page from data breaches by exfiltrating key data from a victim and holding it for a secondary extortion demand (“I won’t publicly disclose this data if you pay me $X”), or by selling it on the underground for additional profit. We will also see non-PC devices like IoT, PoS, or even bank ATMs become targets of ransomware attacks, similar to how we’ve been seeing mobile ransomware target Android devices for a few years now. Looking for more attack surfaces is a typical component of the criminal strategy to increase infection rates and profits.
All in all, ransomware has been a very successful threat for cybercriminals over the past few years, and we will continue to see its use in 2017, with more inventive ways of utilizing it to infect higher numbers of businesses across the globe. Organizations will need to actively pursue new ways to protect their systems from this threat by deploying a multi-layered, cross-generational defense. Since ransomware predominantly arrives from the Internet through email or web downloads, the first line of defense should be advanced messaging and web security. Trend Micro blocks 99% of the ransomware trying to infect our customers at this layer. Below are our detections from March – August 2016.
But endpoints need to be secured as well, with newer technologies like high-fidelity machine learning and ransomware behavior monitoring, such as those in our new XGen endpoint security solutions. We also recommend analyzing network traffic, for example with our Deep Discovery solution, and deploying a focused server solution like Deep Security to protect your critical data center systems.
We predicted that 2016 would be the year of extortion, and so far this has come true with the rise of ransomware. Time will tell if this 2017 prediction comes true, but we have good evidence that it will. Feel free to leave a comment if you have any ideas of your own on where ransomware is headed.