Trend Micro published our mid-year security roundup report, in which we covered the biggest threat stories and trends we observed in the first half of 2016. If you've been following the threat landscape, it is not surprising that ransomware was by far the biggest story, with many organizations around the world in the news after being affected by this threat.
We have been doing extensive research into this threat over the years, and I want to dive a bit deeper into the most recent trends we've seen and how you can protect yourself and your organization from becoming a victim.
In my 20 years working in cybersecurity, I have not seen any specific threat be picked up and used as much as I've seen ransomware. In the first half of the year, we saw threat actors develop close to 80 new families of ransomware, which is a 172 percent increase from what we saw in all of 2015. We're also seeing these cybercriminals adopt and adapt their creations to continually prevent organizations from detecting their malware. We are now even seeing Ransomware as a Service (RaaS) within the criminal undergrounds, which makes it even easier for threat actors of any level to deliver attacks.
Why are we seeing such a marked increase in this activity? Because it seems to be working, but also because this is a threat that is very visible. Most threats try to stay under the radar and be invisible, but ransomware uses fear and very visual effects to entice the victim into paying the ransom demand. If you are infected with ransomware, you will know it. If you are infected, we recommend contacting your local law enforcement or the IC3, as the most effective way to stop ransomware is to stop making it profitable and to put the criminals behind it behind bars.
Below is an example of some recent ransomware families we investigated and the different capabilities each has. You’ll notice, as mentioned above, the actors behind these are trying many different techniques.
Note the different arrival techniques (infection vectors) and the different ransom amounts being served up to the victims. You can also see numerous different types of data being encrypted by the ransomware families. The encryption process is similar across families, as there are not a lot of different encryption technologies out there, and the criminals use the same methods used by the good guys. The predominant infection vector we have seen is email, whether spam or phishing.
But also notice that exploits and exploit kits are becoming more widely used. In fact, we've seen that the actors behind most of the exploit kits are now serving up ransomware within their kits, again showing that ransomware is becoming the de facto threat used by many actors today.
One other trend we've seen with ransomware is who the threat actors are targeting. This was mostly a consumer-targeted threat in the past, but recently we've seen businesses being targeted predominantly by these actors. This is likely due to the ability of a business to pay the ransom compared with a consumer, but in many cases we're also seeing much higher ransom demands against businesses in industries where any downtime is critical to them – i.e., healthcare, manufacturing.
We do expect ransomware to continue to be utilized by cybercriminals around the world for the foreseeable future as it has been effective and profitable for them so far. Besides law enforcement activity in curbing this threat, you and your organization can take steps to help prevent becoming a victim of ransomware.
The key is developing a broad strategy that includes the following:
Education about how this attack works. A good, short video explaining ransomware and basic security can be found here. Our ransomware definition page will give you a lot of information on what it is and the latest trends.
Implement a good backup strategy that includes a 3-2-1 model (3 backup copies on 2 different media with 1 backup in a separate location).
Develop a layered security approach that includes the following:
While we cannot guarantee 100 percent detection of all ransomware, implementing the approach above can minimize your risk of becoming a victim. If, unfortunately, you do become infected, we have been developing a free tool to decrypt as many ransomware families as possible. Check it out to see if it can help. We have also provided a landing page that covers all aspects of ransomware, to help further educate organizations large and small, as well as consumers. We hope it helps. Follow our Security Intelligence blog for the latest news on ransomware found in the wild.