
Where Will Ransomware Go In The Second Half Of 2019?

  • Posted on: July 9, 2019
  • Posted in: Ransomware, Security
  • Posted by: Jon Clay (Global Threat Communications)

Ransomware has been an evolutionary malware family that continues to shift and change over the years. From the first fakeAV, to police ransomware, to the now oft-used crypto-ransomware, this threat just will not go away. Based on the latest trends, we predict this threat will grow in the second half of this year.

At Trend Micro, we’ve been following and tracking the data around ransomware for years. Here are some of the changes we’ve been seeing:

Year-Over-Year Ransomware Detections from Trend Micro™ Smart Protection Network™

2016 1,078,091,703
2017 631,128,278
2018 55,470,005
2019 (Jan to May) 43,854,210

Year-Over-Year Number of New Ransomware Families

2016 247
2017 327
2018 222
2019 (Jan to May) 44

You can see that ransomware actors were very busy in 2016 and 2017 both in launching attacks and in the development of new families and variants of ransomware. In 2018, we had a drop in both figures, which could be due to a number of factors:

  1. Improved practices within organizations to recover from attacks (i.e. backup and recovery)
  2. Improved detection technologies within the security industry (i.e. machine learning can proactively detect new families and variants)

However, in the first half of 2019 the news has carried some very high-profile ransomware attacks against organizations. These successful attacks led some victims to pay high ransom amounts, while others took weeks to months to recover. They show that we still need to be very vigilant in protecting networks against this threat.

Trend Micro publishes a predictions report each year to help organizations understand what might occur, and while we did this for 2019, I would like to give you some ideas on where ransomware might go in the second half of 2019 as this threat seems to change very often. Let’s look at the different areas of the ransomware attack lifecycle and what we may see for the rest of the year.

Identifying a Victim

Ransomware actors are being much more targeted in their selection of victims. This is a consequence of the two reasons given above for the drop in ransomware in 2018. In response, actors are looking to target organizations that are more likely to fall for an attack, and also those that are more likely to pay a higher ransom. In the first half of 2019, you can see the industries we saw targeted most:

Government, manufacturing, and healthcare are the top 3 industries actors seem to be targeting more than any other. Ransomware actors will also do open source intelligence (OSINT) about each targeted victim to build a profile of them to identify the best way to successfully attack them. There are a number of reasons for this selection and OSINT process:

  • Understand the organization’s business model and how affecting their critical systems could cause them public reputational damage
  • If they have critical systems that can be isolated by ransomware then they are more likely to pay the ransom
  • Whether their security posture and processes are adequate or can be taken advantage of

In the second half of 2019, actors will look to diversify into more industries that have critical business systems that could be compromised. This might include the legal, energy and critical infrastructure, transportation, and distribution industries.

Once they decide on a victim, they will then identify the ways to initially infect the organizations. This is the area that most changes based on the actors behind this threat.

Initial Infection

A number of shifts have occurred in this area over time, and this will likely continue to change. Recently we’ve seen the actors using phishing, malvertising, malicious webpages, exploits and exploit kits to infect an organization. We will continue to see them look to initially infect an organization through its employees, as this still appears to be their best option. But in the second half of 2019 I see the following scenario occurring:

  1. Ransomware actors will improve their ability to craft socially engineered attacks against employees through their OSINT gathering.
  2. We will see increased use of stolen credentials (i.e. RDP account credentials) that are sold in the underground.
  3. Manual lateral movement and the use of hacking tools will allow the actors to find the critical systems they need to compromise to make attacks successful.

Obfuscation Techniques

As mentioned above, ransomware has been detected more effectively recently due to advances in machine learning and behavior monitoring technologies deployed across the network. As such, the actors have to improve their obfuscation of the malware to ensure it cannot be detected by today’s security applications.

We’ve been seeing improved anti-sandbox, anti-machine learning, fileless, and other techniques used in the past, and moving forward we will see advances in all of these areas. The use of compromised legitimate software, including software from security vendors themselves, will also continue as a method to circumvent security measures. As we saw recently with a compromised MSP, one company’s direct access to multiple organizations’ networks can also be leveraged for attacks. Stolen certificates will also be used to sign malware to make it look legitimate.

I expect ransomware actors will continue to target high value, high quality victims in 2H’19, and as such, all organizations need to be vigilant in protecting against this threat. Unless we can ensure no ransoms are paid, we will see this threat persist. Improving your organization’s ability to detect, respond to, and recover from any ransomware will help us minimize this threat moving forward. For more information, you can watch my June 2019 Threat Webinar Series, which covers the recent trends in ransomware.

Trend Micro will publish our 2020 predictions report later this year, but until then, stay rigorous in your defense against ransomware.
