Holding Networks Hostage with Targeted Ransomware

June 7th, 2016 by Kasey Cross

Cybercriminals have stepped up their game, using new, advanced attack methods to compromise organizations, rather than individual users. And they have been successful, infiltrating a number of hospitals, schools, universities and government agencies. Post-attack investigations reveal that attackers used reconnaissance and lateral movement to infect as many machines as possible. And new ransomware strains demonstrate worm-like behavior, which can spread through network drives and removable storage.[1]

But before we look at the latest attack techniques, let’s take a step back and review how ransomware has evolved.

Ransomware 101
Ransomware is a type of malware that takes over computers and prevents the owners from accessing their files, their applications or even their entire computers until a ransom is paid. Once installed, ransomware encrypts or locks files and then it displays a ransom note instructing the victim to pay a ransom—usually about $250 to $500 USD per machine—to obtain a key that will unlock the files.

Cybercriminals are flocking to ransomware en masse for a variety of reasons: they do not need to break into tightly guarded servers to steal information, and they do not need to wait for money to slowly dribble in, as with click-fraud or DDoS attack schemes. Plus, ransomware authors can cut out any middlemen who would normally market their stolen data in the underground market. Ransomware has become cybercriminals' get-rich-quick scheme.

Ransomware Gets an Upgrade
In the past, almost all ransomware attacks were opportunistic; ransomware authors spammed as many email recipients as possible and hoped that a few hapless victims would open an attachment[2] and inadvertently install ransomware. Or they propagated ransomware through malvertising and other web-based attacks. These first-generation ransomware developers didn’t target their victims; they just took a “spray and pray” approach to infect many clients quickly.

While the opportunists have not gone away—far from it—new, more advanced ransomware campaigns have emerged. The SamSam ransomware authors have taken a page from the advanced persistent threat handbook. They have infiltrated hospitals, schools, and government agencies and brought network operations to a standstill. By infecting many machines at once, attackers have extorted more money per attack than by infecting clients one by one. Instead of requesting a few hundred dollars from an individual user, ransomware authors have demanded thousands or even millions of dollars in ransom payments from their corporate victims.

Why Weren’t These Attacks Detected?
Undoubtedly, many of the organizations that fell victim to SamSam ransomware attacks had some sort of security in place. The usual suspects would be firewalls, endpoint anti-virus software, and perhaps network anti-virus or virtual sandboxing solutions.

However, if intruders can gain network access, steal credentials, and start administering client machines, then they can evade or disable many of these controls.

What Can Organizations Do to Stop Ransomware?
Unfortunately, there is no single preventative measure that will stop all types of ransomware attacks, especially advanced and zero-day attacks. Organizations must implement layered security, including attack prevention as well as post-attack detection and remediation. User education and prevention solutions, like anti-virus software, can drastically reduce the risk of ransomware infections. If attackers find crafty new ways to evade these defenses, then detection tools can catch attackers in the act.

Detection tools can identify active threats such as user impersonation, Active Directory credential harvesting, and “low and slow” reconnaissance. Armed with this information, IT security can remove any compromised machines from the network before attackers infect more computers. Comprehensive backup systems can also reduce the impact of a ransomware attack by allowing IT teams to restore locked files from earlier, unencrypted versions.
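As an added illustration of the “low and slow” point above (example code written for this post, not code from the original article or from any vendor product): a classic per-minute scan rule misses a host that probes one new internal address every half hour, while the same distinct-destination count evaluated over an eight-hour window flags it. The connection log, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample connection log as (timestamp, src, dst) tuples."""
    base = datetime(2016, 6, 7, 8, 0)
    log = []
    # Normal workstation: contacts the same three servers every five minutes all day.
    for minute in range(0, 480, 5):
        log.append((base + timedelta(minutes=minute), "10.0.0.20",
                    f"10.0.1.{1 + (minute // 5) % 3}"))
    # Low-and-slow reconnaissance: one new internal host every 30 minutes.
    for step in range(16):
        log.append((base + timedelta(minutes=30 * step), "10.0.0.5",
                    f"10.0.2.{10 + step}"))
    return sorted(log)


def distinct_destinations(log, window, threshold):
    """Map each source to the peak number of distinct destinations it reached
    within any sliding window of length `window`; keep only sources at or
    above `threshold`."""
    events_by_src = defaultdict(list)
    for ts, src, dst in log:
        events_by_src[src].append((ts, dst))
    flagged = {}
    for src, events in events_by_src.items():
        events.sort()
        peak = 0
        for i, (start_ts, _) in enumerate(events):
            # Distinct destinations in the window that opens at this event.
            seen = {dst for ts, dst in events[i:] if ts - start_ts <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_slow_recon(log, threshold=10):
    """Compare a short-window scan rule with a long-window fan-out rule."""
    fast_rule = distinct_destinations(log, timedelta(minutes=5), threshold)
    slow_rule = distinct_destinations(log, timedelta(hours=8), threshold)
    return fast_rule, slow_rule


if __name__ == "__main__":
    fast, slow = find_slow_recon(build_sample_log())
    print("5-minute rule flagged:", fast)   # {}
    print("8-hour rule flagged:", slow)     # {'10.0.0.5': 16}
```

The short rule never fires because no source reaches ten new destinations in five minutes; the long-window rule surfaces the scanning host while the busy but legitimate workstation, which only ever touches three servers, stays below the threshold.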

Learn How to Outsmart Ransomware
To find out the top ways to stop targeted ransomware attacks, download the white paper “9 Steps to Defeating Ransomware.”


[1] Ransom:Win32/ZCryptor.A discovered by Microsoft in May 2016

[2] Or unzip an attachment and open an executable file disguised with a PDF icon.
