Ransomware has evolved into a serious enterprise threat

Enterprises should take the threat of ransomware seriously and ensure they are following best practices for basic cyber hygiene to ensure business operations are not crippled by ransomware, says Raj Samani, fellow and chief scientist at McAfee.

“It is important for organisations to understand the evolving tactics and the way adversaries are working to go after big business to ensure they are following the best practices for protecting data and credentials and locking down vulnerable ports, because a failure to do so will result in a costly ransomware or other cyber attack,” Samani told Computer Weekly.

Ransomware increased by 118% in the first three months of 2019 compared with the previous quarter, according to the McAfee Labs Threats Report, confirming findings by other researchers that, despite a seeming lull in ransomware after the peak in 2017, the threat has been revived, with attackers switching from mass consumer campaigns to highly targeted attacks on businesses, making it a much more significant threat for large corporations.

The report examines cyber criminal activity and the evolution of cyber threats in the first quarter of 2019 based on threat data gathered by the McAfee Global Threat Intelligence cloud from more than a billion sensors across multiple threat vectors around the world.

The recent spate of coordinated ransomware attacks reported by the Texas Department of Information Resources (DIR) against 23 mainly local government entities across the state is evidence that the trend identified in the first quarter is continuing, said Samani.

In addition to a ransomware revival, the report highlights that more than 2.2 billion stolen account credentials were made available on the cyber criminal underground in the first quarter and that 68% of targeted attacks used spear phishing for initial access.

“This shows how the cyber crime economy works,” said Samani. “Credentials are sold online, other criminals buy the credentials and then use them to get into organisations and use the ransomware they are an affiliate for to infect an organisation and demand tens of thousands of dollars in ransom.

“The purpose of the threat report is not just to give the hard stats, but to encourage organisations to look at everything that is going on and see it is all connected and contributes to the wider ecosystem of crime.”

The findings on ransomware targeting businesses are consistent with the fact that ransomware and other forms of cyber extortion are currently the most popular forms of cyber criminal activity in the UK, according to Rob Jones, director of threat leadership at the National Crime Agency (NCA), speaking to Computer Weekly in a recent interview.

According to Samani, the average ransomware demand by cyber criminals targeting businesses went up from $12,000 in the first quarter to $36,000 in the second quarter. “The reason they can demand so much is that they will analyse and cripple that environment in an attempt to force organisations to pay up,” he said.

As cyber criminals seek a higher return on investment by targeting big business and local government organisations, the McAfee report shows that those behind these highly targeted ransomware attacks are adopting new tactics and code innovations. 

While spear phishing remained popular in the first quarter as a means to gain access to a company network, the report notes that ransomware attacks are increasingly targeting exposed remote access points, such as remote desktop protocol (RDP), which was linked in other research to 63.5% of disclosed targeted ransomware campaigns in the first quarter of 2019.

RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets, the report said.

In the light of these findings, Samani said organisations should:

• Question whether externally accessible RDP is an absolute necessity;
• Consider how to secure RDP if the organisation is absolutely reliant on it, such as for IP address filtering.

Where RDP is indispensable, Samani said organisations should follow best practices of basic cyber security hygiene to improve RDP security by:

• Not allowing RDP connections over the open internet;
• Using a virtual private network (VPN) for remote user access;
• Using complex RDP passwords to reduce the likelihood of successful brute-force attacks;
• Using multifactor authentication (MFA);
• Using an RDP gateway to simplify RDP management;
• Using a firewall to restrict access;
• Enabling restricted admin mode so that no credentials are stored on the RDP server;
• Enabling enhanced RDP security to implement encryption and server authentication;
• Enabling network level authentication (NLA);
• Restricting access to RDP to only those who need it;
• Minimising the number of local administrator accounts;
• Ensuring that local administrator accounts are unique;
• Limiting domain administrator account access;
• Wherever possible placing RDP servers within a demilitarised zone (DMZ) or other restricted area of the network;
• Using an account-naming convention that does not reveal organisational information.

Researchers found that whereas ransomware criminals would, in the past, have set up a command and control (C2) environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden from authorities and others hunting for C2 servers.

The most active ransomware families of the quarter were Dharma/CrySIS, GandCrab and Ryuk, the report shows.

“Ryuk was very much the precursor of the sort of things we are seeing now in its very targeted nature going after large corporations, in the same way that GandCrab was a precursor to Sodinokibi,” said Samani.

Other notable ransomware families found to be active in the quarter include Anatova, which was exposed by McAfee Advanced Threat Research before it had the opportunity to spread broadly, and Scarab, a persistent and prevalent ransomware family with regularly discovered new variants.

The report reveals that Anatova can adapt quickly, using evasion tactics and spreading mechanisms. “Anatova has a manifest to request administrative rights and strong protection techniques against static analysis, which makes things tricky,” states the report. Researchers found that its modular design allows it to add new, embedded functionalities designed to thwart anti-ransomware methods.

The report also notes that data cannot be restored without payment and a generic decryption tool cannot be created with today’s technology. “Our analysis indicates that Anatova has been written by skilled software developers,” write the researchers.

According to Samani, it is imperative that organisations look at how ransomware is evolving and adapting, so they can shut down common access points.

Christiaan Beek, lead scientist and senior principal engineer at McAfee, said paying ransoms supports cyber criminal businesses and perpetuates attacks.

“There are other options available to victims of ransomware,” he said. “Decryption tools and campaign information are available through tools such as the No More Ransom project.”

Other findings of the 2019 McAfee Q1 threat report include:

• New PowerShell malware was up by 460%.
• Cryptocurrency mining malware was up by 29%.
• Malware exploiting flaws in internet of things (IoT) devices was up by 10% from the previous quarter and grew by 154% in the previous year.
• New malware samples increased by 35%, while new Mac OS malware samples declined by 33%.
• New mobile malware samples decreased by 15%, but total malware grew by 29% over the previous year.