
The Continued Evolution of Ransomware in APJ

As discussed in my previous article, ransomware was arguably the most notorious cyber threat to businesses in 2016. It caused severe disruptions to victims across industries and countries, forcing them to halt business and, in some cases, pay the ransom in the hope of a speedy recovery.

Although the malware spam messages that distribute ransomware look rather rudimentary, the actual payload is well targeted and destructive, especially for businesses. When ransomware targeted only consumers, it encrypted only the data stored on the local hard disk of the compromised computer. In recent years, ransomware has started going after business-related files by encrypting data stored on network shares. Many people use ‘Favorites’ or mapped network drives for quick access to the network resources they use daily at work; unfortunately, those mapped locations are also targeted by ransomware. In addition, ransomware now specifically targets business-related file types, ranging from databases to web content to CAD files, among others. We have even seen cases where terabytes of database files were encrypted by ransomware. These are clear indications that the threat is deliberately targeting businesses for higher profit than it could possibly extract from consumers.

[Figure (source: Trend Micro): Number of known ransomware families encrypting business-related files in 2016]

As ransomware became a more significant threat to businesses, its payloads and extortion tactics became even nastier. For example, Petya ransomware encrypts and destroys the PC’s Master Boot Record and Master File Table, making recovery extremely difficult. Chimera ransomware, meanwhile, uses the scare tactic of threatening to upload the data it has encrypted to the internet. It is only a matter of time before ransomware combines extortion tactics: for example, not only encrypting data but also threatening to make it public, or even selling or using it in the underground market.

Beginning in October 2016, we started seeing ransomware campaigns in Japan that still use spam messages but are crafted much like targeted email. These campaigns use bogus pretexts such as ‘system maintenance’, ‘announcement from a law firm’ and even ‘security alert from a government agency’. They are also noteworthy in that, instead of sending messages to thousands of users, they send messages to only a handful of corporate email addresses. Just as spear-phishing emails have changed from immature, spam-looking messages into sophisticated, well-targeted ones, it is likely that ransomware campaigns will start targeting businesses with more credible pretexts to fool victims. In other words, the usual cliché of ‘don’t open suspicious emails’ will become obsolete sooner rather than later.

Like any other cyber threat, ransomware has largely been a threat to traditional IT environments, where businesses handle payslips, customer data, financial spreadsheets and so on. But there is a twist in the ransomware threat landscape for businesses. When ransomware attacked Hollywood Presbyterian Medical Center, it compromised the electronic medical record system where patients’ records are stored, which must have caused significant disruption to the hospital’s daily operations*¹. Ransomware also hit the San Francisco Municipal Transport Agency, forcing the agency’s ticket station terminals offline*². It has also been reported that the key management system at a hotel resort in Austria was compromised*³. In addition, we have seen ransomware capable of infecting smart TVs and smart TV boxes. With the Internet of Things (IoT) gaining traction in the market, it is wise to expect that cybercriminals will actively seek to cause damage in non-IT environments, including IoT-enabled environments such as industrial control systems*⁴.

[Figure (source: Trend Micro): Ransomware infecting a smart TV and a smart TV box]

Ransomware has become such a phenomenal threat to businesses in a relatively short space of time mainly because of the kind of damage it can cause to its victims. To mitigate the risk of falling victim to ransomware, businesses must adopt a multi-layered approach to their security strategy. A multi-layered approach means, first, strengthening security at every tier of the corporate network: gateway, endpoints and servers. It also means enabling a range of security technologies, such as web reputation and behaviour monitoring, at every tier. Even then, there may come a time when being hit by ransomware is unavoidable. To contain or limit the damage, breach detection capability, which lets you identify ransomware activities such as retrieving an encryption key from a command-and-control server, will play a crucial role in combating ransomware’s nasty nature. Last but not least, the ‘3-2-1 backup rule’ is a must: at least three copies, in two different formats, with one of those copies off-site. As with any other security threat, security measures need to be implemented on the assumption that a breach will happen.
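One way to put the breach-detection point into practice, as an added example that is not code from the original post or from Trend Micro: a small Python heuristic run over a constructed file-share audit log that flags a host rewriting many business files of several types (databases, web content, CAD, spreadsheets) on a mapped share within a short window. The event format, share paths and thresholds are assumptions for illustration.

```python
"""Flag bulk rewriting of business files on a network share.

Added example, not from the original post. Event tuples, paths and the
thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque
from pathlib import PurePosixPath

WINDOW_SECS = 60      # sliding window length (assumed)
MIN_WRITES = 20       # writes/renames within the window before alerting (assumed)
MIN_EXT_TYPES = 3     # distinct original file types touched (assumed)


def detect_bulk_rewrite(events, window=WINDOW_SECS, min_writes=MIN_WRITES,
                        min_ext=MIN_EXT_TYPES):
    """events: time-ordered (ts_seconds, host, op, path, new_path) tuples.

    Returns a list of (host, ts, n_writes, extensions) alerts, at most one
    per host, raised the moment the window first crosses both thresholds.
    """
    recent = defaultdict(deque)   # host -> deque of (ts, original extension)
    alerted, alerts = set(), []
    for ts, host, op, path, _new_path in events:
        if op not in ("write", "rename"):   # reads and deletes are ignored here
            continue
        ext = PurePosixPath(path).suffix.lower()
        q = recent[host]
        q.append((ts, ext))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        exts = {e for _, e in q if e}
        if host not in alerted and len(q) >= min_writes and len(exts) >= min_ext:
            alerted.add(host)
            alerts.append((host, ts, len(q), sorted(exts)))
    return alerts


def sample_events():
    """Constructed audit log: a benign workstation editing a few spreadsheets,
    and a second host renaming many files of mixed types to a new extension."""
    ev = [(10.0 + i * 15, "ws-benign", "write", f"/shares/finance/report{i}.xlsx", None)
          for i in range(4)]
    kinds = ["sql", "html", "dwg", "xlsx", "docx"]
    for i in range(25):
        name = f"/shares/finance/file{i}.{kinds[i % len(kinds)]}"
        ev.append((100.0 + i, "ws-infected", "rename", name, name + ".locked"))
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    for host, ts, n, exts in detect_bulk_rewrite(sample_events()):
        print(f"ALERT host={host} t={ts:.0f}s writes={n} types={exts}")
```

The benign host never reaches the write threshold, while the second host is flagged on its twentieth rename; in production the alert would feed isolation of that host and a check of the share's backups.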


*1: http://hollywoodpresbyterian.com/default/assets/File/20160217%20Memo%20from%20the%20CEO%20v2.pdf

*2: http://www.sfexaminer.com/hacked-appears-muni-stations-fare-payment-system-crashes/

*3: https://www.thelocal.at/20170131/bitcoin-hotel-hack-victim-speaks-out

*4: http://blog.trendmicro.com/trendlabs-security-intelligence/flocker-ransomware-crosses-smart-tv/

Tags: APJ, Ransomware

Posted on May 29, 2017


by Masayoshi Someya

Senior Security Evangelist, Trend Micro


This document was retrieved from http://www.rsaconference.com/blogs/the-continued-evolution-of-ransomware-in-apj on Tue, 21 Nov 2017 20:32:46 -0500.
© 2017 EMC Corporation. All rights reserved.