Who is behind Ransomware?

One year after the Wanna-Cry outbreak, ransomware continues to infect internet connected devices without prejudice. To an individual, a ransomware infection feels like a violation of personal privacy and safety.  But although it may feel like one has been specifically targeted, that is rarely the case. In most cases, individual employees and organizations are not targeted. In fact, the targets are usually IT vulnerabilities such as improper network configuration, unpatched software, and weak employee security hygiene/behavior.  

These vulnerabilities are identified by cyber criminals via off the shelf network scanning software or even public sites that perform the scans. The network scanning results lead to large scale campaigns against the organizations and devices on those identified networks. It is similar to to car thieves searching a neighborhood for an unlocked Honda Accord.  While not a fancy car, Honda Accord parts are easily resold in the aftermarket making it the most commonly stolen vehicle year after year. An unlocked car is also easier to steal than a locked one. The car thieves are not out to get that specific owner, but unfortunately the driver was much more vulnerable based on their attack profile than others.

However it happens, the realization that you are a ransomware victim demands action, and contextualizing how the attack originated is a good place to start.  In this three part series we identify three types of attacks. In part I, we look at commodity “off-the-shelf” ransomware attacks. In part II, we look at more targeted attacks. Finally, in part III, we look at targeted highly sophisticated attacks and breaches.  In each section we contextualize the prevalence of the attack type, the likelihood that an attack can be prevented, and attempt to profile the attackers.

One consistent ransomware trend, is that as the volume of attacks has increased exponentially, the technical sophistication of the attacker has correspondingly dropped. A cyber criminal no longer needs to be highly technical. A recent Carbon Black report estimated that over 6,300 dark-web marketplaces are selling ransomware with 45,000 unique product listings. To put that in perspective, your average Home Depot carries 35,000 different products.  Yes, your average weekend warrior has more selection for malicious software than cabinet brass.

Part I: Commodity Ransomware

Description: Vulnerability scanning and a hail of malicious email

Tool: Commoditized Ransomware

Preventability: Highly Preventable

Prevalence: Highly Prevalent

Attacker Sophistication: Low

Cost per Infection: Low

There are a handful of original ransomware strains, but tens of thousands of variants.  These variants are cheaply purchased on the dark web. Anyone in the world with a tor browser and some cryptocurrency can purchase a ransomware kit, an email list and launch their own ransomware campaign. These campaigns spam malicious attachments which endpoint protection, AV and security awareness training are designed to keep out. Nonetheless, by volume these types of attacks are the most common.  All it takes is one errant click.

Commodity ransomware is like a bug bounty program, except without consent or negotiation.

It is extremely difficult to actually track down individual perpetrators of commodity ransomware. The black market cost (very low), and quality of the malware (also low), suggest that this flavor of cyber criminal are non-technical, low income individuals. The campaigns don’t generate vast sums by western standards of income, but to a person in a developing country, where other economic prospects are scant, it can be a decent living.  

These simple ransomware campaigns can lead to disastrous results, if left undetected and allowed to proliferate within an organization's network. Attacks that make it to the media may seem like a targeted attack because of the size and scope, but in many cases that perception is just commoditized ransomware proliferating inside a single, poorly secured network.

Governments departments along with healthcare and financial service organizations are often headline targets because they are also the industries most challenged with legacy infrastructure.  From the outside, it can be difficult to tell if an infection was the result of targeted efforts or commoditized ransomware that soaked more of the network before being detected.

Commoditized ransomware behaves like a dragnet; a an impersonal, non-negotiable campaign that snares companies with un-patched systems or weak employee security hygiene. This a large scale problem with no quick fixes. Investing a multi-pronged disaster recovery plan that suits your organization is the first step.

Read Part II