Tailored, Targeted Ransomware Evolves

Ransomware will become more targeted, not only looking for certain file types but also taking aim at specific types of companies, such as legal, healthcare and tax preparers.

This evolution from the “spray-and-pray” attacks we largely see now is already underway, according to Rick McElroy, security specialist at Carbon Black.

“There is already ransomware that targets databases, preying on businesses, and small tweaks to their code can target critical, proprietary files such as AutoCAD designs,” he said in a blog. “A focused targeting of extensions can allow many ransomware samples to hide under the radar of many defenders.”

This specialization also means that ransomware attacks are more likely to succeed—so we can expect their frequency and severity to also increase.

The ransomware supply chain is also shifting, with as-a-service options flooding the market.

“The power to attack is no longer in the hands of a few experts, but in the hands of anyone looking to make illicit money,” said McElroy. “Ransomware can no longer be perceived as small groups of criminals performing stick ups and kidnappings; instead think of ransomware more like the consumer of a cloud service. You simply need to know how to put the pieces together. Startup CEOs no longer hire tons of IT staff or invest heavily in infrastructure. They achieve speed to market by utilizing existing services. So do cyber-criminals. The criminals are jumping right to the point of profit.”

The supply chain is straightforward, and starts with the authors who create the malicious code. These authors generally never use it themselves, he said, but instead offer it for sale for criminals to deploy. Carbon Black identified authors earning in excess of $100,000 per year through selling complete ransomware toolkits or the individual components required to run a campaign. This compares with an average annual salary of $69,000 earned by legitimate software developers.

Then there are Tier 2 providers, which, through reconnaissance, decide what machines to exploit and then sell access to them to Tier 3 criminals.

“This specialization effectively creates a turnkey offering, requiring minimal technical knowledge, and can be used by anyone with a target list,” McElroy said. “The split of revenue from the activity is agreed in advance and the provider tracks the campaign, handles payment and even delivers performance metrics, enabling future campaigns to be targeted at the most profitable victims.”

This customer service approach is growing: Carbon Black even identified helpdesk services available to support budding cyber-criminals.

“Attackers will continue to go where the money is,” McElroy said. “Right now, with ransomware, there is money to be made hand over fist. To begin to shift the economic tide, organizations should take careful inventory of their security best practices and look to implement user education programs in order to close any gaps that may exist.”
