Ransomware to further evolve in the New Year with worm-like feature, say analysts

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
It is of no doubt that we have seen a high number of ransomware variants this year, all differing in name and coding, but with only one goal: lock up a victim's system and ask for money in exchange for its freedom. These nasty programs are usually acquired through spam emails, which pretend to be something important, potentially tricking unsuspecting users.

Most of the time, these malicious programs only infect the host computer. But what if ransomware could actually evolve into something that spreads quickly from one network or computer to another? This is exactly what is being foreseen by Corey Nachreiner, CTO at WatchGuard Technologies. According to him, we will start to see "ransomworms" out in the wild, which could possibly make the crypto-malware feared even more.

Computer worms are standalone malicious programs that replicate themselves to spread to other computers. They usually exploit security failures and network vulnerabilities on a computer in order to access it.

“After infecting one victim, it would tirelessly copy itself to every computer on your local network that it can reach,” Nachreiner says. “Whether or not you want to imagine such a scenario, I guarantee that cyber criminals are already thinking about it.”

Nir Polak, Co-Founder & CEO of Exabeam, a provider of user and entity behavior analytics agrees with Nachreiner's prediction. He foresees that utilizing worms could mean a bigger business for ransomware creators, bringing in more money. “Ransomware is already big business for hackers, but ransomworms guarantee repeat business," he says. "They encrypt your files until you pay, and worse, they leave behind presents to make sure their troublesome ways live on."


ZCryptor ransomware | via Technet
The first ransomware seen to be capable of transferring from one computer to another was the 'ZCryptor,' which was discovered by Microsoft back in May. Once executed, it drops a number of files onto removable drives, making sure that the ransomware will be transferred to the next host computer.

Lastly, it is seen that ransomware-as-a-service (RaaS) will become more propagated in the future. Many variants such as Petya, Mischa, and Cerber have been utilizing this method, bringing in large amounts of revenue. According to Norman Guadagno, chief evangelist at Carbonite:

"Given the success these hackers have seen so far – a $1 billion business in 2016 alone – there’s no doubt RaaS will continue to gain traction. Fortunately, just as the cloud enables RaaS, it also enables safe cloud backup to protect against attacks."

With all of this in consideration, even with the New Year ringing in, it always pays to be careful of our activities on the internet. Being wary of the links, files, or emails we open can go a long way, as these are the usual vectors for ransomware to attack innocent victims and drain them of their hard-earned money.

Source: CSO from IDG
 

MalwareBlockerYT

It is of no doubt that we have seen a high number of ransomware variants this year, all differing in name and coding, but with only one goal: lock up a victim's system and ask for money in exchange for its freedom. These nasty programs are usually acquired through spam emails, which pretend to be something important, potentially tricking unsuspecting users.

Most of the time, these malicious programs only infect the host computer. But what if ransomware could actually evolve into something that spreads quickly from one network or computer to another? This is exactly what is being foreseen by Corey Nachreiner, CTO at WatchGuard Technologies. According to him, we will start to see "ransomworms" out in the wild, which could possibly make the crypto-malware feared even more.

Computer worms are standalone malicious programs that replicate themselves to spread to other computers. They usually exploit security failures and network vulnerabilities on a computer in order to access it.
This is pretty worrying but we've just got to hope the AV companies can keep up with the cyber criminals.
 

509322

This is pretty worrying but we've just got to hope the AV companies can keep up with the cyber criminals.

They cannot keep up. They never have been able to keep up. That will not change.

The only way to protect arrayed systems is to use a security software that will prevent execution of unknown\untrusted files. In short, system lockdown.

Enterprises embrace server\workstation lockdown, but home users are oblivious to this simple, rock-solid protection model.

The key difference all lies within the differing end-user psychologies and those that know and those that don't - and make decisions based upon false perceptions and incorrect thinking\unrealistic expectations - all going back to the fact that they don't know.
 

motox781

Level 10
Verified
Well-known
Apr 1, 2015
483
They cannot keep up. They never have been able to keep up. That will not change.

The only way to protect arrayed systems is to use a security software that will prevent execution of unknown\untrusted files. In short, system lockdown.

Enterprises embrace server\workstation lockdown, but home users are oblivious to this simple, rock-solid protection model.

The key difference all lies within the differing end-user psychologies and those that know and those that don't - and make decisions based upon false perceptions and incorrect thinking\unrealistic expectations - all going back to the fact that they don't know.

I agree with your message, but typical home users usually don't care what is installed, only that it works. Whether it be classic AVs based on allowing unknowns or default deny methods. I usually setup Avast w/ Hardened Mode Aggressive on home user PCs since the white-list is large and performance is good. Seems to work fine for the majority of users.

To change what gets installed on home user's PCs... that starts at the manufacturer that creates the software. For some reason, AV companies don't seem interested in adding advance options or features to their home product lineup.
 

509322

I agree with your message, but typical home users usually don't care what is installed, only that it works. Whether it be classic AVs based on allowing unknowns or default deny methods. I usually setup Avast w/ Hardened Mode Aggressive on home user PCs since the white-list is large and performance is good. Seems to work fine for the majority of users.

To change what gets installed on home user's PCs... that starts at the manufacturer that creates the software. For some reason, AV companies don't seem interested in adding advance options or features to their home product lineup.

There are multiple studies that, at least based on their collected data, indicate that more than half of computer\mobile device users do not make system protection a priority.

You'd be surprised how many people think that the OEM bundled security suite is protecting the system - even when it was never activated or the activation was allowed to lapse.
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
Yes bring it on, I am well prepared for any such event. ;)

I think I understand why you never adopted a smart phone. Good security choice nowadays; I might go your route. Dumb phone, tablet, and desktop in future to have one less infection method.
Imagine me having this conversation with my phone:
Svo: You are smart, can you keep yourself from being infected?
Phone: It's up to the user to keep me healthy and secured.
Svo: Hmmm, what if I am not smart?
Phone: Then I am only as smart as my owner.
Svo: "breaks phone" Stomps on it a few more times, then comes the sledge hammer.
 

David-Cyb

Level 1
Dec 30, 2016
9
One word and your data will be safe: backup!
So true mate! Recently a friend clicked on an email link that seemed to come from their office fax, and it locked up her laptop. Then she got another email demanding $1500 in bitcoins. Fortunately she backs up to the cloud, so she reformatted and reinstalled everything. Pain in the neck and lost a whole day, but .... lesson learned.

Are there any detection tools for Android or laptops that can stop this activity?
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Definitely not impossible.

Ransomware at the current stage can already infect and encrypt all files regardless if connected within network or not, the evolution of strain is continuously progressing alongside of recycling the techniques for better and harder reengineering.

In order to lessen the ransomware attack and related of it, then hire employees for security company with background of being black hat or malware author itself.
 

JohnBRogers

Level 1
Verified
Dec 6, 2016
21
In order to lessen the ransomware attack and related of it, then hire employees for security company with background of being black hat or malware author itself.
Nice idea, but I'm not sure how many people with this "skill set" would switch sides and abandon their way of life, income, etc. I doubt any AV company could convince and afford to pay a skilled malware author.
 

soccer97

Level 11
Verified
May 22, 2014
517
There are multiple studies that, at least based on their collected data, indicate that more than half of computer\mobile device users do not make system protection a priority.

You'd be surprised how many people think that the OEM bundled security suite is protecting the system - even when it was never activated or the activation was allowed to lapse.


Agreed x2.

So, can we take lessons learned from the Conficker attack of 2008 and apply them to best practices in today's security landscape?

Microsoft has its Group Policy admin templates, but unless you have Windows 7-10 Pro, Ultimate or Enterprise they may not be of much use to you.

Are things such as MDOP (Microsoft Desktop Optimization Pack), Software Restriction Policies, local policies preventing execution of certain files, and blocking certain directories (if widely implemented) sufficient at merely mitigating the risk (minimizing the damage and reducing the available attack surface)? This is in a perfect world when it is correctly configured and a balance is struck between security and usability.

Ultimately the weakest link is the end user, including every one of us. I would be interested to hear your input on the role of this and if software is at least able to catch a fast spreading worm through Heuristics and traffic analysis before it takes down all of the workstations or network, in an organization. I would sure hope so.
 

509322

Agreed x2.

So, can we take lessons learned from the Conficker attack of 2008 and apply them to best practices in today's security landscape?

Microsoft has its Group Policy admin templates, but unless you have Windows 7-10 Pro, Ultimate or Enterprise they may not be of much use to you.

Are things such as MDOP (Microsoft Desktop Optimization Pack), Software Restriction Policies, local policies preventing execution of certain files, and blocking certain directories (if widely implemented) sufficient at merely mitigating the risk (minimizing the damage and reducing the available attack surface)? This is in a perfect world when it is correctly configured and a balance is struck between security and usability.

Ultimately the weakest link is the end user, including every one of us. I would be interested to hear your input on the role of this and if software is at least able to catch a fast spreading worm through Heuristics and traffic analysis before it takes down all of the workstations or network, in an organization. I would sure hope so.

Our experience is that a software restriction policy that prevents the user from making any modifications to a verified clean system is the best security.

Usability. A consumer's idea of usability is that they should be able to do anything they so choose to their system. And that's their prerogative with the net end-result being infected in a statistically significant number of home user systems.

For Enterprise, that definition of usability does not fly. It violates best security practices. Enterprises want to prevent their users from turning a once clean workstation into an infected one. Plus, Enterprises are paranoid about malware spreading throughout their networks through shares. The only solution that virtually guarantees workstation integrity over the long term is workstation lock down.

With AppGuard installed and enabled, the user can go about virtually every typical computing activity - browsing, video playing, working with productivity softs like office suites, etc - and not run into a single issue. There are cases where allow exceptions can be made - but are not always absolutely necessary. The decision whether or not to create the exception is the responsibility of the Admin or end-user. It will vary with the OS as well as what is installed on the system.

Sub-standard programming and implementation practices - such as using unsigned files and installing programs to User Space - that's a problem. AppGuard blocks all that sort of riff-raff by default, but the end user can create the exceptions for the programs to work.
 
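The "lockdown" model the two posts above describe (deny execution by default, allow only what sits in admin-controlled directories, let an administrator approve individual files as exceptions) can be modelled in a few dozen lines. The block below is an added illustration; it is not code from AppGuard, from Windows Software Restriction Policies, or from anyone in the thread. Every path, file content and hash in it is constructed, and the directory lists are assumptions chosen to mirror a typical Windows layout.

```python
"""Toy default-deny execution policy in the spirit of the thread's "system
lockdown" discussion. Added example, not code from any product named here.
Three ideas from the posts are combined:
  1. deny by default;
  2. path rules that allow only admin-controlled directories;
  3. an administrator-maintained hash allowlist for exceptions.
"""
import hashlib
from pathlib import PureWindowsPath

# Assumed list of directories a standard user cannot write to, so a file there
# was placed by an administrator or an elevated installer (constructed).
ADMIN_CONTROLLED = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# "User space": writable by the user, and therefore where a mail attachment or
# a download drops its executable (constructed).
USER_SPACE = (r"C:\Users",)


def _parts(path: str) -> tuple:
    # Windows paths are case-insensitive, so compare lower-cased components
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _under(path: str, root: str) -> bool:
    root_parts = _parts(root)
    return _parts(path)[: len(root_parts)] == root_parts


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def evaluate(path: str, content: bytes, exceptions=frozenset()):
    """Decide whether an execution attempt is allowed.

    Returns (decision, reason). `exceptions` is the set of SHA-256 hex
    digests an administrator has explicitly approved; it wins over path rules
    so a needed tool living in user space can still run.
    """
    if sha256_hex(content) in exceptions:
        return "allow", "administrator hash exception"
    # A path containing '..' could be written so that it *starts* under an
    # allowed root but resolves elsewhere; refuse it rather than guess.
    if ".." in _parts(path):
        return "deny", "unnormalised path"
    if any(_under(path, root) for root in ADMIN_CONTROLLED):
        return "allow", "path rule: admin-controlled directory"
    if any(_under(path, root) for root in USER_SPACE):
        return "deny", "user space: unknown/untrusted file"
    # Removable drives, network shares, anything else: default deny
    return "deny", "default deny"


def demo():
    """Constructed execution attempts and the policy's verdict for each."""
    approved = frozenset({sha256_hex(b"approved-tool")})
    attempts = [
        (r"C:\Program Files\Office\winword.exe", b"word"),
        (r"C:\Users\alice\AppData\Local\Temp\invoice.exe", b"dropper"),
        (r"E:\setup.exe", b"removable"),
        (r"C:\Program Files\..\Users\alice\x.exe", b"traversal"),
        (r"C:\Users\alice\Downloads\tool.exe", b"approved-tool"),
    ]
    return [(p, *evaluate(p, c, approved)) for p, c in attempts]


if __name__ == "__main__":
    for path, decision, reason in demo():
        print(f"{decision:5}  {path}  ({reason})")
```

The path rule is only as good as the file-system permissions behind it: it is safe precisely because a standard user cannot write into those roots, so any directory under them with weak ACLs (or the unresolved `..` case handled above) is the sort of exception a real policy has to close explicitly.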

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Nice idea, but I'm not sure how many people with this "skill set" would switch sides and abandon their way of life, income, etc. I doubt any AV company could convince and afford to pay a skilled malware author.

Since you mentioned income, then any company for sure will provide smart idea for that. ;)

Money will change everything, and for sure it can afford a better outcome that will use their skills consistently.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
One word and your data will be safe: backup!
Prevention and backup are the best bets.
Evolving ransomware is also targeting backup drives. Mac's Time Machine backup program was targeted, and the backups were attempted to be encrypted, only to fail, because of an improper implementation (a hardcoded delay).
Also we need to make sure that we configure version control effectively and the backup tool shouldn't backup the encrypted files otherwise!
 
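The two requirements in the post above, keep versions rather than overwrite, and do not let an encrypted copy replace the good one, are easy to state and easy to get wrong in a sync-style backup. The block below is an added example of a versioned store that applies a Shannon-entropy check before accepting a new version; it is not Time Machine or any product discussed in the thread, the threshold is an assumption, and the sample files are constructed in memory.

```python
"""Versioned backup store that refuses to overwrite a good copy with what
looks like ciphertext. Added example, not code from any backup product.

Heuristic: an office document sits around 4-5 bits of entropy per byte; a
file that was just encrypted is close to 8. A jump from low to high entropy
between two versions of the same path is treated as suspicious and the new
version is quarantined instead of stored. The 7.5 threshold is an assumption.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class VersionedStore:
    def __init__(self, entropy_threshold: float = 7.5):
        self.threshold = entropy_threshold
        self.versions = {}      # path -> list of stored versions, oldest first
        self.quarantined = {}   # path -> rejected content awaiting review

    def backup(self, path: str, data: bytes) -> str:
        history = self.versions.setdefault(path, [])
        new_entropy = shannon_entropy(data)
        # Only the *transition* matters: files that were always high-entropy
        # (JPEGs, zips) have no prior low-entropy version and are stored.
        if history and new_entropy >= self.threshold \
                and shannon_entropy(history[-1]) < self.threshold:
            self.quarantined[path] = data
            return "quarantined"
        history.append(data)
        return "stored"

    def restore(self, path: str, version: int = -1) -> bytes:
        """Return a stored version; -1 is the newest accepted copy."""
        return self.versions[path][version]

    def version_count(self, path: str) -> int:
        return len(self.versions.get(path, []))


# Constructed sample content: plain text, and a uniform byte blob standing in
# for ciphertext (every byte value equally often, so entropy is exactly 8.0).
CLEAN_DOC = b"Quarterly report: revenue up 4 percent in Q3; see attached table.\n" * 20
ENCRYPTED_BLOB = bytes(range(256)) * 4


def run_scenario():
    """Document backed up, then its encrypted replacement offered."""
    store = VersionedStore()
    first = store.backup("report.docx", CLEAN_DOC)
    second = store.backup("report.docx", ENCRYPTED_BLOB)
    # A new file that is high-entropy from the start is not a transition
    photo = store.backup("photo.jpg", ENCRYPTED_BLOB)
    return first, second, photo, store


if __name__ == "__main__":
    first, second, photo, store = run_scenario()
    print(first, second, photo, store.restore("report.docx") == CLEAN_DOC)
```

Entropy is a heuristic, not proof: a legitimately compressed or already-encrypted file looks the same as ransomware output, which is why the check fires only on a low-to-high transition for a path that already has history, and why the rejected copy is kept for review rather than silently dropped.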

soccer97

Level 11
Verified
May 22, 2014
517
So true mate! Recently a friend clicked on an email link that seemed to come from their office fax, and it locked up her laptop. Then she got another email demanding $1500 in bitcoins. Fortunately she backs up to the cloud, so she reformatted and reinstalled everything. Pain in the neck and lost a whole day, but .... lesson learned.


Oh, the fax machine email - a well known threat - usually from a spoofed address, with the sender appearing to be from Xerox, or an email with the attachment and/or subject containing the work invoice, or a fake UPS or FedEx shipping notice.....


Are there any detection tools for Android or laptops that can stop this activity?
I will acknowledge that I see both sides of this argument.

A better idea is to have someone very familiar with the way that skilled malware authors work, and that can recognize a company's biggest threat - an insider - and what resources they either are, are very likely to be, are likely to be, may be etc....who can break it down into risk levels and do a comprehensive security audit. You then develop documentation, make sure everyone is using 'the principle of least privilege', always change your admin password that guards the server and other 'critical' things regularly and watch for intrusion attempts.

I would want to hire someone with a track record of quickly recognizing threats or potential ones even if they are looking at a SNORT log. For example, when there was a 0-day for JRE that required almost no effort for RCE leading to complete compromise of a system with little effort it was a huge deal and made national and local news - urging consumers to uninstall it. How often does that happen, when you see this on the 5PM news?

A few years ago, one would get flooded with attacks attempting to exploit that in a large network; if it is a DDoS, compromise may be partially successful. At that time ransomware wasn't really a widespread thing, but just think of 1000-2000 PCs being infected with strong ransomware while they held proprietary documents. That is an internal and PR disaster. SNORT (an IDS) logs all activity and matches the attack with the vulnerability in real time, telling you the originating and targeted IP. It gets complicated.

The right person can act fast- but it takes a team.
 
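The question earlier in the thread, whether traffic analysis can catch a fast-spreading worm before it reaches every workstation, comes down to spotting one host fanning out to many LAN peers in a short window. The block below is an added example of that check run over Snort's single-line "fast" alert format; it is not code from Snort or from anyone in the thread. The alert lines, rule messages, addresses and thresholds are all constructed (the rule id 1000001 sits in the range Snort reserves for locally written rules), and the port-445 focus is an assumption matching the SMB-share spreading the posts describe.

```python
"""Detect worm-like fan-out in Snort fast-format alerts. Added example, not
code from Snort or from the thread. Reads one alert per line, groups by
source address, and reports sources that reached at least `min_targets`
distinct hosts on `port` inside any sliding window of `window_seconds`."""
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

# Snort "fast" alert line, e.g.
# 12/30-09:15:00.000000  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 2] {TCP} 10.0.0.5:49152 -> 10.0.0.10:445
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


class Alert(NamedTuple):
    ts: datetime
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; returns None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Fast-format timestamps carry no year; strptime fills in 1900, which is
    # fine for computing differences within a single capture.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    dport = int(m["dport"]) if m["dport"] else None
    return Alert(ts, int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"], dport)


def find_spreaders(lines, min_targets=5, window_seconds=60, port=445):
    """Return {src: max_distinct_targets} for sources whose alerts to `port`
    cover at least `min_targets` distinct destinations in one window."""
    by_src = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert and alert.dport == port:
            by_src[alert.src].append(alert)
    hits = {}
    for src, alerts in by_src.items():
        alerts.sort(key=lambda a: a.ts)
        start, best = 0, 0
        for end in range(len(alerts)):
            # slide the window start forward until it fits within window_seconds
            while (alerts[end].ts - alerts[start].ts).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({a.dst for a in alerts[start:end + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits


def _line(clock: str, src: str, dst: str) -> str:
    # Builds a constructed alert line in Snort fast format
    return (f"12/30-{clock}  [**] [1:1000001:1] LOCAL SMB session setup from workstation [**] "
            f"[Classification: Potentially Bad Traffic] [Priority: 2] {{TCP}} {src}:49152 -> {dst}:445")


# Constructed sample log: one host touches eight peers on 445 within 14 seconds,
# another reaches three file servers over twenty minutes, plus noise.
SAMPLE_ALERTS = [
    *[_line(f"09:15:{i:02d}.000000", "10.0.0.5", f"10.0.0.{10 + i}") for i in range(0, 16, 2)],
    _line("09:01:00.000000", "10.0.0.7", "10.0.0.50"),
    _line("09:11:00.000000", "10.0.0.7", "10.0.0.51"),
    _line("09:21:00.000000", "10.0.0.7", "10.0.0.52"),
    "12/30-09:15:03.000000  [**] [1:1000002:1] LOCAL HTTP to raw IP [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:49200 -> 203.0.113.9:80",
    "this line is not an alert and is skipped",
]


if __name__ == "__main__":
    print(find_spreaders(SAMPLE_ALERTS))
```

The window and target count are the knobs a defender tunes against their own baseline: a file-server user touching three shares in twenty minutes must not trip it, while eight new peers in fourteen seconds is the signature of self-copying, and that is exactly the kind of rate-based rule that can fire before a hash-based signature for the new strain exists.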
