Imagine you administrate a datacenter. Actually, that may not be much of a stretch - that may be exactly what you do in real life.
You do most of your work on a Windows Server 2016 machine, managing a few hundred Windows 10 clients through Active Directory. You return from your lunch break and wake your computer out of sleep by moving the mouse. When your displays light up again, each of your desktops has a note open in a web browser: "We have encrypted all of your files. Send 1 bitcoin to this address in 48 hours or your files will be gone for good." Damn it!
I first encountered ransomware as a remote tech support agent in 2007. Cryptocurrencies didn’t exist back then, so the ransom notes demanded credit card numbers. We were instructed to plead with customers to not enter their credit card numbers, and to walk them through a re-install of Windows.
Some of the ransomware families that existed back then, such as Dharma, still exist today, but cyber attackers have made many technical improvements to both older strains of ransomware and to new strains as well. These improvements include taking cryptocurrency ransoms (usually in bitcoin), which are more difficult to track than credit cards; antivirus evasion techniques like injecting executables into processes and stronger crypters; and connections to command and control servers so that cyber attackers can tweak how their malware behaves and send their victims even more malware in the future.
The Rising Threat of Ransomware
Some of the newer types of ransomware, such as SamSam, have cost enterprises, businesses, and institutions millions of dollars. SamSam’s most notable victims include many large hospitals and the City of Atlanta. Ransomware may have started with consumers years ago, but now it’s one of the biggest cybersecurity threats that industries have to contend with.
Datto, a managed service provider (MSP) of IT services receives lots of data on the information security problems that businesses of all sizes encounter. They just released their 2018 Global State of the Channel Ransomware Report, and I learned a lot from it. They surveyed over 2,400 IT professionals from around the world for this report.
Here are some of the findings which really stood out to me:
Chances are that your business uses some cloud services, both for Infrastructure-as-a-Service (IaaS) like AWS, and Software-as-a-Service (SaaS) like Microsoft Office 365. Those are some great products, but the bad news is that they are increasingly popular ransomware targets. Especially Office 365, which nearly 50% of respondents reported as a specific target. A lot of sensitive data is contained in Excel spreadsheets and Word documents, so this is rather worrisome.
MSPs seem to understand something that SMBs (small and medium-sized businesses) often don't: 89% of MSPs are "highly concerned" about ransomware, whereas only 36% of SMBs say the same.
Ransomware isn’t just for PCs and servers anymore. 57% of MSPs predict that ransomware will target social media accounts, 54% of MSPs predict that ransomware will target Internet of Things (IoT) devices in general, which range from Smart TVs, to onboard systems in cars, to industrial controllers in factories. 43% of MSPs predict that ransomware will specifically target wearable IoT devices, such as smartwatches and Fitbits.
39% of MSPs also predict that ransomware will target self-driving cars. That's a type of IoT device, and completely autonomous self-driving cars are still in the R&D phase. Ransomware in a self-driving car could lead to the loss of human lives on a busy highway, so that's pretty scary to me.
And speaking of potentially deadly ransomware, 37% of MSPs predict that ransomware will target medical devices, which include things like insulin pumps and pacemakers.
Some of the future risks of ransomware attacks that MSPs predict include bankrupting entire companies, the capturing of critical utilities such as power grids, and erasing personal records from the Internet. Cyber attackers are improving the destructive potential of ransomware constantly, and the survey respondents speculate AI-driven evolution, targeting victims based on demographic data, and becoming the primary means of cyberwarfare, potentially even overtaking conventional warfare.
Ransomware’s (Unstoppable?) Global Spread
Ransomware can be very difficult to stop. 86% of MSPs say that ransomware victims had antivirus software (why don’t 100% of their clients have antivirus software?). 65% of ransomware victims had email and spam filters. Those security controls are good for preventing ransomware that’s distributed through malicious email attachments, but not so good at preventing ransomware that enters through poorly secured Remote Desktop Protocol ports, which is one of the most common entry points for ransomware in general.
29% of MSPs say that ransomware victims had also pop-up blockers in their web browsers. In a nutshell, a business must implement a wide variety of cybersecurity measures in order to prevent ransomware infections, no individual security control should be completely depended on.
However, ransomware can no longer be dismissed as just a Windows problem. Although 99% of MSPs have seen ransomware target Windows, 9% have seen ransomware target macOS, 8% have seen it target Android, and 5% have seen it target iOS.
This doesn’t surprise me at all because in my threat intelligence research I have seen Mac, Android, and iOS ransomware being sold in Dark Web markets such as Empire Market and Dream Market. That’s a common way that cyber attackers acquire these destructive cyber weapons. Those numbers on other platforms will surely grow.
The number of MSPs reporting macOS and iOS ransomware is up about 500% from Datto’s 2017 report. A lot of creative businesses rely on macOS, and businesses of many sizes give iPhones to their employees for corporate use. The Asia-Pacific region reports Android ransomware more than anywhere else in the world, with 11% of survey respondents from the region reporting it.
The same varieties of ransomware have targeted multiple SMB clients. 71% of surveyed MSPs report CryptoLocker, 50% report WannaCry, 40% report CryptoWall, 24% report Locky, 18% report CryptXXX, 17% report Petya, 14% report TeslaCrypt, 11% report CBT Locker, 9% report NotPetya, 8% report Torrent Locker, 7% report Bad Rabbit, 6% report Dharma/CrySis, 5% report CoinVault, 5% report Cerber, and 3% report SamSam.
SamSam may be less common, but it’s amongst the most destructive of all ransomware. It specifically targets institutions and enterprises, demanding more than $50,000 per victim, with overall cybercrime profits exceeding $6 million since 2017. The profitability of specific ransomware can often be found by examining the cryptocurrency accounts that the ransom notes direct their victims to send money to.
Finally, ransomware targets a wide range of different industries. Of the clients of the surveyed MSPs, 38% of ransomware victims are in construction and manufacturing, 35% are in professional services, 27% are in finance and insurance, 25% are in healthcare, 21% are in legal services, 20% are in the non-profit sector, 15% are in real estate, 15% are in retail, 11% are in education, 10% are in travel and transportation, 10% are in architecture and design, 10% are in consumer products, and 8% are in government.
In my opinion, Datto’s research is very useful. It makes it clear that all industries, both in the public and private sectors, must join forces with technology vendors to fight the growing ransomware threat. Not taking ransomware seriously could not only ruin entire businesses, but also potentially threaten a lot of human lives.