Threat Intelligence Blog

Posted May 29, 2019

You might have had this nightmare or heard about this horror story on the news: Your loved one is kidnapped and the only way to free them is by paying a large ransom to the kidnapper. Worst-case scenario, the kidnapper may not return the loved one after the ransom is paid. They are a kidnapper, after all. Now imagine that same scenario, but the “loved one” is your organization’s data, and the kidnapper is ransomware.

Ransomware is a malicious software designed to block access to a system or network until a ransom is paid to whomever deployed the software. By now we know that ransomware is not a new threat, and it’s a tried and true threat actor exploit. The first ransomware virus was created in 1989 – 30 years ago. Since then, we’ve seen ransomware evolve into once of the hardest hitting cyber threats to enterprises. There were 184 million ransomware incidents reported in 2018 alone.

The lifecycle of a ransomware strain typically looks like this:

  1. Ransomware is deployed through phishing, spearphishing, or social engineering attack
  2. Ransomware encrypts any or all files on the computer’s network, completely blocking access to data
  3. When the user tries to access encrypted files, a ransom message is triggered, with instructions on how to get a decryption key
  4. User pays ransom in an untraceable cryptocurrency
  5. User might get their data recovered

How It Spreads, and How to Stop It

Because ransomware strains are commonly delivered through phishing, spearphishing, and social engineering campaigns, it is vital for organizations to monitor and defend against known malicious URLs, as well as invest in cyber training to help employees – the common target of these threats – identify the warning signs they are being deceived online. Always be skeptical of email attachments from unknown senders.

Patching and updating regularly is another way to prevent ransomware attacks. Many high-profile ransomware attacks—like, NotPetya—took advantage of a vulnerability in computer systems. Following the Cybersecurity ABCs can decrease the chances of being infected with ransomware.

Though ransomware was originally created to target individuals, it is an increasing threat to enterprises in every vertical due to the high reward for criminals if the attack is successful. Ransomware infections cost commercial entities more than 75 million USD per year, and individual businesses an average of 133K USD per attack. Threat actors will continue to deploy ransomware in 2019.

Evolution of Ransomware

Occurring in 1989, the first ransomware attack was perpetrated against the healthcare industry, which remains a top target vertical for ransomware attacks today. Carried out by an AIDS researcher, the ransomware was deployed on a floppy disk containing a questionnaire. The malware remained dormant on the machine, only activating when the computer was turned on 90 times. The earliest ransomwares were typically coded by the individual who distributed the attack, proving costly and time consuming for the criminal.

Today’s cyber criminals are looking for any way to save time and money. A close cousin of Malware-as-a-Service, threat researches now see Ransomware-as-a-Service in the same forums. By turning their ransomware into a marketable product and service, its users can easily deploy the ransomware, and the cyber criminal can gain notoriety and media attention depending on its success.

Recent Ransomware Attacks

In early May 2019, the City of Baltimore was implicated in a ransomware attack, crippling many online payment systems and databases, including parking fines and utility payment portals. The ransomware, RobbinHood, has been holding systems hostage for two weeks. The mayor is refusing to pay the ransom, valued at about $100K. Ransomware attacks like these have been targeting city governments for years—only 15 months ago, Baltimore City’s emergency response  and dispatching system was compromised. City officials have dubbed these instances as “self-inflicted wounds”, citing open and known vulnerabilities without patches, while some experts claim that the attacks are purely opportunistic. Though state and local governments are not being specifically targeted, there have been at least 169 incidents of ransomware attacks on state and local governments since 2013.

The true question in attacks like these is, “Should we pay the ransom?” According to the most recent CyberEdge 2019 Cyberthreat Defense Report, 50% of organizations are still affected by ransomware, 45% of those implicated try to pay the ransom, and only 19% of those got their data back.

Phobos Ransomware Affiliate Program

In January 2019, LookingGlass analysts became aware of suspected Russian threat actor Phobos777 advertising a Phobos ransomware affiliate program. Like an enterprise Partner Program, cyber criminals can make money after successfully deploying the ransomware. For every decryption received, the criminal earns 400 USD. With access to a portal detailing the status of their deployed ransomwares, the affiliate can track and manage them, and are even provided with a support team to keep the ransomware from being detected by anti-virus software.

Phobos777 is believed to be linked to other ransomware strains CrySis and Dharma, which maintains a steady share of the ransomware market worldwide. With both of these strains, similarities include an identical copy-paste email, near-identical ransom notes, and anti-virus programs recognize Phobos as CrySis.

The Future of Ransomware

Though threat actors have targeted large industry verticals in the past, LookingGlass threat analysts have found trends indicating increased targeting of smaller organizations. This would require threat actors to do more research on their target beforehand, but would reduce the amount of media, therefore enabling the actor to reuse the same strain and slowing down decryptions. This approach also enables the actor to tweak the campaign to work better in future. Defending against ransomware is a challenge, but comprehensive threat intelligence helps organizations become aware of and defend against these types of attacks. Contact us to learn more about our Threat Intelligence-as-a-Service offering.

Additional Posts

SecureWorld Dallas

Join LookingGlass and qualified, dedicated, and engaged information security practitioners from ...

NBA Security Conference 2019 Vendor Summit

Stop by our LookingGlass booth at the NBA Security Conference in Las Vegas to receive a demo ...