7 Ransomware Trends to Watch for in 2017

In November McAfee Labs released its 2017 Threat Predictions report and one of the predictions that has gotten a lot of press is that McAfee expects ransomware attacks to decrease in 2017.

Based on the research I have done, I don’t think this is true.

I believe the nature of ransomware is going to change, but as long as it is profitable for attackers to use ransomware they will continue to do so.

Below are my predictions for 2017, in no particular order.

2017 Ransomware Trends

1. Ransomware will become just another tool in the hacker utility belt.

Today, we think of most ransomware attacks as “smash and grab,” kind of like robbing your local 7-11, a crime of opportunity pulled off by low-skilled hackers. The truth is, this is already starting to change and will continue to evolve. Ransomware will sit in the arsenal of a wide range of attackers, similar to a keylogger or a network scanner.

Why are more advanced groups adding ransomware to their arsenal? We have seen a number of attacks already where skilled attackers get into a network, get what they need, and leave ransomware behind. Part of the reason for this is that it serves as a useful distraction: “Were we hacked?” “No it was just a ransomware attack” — people think of ransomware attacks as a single machine attack, so they don’t necessarily look around the rest of the network for other signs of a breach, making it easier for the attacker to escape unnoticed.

But another reason is that advanced attacker groups need to make money, and ransomware done right can be very profitable. By all accounts, state-sponsored activity from China has been way down in 2016 (a trend that may reverse January 21, 2017), which means a lot of Chinese contractors that relied on the Chinese government for outsource work have had to find new sources of revenue. Many of these contractors have very good access into a large number of organizations around the world, so why not throw down some ransomware?

2. We’ll see more attacks designed to publicly shame the victims.

Given the large amount of press coverage that the attacks on the San Francisco MUNI generated, I expect to see more copycat attacks like this in 2017. This was a ransomware attack designed to publicly shame the company into paying. This was not a typical extortion attack, instead it was one that allowed all of the San Francisco MUNI riders to clearly and publicly see that the organization had been compromised. In other words, the attacker will gain access to the organization, whether through luck or targeting, and will look for systems that are public facing, such as:

Self-checkout systems at grocery store chains Bank ATMs Computerized billboards at Times Square

Basically, any organization that has a kiosk-type system exposed to the public and running on older, insecure versions of Microsoft Windows. If these types of systems get infected with ransomware, everyone knows you have been hit and there is a lot of pressure to resolve the problem quickly.

Note: This, in my mind, is distinct from Internet of Things (IoT) attacks — discussed later, because these systems aren’t directly connected to the internet; they are connected to a network that is connected, so an attacker has to make a conscious decision to go after these systems once he/she is in the network.

3. More examples of ransomware using no executable as a means of evading detection.

This is something that has already been done with Ransom32 — developed entirely in JavaScript and PowerWare (developed in PowerShell) — and it is a trend that will continue to grow.

This type of ransomware uses a combination of scripting languages (such as PowerShell and JavaScript) and Microsoft API calls to encrypt the files on a victim’s machine. The encryption, the ransom note, and the call out to a command and control server are completed without an executable file. These ransomware families are able to avoid detection by many traditional security vendors because they are taking advantage of legitimate processes on the system, so everything they do is “legitimate.”

4. Ransomware spam campaigns will target the security of webmail providers.

Right now, spam campaigns are losing the battle against consumer webmail providers like Yahoo!, Microsoft, and Google. These services have gotten very good at quickly identifying new ransomware campaigns and sending the offending emails to the Junk folder (or equivalent). This, at least partially, contributed to the rise of ransomware in the enterprise in 2016 — the spam filtering systems in many organizations are less effective, or non-existent, than those of the consumer webmail providers, which is one of the reasons why the attackers behind ransomware have focused corporate targets.

If ransomware follows the trend of past email-based attack campaigns, the attacker will start looking at ways to bypass the security features built into these webmail providers, similar the most recent vulnerability revealed against the Yahoo email service. Most users don’t think about it, but a webmail service has a great deal of complexity on the backend, completely invisible to the users. Any complex system is subject to security vulnerabilities.

As ransomware groups look to expand their attack surface the easiest way to do that is increase the number of people who see their email or to have the ransomware auto-install when the victim opens the email. If the ransomware groups can find weakness in the security of these providers, or use some of the millions they have made to buy zero-day exploits to take advantage of weaknesses that may exist, they can increase the number of successful installs and increase their revenue even more. I think we’ll see attacks like this in 2017.

5. There will not be any ransomware IoT campaigns.

I am a bit of a contrarian when it comes to ransomware on IoT. Since these devices tend to be synched with a server or a cloud, it is too easy to wipe and replace them, so there is no compelling reason for a victim to pay the ransom. So, I don’t think ransomware is going to be effective against these targets.

There is a distinction between the IoT device itself and the Windows systems that serve as the face of these IoT systems; those will be subject to attack in the same way as other Windows systems. In fact, in some way they may be more susceptible to ransomware. The control systems often run specialized software that controls the IoT devices, this specialized software usually requires a specific version of Windows, one that is often outdated and unpatched.

But when we are talking about the Linux/UNIX/Specialized OSs that actually handle the day-to-day functions of those systems, they are too obscure to be a reliable target for mass-produced ransomware. There is also a difference in the way the file systems are set up between Linux/UNIX systems and Windows computers. Most people act as local administrator on their home computer, and even a lot of companies allow their users to have local administrative access to their workstations. In practical terms, this means that the user can access every file on the system. When a victim inadvertently installs ransomware that ransomware also has access to everything on the system and can encrypt it all. Linux/UNIX systems operate differently. The user only has access to his or her files, not all files on the system. Even if a user does accidentally install ransomware the ransomware will only be able to encrypt the user’s files, not all of the files on the system. In order for ransomware to be effective on a Linux/UNIX system the attacker would either need a victim logged in as root or to package a privilege escalation with the ransomware (that is a whole other set of problems).

The cost-benefit analysis doesn’t work; you won’t make enough in ransom to cover the costs of development. Aside from not being cost-effective, it is really hard to get ransomware to run on a Linux/UNIX system (unless the attacker has control and installs it), and even more difficult to figure out how to get ransomware ported to obscure OSs.

There is a distinction to be made between consumer-grade IoT devices, such as home routers and web cameras and the more complex Supervisory Control and Data Acquisition (SCADA) systems that control things like the city’s water supply or traffic lights. These systems also run on specialized operating systems, but they are not disposable in the way consumer IoT devices are. An attacker who develops a ransomware attack against these platforms has a completely different cost-benefit analysis. It could easily be worth the time, effort and cost to create ransomware and attack these systems. I don’t think it will happen in 2017, but if people get smarter about protecting their systems or organizations, these SCADA systems will become more attractive targets.

6. Similarly, there will not be a Mirai-style botnet installing ransomware.

Because the the Mirai botnet is so closely tied to IoT, this trend is linked with the previous one, but I wanted to make a distinction because some people believe that we will see a Mirai-style botnet installing ransomware on all of our home internet routers or CCTV cameras. We actually saw something similar to that in early 2016. A version of CTB-Locker was designed to take advantage of flaws in WordPress sites. It was configured to replace the front page of the site with a ransom note and then scan for more vulnerable WordPress sites to infect.

No one paid the ransom.

Aside from the previously-discussed difficulty in designing and delivering a UNIX-based ransomware, there are two reasons why attempting to attack an Internet router won’t work. The first is that there is no “viewscreen” on these devices. Victims won’t know that they have been infected by ransomware. In the case of internet routers, for most people, when the internet stops working they call their ISP, who probably sent them the infected router in the first place. If the technician at the ISP sees that it has ransomware on it, they aren’t going to admit it, they are just going to overnight you a new router and get rid of the old one.

This applies to security cameras and any IoT device that is headless; there is a good chance no one will know that ransomware is installed, and if they do it may be cheaper to reset/replace the device than it is to pay the ransom.

7. If there is a decline in ransomware it will be because of law enforcement action.

In 2016, the security community collaborated with law enforcement in a big way to permanently shut down the attackers behind ransomware and the exploit kits that deliver them. In May, the gang behind the Angler Exploit Kit was arrested. Similarly, according to security researcher Yonathan Klijnsma, the authorities got so close to the team behind CryptoWall that they felt it was better to shutter all operations than risk arrest. The team behind the Avalanche malware service was arrested in December.

Law enforcement agents are getting smarter about cyber security, and those agencies are reaching out across borders to work with their international counterparts more closely than ever. They are also stepping up their collaboration with security researchers—the analysts doing the heavy lifting when it comes to dissecting ransomware and offering new protections.

To be sure, whenever a major hacking team is taken down, there always seems to be another one waiting to fill the void. If there is a slowdown in the production and delivery of ransomware, the slack may be picked up by another group. On the other hand, these criminals have to factor in the cost of jail time as part of the price of doing business, which may cause them to think twice.

Ransomware Prevention Tips

In summary, as we go into 2017, ransomware attacks are here to stay.

We we saw quarter over quarter growth in ransomware attacks in 2015 and 2016 and will continue to see this type of growth in 2017.

As long as victims continue to pay the ransom and fund the growth and development of these ransomware families there will more creative and effective ransomware attacks. Here are a few best practices to minimize the risk and loss from ransomware: