2016-08-07 update: I've posted a follow-up diary [link] that includes information on targeted attacks that do involve ransomware.

Introduction

I dislike the term "ransomware attack." Why, you ask? It's a matter of perception.

The word "attack" indicates specific intent against a particular individual or group. An attack means someone (or something) is targeted. But I'm hesitant to use the terms "attack" and "targeted" when discussing ransomware. Calling a ransomware infection an "attack" focuses blame on an enemy. I consider this mindset dangerously close to fear mongering.

If we continue thinking of ransomware infections as "attacks," we'll never seriously consider a wide variety of issues that allow ransomware infections to happen in the first place.

Ransomware distribution

Ransomware is distributed on a large scale. Criminal groups generally use two methods to distribute malware: malicious spam (malspam) and exploit kit (EK) campaigns. These are most often large-scale operations that attempt to reach as many potential victims as possible.

I view EK campaigns as laying a bunch of mousetraps throughout the web. An EK is not an active attack against a specific victim. People stumble across EKs through casual web browsing. Personally, I've never found any convincing evidence that ransomware infections through EK traffic have been targeted.

But what about malspam, you ask? You might think someone receiving an email with ransomware was targeted. However, I find it hard to believe the massive waves of malspam I sometimes look into are targeted against specific individuals. Especially when it's Locky ransomware, which is widely distributed [1, 2, 3]. When someone's email address is discovered by a spammer, it gets on a list. That list is often shared, and the person's email address will be constantly bombarded by wave after mindless wave of botnet-based malspam.

Ultimately, I believe ransomware infections are the result of large-scale campaigns covering numerous potential victims, and a comparatively small number of people actually get infected.

Yes, those relatively few infections often have major consequences, but they're not the result of narrowly-defined attacks. They're the result of large-scale campaigns. The important part isn't necessarily who is infected. The important part is that enough people with enough resources are infected to make it profitable for the criminals.



Shown above: Roberto probably said, "It's got my name in it, so it must be targeted!"

Assigning criminal intent based on statistics

During my day-to-day research, I usually see ransomware. I also see the malspam and EK vectors this malware comes through. But we should not make any assumptions of criminal intent based on the data we collect. Why? Because no matter how wide we cast our net, we'll never know the full truth.

I still read reports that assign intent based on such statistics. The latest one I looked at was based on a July 2016 Osterman Research survey about ransomware [4]. It's typical of what I've been seeing lately. The report states that healthcare and financial services are the industries most vulnerable to ransomware attacks. According to the report, "These industries are among the most dependent on access to their business-critical information, which makes them prime targets for ransomware-producing cyber criminals."



Shown above: One of the charts from the Osterman report.

I enjoyed reading the report. It has some good insights. But whenever I see these statements, I always wonder if those industries are really targeted more than other industries. Or did they have more infections because they're inherently more vulnerable? If they're indeed the most vulnerable, wouldn't it follow they're more likely to get infected during massive campaigns indiscriminately targeting everyone?

Like the large-scale EK or malspam campaigns spreading ransomware I see every day?

I don't know how to describe this. We're saying certain industries are targeted more because they're getting infected more. That just feels wrong. Ransomware doesn't need to be targeted if it's widely distributed.
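The confound described above can be made concrete with a small model. The following is an added example, not part of the original diary and not derived from the Osterman data; the sector names, mailbox counts, message volumes and infection probabilities are all constructed. It shows two campaigns, one indiscriminate (equal volume to every sector, differing vulnerability) and one deliberately skewed toward healthcare and finance (equal vulnerability), that produce exactly the same "most affected industries" chart. Only the per-message infection rate, which requires knowing how many messages each sector actually received, separates the two.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Sector:
    """One industry as it would appear in a ransomware survey (constructed values)."""
    name: str
    mailboxes: int        # users who can receive malspam
    exposure: float       # malspam messages delivered per mailbox during the campaign
    vulnerability: float  # P(infection | one message delivered): patching, filtering, training


def expected_infections(sectors: List[Sector]) -> Dict[str, float]:
    """Infections a campaign is expected to produce in each sector."""
    return {s.name: s.mailboxes * s.exposure * s.vulnerability for s in sectors}


def infection_shares(sectors: List[Sector]) -> Dict[str, float]:
    """The survey chart: each sector's share of all observed infections."""
    counts = expected_infections(sectors)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def per_message_infection_rate(sectors: List[Sector]) -> Dict[str, float]:
    """Infections divided by messages delivered. This needs the delivery
    denominator, which infection counts alone never give you."""
    counts = expected_infections(sectors)
    return {s.name: counts[s.name] / (s.mailboxes * s.exposure) for s in sectors}


def same_observed_counts(a: List[Sector], b: List[Sector], tol: float = 1e-9) -> bool:
    """True when two campaigns are indistinguishable by infection counts alone."""
    ca, cb = expected_infections(a), expected_infections(b)
    return ca.keys() == cb.keys() and all(abs(ca[k] - cb[k]) < tol for k in ca)


# Scenario A: indiscriminate campaign. Every sector receives the same volume;
# the infection probability differs because defences differ. (Constructed.)
INDISCRIMINATE = [
    Sector("healthcare", 10_000, exposure=1.0, vulnerability=0.020),
    Sector("finance",    10_000, exposure=1.0, vulnerability=0.015),
    Sector("retail",     10_000, exposure=1.0, vulnerability=0.005),
]

# Scenario B: the same sectors, but volume deliberately skewed toward
# healthcare and finance; every sector is equally hard to infect. (Constructed.)
TARGETED = [
    Sector("healthcare", 10_000, exposure=2.0, vulnerability=0.010),
    Sector("finance",    10_000, exposure=1.5, vulnerability=0.010),
    Sector("retail",     10_000, exposure=0.5, vulnerability=0.010),
]


if __name__ == "__main__":
    for label, campaign in (("indiscriminate", INDISCRIMINATE), ("targeted", TARGETED)):
        print(label, "infections:", expected_infections(campaign))
        print(label, "chart shares:", infection_shares(campaign))
        print(label, "per-message rate:", per_message_infection_rate(campaign))
    print("counts alone distinguish the two?", not same_observed_counts(INDISCRIMINATE, TARGETED))
```

Both campaigns yield 200, 150 and 50 infections for healthcare, finance and retail, so a chart of "industries most affected" looks identical for both. What changes is the per-message rate: 2%, 1.5% and 0.5% under the indiscriminate campaign versus a flat 1% under the skewed one. For a defender, the practical consequence is to keep the denominator, that is, mail-gateway and web-proxy telemetry on how much malspam and EK traffic each group actually received, before concluding anything about intent from infection counts.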

Yet everyone and their mother is calling these ransomware attacks.

Final words

We tell ourselves we must know our enemy so we can better protect our network. However, I think we put too much focus on the enemy and not enough focus on ourselves.

Is everyone in your organization following best security practices? Is security a truly essential part of your corporate culture? Is security a primary concern when establishing or upgrading your network architecture, or does cost outweigh the best security measures? Most organizations have problems in these areas. We convince ourselves there are certain weaknesses we must live with.

And management really wants to know who was behind that ransomware infection and why your organization was apparently targeted.

But odds are the ransomware was directed at any number of people who either stumbled across it or were unlucky enough to find it in their inbox.

Sure, call it a ransomware incident. Just don't call it a ransomware attack.

---

Brad Duncan

brad [at] malware-traffic-analysis.net

References:

[1] https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html

[2] https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware

[3] http://researchcenter.paloaltonetworks.com/2016/07/unit42-afraidgate-major-exploit-kit-campaign-switches-from-cryptxxx-ransomware-back-to-locky/

[4] https://go.malwarebytes.com/OstermanRansomwareSurvey.html