Are cryptoworms the future of ransomware?

Security researcher paints a gloomy outlook.

Researchers have described a sophisticated framework for the next generation of ransomware, suggesting a bleak future might await users and organizations alike.

On Monday, William Largent, a security researcher for the Cisco Talos Outreach Team, published a report entitled "Ransomware: Past, Present, and Future".

In the study, Largent traces the history of ransomware and discusses several recent events in the world of crypto-malware, including the emergence of Locky and the February attack against Hollywood Presbyterian Medical Center, among other hospitals.

The researcher then casts his gaze into the future to envision what tomorrow's ransomware threats might look like:

"The advanced attackers that are being hypothesized for this exercise, such as competent penetration testers and skilled threat actors, generally prefer to use software with a modular design. This allows them to use certain functions as-needed, which provides much better efficiency and provides the ability to switch tactics as required in the event one method is discovered or is found to be ineffective."

The researcher hypothesises that this next generation of ransomware will make use of several devastating modules. One module, a command-and-control (C&C)/infection-reporting plugin, could allow crypto-malware to contact a C&C domain via a GUID, a means of communication that is harder to detect than the traditional C&C server setup.

Another module, which Largent has dubbed a "rate limiter," would strategically limit the ransomware's CPU usage and attempt to have as little an impact on the network and other system resources as possible.

Using those various modules, attackers could ensure that if defense systems picked up on one malicious technique, they could simply switch gears and adopt another one. Such adaptability ensures they could move laterally throughout an infected network and identify all of the key business assets that might stand in their way, such as backup drives, messaging servers, and systems responsible for performing software application pushes.

Taking out those resources would leave the target organization wide open, the researcher predicts:

"Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3200 workstations are compromised; half the organization's digital assets, and the vast majority of the company's data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation. The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like. The victim is left with a choice: Do we pay the ransom, set a precedent and rapidly recover? Or do we refuse to pay the ransom and potentially make the recovery much longer and more difficult with a guaranteed loss of data?"

The scenario Largent paints is of a type of ransomware that in its rapid propagation, payload delivery, and ability to cripple recovery efforts mimics that of a computer worm. Largent has a name for this mishmash of threats: "cryptoworms."

With that in mind, organizations should invest in defensive measures sooner rather than later. Specifically, they should focus on DMZ hardening, secure backups and employee awareness training.

Let's face it. Computer criminals love to trick people into doing something they would not ordinarily do, like handing over their login credentials. An organization's first line of defense is its people; the stronger the workforce, the lower the likelihood of a successful attack.

What do you make of these predictions of the future of ransomware? Leave a comment below sharing your thoughts.

3 Responses

  1. coyote

    April 13, 2016 at 2:34 am

    That's because modularity is good design – as all programmers know. Or at least as all experienced programmers know.

    But I would say that his scenario isn't only reality (some of it makes me think of an apocalypse). It's true that some entities do not properly manage their networks. It is (probably?) true that most do not back up, and even of those who do back up, many won't properly secure them, won't test them (regularly) or follow other best practices (all combinations are possible). And we all make mistakes. And systems do fail (e.g. hardware fails, or, even more extreme, a data centre is destroyed in a natural disaster). But to say that there will be guaranteed data loss for those not paying? I think that is the wrong way to look at it (although if you're writing a story…). Certainly it's a risk if they don't prepare properly, but many (even if not enough) do prepare properly. There certainly are some things that could cause society to go back decades, but I don't see this happening from cryptoworms (but cryptoworms are of course inevitable).

    Don't forget bastion hosts (while on the subject of DMZs) and also firewalls. And yes: education and awareness is especially important.

  2. Carl

    April 13, 2016 at 12:49 pm

    First off, there's a mistake in the flow chart above. Second, there is a way to defend yourself from these attacks. With the advent of the cryptoworms the solution will be in hand. Are you smart enough to figure it out?

    • Mdpepa in reply to Carl.

      April 19, 2016 at 8:31 pm

      Carl: do you read a lot of horror scopes?
