For Profit-Seeking Attackers, Ransomware is just ‘Too Legit to Quit’

Given its seemingly unstoppable spread and rapid evolution over the past decade, ransomware deserves a rightful place in the pantheon of fearsome cyberattacks. It continues to yield massive dividends for the cybercriminals who use it, and the very latest ransomware incarnations can wreak substantially more havoc on victims’ infrastructure, on top of the painful financial hit.

According to several accounts, ransomware first reared its ugly head sometime in 2005, when variants targeted Windows-based systems and employed heavy-duty encryption to hold user files hostage. Many attacks were launched in order to coerce victims into installing rogue software (which ultimately served to open the door for other malicious programs), but attackers quickly caught on that they could instead reap tons of money from their victims in exchange for the encryption key.

Fast forward to today: ransomware has evolved by leaps and bounds, resulting in millions of dollars extorted from individuals and organizations alike. In 2014, CryptoWall caused substantial financial damage. Locky followed shortly afterward, proving to be even more aggressive: it targeted a wider spread of file types, and could even encrypt data on unmapped network shares to which an infected system was connected. The emergence of KeRanger earlier this year abruptly signaled the beginning of an era in which Mac OS users are no longer immune to ransomware attacks. (For more on the history of ransomware, check out our Ransomware by the Numbers infographic.)

Not long after that, Petya upped attackers’ game with even more virulent techniques that make it even harder to protect against. It encrypts the system’s Master Boot Record (MBR) and then the NTFS MFT (the index of pointers to files), a far faster and more efficient way to get a stranglehold on the endpoint device’s entire data set than encrypting files one by one. (For a deeper dive on Petya, see SentinelOne’s recent blog: Reversing Petya – Latest Ransomware Variant.)

The latest ransomware variant to pop up combines DDoS functionality with the existing ransomware attack code, an insidious double-whammy attack in essence. This latest approach underscores just how driven attackers are to generate as much profit as they can from their attacks. Botnets built for DDoS can still fetch a decent price out there on the dark web, so even if the victim is able to restore their encrypted files from backup (thereby spurning any ransom demands), attackers can still commandeer the victim’s valuable assets and make a profit.

If history is any indication, ransomware isn’t going away any time soon, and it will only get more sophisticated so long as its evolution is driven by the desire for illicit profit. In fact, the FBI estimates that ransomware-driven extortion will net attackers over $1B this year. Though there are possibly millions of ransomware variants in current circulation, the fundamental behaviors exhibited by the attack can be successfully identified via the dynamic behavior analysis methods employed by Next-Generation Endpoint Protection. It has long been proven that even the slightest changes to ransomware binaries, along with other well-known obfuscation techniques, can fool antivirus and even some sandboxing solutions, but threat behaviors are not as easily masked. In light of this, Next-Generation Endpoint Protection (NGEP) is the best defense against ransomware in all of its dangerous forms.

We have a ransomware webinar coming up on June 28th, led by one of the industry’s top security experts. Join us to learn more.