Why the death of 2016 ransomware king is bad news for businessTuesday, April 18, 2017
New study shows that the biggest ransomware threat in 2016 (Locky) has almost vanished in 2017 - but this is actually terrible news.
A new study into ransomware variants by volume has uncovered a trend that as first sight looks like good news - Locky is dead.
Locky was the runaway success for criminals in 2016, making up 69 per cent of email attacks that used malicious document attachments in Q2 2016 alone (according to Proofpoint), comfortably beating all comers by volume. However, this year Locky is almost nowhere to be seen, going from nearly 70 per cent market share to 12 per cent in January, now retaining a mere two per cent, according to a report from Malwarebytes: new Cybercrime Tactics and Techniques Q1 2017.
While this might at first sight seem like good news, it’s actually for a rather bad reason - that malware volume has essentially been diverted almost entirely to the Cerber family. Cerber began 2017 with a 70 per cent market share of Windows ransomware, which has remorselessly climbed to 90 per cent toward the end of the quarter (ransomware accounts for 60 per cent of all malware attacks on Windows).
While the precise reasons for the overall trend are hard to pinpoint for obvious reasons, the report speculates that the main bad news is that the switch is down to Cerber being a better business bet for non-technical criminals - essentially, a more complete Ransomware as a Service (RaaS) service.
“Cerber’s spread is largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting, and a slew of new features, but by also making it very easy for nontechnical criminals to get their hands on a customized version of the ransomware”, stated the report.
Ilia Kolochenko, CEO of High-Tech Bridge, said: “The business of ransomware has become so attractive that some cybercriminals don’t even bother to actually encrypt the data, but just extort money from their victims with fake malware. The victims are so scared by media stories about ransomware, combined with law enforcement agencies’ inability to protect them or at least to punish the offenders, that they usually pay up either way.
“Overall, it is not a technical, but an economic problem. While there is a demand to send spam and compromise users - ransomware-as-a-service will continue skyrocketing. You cannot really do anything about this, as you cannot change the fundamental laws of economy and human behavior. By technical means you can significantly reduce the problem, but you cannot stop it.”
The reality of RaaS isn’t new, in fact, a Check Point report from last year credited the Cerber service with infecting 150,000 devices and extracting $195,000 in ransom payments in July 2016 alone. The researchers estimated then that the malware authors were making an annual profit of $946,000. However, the malware designers have been busy ensuring their product meets the ever-evolving grade by seeking to avoid detection by machine learning tools - an inevitable result of the IT security arms race. The developers have also recently built in methods for the malware to detect if it is executing within a sandbox or virtual machine.
Another factor is that the Necurs botnet, responsible for a lot of the phishing attacks and malicious spam used to distribute malware over the years, is no longer pushing Locky ransomware, massively reducing the volume of the malware.
The clear takeaway is that ransomware strains will continue to evolve, but with increasing rapidity through 2017 to remain competitive as the criminal market demand remains strong. Malwarebytes researchers note that several ‘technically beefy’ new strains - such as Spora and Sage - are being detected in low numbers, but are testing out different marketing approaches. Spora has decided to set itself apart with superior customer service for its victims, for example.
Whichever the leading malware of tomorrow is however, the broad brush business mitigation steps remain the same - as mentioned in our six essential steps that will help you avoid paying ransom:
- Maintain a comprehensive and up-to-date inventory of all your digital assets. You cannot defend what you don’t know.
- Make sure that you have implemented proper access control and segregation to prevent domino effect triggered by a single compromised device.
- Implement continuous monitoring of your physical and virtual IT infrastructure, software and security patches, as well as of new threats and malware targeting your industry.
- Create and regularly test a Disaster Recovery Plan (DRP) that will allow you to mitigate loss of any critical data in a reasonable timeframe, and at a cost compatible with your corporate risk appetite.
- Invest in security training and awareness programs to educate your employees, key suppliers and partners.
- Verify that your approach to cybersecurity and risk management is based on common sense principles, which your C-level fully understands, shares and practically supports.