Cisco’s Talos Security Intelligence together with Research Group has released a new report on the next phase of ransomware. According to the researchers, a brand new era of self-propagating ransomware, or the so called “cryptoworms” should be witnessed very soon.
Unlike the ransomware strains which have cast a wide net through mass phishing campaigns or similar methods, the latest ransomware campaigns have employed more targeted strategies, specifically pursuing enterprise networks and healthcare institutions.
The Ransomware: Past, Present, and Future report, co-authored by Talos security outreach manager Craig Williams and manager of ICS research Joe Marshall, referenced a previous Talos study of SamSam ransomware’s propagation method.
First, SamSan ransomware infects the entire servers, and after that it spreads across the networks. According to Joe Marshall, security research manager at Talos, “SamSam is the proof of ransomware’s evolution to its logical next step.”
Craig Williams, Talos security outreach manager, stated that SamSam was designed to be “effectively hands-free,” but said the fact that its creators chose to take advantage of two well-known network vulnerabilities – one of the vulnerabilities is nine years old and the other is seven years old, which shows that ransomware can get much more sophisticated.
“We believe that this is a harbinger of what’s to come – a portent for the future of ransomware,” the Ransomware: Past, Present, and Future report stated.
The security experts also reported rising ransom prices, citing estimates which Angler exploit kit operators generate $60 million per year in ransom payloads, but warned that “Ransomware operators are increasing the stakes.”
The above-mentioned figure stands in strong contrast to earlier figures. A section chief at the FBI’s Cyber Division reported that in 2015, there were 2,453 ransomware attacks registered, costing the victims $24.1 million in total.
Some of the recent ransomeware attacks targeting healthcare facilities, such as the attack at the Medstar Health offline last month, are demanding larger payouts. Attacks like these prompted the U.S. Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC) to issue a ransomeware alert some time ago.
“It’s almost child’s play. You only have to spin them up, and let them go,” said Marshall. “There’s a plethora of the vectors the ransomware can utilize.”
In March, security researchers discovered a new version of TeslaCrypt ransomware, featuring stronger encryption algorithms and an ability to extract more data from computer files.
According to Williams, the researchers have confirmed that ransomware victims are not always getting the keys that they purchase and they cannot always trust the integrity of the data they get back.
“It’s astonishing to me that paying the ransom is still being encouraged as a magical quick fix solution for business owners,” Williams stated.