With WannaCry, NotPetya, and Bad Rabbit outbreaks making international headlines 2017 was often referred to as the year of ransomware. The term ransomware was discussed around offices and lectures halls. For a period it was deemed to be enemy number one within the InfoSec community. A year is a long time in digital terms and ransomware may no longer hold that notorious spot any longer. 2018 may be the year of crypto miners, with such attacks been the most detected by security firms including Imperva. Although ransomware may be dethroned is it truly on the way out? Or has it adapted and evolved?
For a period of time ransomware made a real nuisance of itself, particularly for industry and companies. Locky ransomware caused major disruptions at a hospital while the Cerber ransomware was offered by enterprising individuals as a “Ransomware as a Service (RaaS).” Despite these incidents, ransomware detections by security firms decreased steadily. This decline has been so significant that it led those working at Kaspersky Labs to state the threat was “rapidly vanishing.” In a report published by the firm, analysts noticed a 30 percent decline in ransomware attacks between April 2017 and March 2018 compared with the same period the previous year.
Researchers and McAfee Lab also published a report in which researchers noticed a 32% drop in ransomware detections. It is interesting to note that while ransomware detections are down detections in crypto mining malware were up by an astronomical 1,189% in the first quarter of this year alone. While crypto miners saw a massive jump hackers were also increasingly making use of LNK shortcuts to deliver malware rather than by using PowerShell. The use of PowerShell dropped by 71% while the use of LNK shortcuts rose by 24%. These stats certainly indicate a major decline in the use of ransomware strains and a massive increase in crypto miners.
One of the reasons for the decline in ransomware can be directly attributed to the rise in popularity of crypto miners. There are a few reasons for this, one being that they are simply a less risky means of illicitly making money. Cryptocurrency mining malware works by infecting a victims PC or mobile device with malware which uses the CPU to mine cryptocurrency without the victim’s knowledge. It is far stealthier than ransomware, the bonus of not having to actually attempt to receive a ransom payment from a victim. It is also able to provide the cybercriminal with a far steadier stream of income.
Is ransomware doomed to obscurity?
Given the shift in popularity from ransomware to crypto miners one can be forgiven for thinking that ransomware is down and out. The truth, however, may not be so simple. While, yes there is a significant decline in ransomware detections ransomware still remains a threat. A ransomware attack on the city of Atlanta proves that. The attack which led to data been encrypted and the shutdown of certain services cost the city an estimated 2.6 million USD. It is important to note that the city never paid the ransom but the costs were associated with recovery of data and service downtime. The Atlanta attack was as a result of the SamSam ransomware which has been seen in the wild since 2015.
In that attack the threat actors didn’t use the traditional infection method of trying to infect as many computers as possible in the quickest time, such techniques are often called “spray and pray”. Rather it appeared that the attackers target the City of Atlanta as it was vulnerable. This tactic would appear to be more successful. In January of this year, a hospital paid approximately 55,000 USD in Bitcoin when their systems were infected. In the case of a targeted attack, the attacker can see that the entire network may be vulnerable making it easier to bring an entire organization to its knees in the hope of better securing a ransom payment. This shift in tactics means that ransomware is still a threat to organizations, in particular, those with outdated cybersecurity protocols.
If ransomware is dead some hackers never got the memo. In April Fortinet published a report in which it detailed their analysis of GandCrab, another ransomware seen in the wild. Initially, the first versions of the ransomware were detected in January. Since the initial detections, the malware authors shifted their business model and offered GandCrab as part of an affiliate “business” model. Since the shift, the malware has received a near constant stream of updates. The latest version was seen been distributed in a spam email campaign. There is obvious interest in GandCrab as it would appear that the creators are continually patching and fixing bugs in a similar way to how a software company would.
With all things considered despite ransomware not being the popular kid in school anymore, it cannot be written off. Ransomware variants both older, like SamSam, and newer like GandCrab pose very real threats. By changing tactics from “spray and pray” to a more targeted approach it would appear that hackers using such techniques seem to have matured along with the malware they create and deploy. In more targeted attacks it would seem that attackers have a greater chance of receiving a ransom payment. Further, by looking to target an organization dependent on their network, like a hospital, they force the question of to pay or not to pay far more effectively than previously seen.