Early in the afternoon on May 12, 2017, the United Kingdom’s National Health Service (NHS) confirmed that it had been hit by a massive ransomware attack that was spreading its way around the globe.
“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said in a statement, confirming that at the time it was released, 16 of its organizations had been affected by WannaCry ransomware.
MalwareTech, a cybersecurity blogger and researcher, saw that NHS had been hit by the attack at approximately 2:30 p.m. That fact tipped him off “that this was something big,” MalwareTech wrote in a blog post.
To find out what was happening, he got a sample of the malware, ran an analysis, and registered an unregistered domain for $10.69 that the malware had queried.
“Now one thing that’s important to note is the actual registration of the domain was not on a whim,” MalwareTech explained. “My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server domains.”
In the course of registering that domain name, however, MalwareTech effectively stopped WannaCry, the ransomware infecting 200,000 computers globally, demanding that users pay a ransom of about $300 in Bitcoin to decrypt their data.
MalwareTech’s efforts, along with an emergency patch released by Microsoft for Windows XP (which hasn’t been supported since 2014), stopped WannaCry. But that doesn’t mean they will be so lucky in the future as ransomware and other types of crimeware become more prevalent.
In the recently released Verizon 2017 Data Breach Investigations Report, Verizon analyzed data from 65 organizations and found that 88 percent of breaches fell into nine patterns identified in 2014: crimeware, cyber espionage, denial of service, insider and privilege misuse, miscellaneous errors, payment card skimmers, point-of-sale intrusions, physical theft and loss, and Web application attacks.
These attacks are successful, in part, because most companies erroneously believe they won’t be targeted, wrongly think they have the basics of cybersecurity covered, are failing to set strong password requirements, and are relying on how they have always done things—as opposed to being innovative and proactive.
“While attackers are using new tactics and tricks, their overall strategies remain relatively unchanged,” the Verizon report explains. “Understanding them is critical to knowing how to defend your organization from cyberattacks.”
The report also finds that it’s not just major companies being targeted. Instead, 61 percent of breaches in the report affected businesses with fewer than 1,000 employees.
Manufacturing, healthcare, and the financial services sectors were major targets for data breaches in 2016. But Verizon Global Head of Cybersecurity Strategy and Marketing John Loveland said that companies should not be distracted by that fact.
“I would say put a big emphasis on ‘industries most at risk,’ but that can be unhelpful because I think it may distract from the idea that every organization is a potential target,” Loveland said in a Verizon podcast interview.
Bryan Sartin, Verizon global security services executive director, echoed Loveland’s comments, and said that no organization should rest on its laurels.
Though they may be in denial, organizations are going to be targeted, Sartin explained on the podcast. “Whether it’s design plans, medical records, or good, old-fashioned payment card details—somebody, somewhere will see it as their meal ticket and as an opportunity to get a hold of that, exploit vulnerabilities, find that data, get it out, exfiltrate it, and try to convert it into cash. Most cybercriminals aren’t that fussy about who they steal from.”
Ransomware. One of the unchanged strategies that cybercriminals are using is ransomware, which was the twenty-second most common form of malware in 2014. It’s now moved up to the number five position.
“For the attacker, holding files for ransom is fast, low risk, and easily monetizable—especially with Bitcoin to collect anonymous payment,” according to the Verizon report. Due to the success of ransomware in the past several years, criminals have become more innovative about how they use it to turn a profit.
“Criminals introduced time limits after which files would be deleted, ransoms that increased over time, ransoms calculated based on the estimated sensitivity of filenames, and even options to decrypt files for free if the victims became attackers themselves and infected two or more other people,” the Verizon report says.
And while the hackers behind WannaCry didn’t make a great deal of money from the ransomware—CNBC estimated they made about $50,000 in Bitcoin in May—the way the malware spread was concerning for future attacks, says Jonathan Couch, senior vice president of strategy at ThreatQuotient, a threat intelligence platform.
This is because WannaCry spread through an initial infection, such as a malicious email that was opened, but from there operated like a peer-to-peer network, he explains.
“Clients would search for other clients on the network, spreading that way, rather than having a user spread the ransomware,” Couch says, adding that this is one of the reasons that WannaCry spread so quickly—because it was able to do so on its own.
The ability of ransomware to target an organization, as opposed to an individual, was a major change to ransomware in 2016, and attackers combined this tactic with other strategies to make their efforts even more successful.
“Ransomware campaigns targeting organizations often have additional characteristics, such as credential theft to spread the attack throughout the organization, delayed encryption to infect as many machines as possible before detection, and code that targets corporate servers as well as user systems,” according to the report.
These tactics will likely make future versions of ransomware even more powerful than what has been seen so far, Couch says. “People are going to improve the peer-to-peer to spread [ransomware] faster, and are going to use more encryption within their code to hinder analysis,” he adds.
Couch also predicts that future models will actually extract data from victims’ systems and encrypt it—rather than encrypting the data on the existing network. “One of the ways to fight ransomware is to do a backup…so if I have a good backup, I just use that,” Couch says. “If you have taken all my files, now I run the risk of you exposing my information.”
While ransomware is not likely to go away anytime soon, the security industry is stepping up to the challenge to detect ransomware before infections become critical, protect organizations from criminal campaigns, and help rescue ransomed systems without paying cybercriminals.
The industry is doing this by improving endpoint protection and detection of ransomware, sharing threat information with law enforcement agencies and other organizations, and supporting the No More Ransom! Campaign.
Started in July 2016, the campaign now has 57 corporate, association, and public sector members that work to help victims recover their encrypted data without paying ransoms.
“To that end, nomoreransom.org currently hosts 27 decryption tools, which can recover files from a wide range of ransomware families,” according to the report. “No More Ransom! calculates that they have successfully diverted more than $3 million from criminals by offering free decryption tools to thousands of victims around the world.”
Cyber espionage. Another major pattern in 2016 identified by the Verizon report was the increase in the number of attacks linked to state-affiliated actors who may—or may not—have a motive of espionage.
Twenty-one percent of the breaches examined by Verizon in the 2017 report were related to espionage, and the manufacturing sector accounted for 86 percent of the breaches. And of those breaches, 73 percent of perpetrators used a combination of a social engineering attack—such as a phishing attack—to install malware.
“A malicious email is the cyber spy’s favored way in. But this is no smash and grab,” according to the report. “The initial email is typically followed by tactics aimed at blending in, giving the attacker time to collect the data that they need.”
Attackers want to infiltrate their target, find out where its secrets are kept, and then slowly collect them until they are detected—ideally, as long as possible.
“When state-affiliated actors are involved, their operations are targeted attacks, rather than opportunistic,” the report explains. “In other words, the criminals are coming directly for a particular organization with a specific purpose in mind.”
The cyberattacks on French President Emmanuel Macron’s campaign in spring 2017 is a prime example of this tactic. After Russia’s efforts to influence the U.S. presidential election in 2016, Macron’s team knew it was likely to be targeted by similar efforts to help Russia-friendly candidate Marine Le Pen win. After winning a position in the final round of the election, Macron’s team began to receive sophisticated phishing emails.
Because Macron had limited staff resources, his team decided to create a disinformation campaign to confuse any potential hackers instead of focusing on keeping the hackers out altogether, said Macron’s digital director, Mounir Mahjoubi, in an interview with The New York Times following the election.
Mahjoubi said the team went on the counteroffensive, creating false accounts full of fake content that could be used to trap hackers. This way, once the hackers got into the accounts, they would have to spend precious time determining what content was fake and what was real.
While this was effective in slowing down the hackers and preventing the hack from being completely damaging, it’s not the best defensive approach to take, says Alex Vaystikh, cofounder and chief technology officer of SecBI, a threat detection provider.
“If we look at it from a defensive point of view, it’s a bad approach in terms of defense because the defense has come to the conclusion that there’s nothing it can do to prevent the hack,” Vaystikh explains. “The only way is to confuse the hacker with enough false information that when he gets in, he’ll have to go through certainly a lot of noise. Kind of a denial of service attack on the hackers with information.”
Several companies have taken this same approach to cybersecurity, which Vaystikh says is frustrating because it seems that they have resigned themselves to the fact that hackers are going to get in.
“It’s somewhat frustrating in the world of cybersecurity because it means that we’ve given up… and our only hope is that by the time [the hacker] gets the sensitive information and figures out what it is, it will no longer be that sensitive,” Vaystikh adds.
Instead, companies should be proactive about securing their systems and monitoring them, he argues, echoing suggestions from Verizon’s report.
For instance, Verizon recommends that companies separate their highly sensitive data to allow only those who need access to have access, provide phishing training to all employees, monitor internal networks, and implement data loss prevention controls “to identify and block improper transfers of data by employees.”
According to the Verizon report, “If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors.”