How Targeted Ransomware is Getting Through Your Defenses

Over the last few years, ransomware has come from seemingly nowhere to be one of the most popular forms of cyberattacks.

Back in 2015, the threat was barely a blip on even the most forward-thinking security pro's radar, with just 3.8 million incidents reported worldwide, according to figures from Statista. But in 2016, it jumped to 638 million and, while it has since quietened down, the attacks that are launched are often bigger, more sophisticated and more damaging.

But since the WannaCry and NotPetya attacks brought the term to widespread prominence and demonstrated just how much disruption they can do, businesses have been taking steps to mitigate such attacks, with stronger defenses and more thorough backup processes as a last resort.

Therefore, criminals have had to turn to new tactics in order to get through these protections and achieve the results they want. And one attack vector likely to be prevalent this year is targeted ransomware.

The growth of targeted ransomware attacks

Sophos Labs' 2019 Threat Report warned this is a trend that's set to grow throughout the year, as hackers seek to overcome some of the weaknesses of standard ransomware attacks that can result in them having a very low success rate.

One of the biggest issues for the criminals is that, in order to cast a net as wide as possible, their malware often relies heavily on automation. But while automation is good for many things in the tech world, it is predictable, which makes it relatively easy to counter.

Therefore, instead, hackers are turning to more hands-on, manual strategies and targeting their attacks at specific organizations. This may mean they aren't aiming at as many businesses, but it does greatly increase their chances of successfully infiltrating a specific company, which then may feel it has no choice but to give in to the hackers' demands in order to regain functionality.

Sophos explained:

"With targeted attacks, the behavior is inherently unpredictable, and the attackers can respond reactively to defense measures that, at first, thwart them from accomplishing their goal. If the attacker knows what they’re doing, those defenses may not stop them for long."

Is SamSam a sign of things to come?

One of the most high-profile examples of this type of attack is the SamSam ransomware, which has targeted several organizations in the US, perhaps most notably the city of Atlanta in March 2018.

In this incident, the hackers launched targeted ransomware attacks on several critical local government departments. It resulted in more than a third of the city's software programs being wholly or partially disabled, crippling infrastructure, police work and utility payments for nearly a week. Although Atlanta stated it did not pay the $51,000 ransom demanded by the hackers, total costs resulting from the incident are estimated to have been in the region of $10 million.

Research by Symantec highlighted that Atlanta was far from the only target of this ransomware, with 67 organizations coming under attack in 2018 - 56 of which were in the US. Healthcare was the most commonly-attacked sector, accounting for almost a quarter of incidents, with banks, construction firms and insurance providers also coming under assault.

How targeted ransomware attacks are so successful

But how are these more targeted ransomware attacks getting around businesses' defenses? Sophos noted that while each attack is unique and tailored to the vulnerabilities of each individual target, there are a few common elements in their overall structure.

Typically, an attack begins when a hacker gains entry to a network via a weak Remote Desktop Protocol password. Once in, they work to escalate their privileges until they have administrator access, which allows them to bypass security software. They are then free to plant ransomware that encrypts key files and leave a note demanding payment in exchange for the decryption key.

Symantec also observed that targeted ransomware hackers make extensive use of 'living off the land' tactics, using tools already installed on targeted computers or running scripts directly in memory to make their activity look like legitimate processes. By doing this, they can remain hidden within organizations' networks for days, putting the right steps in place to execute their attacks.

Therefore, firms need to ensure their defenses are able to adapt and spot these intrusions. Advanced intrusion prevention and detection systems should be a first line of defense against such targeted attacks, and while backups are essential, they can't be relied on completely; if attackers are able to break deep into a network, they could well be able to access these backups as well.

Finally, it's important to not give in and pay the ransom, as there's no guarantee this will make the problem go away. Symantec noted:

"Attackers may not send a decryption key, could poorly implement the decryption process and damage files, and may deliver a larger ransom demand after receiving the initial payment."