​Will 2017 be the year of ransomworm?

by Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies

It’s safe to say that 2016 was the year of ransomware. More specifically, the year of crypto-ransomware, that nefarious variant that encrypts files and holds them captive until a ransom is paid. Since the release of Cryptolocker in late 2013, crypto-ransomware has exploded, and 2016 was a banner year.

As a matter of fact, according to the FBI, cyber criminals used ransomware to steal more than US$209 million from U.S. businesses in just the first quarter of 2016. And according to a recent report from Kaspersky Labs, from January to September of 2016, ransomware attacks targeting companies increased by 300 percent.

With threat actors realising ransomware’s lucrative potential, they bombarded the industry with new attacks in 2016. Perhaps reading the word Locky makes you cringe? This variant hit the wild in early 2016, infecting systems using AES encryption. It not only infects mapped file shares, but any networked share, so remote drives are at risk. This attack was so potent experts estimate it infected more than 100,000 victims per day at its peak.

More recently, there was Popcorn, the ingenious little in-development ransomware variant in December that turned victims into attackers by incentivising them with a pyramid scheme-style discount. Send the infection to two of your friends, and you get your files back for free. (Don’t do it!)

Ransomware perhaps hit healthcare the hardest in 2016, with some reports claiming 88 percent of all ransomware affected hospitals. Whether large or small, no provider could hide from hackers looking to nab and encrypt patient data, disrupting care until the provider paid up or recovered files.

Criminals have obviously realised the awesome money-making potential of ransomware, and you should expect them to double-down in 2017. That said, how can they make an already effective threat even more widespread? How about mixing ransomware with a network worm?

Every year I try to predict changes and evolutions to the threat and security landscape. In this year’s predictions, I forecast that we will see the first ever, widespread ransomworm. This new variant will dramatically accelerate the spread of ransomware.

The ransomworm

What do I mean by ransomworm? Years ago, network worms like CodeRed, SQL Slammer, and more recently, Conficker were pretty common. As you probably know, a worm is a type of malware that automatically spreads itself over a network, using either legitimate network file sharing features, or network software vulnerabilities. In the past, the fastest spreading worms – like the examples mentioned above – exploited network software flaws to automatically propagate through networks (whether the Internet or just your internal network).

Although we haven’t seen many wildly successful network worms lately, they’re still a threat. All it takes is for one black hat to find a new zero-day networking software flaw and wide-spread ransomworm becomes a real possibility. In fact, attackers may not even need to know a new networking flaw to create a successful ransomware. By stealing a computer’s local credentials, attackers can use normal Windows networking, or tools like Powershell to spread through an internal Windows network without leveraging any vulnerability at all. Now, imagine ransomware attached to such a network worm. After infecting one victim, it could tirelessly copy itself to every computer it could reach on your local network.

Whether or not you want to imagine such a scenario, criminals have already added network-scanning capabilities to some ransomware variants, and there’s a high likelihood they will more aggressively merge ransomware and worm capabilities next year. In 2017, I suspect you’ll see a ransomworm that automatically spreads very quickly and successfully, at least on local networks, if not the Internet.

Combat evolving threats

Since falling victim to ransomware can be a costly and time-consuming affair, how can you prepare to combat these evolving threats? Here are three quick tips to consider:

1. Backup– Sure, I know most people just want to prevent ransomware, but you’ll never have 100 percent assurances of that in information security. Backing up your data is an important part of security for reasons far beyond just recovering from a ransomware attack. If you don’t already backup your important data, ransomware is the best reason yet to do so.

2. Patch your software– There are many ways ransomware might get on your systems, including just users manually doing foolish things. However, in order to forcefully or automatically install malware on your system, attackers must exploit software flaws. That said, vendors have already fixed a huge percent of the vulnerabilities hackers use to spread malware. If you simply keep your patches up to date, you won’t succumb to many of these forced or automated attacks, which could even help against ransomworms, assuming the network flaw they used was also patched.

3. Implement Killchain Defense– You won’t find one security technology that can protect you from 100 percent of ransomware by itself. However, there are many security controls that help protect you from various stages of a ransomware attack. For instance, Intrusion Prevention Systems (IPS) can prevent some of the exploits criminals use to spread ransomware. AntiVirus can catch some of the most common ransomware variants, and more modern advanced threat protection solutions can even identify and block new zero-day ransomware samples. However, none of these defences are fool proof alone. The best way to protect your computer or organisation is to combine all of them. Unified Threat Management (UTM) solutions often offer the easiest option for placing all these protections under one pane of glass.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags network securitysoftware developmentwatchguard technologiescyber securitychief technology officer (CTO)crypto-ransomwareransomwormpopcorn

More about FBIIntrusionIPSKaspersky

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Corey Nachreiner

Latest Videos

More videos

Blog Posts