UPDATE (June 15, 2016): This post has been updated to include new data on ransomware activity, which is also now broken down by region.
Cyber extortion for financial gain is typically carried out in one of two ways. The first is a business disruption attack, a category we discussed at length in M-Trends 2016. In this type of attack, threat actors target an organization’s critical business systems, capture confidential data and threaten to do something malicious with that data (expose, delete or encrypt it, for example) unless a ransom is paid. This method is generally more targeted, requires more finesse on the part of the threat actors, and often has a greater potential payout.
Ransomware is the other common method of cyber extortion for financial gain. Ransomware is a type of malware that prevents users from interacting with their files, applications or systems until a ransom is paid, typically in the form of an anonymous currency such as Bitcoin. While individual computer and mobile device users have long been targets of ransomware, the threat has expanded. Ransomware has gained publicity in recent months through mainstream media coverage of ransomware attacks against organizations, namely hospitals.
While the end goal is the same – some type of financial payout to the attacker – not all ransomware operates the same way. The file-encrypting variety is perhaps the most dangerous. This is because the targeted files, which often contain users’ or organizations’ most valuable data, become useless without the decryption key. The issue is compounded because paying the ransom offers no guarantee that the files will be unlocked, thus making frequent backups the best defense against ransomware.
Since the average ransom demanded from an individual user is relatively low (typically a few hundred dollars, if that), threat actors distributing ransomware typically follow the “spray and pray” tactic of sending out as many lures as possible – emails with malicious attachments or links to malicious websites, for example – to maximize their potential gains.
Based on data from FireEye Dynamic Threat Intelligence, ransomware activity has been rising fairly steadily since mid-2015. We observed a noticeable spike in March 2016. Figure 1 depicts the percentage of ransomware compared to all malware detected on FireEye products from October 2015 to May 2016.
Figure 1: Ransomware detections from August 2015 to May 2016
The spike is noteworthy, and consistent with other observations. In March 2016, FireEye Labs detected a significant rise in Locky ransomware downloaders due to an email spam campaign targeting users in more than 50 countries. The malicious email attachments pretended to contain an invoice or a picture, but opening the attachment led to an infection instead.
There is no denying the satisfaction an attacker feels when their exploits make the news. For threat actors distributing ransomware, the satisfaction is even greater when the headlines report that the victim paid the ransom. A recent blitz of ransomware reports in the media, as well as the follow-up success stories, may have spurred other attackers to get in on the action, possibly contributing to the March spike in ransomware activity. The Petya ransomware, for instance, includes links to recent media articles on its ransom payment page, as shown in Figure 2.
Figure 2: FireEye Threat Intelligence in 2016 uncovered Petya ransomware advertising links to recent media articles on their ransomware payment page
Hollywood Presbyterian Medical Center incident
In early February, Hollywood Presbyterian Medical Center (HPMC) was in the media spotlight after their systems became infected with file-encrypting ransomware. Midway through the month, Allen Stefanek, president and CEO, wrote that staff had trouble accessing the network beginning Feb. 5. He explained that malware locked access to certain computer systems and prevented the sharing of communications electronically, and indicated that a ransom of 40 Bitcoins had been requested (approximately $17,000 at the time).
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek wrote. “In the best interest of restoring normal operations, we did this.” HPMC restored its electronic medical record system and cleared all systems of the malware by Feb. 15.
Continued targeting of hospitals
Attackers may have taken a hint that hospitals are a lucrative target. Later in February, The Register reported that file-encrypting ransomware infected the systems of Lukas Hospital and Klinikum Arnsberg hospital – both in Germany. Then in March, Ars Technica reported that data at Union Memorial Hospital in Maryland – as well as other MedStar hospitals in the Washington, DC area – were encrypted by ransomware, and that the requested ransom was 45 Bitcoins, or about $18,500 at the time.
The targeting of hospitals is no surprise. Cyber criminals have been increasingly turning to industries such as healthcare that possess critical data but may have limited investment in security across their enterprise. With hospitals, budget dollars often go towards surgery wards, emergency care centers and supplies for a large number of patients – not security. This makes for a tricky issue, since hospitals cannot operate without the necessary patient data stored in their systems.
High-profile media coverage of ransomware is certainly attracting attackers, but that is not the only factor driving the uptick in activity. The following are some additional factors contributing to the increase:
Through this discernible uptick in ransomware activity from mid-2015 to early 2016, FireEye has observed significant growth and maturation of the ransomware threat landscape – predominately involving the proliferation of myriad new variants.
Prolific Ransomware Families
We continue to observe the sustained distribution of multiple, well-established ransomware families used in both geographically targeted and mass infection campaigns. In multiple cases these well-known families, such as CryptoWall and TorrentLocker, spawned updated variants with improvements in either encryption capabilities or obfuscation techniques. These established ransomware brands will continue to pose a significant threat to global enterprises, as malware functionality, encryption techniques and counter-mitigation measures are adapted and successfully introduced into updated variants. Examples include:
Novel Ransomware Variants
We have also observed several new ransomware variants that incorporate a range of new tactics, techniques and procedures (of varying degrees of technical practicality). Based on the increased growth in this area, we expect ransomware developers to continue equipping ransomware variants with novel features in order to expand targeted platforms and increase conversion ratios.
We expected to see the ransomware threat landscape sustain, if not exceed, levels observed in 2015 – and so far we have been right. Cyber extortion has gained significant notoriety, with illicit profits garnered from highly publicized campaigns undoubtedly resonating among cyber criminals. Recent campaigns in which targeted victims paid the ransom demand reinforce the legitimacy and popularity of this particular attack method.
One of the most worrying threats concerns the targeted deployment of ransomware after the attackers have already gained a foothold in the network. In these cases, threat actors may be able to conduct reconnaissance to strategically disable or delete backups and identify the systems most critical to an organization’s operations before deploying the ransomware. To increase the difficulty of such an attack, enterprises are encouraged to properly segment networks and implement access controls so that a compromised workstation cannot reach backup storage. In addition, enterprises should evaluate backup strategies regularly and test those backups by actually performing a restore, to ensure that recovery succeeds and that the backed-up data has not itself been encrypted or tampered with. Finally, copies of backups should be stored offsite in case onsite backups are targeted.
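The backup-testing advice above is easy to state and easy to skip. The following is an added example, not code from the original post or from FireEye: it builds a SHA-256 manifest of a directory tree at backup time (the manifest is meant to be kept apart from the backup itself, offsite or on write-once storage, so an attacker who reaches the backup cannot also rewrite the record of what it should contain) and then verifies a restored copy against that manifest. The demo tree, the file names and the tampering (one file overwritten with random bytes, one renamed with a ".locked" extension, one ransom note dropped) are all constructed for illustration and do not correspond to any specific ransomware family.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest.

    Run this at backup time and store the result away from the backup media.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root, manifest):
    """Compare a restored tree to the stored manifest.

    Returns (missing, modified, extra): files absent from the restore, files whose
    content differs from what was backed up (e.g. encrypted in place), and files that
    were not part of the original data (renamed or ransom-note files).
    """
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return missing, modified, extra


def demo():
    """Constructed scenario: a clean restore, then a backup that ransomware reached."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "records").mkdir(parents=True)
        (prod / "records" / "patient-001.txt").write_bytes(b"constructed sample record 1\n")
        (prod / "records" / "patient-002.txt").write_bytes(b"constructed sample record 2\n")
        (prod / "config.ini").write_bytes(b"[db]\nhost=localhost\n")

        # Manifest taken at backup time; in practice this lives offsite, not beside the backup.
        manifest = build_manifest(prod)

        backup = Path(tmp) / "backup"
        shutil.copytree(prod, backup)
        clean = verify_restore(backup, manifest)  # expected: nothing missing/modified/extra

        # Simulate an attacker who found the backup share during reconnaissance:
        # encrypt one file in place, rename another with a ransom extension, drop a note.
        (backup / "records" / "patient-001.txt").write_bytes(os.urandom(64))
        (backup / "records" / "patient-002.txt").rename(
            backup / "records" / "patient-002.txt.locked"
        )
        (backup / "README_RECOVER.txt").write_bytes(b"constructed ransom note\n")
        tampered = verify_restore(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean restore:", clean_result)
    print("tampered restore:", tampered_result)
```

A restore test that only checks "the job completed" would pass for the tampered backup above; comparing content against an independently stored manifest is what catches a backup that was encrypted or rotated after the attacker was already inside. Any non-empty `modified` list on a scheduled restore test should be treated as an incident indicator, not a backup-job failure.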
Learn more about ransomware during our webinar on May 19, 2016, at 11:00am EDT. You can register here.