Since September 2013, ransomware has become vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. These strains are called second generation for five reasons:
- They use the TOR network for their Command & Control (C&C) servers which makes them much harder to shut down.
- Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.
- Second-gen ransomware uses very strong cryptography, which makes decrypting the files yourself impossible.
- It compresses files before encrypting them.
- Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It offers Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.
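A defender-side check that follows from two of the properties just listed (strong encryption, and compression before encryption): both produce output with near-maximum byte entropy, so a sudden rise in entropy across many user files is a usable indicator of bulk encryption in progress. This is an added example, not code from the original article; the 7.5 bits/byte threshold, the sample files and the hash-based stand-in for cipher output are assumptions constructed here.

```python
import hashlib
import math
import zlib

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

# Threshold is an assumption: text and office documents sit far below it,
# compressed or encrypted output sits close to 8 bits per byte.
HIGH_ENTROPY = 7.5

def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= HIGH_ENTROPY

def scan(files: dict) -> list:
    """Names of files whose content has the entropy profile of ciphertext."""
    return [name for name, data in files.items() if looks_encrypted(data)]

def ciphertext_like(n: int) -> bytes:
    # Deterministic stand-in for cipher output (SHA-256 counter expansion);
    # it only generates test data with the byte distribution of ciphertext.
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(b"sample" + i.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def simulate_second_gen(data: bytes) -> bytes:
    # Compress first, as the text describes, then replace the compressed
    # bytes with ciphertext-like bytes of the same length.
    return ciphertext_like(len(zlib.compress(data)))

# Constructed sample "user files", not real data.
PLAINTEXT = b"".join(
    b"Invoice %d: customer %d owes %d USD\n" % (i, (i * 7919) % 1000, i * 31)
    for i in range(400)
)
SAMPLE = {
    "invoices.txt": PLAINTEXT,
    "notes.txt": b"meeting at 10, bring the slides\n" * 40,
    "invoices.txt.encrypted": simulate_second_gen(PLAINTEXT),
}

if __name__ == "__main__":
    for name, data in SAMPLE.items():
        print(f"{name}: {shannon_entropy(data):.2f} bits/byte")
    print("flagged:", scan(SAMPLE))
```

Legitimately compressed formats (zip, jpeg, docx) are also high-entropy, so a single-file verdict is weak evidence; the signal is the rate at which many low-entropy files become high-entropy within a short window.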
What can be expected in the next 12 months?
- Second-gen ransomware will proliferate, several large (and competing) Eastern European cyber mafias will be big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.
- Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad is likely to be a frequent occurrence by mid-2015. The same will be the case for the Android OS, which runs on both phones and tablets, and likely in much higher volume than on Apple devices.
- Criminal RaaS (Ransomware-as-a-Service) subscriptions will be available, where would-be cybercriminals can buy all the elements needed for an attack. These RaaS subscriptions comprise lists of potential victim email addresses, phishing templates that use proven social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware with its encryption/decryption features and, last but not least, the financial infrastructure that allows victims to pay.
- The vast majority of these attacks will be launched from countries that have no legislation (or insufficient enforcement) to stop this kind of attack, with the result that U.S. law enforcement will continue to be severely challenged to do something about these attacks and will be forced to continue the whack-a-mole game.
- Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used to social engineer people so they open up zip files, but it is likely that this will follow the same pattern as phishing and that drive-by ransomware infections will be the norm. Visiting a legit website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.
In general, over the next year ransomware attacks will become technically more sophisticated and will be able to evade normal detection methods such as antivirus and sandboxing technologies. "With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs.(*) "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker's deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."
(*) Source: McAfee Labs 2014 Predictions Report
Looking at these expected developments, it is a necessity to step end-users through effective Security Awareness Training and prevent ransomware infections before they cause downtime and/or lost intellectual property. Learn more about the KnowBe4 crypto-ransom guarantee and find out how affordable this is for your organization.