Threat researcher sees no end to ransomware’s growth


Intel Corp.’s McAfee Labs raised some eyebrows in the security community in November with its prediction that “the volume and effectiveness of ransomware attacks will go down in the second half of 2017.” The security firm based its prediction on improvements in preventive technology, better industry coordination, education and stepped-up law enforcement pressure for its optimism.

But Allan Liska doesn’t agree. Liska, who’s an intelligence architect at threat intelligence firm Recorded Future Inc., last week penned a lengthy forecast of ransomware trends for 2017, in which he asserted that its growth will continue unchecked for the foreseeable future. “We saw quarter-over-quarter growth in ransomware attacks in 2015 and 2016, and will continue to see this type of growth in 2017,” he said in an interview with SiliconANGLE. “We’re probably looking at a 50 percent increase.”

Liska, who has studied ransomware since long before it became an epidemic, said that the continued spread of this insidious form of malware is being driven by market forces attributable, ironically, to the success of cyber-criminals. “There have been so many breaches in the past few years that the market for information is beginning to collapse,” he said. “Medical records that used to fetch $50 to $100 are now a couple of dollars, so traditional revenue sources are running dry.”

That means criminals have been forced to reset their sights on a new audience: victims. Ransomware takes possession of a person’s computer and encrypts the files on it, offering a decryption code only if a ransom is paid. By some estimates, over 40 percent of organizations have been victimized, and insidious ransomware variations are emerging. They include Doxware, which threatens to reveal embarrassing information unless the victim pays up, and Ransom32, a type of ransomware that can run without an executable file, and thus evade standard malware detection.

“A lot of research [in the cyber-crime world] is being directed toward how create more effective ransomware,” Liska said. “It’s already a billion-dollar industry, so people are working on creative new ways to trick victims.”

Servers targeted

One alarming new development is a type of ransomware that targets MongoDB database installations. The attack, which started on New Year’s Day, spread from 200 infected machines to 27,000 in a little more than a week, taking advantage mis-configurations or failure to change administrative passwords. Liska said this latest development is a troubling evolutionary step, because it means attackers are broadening their attacks beyond desktop PCs to include server applications. The open-source MongoDB is the fourth most popular database engine, according to

Ransomware actually spread beyond individual desktops long time ago. Many versions harvest password files and use that information to log on to other systems and drop their payload. If a computer with administrative credentials is compromised, an attack can spread network-wide in a matter of minutes. In fact, Liska recommends that security teams immediately investigate the possibility of a broader attack if a single instance of ransomware is detected. “It may be a disguise,” he said.

The emergence of strains that work without requiring a user to click on an executable file are particularly worrisome, Liska said. These typically use JavaScript or Windows PowerShell to deposit files in a user’s temporary folder, from which an attack is launched.

This approach subverts standard antivirus software, which looks for executable files.”As soon as the .exe hits your desktop it can be stopped by your anti-virus,” Liska said. “But if it’s using PowerShell or JavaScript, it’s going to avoid detection because those are allowed programs.” Most PCs come with PowerShell and JavaScript support enabled by default.

The most effective defenses haven’t changed much over time. The more frequently you back up files, the less damage you’ll suffer. Disable JavaScript and PowerShell, which most users don’t need, anyway, Liska said.

Administrators should also investigate new types of malware protection that target behaviors rather than simply look for executable files. Liska mentioned endpoint security software from Sentinel One Inc. and Carbon Black Inc. as two examples.

Image by Danny Thompson via Flickr CC