Ransomware attackers don't just use new malware variants. They are also launching attacks that require no software downloads at all. Instead, the attackers take advantage of the tools and software that already exist on the victim's machine, or that just run in memory.
"So traditional anti-malware approaches are useless," says Dan Schiappa, SVP and general manager of Sophos end user and network security groups at Sophos Ltd. "The ball just moves to another game," he says. "We raise our defenses and the bad guys just find another attack vector."
New attack strategies
New exploits are just the tip of the innovation iceberg when it comes to the ransomware industry. Attackers have adopted new strategies for infiltrating networks, improved their ability to do damage, and, just as important, have embraced sophisticated growth-enabling business models.
For example, users have been getting training on not clicking on malicious attachments or visiting malicious sites, and anti-malware vendors have been getting better at spotting those sites and attachments. But worms spread themselves without the user needing to do anything at all. "The worm will look and scan its surroundings on the network that have the vulnerability that it is looking to exploit, and copies itself onto the exploited machines," says Robert Simmons, director of research innovation at ThreatConnect, Inc., a security vendor based in Arlington, Va.
A company with a vulnerable machine connected directly to the internet is an easy target. Even if a company has locked down all its public-facing computers, an employee might use a mobile device or laptop to connect to an insecure network that has an infected machine on it, Simmons says.
Then, once the employee is back on the company network, the ransomware can spread from there. And once inside, the attackers don't just launch the encryption right away, he adds.
"With Petya, they found that in addition to its ransomware capabilities, it had a tool to provide an additional capability of attacking Windows domain controllers, the locations where the credentials and passwords to your network were kept," he says. "So they're branching into other capabilities that would let them pivot around the network."
The attackers can steal data, for example, or do other damage. Then the ransomware will go off, and help the attackers cover their tracks. "The ransomware would be used as a smokescreen," he says. "It would make it more difficult for a responder to find evidence of the original attack."
What about backups?
If ransomware gets through and encrypts everything, a company can still wipe the infected machines and restore from the most recent good backup, right? Not necessarily.
It's become common for ransomware to stop the Windows Shadow Copy service and delete all the backups already created, says Nikolay Grebennikov, VP of research and development at Acronis, a data backup vendor. In fact, in tests by AV-Test and Anti-Malware Test Lab conducted earlier this year, most popular personal backup software failed to protect the backup files from ransomware.
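The behaviour described above (stopping the Shadow Copy service and wiping existing shadow copies or backup catalogs) is visible in process-creation telemetry long before files are encrypted, so it is one of the more reliable early signals for a defender. The following detection routine is an added example for this article, not code from any vendor or test lab named here. It assumes Sysmon-style process-creation records with `Image`, `CommandLine` and `ParentImage` fields; the sample events and the rule list are constructed for illustration and are not a complete catalogue of recovery-inhibition commands.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records (Event ID 1 fields).
# These are not real telemetry; paths and command lines are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop VSS /y",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign: listing, not deleting
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Backup\agent.exe",   # benign backup agent run
     "CommandLine": '"C:\\Program Files\\Backup\\agent.exe" --incremental',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Illustrative rules for commands that remove or disable Windows recovery
# points. Each pattern is matched against a lower-cased, whitespace-normalised
# command line so that casing and spacing tricks do not evade the match.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmi_shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b")),
    ("vss_service_stop",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\s+vss\b")),
]

# Parent processes launched from user-writable locations deserve a higher
# severity: a backup agent or an admin shell normally lives elsewhere.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def normalise(cmdline: str) -> str:
    """Lower-case and collapse runs of whitespace for stable matching."""
    return " ".join(cmdline.lower().split())


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first matching rule, or None if the command is not flagged."""
    text = normalise(cmdline)
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return None


def suspicious_parent(parent_image: str) -> bool:
    """True when the parent binary was started from a user-writable directory."""
    path = parent_image.lower()
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through the rules and return the flagged ones with context."""
    hits: List[Dict[str, object]] = []
    for event in events:
        rule = classify(event.get("CommandLine", ""))
        if rule is None:
            continue
        parent = event.get("ParentImage", "")
        hits.append({
            "rule": rule,
            "image": event.get("Image", ""),
            "command_line": event.get("CommandLine", ""),
            "parent_image": parent,
            "suspicious_parent": suspicious_parent(parent),
            "severity": "high" if suspicious_parent(parent) else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['rule']}: {hit['command_line']}  (parent: {hit['parent_image']})")
```

Running the block flags four of the six constructed events and leaves the `vssadmin list shadows` query and the backup agent untouched. In a real deployment the same rules would sit in the SIEM or EDR query language rather than in Python, and the severity boost for user-writable parents is a heuristic that should be tuned against the environment's own baseline of legitimate backup and administration tooling.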