Detecting Ransomware - The Good, the Bad, and the Unknown

Ransomware has become one of the most widespread and damaging threats that businesses or organisations face.

Since CryptoLocker first appeared in 2013, there has been an ever-increasing number of file-encrypting ransomware variants, commonly delivered as attachments to spam e-mail, downloaded from malicious pages reached through malvertising, or dropped by exploit kits onto vulnerable systems. The current wave of ransomware shares a common goal: to extort money from victims through intimidation.

The rise of ransomware can be attributed to its undeniable success. CryptoLocker earned an estimated $3m before it was taken down by authorities [1], and CryptoWall is estimated to have accumulated over $325m in payments [2].

The damage of becoming a ransomware victim without effective safeguards and prevention strategies in place is considerable and at times potentially life-threatening, as seen recently when a US-based hospital had its computer systems infected [3].

Like others before it, this infection started with a seemingly routine e-mail that carried a malicious attachment. Once the attachment was executed, the hospital's files, including patient data, were encrypted. In the end, the hospital paid the $17,000 ransom in order to regain access [4].

Ransomware technologies

Ransomware uses asymmetric (public-private key) encryption to hold a victim's data to ransom. In practice the files themselves are usually encrypted with a fast symmetric cipher such as AES, and it is the per-file or per-victim symmetric key that is then encrypted with the attacker's public key. This hybrid scheme keeps encryption fast while ensuring that the private key needed to unwrap the symmetric keys never leaves the attacker's server. The key pair is typically generated per victim, so a private key recovered from one infection does not help another.
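The scheme described above, as an added illustration (this is not code from any real ransomware family): a per-file symmetric key encrypts the file, only that key is wrapped with the attacker's RSA public key, and decryption is impossible without the private exponent held on the attacker's side. The parameters are constructed for the example: textbook RSA (no padding) over two Mersenne primes so that a 128-bit key fits in one RSA block, and an HMAC-SHA256 counter-mode keystream standing in for AES. Requires Python 3.8+ for the modular inverse via `pow`.

```python
"""Hybrid (envelope) encryption as used by file-encrypting ransomware.

Added illustration only. Textbook RSA over constructed primes and an HMAC-based
toy stream cipher; neither is suitable for real use, but the key management
mirrors what the malware does: the RSA private exponent D never reaches the victim.
"""
import hashlib
import hmac
import secrets

# Constructed parameters: two Mersenne primes, so N > 2**128 and a 16-byte key
# is a single RSA block. 65537 is coprime to (P-1)(Q-1) for these primes.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: attacker-side only (Python 3.8+)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for AES: XOR data with
    HMAC-SHA256(key, nonce || block_counter) blocks. Symmetric, so the same
    call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def attacker_encrypt_file(plaintext: bytes, n: int = N, e: int = E) -> dict:
    """What runs on the victim machine: a fresh key per file, encrypt the file,
    wrap the key with the public key, and keep only the wrapped key."""
    file_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(file_key, nonce, plaintext)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)
    # The plaintext key is discarded; the victim's disk holds only N, E,
    # the nonce, the ciphertext and the wrapped key, none of which yield the key
    # without D (i.e. without factoring N).
    del file_key
    return {"nonce": nonce, "ciphertext": ciphertext, "wrapped_key": wrapped_key}


def attacker_decrypt_file(blob: dict, d: int = D, n: int = N) -> bytes:
    """The step the attacker sells back: unwrap the file key with the private
    exponent, then decrypt the file."""
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(16, "big")
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


if __name__ == "__main__":
    sample = b"Patient record 0042: constructed sample data\n" * 4
    blob = attacker_encrypt_file(sample)
    print("victim holds:", sorted(blob))           # no file key among them
    print("attacker recovers:", attacker_decrypt_file(blob) == sample)
```

Because every file gets its own key and nonce, encrypting the same file twice yields different ciphertexts and wrapped keys; a defender who captures one unwrapped key from memory recovers one file, not the victim's whole data set.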

Variants look for files with specific extensions, both on local drives and on network shares, including shares that are not mapped to a local drive letter. For example, the Locky variant targets dozens of file types, such as:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, 
.wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, 
.ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, 
.djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, 
.tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, 
.sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, 
.MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, 
.asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, 
.docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, 
.pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, 
.xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, 
.dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, 
.DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, 
.stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

Any data stored in these files will be encrypted and unusable unless it can be restored from a backup or the decryption key is obtained.

Over time ransomware variants have become more sophisticated; the most notable developments include:

  • Deletion of Volume Shadow Copies (typically via vssadmin or WMI) so that files cannot be restored from local snapshots;
  • Use of cryptocurrencies such as Bitcoin to establish a pseudonymous, hard-to-trace method of receiving payments;
  • Use of the Tor network to hide command-and-control channels and reduce the chance of attacker infrastructure being located;
  • Polymorphism, whereby the malware server re-packs the payload frequently (in some cases every 15 seconds) so that each download has a unique hash and evades signature matching;
  • Inclusion of credential and password stealers;
  • Dropping "autorun.inf" on all attached removable drives, which gives the malware worm-like capabilities to spread;
  • Ransomware-as-a-Service (RaaS), which allows anyone to set up a campaign and earn a percentage of the profits.

Defending Against Ransomware

Common methods of preventing infection include filtering e-mails that carry malicious attachments and restricting user permissions. Blocking known attacks prevents a high number of infections, but it is not possible to block every variant: attackers are always one step ahead.

Given this limitation, it is essential to employ security solutions that can first detect ransomware when it lands and second provide an effective means of stopping its malicious actions.

How can a business protect itself?

Detect

An effective way to detect a ransomware threat is anomaly-based detection. Such a system can catch ransomware at three important stages:

  • Initial Download – Ransomware commonly connects to an external domain to download the executable payload; a connection to a domain the device has never contacted before is an anomaly.
  • Command and Control Communication – Before encrypting, many variants contact their C2 server to request or register encryption keys. When a device connects to an uncommon location this is flagged.
  • SMB Writes – Encrypting files on network shares overwrites and renames large numbers of files in a short time, producing an unusual volume of SMB write and rename operations from a single host.

By flagging such events and correlating these behaviours it is possible to identify an infection early and restrict the amount of damage it can do.
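The three stages above, together with the shadow-copy deletion noted earlier, as simple anomaly rules in Python run over a constructed event log. This is an added example, not the page's product logic or any vendor's code. The event format, the 60-second window, the 20-file threshold and the baseline set of known destinations are assumptions; the `.locky` extension is the one Locky appended to encrypted files, and the `vssadmin delete shadows` / `wmic shadowcopy delete` command lines are the ones commonly seen in the wild.

```python
"""Anomaly rules for the detection stages above, run over a constructed event log.

Events are dicts with ts (seconds), host, kind and kind-specific fields:
  kind="dns"         domain   : destination the host resolved/contacted
  kind="smb_write"   path     : file written on a share
  kind="smb_rename"  src, dst : rename on a share
  kind="process"     cmdline  : process created on the host
"""
from collections import defaultdict, deque
import os
import re

# Shadow-copy deletion command lines (vssadmin / WMI), case-insensitive.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def ext_of(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(events, known_domains, window=60, threshold=20):
    """Return alerts for: contact with a destination outside the baseline
    (covers stages 1 and 2), shadow-copy deletion, and a burst of SMB
    writes/renames from one host touching >= threshold distinct files
    within `window` seconds (stage 3). One burst alert per host."""
    alerts = []
    recent = defaultdict(deque)                         # host -> (ts, path) in window
    rename_ext = defaultdict(lambda: defaultdict(int))  # host -> new extension -> count
    burst_flagged = set()

    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts, kind = ev["host"], ev["ts"], ev["kind"]
        if kind == "dns":
            if ev["domain"] not in known_domains:
                alerts.append({"ts": ts, "host": host, "rule": "uncommon_destination",
                               "detail": ev["domain"]})
        elif kind == "process":
            if SHADOW_DELETE.search(ev["cmdline"]):
                alerts.append({"ts": ts, "host": host, "rule": "shadow_copy_deletion",
                               "detail": ev["cmdline"]})
        elif kind in ("smb_write", "smb_rename"):
            path = ev["dst"] if kind == "smb_rename" else ev["path"]
            if kind == "smb_rename":
                rename_ext[host][ext_of(ev["dst"])] += 1
            q = recent[host]
            q.append((ts, path))
            while ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            touched = {p for _, p in q}
            if len(touched) >= threshold and host not in burst_flagged:
                burst_flagged.add(host)
                ext, n = max(rename_ext[host].items(), key=lambda kv: kv[1], default=("", 0))
                alerts.append({"ts": ts, "host": host, "rule": "smb_write_burst",
                               "detail": f"{len(touched)} files in {window}s; "
                                         f"{n} renamed to {ext or '(no renames)'}"})
    return alerts


def sample_events():
    """Constructed log: ws-07 behaves normally; ws-12 fetches from an unknown
    domain, wipes shadow copies, then renames 25 share files to .locky."""
    known = {"intranet.corp.example", "fileserver.corp.example"}
    events = [
        {"ts": 0, "host": "ws-07", "kind": "dns", "domain": "fileserver.corp.example"},
        {"ts": 5, "host": "ws-07", "kind": "smb_write", "path": "//fileserver/finance/q1.xlsx"},
        {"ts": 30, "host": "ws-07", "kind": "smb_write", "path": "//fileserver/finance/q2.xlsx"},
        {"ts": 100, "host": "ws-12", "kind": "dns", "domain": "cdn-update-73.example"},
        {"ts": 101, "host": "ws-12", "kind": "process",
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    ]
    for i in range(25):
        events.append({"ts": 102 + i, "host": "ws-12", "kind": "smb_rename",
                       "src": f"//fileserver/hr/contract_{i}.docx",
                       "dst": f"//fileserver/hr/{i:08x}.locky"})
    return known, events


if __name__ == "__main__":
    known, events = sample_events()
    for alert in detect(events, known):
        print(alert)
```

In the constructed log the burst alert fires on the twentieth rename, 19 seconds after the first, while ws-07's two routine writes stay under the threshold. The baseline of known destinations is what turns the first two rules into anomaly detection: in production it would be learned from history per device rather than hard-coded.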

Defend

Integration of a reliable endpoint solution can stop a threat from ever being able to execute.

An important first step is to move away from traditional solutions that rely solely on whether a file is known good or has previously been flagged as bad. Modern solutions add a third category, "unknown", for files that have never been seen before, which is where advanced threats that bypass signature-based tools fall.

An endpoint solution that runs as a kernel-level driver can monitor all the input and output of applications as they run. If suspicious behaviour is detected it can be blocked, stopping the malicious activity before it completes.

Another approach is the use of journaling and rollback. An unknown file is allowed to run only with limited privileges, and monitoring and journaling are activated:

  • Each unknown file is monitored and all of its actions, including file changes, registry entries and changes to memory, are recorded.
  • If the unknown file is later classified as bad, the solution can automatically roll back all of the recorded changes.

A known ransomware variant is quarantined on download and prevented from executing. When a variant that has not been seen before is executed, its actions are monitored; if the file is later flagged as bad, its effects can be reversed and encrypted files returned to their previous state. The window between execution and verdict is exactly what the journal covers: anything the unknown process changed in that window is what gets rolled back.
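The journaling and rollback approach above in miniature, as an added example (not any vendor's implementation): an unknown process's file writes and renames are routed through a journal that stores each file's previous content before the change, and a "bad" verdict replays the journal in reverse. The sandbox directory, sample files and the toy XOR "encryption" the simulated process performs are all constructed for the example; a real product hooks these operations in the kernel rather than requiring the process to call wrappers.

```python
"""Journal-and-rollback for an unknown process. Added illustration only."""
import os
import shutil
import tempfile


class Journal:
    """Records the pre-image of every file an unknown process touches."""

    def __init__(self):
        self.entries = []  # (path, previous_bytes) with None meaning "did not exist"

    def record(self, path):
        prev = None
        if os.path.exists(path):
            with open(path, "rb") as f:
                prev = f.read()
        self.entries.append((path, prev))

    def rollback(self):
        # Undo in reverse order so a file changed several times ends at its
        # first pre-image, and files the process created are removed.
        for path, prev in reversed(self.entries):
            if prev is None:
                if os.path.exists(path):
                    os.remove(path)
            else:
                with open(path, "wb") as f:
                    f.write(prev)
        self.entries.clear()


def journaled_write(journal, path, data):
    journal.record(path)
    with open(path, "wb") as f:
        f.write(data)


def journaled_rename(journal, src, dst):
    journal.record(src)   # content to restore at src
    journal.record(dst)   # dst did not exist: rollback removes it
    os.replace(src, dst)


def snapshot(root):
    """Name -> content for every file under root (constructed flat directory)."""
    out = {}
    for name in sorted(os.listdir(root)):
        with open(os.path.join(root, name), "rb") as f:
            out[name] = f.read()
    return out


def run_demo():
    """Returns (before, during, after) snapshots: the unknown process overwrites
    and renames every file and drops a note; the 'bad' verdict rolls it all back."""
    root = tempfile.mkdtemp(prefix="journal_demo_")
    try:
        for name, body in {"report.docx": b"quarterly figures", "notes.txt": b"todo"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        before = snapshot(root)
        journal = Journal()
        # Simulated unknown process: toy XOR "encryption", then rename, then note.
        for name in list(before):
            p = os.path.join(root, name)
            journaled_write(journal, p, bytes(b ^ 0x5A for b in before[name]))
            journaled_rename(journal, p, p + ".locked")
        journaled_write(journal, os.path.join(root, "README_DECRYPT.txt"), b"pay up")
        during = snapshot(root)
        journal.rollback()  # verdict arrives: bad
        after = snapshot(root)
        return before, during, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, during, after = run_demo()
    print("during attack:", sorted(during))
    print("restored:", after == before)
```

The important property is that rollback depends only on what was journaled before each change, not on the verdict arriving quickly; if the journal itself can be tampered with by the unknown process, the guarantee is lost, which is why such journals live in the protected driver rather than on the user-writable filesystem.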

Stop Ransomware in its tracks


Ransomware is growing in popularity because it is indiscriminate: any organisation, regardless of size, is a potential target, which is why attackers spread it by any means possible.

Fortunately, Cyberseer’s approach uses a combination of cutting-edge technologies and human expertise to offer a truly intelligent and flexible defence that all organisations now require. 

Cyberseer's endpoint security / EDR service, built on Microsoft Defender, enables organisations to disrupt advanced attacks, deploy the best prevention strategies and shift the power back to security teams.

It shields the endpoints within your network from infection and blocks malware seen anywhere in the world the moment it is discovered. A cost-effective, cloud-managed solution running behavioural analysis on the endpoint, with journaling and rollback features, provides organisations with effective threat mitigation.

Cyberseer’s threat detection and analysis service bridges the gaps in an organisation's cyber defence system. Read more about our detection service and cyber security solutions.

 

Sources:
[1] BBC
[2] PR Newswire
[3] The Guardian
[4] The Tech Times
