Ransomware - What May Happen in the Future?
Ransomware campaigns targeting medical centers and hospitals have become popular among cyber criminals. In one reported case, after moving through the victim's JBoss servers, the attackers deleted snapshot backups and encrypted large portions of the network. Sadly, surgeries were delayed as a result and some patients had to be moved to other hospitals.
Reading this, it makes you wonder just how low some criminals will stoop. With this in mind, what can we expect in the coming years? Will they shift their targets to EMS (emergency medical services) systems? Maybe even water treatment facilities or other types of critical infrastructure?
For many corporate and government victims, simply paying the ransom seems like the safest option compared to a long restoration process when human lives are at stake. Even if you can quickly start a restore from cloud backups, it could already be too late. Knowing this, ransomware attackers will continue to play on the price of human life, and the amounts they demand are only going to get higher.
Algorithms and campaigns
For antivirus evasion, we have already seen algorithmically generated rendezvous points in the Russian HAMMERTOSS campaign, which computed a fresh Twitter handle each day, and in Conficker, whose authors used a domain generation algorithm (DGA) to find their command-and-control servers. However, algorithms can be effective for more than just evasion: they can raise campaign efficiency in terms of timing.
Security responders notice that most ransomware reports reach them between Friday afternoon and Saturday lunchtime, typically in several waves. Statistically, SMBs and some corporate victims are slow to stop an attack that starts on a Friday night, when fewer staff are watching. Looking ahead, attackers will optimize their launch time based on the relative success ratios of earlier waves, with the launches themselves scheduled automatically.
For criminals, anonymity is not guaranteed even when they take payment in Bitcoin, because the blockchain is public. Experts therefore expect ransom sums to be split into the smallest possible pieces and distributed across numerous wallets automatically, with randomly chosen mixing (tumbler) services at the cash-out stage moving the coins around again and again. With such automation, investigations become harder to carry out.
Before we head into the next section, note that command-and-control servers could also be switched algorithmically: the infected host beacons back to the attacker over optimized protocols and dynamically generated domains, so no server address needs to be hard-coded and taking down a single domain achieves little. Once the core modules have been written and tested, there is no reason they can't be scaled up, giving attackers a time advantage when they try to evade detection.
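To make the "dynamically generated domains" idea concrete, here is an added example (not code from the original article, and not from any real malware family) of a date-seeded DGA together with the two things a defender does with it: if the seed is recovered from a sample, precompute the day's domains and match DNS logs exactly; if not, fall back to a cheap entropy heuristic for unknown generators. The seed value and the DNS log format are constructed for the example.

```python
"""Date-seeded domain generation (DGA) and the defender's mirror of it."""
import hashlib
import math
from collections import Counter
from datetime import date

# Hypothetical shared secret baked into the sample; any string works.
SEED = "example-campaign-seed"
TLDS = ("com", "net", "org", "info")


def generate_domains(seed, day, count=10):
    """Derive the day's candidate C2 domains.

    Malware and operator both run this, so the operator only has to register
    one of today's names and nothing is hard-coded in the binary.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        # map 12 digest bytes onto lowercase letters, 13th byte picks the TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(domain, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic for unknown DGAs: long, high-entropy, vowel-poor first label.

    Tune the thresholds on your own traffic; CDN hostnames are a common false positive.
    """
    label = domain.split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_queries(log_lines, seed, day):
    """Classify DNS log lines: exact match against the precomputed list first,
    then the heuristic. Returns (qname, verdict) pairs in input order."""
    expected = set(generate_domains(seed, day))
    results = []
    for line in log_lines:
        # constructed log format: "<timestamp> <client-ip> <qname> <qtype>"
        qname = line.split()[2].rstrip(".")
        if qname in expected:
            verdict = "dga-exact"
        elif looks_generated(qname):
            verdict = "dga-heuristic"
        else:
            verdict = "benign"
        results.append((qname, verdict))
    return results


if __name__ == "__main__":
    today = date(2016, 4, 1)
    todays = generate_domains(SEED, today)
    # constructed sample log: one beacon to today's C2, two benign lookups
    sample_log = [
        f"2016-04-01T02:14:07Z 10.0.0.5 {todays[3]}. A",
        "2016-04-01T02:14:08Z 10.0.0.5 www.example.com. A",
        "2016-04-01T02:14:09Z 10.0.0.7 mail.example.org. MX",
    ]
    for qname, verdict in flag_queries(sample_log, SEED, today):
        print(f"{verdict:14} {qname}")
```

The exact-match path is what the Conficker working group did at scale: once the algorithm is known, every future domain can be pre-registered or sinkholed before the malware asks for it. The heuristic path is weaker and only buys time until a sample is obtained.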
We have already seen adware in the browser space following several compromises at Fortune 500-type companies, where access to the victim is sold at auction: the winning bidder receives shell access to upload whatever they want. Combine this with worms that can reach Active Directory and compromise credentials, and we can't say for certain that even the largest companies are safe from ransomware using this infection vector. Spear phishing can be superseded by this strategy, since the motivation to run complicated campaigns disappears when a shell account can be bought for a relatively small amount of money.
Critical asset targeting
For maximum return, criminals don't need to target the majority of hosts in the enterprise; enough ransom can be earned by reaching a few important assets and ensuring that restoration is impossible. Take print servers: many companies still run Windows XP on them, and in, say, a warehouse distribution operation they are critical. They are so heavily used that it is nearly impossible to replace or upgrade them all. The question becomes: how much would a company pay to get these systems back quickly? The sum would equal hundreds of thousands of USD per day of operations these systems support, and in the perishable food distribution niche organizations will pay even more.
Typically we are used to criminals jumping from one guest to another in a virtual environment, but the possibility of targeting the bare-metal hosts themselves, as a malicious insider could, is somewhat frightening. With e-commerce on the rise, the hosting provider would be in trouble, and the pressure to get every customer back up and running is likely to make them pay the ransom quickly.
When you think about hacking a set of computers, you think of a complex operation requiring experts. However, it can be as simple as a member of a hotel's cleaning staff plugging a small flash drive into every laptop they come across during an important conference. Once in place, this small device locks the machine at the BIOS level. For hotel employees with little to lose and access to every room in the building, payment depends on how many devices they install, and the whole operation can be quite lucrative.
Mobile and IoT mass injections
With the increase in mobile phone usage, is there a way for attackers to gain access to an Android device? Sadly, the answer is 'yes', and it's all too easy. With numerous opportunities to gain access, we need to ask what happens the next time something like Stagefright appears, where a single crafted multimedia message could compromise a phone without any action by the user; imagine such a message sent to every number on one carrier. Attackers may target the carrier rather than the end users, and, as you can imagine, they may demand a huge amount.
If we look at a different case, what if ransomware is sent to all connected cars? Suddenly, no car owner can start their vehicle until the ransom has been paid. Both drivers and car manufacturers are at risk.
Source code compromise
Anything can be hacked. Criminals may find a way to compromise popular open source products. Launching a ransomware campaign through backdoored open-source software would have a devastating impact: all at once, hundreds of thousands of end users would be told to pay or lose their devices.
On many Friday nights and in the run-up to big holidays, one campus police team was busy fighting ransomware attacks on their computers. Eventually, the guilty party turned out to be a fraternity that simply wanted to distract the police while they partied. Of course, this is a light-hearted example, but you can see how it could be scaled up into something much more serious; neighborhood robberies or riots could be planned using the same technique.
Espionage and market manipulation
Some criminals may ask for personal information such as passwords or intellectual property instead of Bitcoin. In this scenario, would people be willing to share sensitive corporate information to get their laptops back to normal? For some, calling the help desk is an embarrassment, so they may just consider it. For the criminals, this would make everything easier, and it would make it harder for specialist teams to track them further down the line.
We could also see ransomware requesting financial information from a particular company. If the attackers get financial performance numbers before the quarterly report, they can make money in the stock market. In these cases they might not even ask for payment, just a simple spreadsheet of the company's finances.
Actions by Individuals
Finally, we may also see demands to perform physical actions in order to get the decryption key. Would there be industrial engineers willing to carry out the act? Would those around celebrities take a video at a private event just to get their device back to normal?
In truth, we cannot say, but it will be interesting to see what path ransomware takes in the coming years and how well we can deal with it. Please share your thoughts on this point below by adding comments.