Ransomware: Is the worst yet to come?
Data hostage-takers are innovating quickly, Raytheon experts warn
A new ransomware attack that swept across Europe and is now hobbling IT systems around the world is the latest in a wave of hackers-for-hire holding critical data hostage, Raytheon cybersecurity experts warn.
The latest attack follows a similar but less severe virus called WannaCry that infected tens of thousands of computers in more than 150 countries in May. Ransomware is ballooning into a billion-dollar market as attackers quickly find new ways to exploit its reach, said Michael K. Daly, chief technology officer at Raytheon Cybersecurity and Special Missions.
"If you thought WannaCry was bad, you haven't met this one yet," Daly said, adding that the attacks "are demonstrating just how vulnerable critical infrastructure is by hitting railways, airports and more."
The attack, using malware called Petya, hit a wide range of targets, including government offices in Ukraine, banks in Russia, a shipping company in Denmark, an advertising agency in Britain and even a chocolate factory in Australia.
Analysts from Forcepoint, a cybersecurity firm jointly owned by Raytheon, have reported that the attack has several mechanisms for spreading laterally through a network after the initial victim has been infected. This includes using a vulnerability in something known as SMBv1, an early version of a PC feature called Server Message Block that allows computers on a network to access printers, files and other commonly shared items.
They recommended installing security updates on all machines within an organization, and disabling SMBv1 on all Windows systems, where doing so would not impede older systems on the network.
People in charge of critical infrastructure must work to make it more resilient to such attacks, Daly said.
“If we do not invest in the cybersecurity of our critical infrastructure we will continue to see massive attacks with both economic and safety ramifications," Daly said. “From the government to the boardroom, leaders need to make cyber resiliency a requirement, putting focus and funding behind it."
The deep web is full of do-it-yourself ransomware kits, Daly said, meaning it's easy for novices to try their hand at causing havoc.
"Anyone can launch an attack," he said. "You don't have to be a cyber whiz to inflict cyber damage."
Ransomware programs infect computers, identify data that looks important and encrypts them – rendering them useless without a special decryption key. The attackers demand payment to unlock the data.
Some ransomware users have introduced tiered payments, giving victims a choice of how much data to free, said Josh Douglas, chief strategy officer for Raytheon Foreground Security. Others are attacking specific users in return for a cut of the profits, a model known as ransomware-as-a-service.
Some attackers have even introduced “affiliate programs,” encouraging victims to infect their friends in return for a decryption key, Douglas said.
Raytheon has been tracking WannaCry since it first began spreading across Europe in May 2017, and experts at Forcepoint Labs have been posting technical information about the worm on their blog. The worm appears under various names, including WCry and WannaCrypt0r 2.0.
Cyber defenders found a weakness in the WannaCry attack that allowed them to disable it with a “kill switch.” But criminals worked quickly to counter that effort, creating a new variant that circumvented the defense.
Last Updated: 06/28/2017