Ransomware: Is the worst yet to come?

Data hostage-takers are innovating quickly, Raytheon experts warn


Computer systems around the world have fallen victim to Petya and WannaCry, a pair of malicious computer programs that lock away data until the owner pays a ransom.

For hackers, it's close to a perfect crime.

Ransomware offers plenty of easy targets, lots of money and virtually no way to trace it. It's become a favorite tool of nation-state hackers and transnational criminal organizations. Which is why everyone from private citizens to operators of networks that keep the world running have to be on guard, experts warn.

"Ransomware is an irresistible crime," said Michael Daly, Raytheon's chief technology officer for cybersecurity and special missions. "It keeps hundreds of millions of dollars in untraceable cryptocurrency flowing in, all the while causing chaos in places like hospitals, power plants, train stations, financial institutions and telecommunications companies."

Ransomware uses encryption to lock up data on infected computers, then demands payment for its return. Though it has been around for years, it hit the public consciousness in May 2017 with an attack called WannaCry that infected tens of thousands of computers in more than 150 countries. In December, the U.S. government officially attributed the attack to North Korea, with Homeland Security Advisor Thomas P. Bossert describing the attack as "indiscriminately reckless" and calling on governments and businesses to cooperate in making networks more secure and resilient.

"As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations," Bossert wrote in the announcement, published in The Wall Street Journal. "Malicious hackers belong in prison, and totalitarian governments should pay a price for their actions. The rest of us must redouble our efforts to improve our collective defenses."

While WannaCry was the first big ransomware attack of 2017, it was hardly the only one. A month later, similar software called Petya/NotPetya infected networks in Ukraine and spread around the world. Then four months after that, an attack labeled Bad Rabbit disrupted transportation networks, media outlets and other organizations.

All told, ransomware is ballooning into a billion-dollar market as attackers quickly find new ways to exploit its reach.

“Ransomware is cheap to make and lucrative when it works, so we can expect to see a lot more of it," said Shirali Patel, Raytheon's international cyber program manager. “Today, corporate networks are so woven together that a breach of a lower-level target can allow attackers to slither into much more sensitive systems. That's the real danger. It's bad enough to hold data hostage, but it's much worse to lock up the operations of a power plant or a hospital."

In the Petya/NotPetya attack, the range of targets was wide – government offices in Ukraine, banks in Russia, a shipping company in Denmark, an advertising agency in Britain and even a chocolate factory in Australia. 

Analysts from Forcepoint, a cybersecurity firm jointly owned by Raytheon, said such attacks "will continue to evolve, including the evasive methods to hide their activity as well as their true intent."

"Understanding these intentions can help shape our security strategies," the company wrote in a blog post.

Most importantly, they said, security strategies should focus on a network's users, taking into account how they use the internet, which applications they need and which privileges they should have.

Some malware attacks, including as Petya/NotPetya, thrived because users had failed to install routine security updates. That malware in particular spread through a vulnerability in something known as SMBv1, an early version of a PC feature called Server Message Block that allows computers on a network to access printers, files and other commonly shared items.

Forcepoint's experts recommend installing security updates on all machines within an organization, and disabling SMBv1 on all Windows systems, where doing so would not impede older systems on the network.

Some ransomware includes tiered payments, giving victims a choice of how much data to free. Other strains attack specific users in return for a cut of the profits, a model known as ransomware-as-a-service. Some attackers have even introduced “affiliate programs,” encouraging victims to infect their friends in return for a decryption key.

Raytheon has been tracking WannaCry since it first began spreading across Europe, and experts at Forcepoint Labs have been posting technical information about the worm on their blog. The worm appears under various names, including WCry and WannaCrypt0r 2.0.

People in charge of critical infrastructure must work to make it more resilient to such attacks, Daly said. 

“If we do not invest in the cybersecurity of our critical infrastructure we will continue to see massive attacks with both economic and safety ramifications," Daly said. “From the government to the boardroom, leaders need to make cyber resiliency a requirement, putting focus and funding behind it."

The deep web is full of do-it-yourself ransomware kits, Daly said, meaning it's easy for novices to try their hand at causing havoc.

"Anyone can launch an attack," he said. "You don't have to be a cyber whiz to inflict cyber damage."

Last Updated: 01/26/2018