Ransomware Predictions | Past, Present, Future (Part 3)

By Scott Scheferman

It’s been two years 2014 ransomware predictions, and Scheferman has provided me with an updated list of new predictions. The main premise behind these new predictions is that the core concept of ransomware has already proven out; one would be hard pressed to say ransomware campaigns aren’t hugely successful. Why? Because the business of ransomware is one of low risk and high reward for the criminals.

“A major theme for 2017 and beyond - can be summed up by this – ‘Ransomware: It’s not just for criminals anymore’.
— Scott Scheferman, Cylance

Be warned, Scheferman’s new list of predictions are frightening.

Focus on Human Life as Leverage

This last April and May, Scheferman and his team were responding to an incredibly nasty samsam (aka samas) ransomware campaign that was victimizing hospitals and medical centers, worming through externally-facing JBoss servers, deleting snapshot backups, and encrypting entire networks. Patients were forced to be relocated in some cases and some surgeries had to be delayed in another.

Why stoop to such lows as a criminal?  Because human life and safety is the greatest form of leverage.

So what’s next then?  EMS systems?  Critical Infrastructure controller systems?  Water treatment plants?  Paying a ransom may be an infinitely-safer bet than attempting an off-site restoration – especially when human life and safety is in the mix. By the time a cloud-backup strategy can restore an entire network, it may simply be too late. Prepare for merciless ransomware timelines and extortion-level ransom amounts.

Algorithmically Coordinated Campaigns

We’ve already seen algorithms used for purpose of evasion; by Conficker (Domain Generating Algos); and in the Russian Hammertoss campaign via Twitter account generating algorithms. But algorithms can be used to accomplish much more than evasion to include campaign efficacy based around the timing of coordinated campaigns.

At any given time, Scheferman and team have about 40-50 Incident Response engagements active, and a large majority are ransomware related. Most of them occur on a Friday afternoon or late evening, early Sat morning, and the campaigns come in waves, even across different ransomware variants. Scheferman expects this to become optimized based on success ratios over time via algorithmic automated launches. 

As for payment, the block-chain is not a fool-proof way to remain anonymous as a criminal. As such, algorithms can be used to set up and tear down accounts, move bitcoins around, and even choose random fog networks when it is time retrieve the money. Automation results in speed advantage, which makes the job and heavy lifting of an investigation exponentially harder to keep up with. By the time forensics specialists have traced a set of transactions, the money is long gone, along with the accounts.

Finally, algorithms might be used to switch up the command-and-control (C2) communications back to the attacker by selecting optimized protocols, dynamically generated domains, and diverse obfuscation techniques. Once these core modules are written and proven out, they can scale indefinitely, and again, provide a temporal advantage to the attacker when it comes to evading advanced detection technology stacks.

Adware Injection Vector

Adware/PUA’s are already being used in markets to auction off browser space if it is determined a host on a Fortune-size company has been compromised. This provides easy shell access which the winning bidder can use to upload whatever tools they want as a means to target that host. Combine that with the ability to worm, compromise credentials or target the active directory itself and it’s not a stretch to imagine entire enterprises being hit by ransomware via this injection vector. Why risk and pay for setting up an entire campaign for targeted spear phishing, when you can just buy your way into a shell account from which to distribute ransomware inside the enterprise?

Critical Asset Targeting

A criminal may not need to target an entire enterprise’s set of hosts for maximum return potential. Targeting a few critical assets and preventing restoration ahead of time may be all that is needed to extract a higher ransom amount from some organizations. Think of print servers sitting in a massive warehouse distribution operation. Many of these print servers are still running Windows XP – oftentimes because they are so critical to the operation that they literally cannot be replaced or upgraded. How much money would such an operation pay to get those servers back online?  Answer: $1 less than the hundreds of thousands of dollars per day in operations they support. And if it’s a perishable food distribution operation, even more.

Virtual Environments… Ransomware on the Steel

When an attacker can jump from one guest to another guest in virtual environments, it is already a big problem. But if an attacker can target the steel as a malicious insider, then effectively they’ve targeted the set of guests as well. In an e-commerce scenario that could be devastating to the hosting provider, and the pressure to restore operations quickly may tempt some to pay a high ransom.

BIOS-Focused Ransomware
(Want Your Hardware Back? Pay the Ransom)

Imagine it’s RSA conference time, and a member of a hotel’s cleaning or catering room-service staff is going to make an extra $15,000 this week, and all he or she needs to do is pop a thumb drive into every laptop found in every room. A keyed piece of ransomware that can disable a machine at the BIOS is all that’s needed (no more heavy-lifting encryption required). To get your hardware back, you’d be given a link to an .iso that can be imaged to a thumb drive to restore your BIOS (leaving a back door, of course, so the criminals could come back for round 2 of the campaign.

Secrets are hard for hired help to find and sell to buyer. But sticking in a thumb drive for a few seconds, that’s not too complicated. The hotel employee would get paid simply based on the number of beaconing BIOS running that piece of keyed code unique to them.

Mass-Mobile Injection Vectors

The number of ways to gain a footprint on an Android device is countless. But what happens the next time something like Stagefright happens and an automated set of text messages is sent out to an entire carrier, and those text messages are designed to install ransomware? Probably martial law, that’s what. The ransom demand is sent to the carriers, not the end users. It is a large amount…very large. Consider a slightly different case where a connected car network is used to distribute ransomware to all of its electric cars, preventing all their owners from starting and driving their cars until the massive ransom is paid. Or, worse yet, what if they disabled the brakes on all of the vehicles after the fifth brake press is made unless the ransom is paid?

Source-Code Injection / Co-Packaged Mobile Apps

Why encrypt one laptop, if you can encrypt them all? If a large open-source software distribution ever gets back-doored by a ransomware campaign, it could be devastating. Imagine hundreds of thousands of end-users all getting hit with the same time-delayed and coordinated ransomware all at the same time. This event would overwhelm third-party incident response teams and could even hold entire organizations hostage if the poisoned source code is part of a gold disk build.

Combining the concept of mass-mobile injection and source-code / packaging, what happens when backdoor rootkits that are able to compromise 9 in 10 Android phones in the world today (See “Godless” Trojan now being circulated) are re-purposed as ransomware? If a toolkit can be downloaded by a rooted mobile device, so can a ransomware package. Initiate the attack at the same time, and not only will the attackers instantly encrypt millions of devices, but they’ll also create a global crisis scenario in the process.

Be sure to read Part 1 and Part 2

Scott Scheferman

As Director of Consulting for Cylance, Mr. Scheferman oversees the delivery of Cylance Consulting services ranging from compromise assessments and penetration testing to incident response to ensure timely and effective delivery. He also performs additional roles within Cylance such as public speaking and sharing intelligence with partners.

More about Scott