Ransomware Predictions | Past, Present, Future (Part 1)

By Scott Scheferman

During the recent Credit Union Information Security Conference held in New Orleans, Louisiana, I had the pleasure of chatting with Scott Scheferman, Director of Consulting at Cylance, and Chris Inglis, former Deputy Director of NSA, and member of board of advisors for Securonix. We discussed everything from attack trends, to the role of government in personal cybersecurity, to the need for machine learning and analytics to address the scale of the cybercriminal activity.

I was reminded during those conversations of another time a time when I chatted about cybersecurity with a professional celebrity photographer; someone who had no knowledge of the cybersecurity environment. The picture I painted was “all our data is already stolen; it’s just a matter of when and by whom it will be used.” This picture was, shall we say, pretty dire – and not well received. At that moment, I realized I should be careful with whom I share my understanding of this space – and the risks we face as individuals and as a society.

This said, I am confident that the IT Security Planet audience is well equipped to handle the material I am about to share in this slideshow. I’ll look for your comments to substantiate – or refute – my position.

Let’s set the stage with a combined set of observations and predictions made by Inglis and myself:

  • As individuals and as a collective society, we are basically novices when it comes to understanding cyber risks, being able to identify an attack, and preparing ourselves for a compromise
  • However, “government’s role is to not reach in, rather it should provide an environment where the private sector can do what it does,” says Inglis.
  • Therefore, we, as individuals – both personally and professionally – must be responsible for our own security
  • Given these three points, we could easily find ourselves dealing with a situation similar to that of the country’s fierce debate regarding the right to bear arms – when and how far can an individual take a cyber-counterattack against a suspected perpetrator when they realize they are a victim of a cybercrime?

Now that you’ve seen the big picture, let me step back and show you a broader set of predictions — and you’ll see where Inglis and I are coming from here with our comments above. Some of these predictions have already, unfortunately, come true, and others are new.

Before we proceed, I would like to thank Chris Inglis for a fantastic conversation and Scott Scheferman for his predictions and thoughtful insight into the world of ransomware that follow.

Predictions That Have Already Come True

In the summer of 2014, Scott Scheferman, Director of Consulting at Cylance, gave a keynote where he presented his predictions around ransomware. Since that time, a number of them have already become true:


We’ve already seen (link) ransomware victims being further convinced to pay the ransom by the criminal threatening to post sensitive or personal data to paste-bin or social media by providing samples of the stolen data. Mobile ransomware may evolve to skip the encryption process altogether, and instead threaten to publish sensitive photos, text messages, emails, and other data that were found on the compromised phone.


This is basically “throw away the key.” Scheferman and team have seen worming ransomware achieve a 95% compromise rate of a 200-endpoint network within 24 hours. What’s worse, is that some ransomware can delete snapshot backups on the host and remote shares prior to the encryption routine. In this case, the criminals wanted a hefty ransom in order for the business to survive. But what if the true goal is sabotage and data destruction, and payment isn’t an option? Have we entered into an era where a single JBoss server vulnerability results in the deletion of an entire company’s business?

Root is root… the rest is simply up to the imagination…and we are just getting started in 2016
— Scott Scheferman


Much like a distributed denial of service (DDoS) is often a prelude to a targeted attack, we are now seeing ransomware being used solely for the purposes of tying up IT resources during the exit process when heavy-lifting tools are used during the incident response process. In 2013-2014, it was okay to install a forensics agent process on a compromised host, or even across the environment. No more. In 2016, attackers are constantly monitoring for these agents, their installers, and their processes; the last thing you want to do is tip your hat during your response. Critical assets, Active Directory boxes, and executive-level endpoints are common ransomware targets during the exit phase. What’s worse, if the victim organization didn’t know they were being attacked in the first place, they may just think the ransomware attack is merely that. Surprise!

Evasion and Anti-Attribution:

Scheferman and team have recently seen two interesting advanced persistent threat (APT) related developments in incident response.

  1. APT’s ‘hiding’ as ransomware to fly under the radar as APT’s and simply leveraging generic exploit kits and generic distribution methods, but rolling in tools like Pupy to grab credentials off the victim host first prior to exfiltrating those over a separate channel from the ransomware’s typical command-and-control (C2) / key-management channels.
  2. APT campaigns out of China that are re-purposing their now-burned footprint to deploy ransomware. Many theories surround these observations, ranging from rogue individuals in the APT campaign trying to supplement their income, to the shell accounts having been sold via black markets to further distance the original APT campaign actors by adding another layer to the attribution game.

Mobile Ransomware

For the first time ever, ransomware is now the #1 attack type on mobile devices, which for many consumers and businesses are valued higher than traditional laptop/notebook endpoints. “But my phone backs up to the cloud” you say?  Consider the fact that Angler EK can roll a tool like pony (credential stealer) into the equation; might mobile ransomware developers similarly leverage harvested credentials on the device to delete those cloud backups prior to encryption?

Be sure to read Part 2 and Part 3

Scott Scheferman

As Director of Consulting for Cylance, Mr. Scheferman oversees the delivery of Cylance Consulting services ranging from compromise assessments and penetration testing to incident response to ensure timely and effective delivery. He also performs additional roles within Cylance such as public speaking and sharing intelligence with partners.

More about Scott