July 29 2016
Ransomware’s Success Causing Evolution of Variants
Ransomware is dominating the malware market and has become the most profitable type of malware in history, and healthcare organizations have emerged as the target of choice for cybercriminals, say security researchers at Cisco.
“The success of recent ransomware attacks against businesses, including several organizations in the healthcare industry, has likely prompted many adversaries to plan similar campaigns in the future,” finds the Cisco 2016 Midyear Cybersecurity Report. “Network and server-side vulnerabilities provide an opportunity for attackers to quietly carry out ransomware campaigns that could potentially affect entire industries.”
The healthcare industry is increasingly being targeted by ransomware, with organizations falling victim to applications that either encrypt data or lock computing devices so they can’t be used.
In January 2016, Hollywood Presbyterian Medical Center reported that it suffered a ransomware attack that disabled its network and electronic health record system for about a week, leading to delayed patient care and the need to divert patients to other facilities. Hollywood Presbyterian paid 40 bitcoins, equivalent to around $17,000, to bring its systems back online. And, in March 2016, MedStar Health reported a suspected ransomware attack that forced it to take computer systems offline throughout its entire system, which includes 10 hospitals and other care delivery sites.
Following these attacks on hospitals, the Federal Bureau of Investigation issued a warning about SamSam ransomware, a new breed of ransomware that’s unknowingly installed after attackers have exploited unpatched server vulnerabilities. According to Cisco, the SamSam attacks represent a change in focus for ransomware operators, who have moved from targeting individual end users to infecting entire networks.
“Given SamSam’s success, it’s only a matter of time before adversaries introduce faster and more effective propagation methods to maximize its impact and increase the probability of receiving payment,” states the report. “Attackers’ use of JBoss back doors earlier this year to launch ransomware campaigns against organizations in the healthcare industry is a strong reminder that adversaries, when given time to operate, will find new ways to compromise networks and users—including exploiting old vulnerabilities that should have been patched long ago.”
The rise of ransomware makes patching long-standing vulnerabilities an urgent imperative, Cisco security researchers say. Based on trends and advances observed to date, they anticipate that “self-propagating” ransomware is the next phase of the cyber onslaught and urge organizations to take steps now to prepare.
The traits of self-propagating malware that should concern security professionals include:
Utilization of a vulnerability in a widely deployed product. Most successful worms of the past used vulnerabilities in products deployed across the Internet.
Replication to all available drives. Some strains of malware will enumerate local and remote drives, including network drives and USB drives, and copy itself to those drives as a way to spread or persist. This enables the infection of offline systems as well as systems not reachable through the public Internet.
File infections. File-infecting malware will either append or prepend itself to files. Specifically, the malware attaches to executables not protected by Windows SFC or SFP (System File Checker or System File Protector). Some worms can attach themselves to and spread through nonexecutable files.
Limited brute-force activity. Few worms have attempted this method in the past.
Resilient command and control. Some worms take into account actions normally used to disrupt command-and-control infrastructure and will implement preemptive measures to circumvent those disruptions. Many worms have no command-and-control infrastructure. They exhibit only a simplistic default action to spread as quickly as possible.
Use of other back doors. Some malware authors, aware that other infections may have already made an impression on a system, will piggyback on those back doors to spread their malware.
“We expect the next wave of ransomware to be even more pervasive and resilient,” warns Cisco. “Organizations and end users should prepare now by backing up critical data and confirming that those backups will not be susceptible to compromise. They must also ensure that their backup data can, in fact, be restored quickly following an attack.”