What’s next for ransomware?
David Maciejak, head of FortiGuard Lion R&D team, Asia Pacific, Fortinet
(The author, David Maciejak, is head of FortiGuard Lion R&D team, Asia Pacific, Fortinet)
The Federal Bureau of Investigation recently published that ransomware victims paid out US$209 million for only the first quarter of 2016 compared to US$24 million for all of 2015.
Ransomware is now completely dominating the threat landscape conversation. Fortinet’s FortiGuard Labs R&D team, for instance, is seeing one new ransomware strain every day.
Historically, there are two types of ransomware − blocking ransomware (which prevents normal use of one’s computer) and crypto ransomware (which encrypts your personal documents, preventing them from being viewed).
In recent times, however, hybrids of these two types of ransomware have started to emerge. For instance, there now exists crypto ransomware that prevent infected computers from accessing some Internet websites until payment is made to the hackers.
The line is also blurring between targeted devices – some mobile ransomware attack both computers and smartphones. And as some smartphones are running on Android OS, we have also started to see some cases (like the FLocker variants) where the infection is hopping across to IoT devices like smart TVs, with the ransomware demanding things like a $200 iTunes gift card before you can watch your NHL Stanley Cup final.
According to Gartner, there will be 6.4 billion connected “things” in use in 2016, rising to an estimated 21 billion by 2020. For attackers, that only means one thing − more potential victims.
Malware evolve over time, and ransomware’s migration from computers to smart devices is a natural step in their evolution. We have seen some lateral movement through the network for SamSam and ZCryptor family samples. Some strains of those malware now show worm-like behavior, spreading themselves to nearby networks. If you compare this to the biological evolution in Darwin’s theory, it’s like the time when fishes leave the sea and start using their fins as feet to walk, exploring uncharted territories.
This evolution is happening sooner rather than later for one simple reason − victims are paying the ransoms asked of them. Not all the victims, but enough to keep this business rolling in money. Without doubt, ransomware authors are running their business like an enterprise, and are reinvesting a substantial portion of their ransom dollars into R&D.
At Risk: Industrial control systems, cloud and ourselves
Ransomware infections are already a plague, and you may think how could things possibly get worse.
Firstly, there is still one domain that has been untouched by ransomware − Industrial Control Systems (ICS). This software can be found in industrial applications like chemical manufacturing plants, nuclear power plants and electric power generators.
No ransomware infections of ICS systems have been publicly reported so far, but such systems are not as impenetrable to malware as some may think. For example, the Bowman Avenue dam in New York has been the subject of a reconnaissance attack in 2013. Calpine, America’s largest generator of electricity from natural gas and geothermal resources, also had their detailed engineering drawings stolen by hackers.
The current ransomware variants don’t need to achieve anything more than just knocking at the right door. This means the risk of them spreading into Operational Technology (OT) environments in the coming months is real and pretty high. These targets are potentially lucrative for ransomware authors – imagine how much a government will pay to prevent incidents in a nuclear power plant?
Besides ICS, another target for ransomware authors could be the cloud. Today, the cloud is teeming with data, and that naturally makes it an attractive target for hackers.
Recently, for example, Apple announced that they will upgrade their free iCloud accounts from 20Gb to 150Gb. This means that in the coming months or years, in our always-connected world, almost all of our data will be stored in near real-time in the cloud. It’s not difficult to imagine that through some API abuse, cybercriminals will find ways to encrypt our online data and demand ransoms.
In such a scenario, the importance of backing up one’s data cannot be overstated. Some best practices include regularly backing up your data and storing those backups offline in a separate device, segmenting your network into different security zones so that an infection in one zone cannot easily spread to another, and having a failover plan that will keep things running for a while (even if in a limited fashion) when your computer systems or network is being rectified.
On Fortinet’s end, we will continue to do research to bring new approaches to combating emerging threats − like improving detection and response, and developing counter-measures through new prevention models.
In the longer term, a nightmarish scenario could await ransomware victims. In May 2010, a British scientist demonstrated that medical implants on humans can be infected with computer viruses.
It is not unforeseeable that the day may come when ransomware could prevent you from using your prosthetic arm or leg, or threaten to stop your pacemaker. Is this science fiction? Judging from how far ICT technologies have come, and how ingenious hackers can be, perhaps not.
