5 Years That Altered the Ransomware Landscape

  /     /     /  
Publicated : 23/11/2024   Category : security


5 Years That Altered the Ransomware Landscape


WannaCry continues to be a reminder of the challenges that organizations face dealing with the ransomware threat.



The ransomware landscape has evolved considerably since WannaCry dramatically drove home the potential severity of the threat five years ago on May 12. What has changed somewhat less over the same period is enterprise preparedness in the face of ransomware attacks. 
Ransomware emerged and has remained entrenched as one of the most difficult security issues for organizations across sectors in the past few years. WannaCry itself, while nowhere near as widespread as it was initially, remains a potent threat and even figured in some vendor lists of top malware threats as recently as last November.
By most accounts, enterprise organizations have gotten better at remediating vulnerabilities and updating obsolete and outdated software. Even so, the vulnerable version of the Server Message Block (SMB) protocol that WannaCry used to spread like wildfire remains in widespread use across organizations and regions. Most attacks against the SMB protocol still attempt to exploit EternalBlue, the exploit that was used in the WannaCry attacks. Patching and vulnerability management programs continue to pose challenges, as do practices such as threat detection, remediation, and response.
Meanwhile, ransomware and the manner in which it is used has changed. Many ransomware attacks these days are highly targeted and involve hands-on tactics for maximum effectiveness. Tools are increasingly becoming multiplatform, meaning they can be used to attack different operating systems. Examples of these tools include
Conti, BlackCat, and Deadbolt

And the proliferation of ransomware-as-a-service offerings has lowered the barrier to entry for common cybercriminals, even as it has fostered increasingly businesslike hierarchies and processes within the criminal industry. A high percentage of ransomware attacks these days also involve data theft and denial-of-service attacks as additional forms of extortion.
Alive and Kicking
WannaCry, though not nearly as prevalent of a threat as it once was, is still alive and kicking, says Tessa Mishoe, senior threat analyst at LogicHub. Over the time between its first attacks and now, the ransomware industry has learned from WannaCrys efforts and the responses to it — whether it be new tactics such as auctioning data and blackmailing customers or new techniques like more complex virtual machine escapes and persistence. Ransomwares increase in market share should be a good indicator of how WannaCry launched more intrigue into ransomware, Mishoe says.
WannaCry surfaced on May 12, 2017, and in a matter of days spread to some 300,000 computers worldwide. Though many have described it as ransomware, one of its main functions was to wipe data clean from infected systems. 
Numerous organizations were affected in the outbreak, including FedEx, Nissan, and, perhaps most notably, the United Kingdoms National Health Service. The US Department of Justice and numerous others have
attributed the malware
and the attacks to
North Koreas Lazarus Group
. Over the years, researchers have estimated damages associated with the malware to be more than $1 billion dollars.
The malware spread via a publicly leaked, US National Security Agency (NSA)-developed exploit called EternalBlue that targeted a critical remote code execution vulnerability (
MS17-010
) in Microsofts Server Message Block 1.0 (SMBv1) file-sharing protocol. Once installed on a system, WannaCry quickly spread to other devices running a vulnerable SMB version. Most of these were
older Windows systems
, such as those running on Windows Vista, Windows 7, and Windows 8.1. 
Though Microsoft had issued a patch for the SMB flaw more than a month before WannaCry, millions of computers were unpatched against the problem when the malware hit.
A Continuing Threat
Five years later, attackers are continuing to use the EternalBlue exploit to deploy WannaCry and other malware on enterprise systems.
A recent analysis conducted by Barracuda Networks of attacks over a three-month period shows a staggering 92% of all attacks on SMB port 445 involve
attempts to use the EternalBlue
exploit. 
There are still machines out there that have never been patched against these sorts of exploits and likely wont ever be, says Jonathan Tanner, senior security researcher at Barracuda. So, its not a lot of work on the attackers part to try to find and exploit these systems.
Much of this also is due to continued delays in organizations updating their infrastructures. A survey of 500 IT decision-makers by vendor ExtraHop found 68% of respondents admitting to still running SMBv1, even though newer, more secure versions of the file-sharing protocol have been around for years. The company will be discussing the obstacles that companies face in hardening themselves for ransomware attacks at the upcoming
RSA Conference
(RSAC), in a session aptly entitled,
What Will It Take to Stop Ransomware?
SMBv1 has been deprecated since 2014, notes Jeff Costlow, ExtraHops CISO. I wish it was surprising that 68% of organizations are still running SMBv1, but I see example after example of organizations running outdated, insecure, or unencrypted protocols — either knowingly or unknowingly, he says. The risk is huge, he adds. SMBv1 doesn’t need to be installed on every device in the environment to be used to launch a catastrophic attack. It only needs to be on one.
Brian Donahue, principal information security specialist at Red Canary, says that, for the most part, organizations are less vulnerable to WannaCry now than they were before. Even so, many organizations still have not updated to MS17-010 and their SMB installations remain susceptible to the EternalBlue exploit, he says. 
More generally, enterprise patch-adoption lags behind vendor updates, and organizations will always struggle to keep up to date with new software releases, he notes.
Organizations also need to keep on top of cybercriminal innovation. To that end, Red Canarys Katie Nickels, also a SANS Institute director, will be part of a panel during Junes RSAC entitled 
The 5 Most Most Dangerous New Attack Techniques
, which is aimed at highlighting emerging threat vectors for ransomware (and other cyberattacks). 
A Dominant and Evolving Threat
Donahue says ransomware was one of the most dominant threats in 2017 and remains a major threat in 2022. Worm-like ransomware threats have transitioned from being an emergent threat to the de facto standard for ransomware campaigns. Even more than that, the adoption of exfiltration techniques to perform double extortion was uncommon in 2017, but its extremely common now.
The ransomware industry has evolved in other ways as well since the WannaCry outbreak. Researchers at Bishop Fox who analyzed the threat space recently spotted a trend toward the use of
ransomware as a decoy
in state-sponsored attacks, cyber warfare, and criminal activity. They noted how WannaCry, NotPetya, and WhisperGate were disk wipers disguised as ransomware that tricked victims into believing they could get their data back if they paid a ransom. 
In the same manner, attackers are using ransomware to distract victims from an attackers true motives, according to Bishop Fox.
Todays ransomware attacks are also a lot more tailored and customized compared to WannaCry, which spread indiscriminately in automated fashion, says Trevin Edgeworth, red-team practice director at Bishop Fox. He points to DarkSide, the ransomware that hit Colonial Pipeline, as an example of ransomware that is being largely human-deployed and aimed at specific organizations. 
Whether it is patient information that a healthcare provider maintains, or the continued operation of systems critical to a manufacturing company, todays attacks are tailored and customized to each targeted organization and what is critical to them, he says.
In a report this week, Kaspersky said it had identified recent instances of
ransomware groups taking sides
in geopolitical conflicts — such as that involving Russias war in Ukraine. Groups behind the Conti ransomware family, for instance, have allied themselves with Russian interests, while others such as the IT Army of Ukraine are on the opposite side. That alignment could have an impact on targeted organizations.
WannaCry was a wake-up call
for many organizations around their patching practices, and it did foster stronger vulnerability management programs. However, many organizations continue to prioritize operating system patching over patching key applications such as Java, Office, and Adobe products that are installed ubiquitously throughout their environment, Edgeworth says.
Ransomware preparedness starts first with excelling at basic security hygiene, such as secure network architecture, reducing unnecessary attack surfaces, and enforcing least privilege around Active Directory and crown jewels systems, Edgeworth says. Organizations must have a plan in advance on how to respond to a ransomware attack.

Last News

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security

▸ CryptoWall is more widespread but less lucrative than CryptoLocker. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
5 Years That Altered the Ransomware Landscape