Imagining The Ransomware Of The Future

Published: 22/11/2024   Category: security




Cisco Talos Lab paints a dark picture of what ransomware could have in store next.



Ransomware that can encrypt and lock 800 of your organization's servers, 3,200 workstations, and the vast majority of your data... in one hour flat. That's the nightmare that researchers at Cisco Talos Labs described in a report today: a self-propagating, stealthy, modular ransomware that can move laterally across internal networks and cross air-gapped systems.
In addition to the standard core ransomware functionality, Cisco Talos's hypothesized King's Ransom framework has a variety of modules for both stealth and propagation.
To avoid detection, King's Ransom would have a rate-limiter module to prevent the code from eating up too many system resources and thereby attracting the user's unwanted attention. In this framework, the ransomware would also eschew traditional command-and-control infrastructure; it would instead transmit a beacon, containing globally unique IDs (GUIDs), to a C2 domain via common protocols like HTTP or DNS. That domain could then collect the GUIDs and use them to monitor and manage statistics about infection rates.
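The beacon design described above leaves a footprint a defender can look for: many internal hosts each sending a GUID-shaped DNS label to the same parent domain. The following detector is an added example written for this article; it is not code from Cisco Talos or from the report. It assumes a two-column DNS query log (client IP, queried name) and uses constructed sample lines under the reserved .invalid TLD; the log format, thresholds and sample values are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log: "client_ip qname", one query per line.
# These lines are made up for this example; .invalid is a reserved TLD that never resolves.
SAMPLE_DNS_LOG = """\
10.0.4.17 3f2504e0-4f89-11d3-9a0c-0305e82c3301.stats.example.invalid.
10.0.4.17 www.example.com.
10.0.4.22 7a9b1c2d3e4f5061728394a5b6c7d8e9.stats.example.invalid.
10.0.4.22 mail.example.com.
10.0.4.31 cdn.example.net.
10.0.4.17 3f2504e0-4f89-11d3-9a0c-0305e82c3301.stats.example.invalid.
10.0.4.40 de305d54-75b4-431b-adb2-eb6b9e546014.sso.example.net.
"""

# One whole DNS label that is a GUID, either hyphenated (8-4-4-4-12) or 32 contiguous hex digits.
GUID_LABEL = re.compile(
    r"^(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{32})$"
)


def parse_dns_log(text):
    """Yield (client, qname) from the assumed two-column format; qname lower-cased, trailing dot removed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].rstrip(".").lower()


def split_guid_query(qname):
    """If one label of qname is GUID-shaped, return (guid without hyphens, parent domain); else None."""
    labels = qname.split(".")
    for i, label in enumerate(labels):
        if GUID_LABEL.match(label):
            return label.replace("-", ""), ".".join(labels[i + 1:])
    return None


def guid_queries_by_parent(text):
    """Index every GUID-bearing query as parent_domain -> {guid: set(client IPs)}."""
    index = defaultdict(lambda: defaultdict(set))
    for client, qname in parse_dns_log(text):
        hit = split_guid_query(qname)
        if hit:
            guid, parent = hit
            index[parent][guid].add(client)
    return index


def suspicious_parents(text, min_clients=2):
    """Parent domains that at least min_clients distinct hosts reached with GUID labels.

    A single host using a GUID subdomain is ordinary (SSO, CDN and SaaS endpoints do it);
    many hosts each reporting their own GUID to one otherwise-unknown parent is the
    registration/beacon pattern worth triaging against an allowlist of known services.
    Returns a sorted list of (parent_domain, sorted client IPs, number of distinct GUIDs).
    """
    result = []
    for parent, guids in guid_queries_by_parent(text).items():
        clients = set().union(*guids.values())
        if len(clients) >= min_clients:
            result.append((parent, sorted(clients), len(guids)))
    return sorted(result)


if __name__ == "__main__":
    for parent, clients, n_guids in suspicious_parents(SAMPLE_DNS_LOG):
        print(f"{parent}: {len(clients)} hosts, {n_guids} distinct GUIDs -> {clients}")
```

On the constructed sample only stats.example.invalid is reported: two hosts each sent a different GUID to it, while the single host using a GUID under sso.example.net stays below the threshold. In practice the parent-domain set should be compared against known SaaS and identity providers before anything is escalated, since legitimate services use exactly this naming scheme.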
The framework would contain modules for propagating through a variety of vectors. With a file-infector module, the ransomware would attempt to add itself to other executables already residing on the infected system, which would both help the code spread and re-infect the system if it is somehow ejected.
With a USB mass-storage propagator, the ransomware would copy itself to mapped drives and be configured to automatically connect and run; it could thus cross air-gapped systems. Authentication-infrastructure exploits (similar to Mimikatz) would enable the attacker to gain admin privileges on a variety of systems and domains. An RFC 1918 target-address limiter would restrict attacks to targets using RFC 1918 addresses, which are used by internal networks rather than Internet-wide.
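Propagation that is deliberately confined to RFC 1918 space produces its own signal: one internal host fanning out to many internal peers on administrative ports in a short window. The detector below is an added example for this article, not code from Cisco Talos or the report. It assumes a four-column connection log (epoch seconds, source, destination, destination port), a 60-second window, a fan-out threshold of five peers and a port list of common lateral-movement services; the sample log lines are constructed, and 203.0.113.5 is a documentation (TEST-NET-3) address standing in for an external host.

```python
import ipaddress
from collections import defaultdict

# The three RFC 1918 private ranges, matched explicitly rather than via ip_address().is_private,
# which also covers loopback, link-local and other non-RFC-1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Constructed connection log: "epoch_seconds src dst dport" (made up for this example).
# 10.0.4.17 touches five internal peers on 445 within seconds; 10.0.4.31 is normal traffic;
# 10.0.4.22 touches only two peers much later.
SAMPLE_CONN_LOG = """\
1700000000 10.0.4.17 10.0.4.1 53
1700000001 10.0.4.17 10.0.4.20 445
1700000002 10.0.4.17 10.0.4.21 445
1700000003 10.0.4.17 10.0.4.22 445
1700000004 10.0.4.17 10.0.4.23 445
1700000005 10.0.4.17 10.0.4.24 445
1700000006 10.0.4.17 203.0.113.5 443
1700000010 10.0.4.31 10.0.4.1 53
1700000011 10.0.4.31 10.0.4.50 443
1700000900 10.0.4.22 10.0.4.60 445
1700000901 10.0.4.22 10.0.4.61 445
"""

# Ports typically used for remote execution or file-share based spread (assumed list).
LATERAL_PORTS = frozenset({22, 135, 445, 3389, 5985, 5986})


def parse_conn_log(text):
    """Yield (ts, src, dst, dport) from the assumed four-column format; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])


def internal_fanout(text, window=60, min_peers=5, ports=LATERAL_PORTS):
    """Internal sources that reach >= min_peers distinct RFC 1918 peers on `ports` within `window` seconds.

    Only private-to-private flows count, mirroring the address limiter described in the article,
    so ordinary outbound web traffic never contributes. Returns a sorted list of
    (src, window_start_ts, sorted peer IPs), one entry per offending source.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_conn_log(text):
        if dport in ports and is_rfc1918(src) and is_rfc1918(dst):
            per_src[src].append((ts, dst))

    alerts = []
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= min_peers:
                alerts.append((src, t0, sorted(peers)))
                break  # first qualifying window is enough for an alert on this source
    return sorted(alerts)


if __name__ == "__main__":
    for src, t0, peers in internal_fanout(SAMPLE_CONN_LOG):
        print(f"{src} reached {len(peers)} internal peers from t={t0}: {peers}")
```

The threshold and window are the tuning knobs: vulnerability scanners, backup servers and management hosts legitimately fan out like this and belong on an allowlist, while a workstation doing so is the behaviour described in the scenario above and should page someone.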
In the devastating scenario Cisco proposes, the ransomware takes over up to 800 servers, 3,200 workstations, half the digital assets and the vast majority of data in an organization within the first hour of infection. The attackers demand a $1 million ransom, which automatically increases to $3 million eight days later.
Will organizations pay such a steep price, even after such an extensive infection? Cisco Talos Labs says that depends on a number of factors, such as the value of the data they cannot access and their ability to restore that data. Do they have sufficient off-site backups that were not affected? Can they restore data manually, and if so, how much will that cost compared with the ransom?
Although it's just theory now, the quickly increasing sophistication of ransomware makes it all too believable.
