Shock & Awe Ransomware Attacks Multiply

Published : 22/11/2024   Category : security




Ransomware attackers are getting more aggressive, destructive, and unpredictable.



RSA CONFERENCE 2017 – San Francisco - The data-hostage crisis isn't going away anytime soon: In fact, it's starting to get a lot scarier and more destructive, and with a more unpredictable outcome.
Security experts long have warned that ponying up with the ransom fee only plays into the hands of ransomware attackers; it doesn't necessarily guarantee victims get their data back and unscathed, even though most of these bad guys thus far honor their promise of decrypting hijacked data after they receive their payment. Ransomware is rising dramatically, growing by a rate of 167 times year over year, according to SonicWall, with some 638 million attack attempts in 2016, up from 4 million the previous year. Kaspersky Lab data as of last October shows there's a ransomware attack every 40 seconds.
James Lyne, global head of security research at Sophos Labs, warns that ransomware attacks are starting to become more of a no-win for victims, as some attackers are also now stealing the data they encrypt for further monetization, destroying it altogether, and even waging subsequent attacks on a victim. The attackers are more sophisticated with their encryption methods, and more aggressive, instituting tighter payment deadlines and including organized-crime style threats that sound more like a physical hostage negotiation, he explains.
He describes their brazen demands and attacks as a shock-and-awe approach that's catching fire among cybercriminals hoping to more efficiently strong-arm their victims and potentially cash out more quickly.
"We're seeing more and more inclusion of a timer and a warning that the victim has X amount of time to pay the ransom or the attackers will begin to delete the files, or purge the data entirely," he says. In one attack Lyne investigated, the attackers warned the victim if he or she balked at payment or contacted law enforcement, they would delete the keys for decrypting the data so it wouldn't be retrievable at all.
Not even the cybercriminals can recover the data then, he says.
"It irrevocably shreds them. You're not going to get the data back even if you go to a forensics specialist," Lyne says. "They're starting to move toward a more aggressive approach of 'hand over the money more quickly.'"
"It's a really interesting tactic because it invokes panic in the user so they are afraid to talk to tech support for help," he says.
Reinfection is also becoming a trend, where attackers who have successfully forced a victim to pay up to get their data back later target the same victim multiple times. "Traditional blackmailers know if someone pays once, they are probably going to pay again," he says.
Lyne plans to show such a case of a repeat attack during his RSAC session entitled "Reversing the Year: Let's Hack IoT, Ransomware and Evasive Payloads." "I'm going to show an example of where they got infected and the user pays, cleans up, and the attacker waits a period of time before doing the exact same thing again," he says.
So the days of cleanup post-ransomware infection meaning the event is over may soon be gone. Variants such as Ranscam actually erase the victim's files after promising to relinquish the files after the ransom is paid. The Ranscam attackers basically fool the victim into thinking the data is retrievable; they didn't even invest in encryption, so it's a rather evil but ingenious way to wage a low-cost, high-return attack, according to Cisco's Williams.
Lyne says another big worry is ransomware attackers pilfering the data they locked for future monetization after the victim pays up. To date, most ransomware attacks have been opportunistic rather than targeted, even though industries such as healthcare and law enforcement have been among the hardest hit.
"In truth, most of these we've heard of weren't targeted … the samples I look at have no example that they targeted specific types of businesses," he says.
Even so, he's seeing ransomware attackers stealing credentials and other potentially valuable data from their marks. "It encrypts your data, you pay money to get it back and it then nicks your data as well," says Lyne, who will demonstrate one such attack here.
"It's not widespread … but it's something people need to be aware of now," he says. "You can't just pay money and consider the incident over."
Another thing to watch for: ransomware targeting databases, which indeed is a sign of fishing for valuable data. 
Headless But Deadly
Another sign of the times with the ransomware boom is campaigns that are abandoned by the attackers but still spread to victims, leaving them stranded with encrypted data and no ransom payment option. "We see this quite a lot," Lyne says, and it tends to be lower-level, older variants such as Vipasana and Satana, and campaigns where the email or payment contact channel are shut down. "Now there's ransomware floating around that's shredware: there isn't a way to get your data back," he says.
Craig Williams, senior technical leader and security outreach manager for Cisco Talos, points to CryptoWall 3 as an example of this: "When it was abandoned, it stopped working and there was no key exchange, which made it benign," he says.
The Talos team was seeing 130,000 ransomware samples per day in December of last year.
With the newer generation of more sophisticated and businesslike ransomware, more of the old-school rudimentary variants are likely to be scrapped in favor of more effective attack tools. Even so, the phishing emails and other ransomware-rigged places will still infect users. "This is a sign of things to come. So you should prepare," Lyne says.
Meantime, ransomware variants such as Samsam included a self-propagation feature that let them spread like a worm, rather than just via email or malicious web content. Worm-like ransomware spreading could infect more victims more quickly, Cisco's Williams says.
Be Prepared Or Prepare To Lose Data
The best defense from ransomware is preparation: expect the worst, and run regular backups. "Have a backup that works, one that's not constantly connected to your computer such that you end up with an encrypted backup that's also infected with ransomware," Lyne says. There are even ransomware variants that target backups, so offline data backups are the best bet.
Cloud-based backups can be helpful as well, Cisco's Williams says. "Don't put your eggs in one basket … Have unique usernames and passwords for those types of services," he says.