The Evolution of Ransomware

31st October 2019

Stuart Reed
VP Products

Though ransomware may seem like a modern threat, it’s been in use for over a decade. Like many malware techniques, ransomware has evolved and expanded in recent years, making it even harder to detect, and consequently to prevent.

Indeed, nearly a third of UK organizations suffered a ransomware attack in 2018. Another global study also revealed that attacks against corporate targets in Q1 2019 climbed 195% from the previous quarter and increased by over 500% from the same time in 2018.

Ransomware falls into two main categories: screen lockers and crypto-ransomware (encrypted malware). In the past, screen lockers dominated the world of ransomware, with most attacks scaring victims into paying by flashing up messages which accused them of accessing illegal content. Payment was then demanded via premium rate SMS, money transfers or even by check.

Today, on the heels of the 2013 CryptoLocker attack, crypto-ransomware has brought in a new era of ransomware. Payment is demanded via virtual currencies, which keeps attacks anonymous, and victims are given a set deadline after which their data will be erased. If organizations have gone a while without backing up, they may feel they have no choice but to pay. Police advise against this as hackers may not provide victims with a decryption key, and some modern variants have even been found to entirely wipe data rather than encrypting it. In these cases, payment comes as too little, too late.

In recent years, ransomware attacks have become more targeted, business-focused and sophisticated. Where previously variants were spread in a scattered approach through phishing links and malicious attachments, hackers now focus their attention on targeted and high-value victims. Strains including SamSam, GandCrab, Ryuk and LockerGoga are particularly prolific, but hackers are constantly evolving. Recent emerging tactics include:

  • Selecting targets using the distribution and victim base of banking trojans Emotet and Trickbot
  • Using fileless malware techniques and “living off the land” to avoid traditional detection tools
  • Spreading malware by exploiting the Remote Desktop Protocol (RDP)

The escalating level and increasing sophistication of these attacks led Europol to declare in 2018 that ransomware is the biggest malware threat to global organizations.

There are various ways to minimize the impact of ransomware attacks, including network segregation, regular patching, multi-factor authentication and best practice back-ups. Despite this, targeted attacks continue to challenge CISOs across the globe.
One way to improve insight into ransomware threats, and prevent attacks before they can impact an organization, is to utilize the DNS. As a critical source of information for checking threats and monitoring the health of a network, analyzing DNS traffic can identify both known and unknown threats.

Nominet’s NTX platform uses machine learned algorithms to provide network detection and response capabilities to provide visibility, control and proactively eliminate threats seen at the DNS level, including identifying zero-day activity which narrows the opportunity for malicious activity to cause harm.

Listen to Stuart speak more on ransomware on US radio station, WDUN-AM:

Whitepaper: Has Ransomware Finally Met its Match?

Download here