The past year of headlining ransomware is a result of what we can describe only as an evolutionary leap. Serious-minded cybercriminals have transformed the once-simple file encryption threat into a fairly intricate tool — and all signs point to the evolutionary trend continuing.
In the “good old” days, ransomware victims were predominantly casual bystanders. Cybercriminals slung spam far and wide, hoping to find at least one user with important files on their computer who would open the malicious attachment.
But the situation changed in 2016. Increasingly, spammers’ random lists were replaced by addresses, specially harvested, of company employees found online. The perpetrators had clearly figured out that attacking businesses was more profitable. The message content changed accordingly as well: Instead of masquerading as personal correspondence, the messages now seemed to come from partners, customers, and tax services.
In 2017, the situation changed again, this time radically. Two large-scale epidemics causing damage in the millions showed that ransomware could be used for purposes other than extortion. The first, the notorious WannaCry, was a technological trailblazer. This ransomware exploited a vulnerability in the implementation of the SMB protocol in Windows. It was a vulnerability that had already been fixed, but many businesses just hadn’t bothered to install the patch. But that wasn’t the half of it.
WannaCry was not successful as ransomware. Despite infecting hundreds of thousands of machines, WannaCry yielded only modest payoffs to its creators. Some researchers began to wonder whether the goal was money at all, or if it might instead be sabotage or data destruction.
The next threat erased any doubts. ExPetr was not even capable of recovering encrypted data — it was a wiper disguised as ransomware. Moreover, it employed a new piece of trickery. Using a supply-chain attack, the creators managed to compromise a piece of Ukrainian accounting software called MeDoc, exposing almost every company doing business in Ukraine to the risk of infection.
Events so far this year show that ransomware is still evolving. Our experts recently investigated a fairly new threat, the latest modification of the SynAck ransomware. It was found to contain complex mechanisms to counter protection technologies, signs of a targeted attack. The countering measures include:
- Applying a process duplication method known as Process Doppelgänging to try to pass off a malicious process as legitimate;
- Obfuscating executable code before compilation;
- Checking to make sure that it’s not being watched in a controlled environment;
- Shutting down processes and services to ensure access to important files;
- Clearing event logs to hinder post-incident analysis.
There is no reason to believe that the evolution of ransomware is complete. Its creators will carry on looking for ways to enhance it.
How to stop ransomware’s evolution
The only way to put an end to the development of ransomware is to render its attacks ineffective. And that requires the latest cutting-edge technologies. Our clients have long been safe and sound: All of our corporate endpoint solutions contain subsystems enabling us to effectively combat ransomware.
But even if you don’t use Kaspersky Lab’s corporate solutions, that’s no reason to leave data unprotected. Kaspersky Anti-Ransomware Tool, our dedicated solution, augments the security mechanisms of most third-party vendors. It uses the latest behavioral detection technologies to reveal ransomware, and it takes full advantage of our cloud-based tools. It, too, evolves to meet the challenge of modern threats — we just released the third version.
This latest version of Kaspersky Anti-Ransomware Tool can be deployed from the command line, facilitating its automated implementation in corporate networks. And if that weren’t enough, the solution is totally free. Sign up, download, and install the application right here.