Sponsored By

McAfee Scientist Details Chilling Future of Ransomware

The ransomware economy is getting broader and deeper.

Edward Gately

September 18, 2020

12 Min Read
Ransomware
Getty Images

If the future of ransomware doesn’t scare you, nothing will.

At last week’s Channel Partners Virtual, Raj Samani, McAfee‘s chief scientist, gave a keynote titled “The Future of Ransomware: Explained.” And while his presentation on the future of ransomware concluded with some encouraging comments, what came before was pretty hair-raising.

Samani-Raj_McAfee.jpg

McAfee’s Raj Samani

“You’ve got some very capable threat actors that are actively innovating, actively developing new ways to be able to demand more money,” he said. “There are other criminal groups out there that are just simply copying. Not only are they copying it, they’re replicating it with such success that they’re making millions and millions of dollars.”

The “siloed” effect of criminal gangs working independently is a thing of the past, Samani said. Therefore, expect the future of ransomware to involve whole groups of cybercriminals working together.

In addition, the psychological barrier for committing digital crime is much lower than for a physical crime, he said.

“Cybercrime is the only area of crime that has a help desk,” Samani said. “We contacted the help desk of a number of ransomware groups and asked … why are you doing this? We pretended to be students. And for those that answered, they said, ‘We’re doing this for the money,’ which we expected anyway. But we asked them, ‘Are you scared or worried about the repercussions?’ And not a single one of them were worried about potential physical harm.”

That likely wouldn’t be the case for those committing physical crimes, he said.

A good indication of the future of ransomware is Snake/EKANS, Samani said. This summer, it targeted a carmaker and went directly after its production systems.

“It’s literally putting a chokehold on a company’s ability to fundamentally do what it does,” he said. “And in this particular instance it was to make cars. What this represents is a further hardening of criminals to identify ways and manners in which they can absolutely squeeze the life out of the victim organization. And if that means going after operational technology (OT), then they will do that. And they will do that for the very simple reason that it allows them to demand more money for ransomware payments.”

Economic incentives are pushing cybercriminals to target organizations they know will pay or believe will pay, Samani said. They’ll go inside an environment, learn how it works and then prevent that organization from operating.

“This is a very simple ROI,” he said. “It’s made considerably easier by the fact that we have now become more digital. The construct and belief that we had an air gap between IT and OT now has very much disappeared because of efficiencies and innovation. And so the world that we live in today and certainly the things that we can expect for the future is these individuals … will continue to identify those specific areas that they believe will allow them to demand a maximum payment from victims.”

The future of ransomware includes continued growth of the “ransomware economy,” Samani said. And cybercrime already has proven itself a recession-proof industry.

“You’re actually going to be introducing a service-based economy that is largely based upon the ability for an individual to demonstrate their craft and skill,” he said. “You’re getting very good developers working with very good, skilled hackers, working with very skilled brute forces working with very skilled people who can traverse and network. Now you have a model where it’s almost like an all-star team.”

This service-based economy is getting deeper and broader, Samani said. That means …

… more individuals will be targeted and compromised.

“And there are a lot more players in this and they are making good money,” he said. “That’s something that we certainly anticipate as the future.”

Malicious hackers will use any method to coerce payment from victims, Samani said.

“And of course, and ironically, the regulatory penalties associated with the release of personally identifiable information (PII) means that organizations are going to be in this awkward position of, if you don’t pay them, the data is going to be released,” he said. “Potential penalties are going to be X or Y. And so the future of ransomware means we’re going to see a lot more ancillary services purely there to facilitate or support the negotiations or the recovery from specific incidents.”

These services are necessary because ransomware developers are constantly innovating and finding ways to coerce payment, Samani said. And the amount of payments will continue to rise.

The future of ransomware is “building up to this crescendo … the number is increasing, the impact is increasing, the damage is increasing, and it does seem quite bleak,” he said.

“It’s absolutely imperative that we learn and understand the way this particular market is adapting and evolving,” Samani said.

Companies already are paying millions, and bad actors are holding cities hostage, with citizens unable to get access to their services, Samani said. The future of ransomware will feature more attacks on production facilities and hospitals.

The future of ransomware may look hopeless, but there is some good news, he said. The methods cybercriminals use aren’t the most sophisticated. Email phishing remains fairly high and constant, but remote desktop protocol (RDP) is actually the most common methodology.

“In many cases, many organizations leave the front door open,” Samani said. “So what can you do? Obviously, the first thing is looking at organizations and making sure that basic cyber hygiene is in place, making sure you don’t use things like RDP out on the internet without stronger authentication. That’s fairly straightforward and easy to do.”

For ransomware victims, No More Ransom can help, he said. Its goal is to help ransomware victims retrieve their encrypted data without having to pay the criminals.

“This is an initiative where we now have well over 100 decryption tools,” Samani said. “It is there to provide a service and it has now prevented 632 million euros from going into the hands of criminals. So it’s been a tremendous project.”

Start Building Your Data Privacy Program Now

By 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations. That’s up from 10% in 2020.

Gartner analysts presented these findings during this week’s Gartner Security and Risk Management Summit 2020.

More countries are introducing modern privacy laws in the same vein as the General Data Protection Regulation (GDPR), said Nader Henein, research vice president at Gartner. The world has reached a threshold where the European baseline for handling personal information is now the de facto global standard.

Some organizations are focusing on cutting expenses during the global COVID-19 pandemic; however, it’s important that they incorporate the demands of a rapidly evolving privacy landscape into their business’ data strategy.

Security and risk management (SRM) leaders should adopt key capabilities that support …

… the increasing volume, variety and velocity of personal data. Gartner recommends a three-stage technology-enabled privacy program:

  • The establish stage includes foundational capabilities of a privacy management program. These include discovery and enrichment, which allow organizations to establish and maintain privacy risk management tools.

  • The maintain stage allows organizations to scale their privacy management programs. Capabilities focus on ongoing administration and resource management. These include augmenting incident responses to address personal data breaches, as well as bringing automation to privacy impact assessments.

  • The evolve stage includes specialist tools that focus on reducing privacy risk with little or no impact on the data’s value. One of the more popular capabilities allows organizations to extract insight about their consumers from large pools of data without exposing them to excessive privacy risk. This has been a critical feature for marketing teams.

Establishing a privacy program doesn’t have to be expensive or difficult, Henein said.

Henien-Nader_Gartner.jpg

Gartner’s Nader Henein

“You can bootstrap your program,” he said. “The cost of a privacy program is proportional to the size of the organization’s user base. For small business, it’s not going to cost you much. It’s not like a small business is going to have a massive bill at the end of this exercise.”

You can use a lot of the tools you already have and do a lot of things manually, Henein said.

“In the establishment phase, you could do the whole thing manually,” he said. “It’s not going to be pretty, and you could probably scrimp out with bits and pieces of your existing tools that are available to add a bit of automation. But it’s ultimately going to be on a shoestring budget.”

As you evolve, you can start to automate and invest more, Henein said. And it becomes a much smaller burden on the organization to handle that program from a human resource perspective.

And if you keep putting off establishing a data privacy program, chances are your competitors aren’t.

“It’s becoming part of that competitive advantage,” Henein said. “It’s going to be an erosion of trust, which means the next time the customer’s going to have a better offer across the road, they’re going to take that offer. In fact, in some instances, the customer is going to cross the road and pay a premium because that’s where they think their information is going to be better handled.”

Medigate Gets Funding for IoT and Medical Device Security

Medigate, the provider of IoT and medical device security, and asset management, has completed a $30 million Series B funding round led by new investor Partech. This brings Medigate’s total funding to $50 million, including a Series A round completed last year.

Cervantes-Mark_Medigate.jpg

Medigate’s Mark Cervantes

Mark Cervantes is Medigate’s global director of partner channel.

“This additional funding will help Medigate to expand its partner channel efforts in the way of certification programs, enhancements to the partner portal and state-of-the-art digital strategies for joint marketing efforts,” he said.

Medigate’s offering addresses patient safety and privacy. That’s because it locates, identifies and managed the security of all devices connected to the network, It also provides clinical engineering with device data to manage …

… their fleet of medical devices.

“From day one, channel partners have been central to Medigate’s growth strategy in the U.S. and now as we expand globally,” Cervantes said. “The partner channel helps Medigate amplify our value proposition, open doors with C-suite decision makers, help guide the procurement process and provide additional value with their managed services centered around the Medigate solution.”

Gartner says the number of connected devices should reach 25 billion by 2021. And the health care industry will use more than 40% to improve patient outcomes. So say analysts at Healthcare Infomatics Research.

That’s increasing cybersecurity and medical device management challenges for health care delivery organizations.

The new funding will give Medigate and its partners a competitive advantage, Cervantes said.

First, ongoing research and development will keep Medigate in a market-leading position. Second, Medigate will expand its sales and pre-sales teams to align closer with its partners in the field, he said. And third, it’s developing health care-specific programs with MSSPs and newly developing concepts for clinical SOCs to address the clinical environment.

Continued development of partner-centric programs will benefit the client, the partner and the health care industry, Cervantes said.

Nuspire: Cybercriminals Shift to Botnets During COVID-19

At the onslaught of the pandemic, attackers capitalized on launching COVID-19 themed phishing attacks. However, attackers have pivoted away from this strategy, according to Nuspire research.

In the second quarter of the year, Nuspire saw a shift in tactics. Attackers are using botnets to obtain a foothold in the network. During that period, botnet activity increased 29%, with more than 18,000 infections detected daily.

Josh Smith is a cybersecurity analyst at Nuspire.

Smith-Josh_Nuspire.jpg

Nuspire’s Josh Smith

“Botnets can be utilized for numerous nefarious activities,” he said. “They can exfiltrate data, provide persistence in a network, be used in a distributed denial of service (DDoS) attack, or act as a dropper for additional malware such as ransomware.”

The top five botnets Nuspire witnessed during the second quarter were:

  • ZeroAccess, which can drop remote access trojans (RATs) like Nanocore and leverage phishing campaigns.

  • Cidox, which injects itself into running processes like explorer.exe, svchost.exe and chrome.exe. It gathers information on the host machine. Then, it sends the information to command and control servers and redirects users to unwanted links.

  • Conficker uses a variety of attack vectors to transmit and receive payloads. It leverages endpoint weakness like weak passwords on network-enabled systems.

  • Necurs infects machines and gathers system information, It also sends it to command and control servers.

  • Mirai actively scans for exposed IoT devices on the internet. Then, it attempts to infect them and add them to the botnet.

“Like any malware, botnet infections often start from a phishing email attachment,” Smith said. “Organizations must include user awareness training to ensure their users are suspicious of email attachments and are aware of common phishing lures. Anything that includes doom and gloom with a sense of urgency should be treated with the highest suspicion. These often come over as invoices, tax forms, legal documents, and more.”

Additionally, IoT devices are another vector for botnet infection, he said. That’s because they’re not always secure and updated.

“Administrators should be mindful of their IoT device inventory, change default passwords and apply firmware updates where applicable,” Smith said. “High-risk, externally exposed devices should be segregated from the internal network to minimize lateral movement if the device becomes compromised.”

To protect themselves from botnet activity, organizations should leverage threat intelligence, use next-generation antivirus and threat hunt.

Read more about:

MSPs

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like