Think new targets, technologies, tactics, and business models.
McAfee sees an evolution in the nature and application of ransomware, one that we expect to continue through 2018 and beyond.
The good news about traditional ransomware
McAfee Labs saw total ransomware grow 56% over the past four quarters, but evidence from McAfee Advanced Threat Research indicates that the number of ransomware payments has declined over the last year.
Our researchers assert that the trend reflects the greater success, over the last 12 months, of improved system backup efforts, free decryption tools, greater user and organizational awareness, and the collaborative actions of industry alliances such as NoMoreRansom.org and the Cyber Threat Alliance.
How cybercriminals are adjusting
These successes are forcing attackers to pivot to high-value ransomware targets, such as victims with the capacity to pay greater sums, and new devices lacking comparable vendor, industry, and educational action.
Targeting higher net-worth victims will continue the trend toward attacks that are more personal, using more sophisticated exploitation of social engineering techniques that deliver ransomware via spear phishing messages.
These high-value targets will be attacked at their high-value endpoints, such as their increasingly expensive personal devices, including the latest generation of smart phones. Cloud backups on these devices have made them relatively free from traditional ransomware attacks.
McAfee predicts that attackers will instead try to “brick” the phones, making them unusable unless a ransom payment is sent to restore them.
McAfee believes this pivot from the traditional is reflected in the slight decline in the number of overall ransomware families, as criminals shift to a smaller number of higher-value technologies and tactics, more talented purveyors of techniques, and more specialized, more capable ransomware-as-a-service providers.
[Figure: New ransomware families discovered in 2017. On average, 20%‒30% of new samples per month are based on Hidden Tear ransomware code. Source: McAfee Labs]
The less sophisticated, mostly well-known, mostly predictable, one-to-many technology, tactics, and providers are simply failing to deliver the rewards to justify the investments, even modest ones.
If well-understood ransomware families survive and thrive, McAfee believes they will do so in the hands of trusted service providers that continue to establish themselves with more established, sophisticated backends, as is currently the case with the Locky family.
Where the digital impacts the physical
Every year, we read predictions about threats to our physical safety from security breaches of industrial systems in transportation, water, and power. We are also perennially entertained with creative depictions of physical threats brought about by the imminent hacking rampage of consumer devices, from the car to the coffeemaker.
McAfee resists the temptation to join the cybersecurity-vendor chorus line to warn you of the danger that lurks within your vacuum cleaner. But our researchers do foresee digital attacks impacting the physical world. Cybercriminals have an incentive to place ransomware on connected devices providing a high-value service or function to high-value individuals and organizations.
Rather than seize control of your grandmother’s automobile brakes as she drives along a winding mountain road, our researchers believe it more likely and more profitable for cybercriminals to apply ransomware to an important business executive’s car, preventing them from driving to work.
We believe it is more likely and more profitable for cybercriminals to place ransomware on a wealthy family’s thermostat in the dead of winter than to set the homes of millions ablaze through their coffeemakers. In these and other ways, we believe cybercriminals will see greater return in orchestrating digital attacks that physically impact individuals for profit, rather than cause fatal damage.
Beyond extortion to disruption and destruction
The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage.
The WannaCry and NotPetya campaigns quickly infected large numbers of systems with ransomware, but without the payment or decryption capabilities necessary to unlock impacted systems. Although the exact objectives are still unclear, McAfee believes the attackers could have sought to blatantly disrupt or destroy huge networks of computers, or disrupt and distract IT security teams from identifying other attacks, in much the same way DDoS attacks have been used to obscure other real aspects of attacks. It is also possible that they represented spectacular proofs of concept, demonstrating their disruptive and destructive power, intending to engage large organizations with mega-extortion demands in the future.
In 2018, McAfee expects to see ransomware used in the manner of WannaCry and NotPetya. Ransomware-as-a-service providers will make such attacks available to countries, corporations, and other nonstate actors seeking to paralyze national, political, and business rivals in much the same way that NotPetya attackers knocked global IT systems out of commission at corporations around the world. We expect an increase in attacks intended to cause damage, whether by unscrupulous competitors or by criminals trying to mimic a mafia-style protection racket in cyber form.
Although this weaponization of ransomware at first seems to stretch the definition of the technology and tactical concept, consider the incentive of avoiding a WannaCry or NotPetya specific to your organization, complete with rapid, wormlike propagation and a demonstration of material disruption and damage, but with a demand for payment to make it all stop.
Of course, this raises the biggest, unavoidable ransomware question of 2017: Were WannaCry and NotPetya actually ransomware campaigns that failed in their objectives to make significant revenue? Or perhaps incredibly successful wiper campaigns?
Finally, McAfee predicts that these shifts in the nature and objectives of ransomware attacks, and their potential for real material financial impacts, will create an opportunity for insurance companies to extend their digital offerings with a range of ransomware insurance.
Ian Yip, Chief Technology Officer, McAfee Asia Pacific