Ransomware attackers shift focus and resources to high-value sectors

Ransomware attacks shifted focus last year to the industries most likely to pay up, such as healthcare, government, critical infrastructure, education and small businesses.

Phishing volume grew by an average of more than 33% across the five most-targeted industries, according to a study released by phishing defense company PhishLabs last week.

Phishing is, by far, the most prevalent way for ransomware to latch on to organizations’ files and encrypt them, holding them ransom until a) the victims pay for a decryption key, b) the victims pay for a decryption key that never comes because the crooks took the money and ran, or c) the victims snub the crooks’ demands and their data winds up destroyed.

PhishLabs noted that ransomware has had a high infection rate but a low rate of success, given that a “small fraction” of victims pay the ransom. It’s growing in popularity nonetheless, given that it’s simple, it’s profitable, and it’s viable. From the report:

Ransomware allows attackers to effectively utilize one configuration for all targeted users. It also allows for instant monetization – there are no credentials to sell, no fraudulent transactions to initiate, and no further social engineering is required.

In addition, cryptocurrency’s injection into the mainstream economy has meant that crooks aren’t sticking their necks out by relying on credit card payments or prepaid cards: old-school payments that don’t keep criminals as anonymous as their now preferred payment mechanisms, such as Bitcoin.

Simon Reed, SophosLabs Guru, agrees that it’s good business for the bad guys. He says:

Ransomware has been the most dominant and most successful commercial malware attack of recent times. Cyber-criminals have succeeded in developing a viable and sustainable commercial business against the unprotected or unprepared.

Another key to ransomware’s viability and profitability has been a shift away from targeting individuals and instead going after companies that have little option but to pay.

Hospitals are a prime example. Hollywood Presbyterian was held to ransom a year ago and coughed up $17,000 to get back its vanished EMRs, access to X-ray and CT scan info and the ability for employees to turn on their computers again, after a week of shutting off computers and relying on fax machines and paper records.

Multiple studies have shown that healthcare is attacked more than any other industry, and it’s easy to see why: simply put, because that’s where the money is.

The profit can come through ransomware payments or by selling extremely profitable medical records.

According to account monitoring company LogDog, coveted Social Security numbers were selling on the Dark Web for a measly $1 as of last February – the same as a Facebook account. That pales in comparison with the asking price for medical data, which was selling for $50 and up.

Healthcare IT is just like every other kind, except it’s more critical. Law enforcement is one industry that can say no to paying ransom … and lose years’ worth of digital evidence in a ransomware attack, as happened earlier this month to a Texas police department.

That was a mess, but nobody’s life was lost. In contrast, lives are always at stake when it comes to access to healthcare IT, making ransomware payments far more likely.

With regard to crooks focusing on businesses instead of individuals, PhishLabs says the crooks’ targeting schemes are maturing. Rather than broadcasting attacks, as the year went on, there was a shift toward targeted spear-phishing campaigns that focused on small businesses, schools, government agencies, critical infrastructure facilities, and medical facilities.

They’re prime targets for a few reasons cited in the report:

  • They have valuable data. Data availability is paramount to the day-to-day operations of these organizations and in many cases, they’re willing to pay a ransom to restore access quickly.
  • They often have small budgets for IT staffing and may not be adequately prepared to protect their IT assets or respond to an incident.
  • Such organizations are often subject to regulations that can complicate their ability to create and store backups. In such cases, paying a ransom may be the only means to recover the encrypted data.

Future trends in ransomware

It’s nasty enough now, but new trends are already beginning to develop. For example, PhishLabs notes that a large percentage of ransomware targets Windows users, but it’s starting to see some malware authors create samples targeting other platforms, and it’s expecting to see more sophisticated malware targeting OS X, Linux, server operating systems, and mobile platforms.

Other developing trends include increased attacks on the Internet of Things (IoT). Not surprising, given the state of security in these proliferating connected gadgets, far too many of which are vulnerable due to being designed without adherence to the information security principle of least privilege.

PhishLabs says that attackers are also likely to seek expanded functionality. Whereas ransom messages have long threatened public disclosure, recent ransomware samples have actually included exfiltration functionality to allow such threats to be acted upon.

The company’s also seen ransomware samples enrolling computers in botnets, stealing bitcoin wallets, purposefully destroying data, and harvesting email addresses and login credentials.

Simon Reed adds:

Now we see the cyber-criminals optimizing the business model and focusing on increasing their return-on-investment by being more selective, going deeper to achieve a successful attack and widening the range of IT assets being targeted.

What to do?

We regularly offer advice on preventing (and recovering from) attacks by ransomware and other nasties.

Here are some links we think you’ll find useful:
