Thursday, 13 August 2020 09:43

Ransomware likely to be around for a while, says Sophos researcher

Chester Wisniewski: "The days of loading security software on your endpoints, dusting off your hands and walking away are long gone." Courtesy Sophos

Ransomware has evolved considerably from its first sighting — Cryptolocker was spotted on 5 September 2013 — and is unlikely to disappear anytime soon as the people behind this breed of malware develop more and more sophisticated ways of weaponising it, a senior security official from global vendor Sophos says.

Chester Wisniewski, principal research scientist in the office of the company's chief technology officer, said in a blog post that, five weeks out from the seventh anniversary of the appearance of ransomware, combating this form of malware had also been made more difficult by the inability to trace payments after the rise in the use of cryptocurrencies.

Wisniewski's post was the fifth and final in a series published by the company under the title The realities of ransomware. iTWire has covered the other blog posts, one last week and the others on Monday, Tuesday and Wednesday.

"That fledgling ransomware (Cryptolocker) pioneered a new technology to extract wealth from victims, which, in past cyber attacks, had always been the hardest path to success," he wrote. "Money is inherently traceable and is difficult to obtain electronically if you are a criminal, but Cryptolocker had a new trick up its sleeve: bitcoin."

He said ransomware operators had upped their game, particularly in the last 10 months, with the addition of data theft to their arsenal in order to create more social pressure on victims to pay up.

Wisniewski pointed out that while security firms had done a great deal to force attackers to switch to different tactics, the attackers had been equally good at finding other, less obtrusive, ways of achieving their ends.

"When ransomware was introduced it depended on infecting large numbers of innocent people and demanding US$400 (A$558) to US$1000 each to make money, causing widespread harm," he noted. "These attacks were automated and were largely a numbers game. This is not how ransom attacks look today. Once again, the attackers shifted."

In today's world, attackers needed to get past endpoint security that had improved greatly, which required more effort from people with better skills. This meant, in turn, that the ransoms had to be bigger amounts, often running into millions, to make it worthwhile for the attackers.

Wisniewski said the modus operandi had now shifted to low-key attacks that did not register on the radar, with attackers trying to avoid indulging in acts that could put them on the wrong side of the law.

"The result is that average organizations, not just governments and defence contractors, now have human adversaries," he said. "This was not in most organisations’ plans. They were, and are, woefully unprepared for this new reality which has led to the deluge of news stories about ransom, extortion and data breaches."

One of the major innovations by attackers had been the bypassing of security tools, he said. Given that there were humans involved, the tactics employed often differed from attack to attack.

"If they can phish a password for an admin, they log into the security management console and simply turn everything off. If that doesn’t work, groups like Snatch have turned to booting into Windows 'safe mode' where many security protections are disabled before launching their encryption routines," he explained.

"And, now, with Wasted Locker, we are seeing the depths of internal Windows behaviours like memory mapping and caching being abused to bypass behavioural anti-ransomware technologies."

Another characteristic of modern-day attackers was the degree of persistence they showed, he said. "If your tools succeed at blocking the initial attack, they will not just give up. They are humans and will find a way around any programmatic barrier.

"Humans are tenacious, we are creative and we don’t give up easily. To defend against this you need humans to sort the wheat from the chaff. Tactics change on a weekly basis and knowing the signs of your own tools turned against you is the key to early detection."
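As an added illustration of the early-detection point, and of the safe-mode tactic attributed to Snatch above (this is example code, not from the article or from Sophos): on Windows the safe-boot setting is written with the stock bcdedit tool, so a defender can flag process-creation events where bcdedit changes the safeboot value and a reboot follows on the same host. The log format and the sample lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (not real telemetry).
# Assumed layout: <ISO timestamp> host=<h> user=<u> image=<path> cmdline="<args>"
SAMPLE_LOGS = [
    '2020-08-13T09:41:02Z host=WS-17 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt"',
    '2020-08-13T09:41:45Z host=WS-17 user=CORP\\admin-svc image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} safeboot minimal"',
    '2020-08-13T09:41:47Z host=WS-17 user=CORP\\admin-svc image=C:\\Windows\\System32\\shutdown.exe cmdline="shutdown /r /t 0"',
    '2020-08-13T10:02:10Z host=SRV-02 user=CORP\\it-ops image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /enum"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline="(?P<cmd>.*)"$'
)

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one event line into a dict; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return ev

def is_safeboot_change(cmd: str) -> bool:
    """True when bcdedit writes or removes the safeboot value; read-only calls such as /enum are ignored."""
    c = cmd.lower()
    return "bcdedit" in c and "safeboot" in c and ("/set" in c or "/deletevalue" in c)

def is_reboot(cmd: str) -> bool:
    """True for a shutdown command that requests a restart."""
    c = cmd.lower()
    return c.startswith("shutdown") and "/r" in c.split()

def find_safeboot_events(lines: List[str]) -> List[Dict[str, object]]:
    """All events that change the safe-boot configuration."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return [ev for ev in events if is_safeboot_change(str(ev["cmd"]))]

def safeboot_followed_by_reboot(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """(host, user) pairs where a safe-boot change is followed by a reboot on the same host inside the window."""
    events = [ev for ev in map(parse_line, lines) if ev]
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if not is_safeboot_change(str(ev["cmd"])):
            continue
        for later in events:
            if (later["host"] == ev["host"] and is_reboot(str(later["cmd"]))
                    and ev["ts"] <= later["ts"] <= ev["ts"] + window):  # type: ignore[operator]
                hits.append((str(ev["host"]), str(ev["user"])))
                break
    return hits
```

The paired rule (configuration change plus prompt restart) is the higher-confidence signal; a lone safeboot write is still worth an alert because legitimate use of it is rare on workstations.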

Wisniewski said the fight against ransomware gangs was no longer a battle. It had become a war. "To stay ahead you need to be vigilant and have the right people, the right training and the right tools. The days of loading security software on your endpoints, dusting off your hands and walking away are long gone," he observed.

Defenders needed to use the same hybrid tactics as attackers did: "combining automation to find victims with a gap in their defences and humans to creatively use existing tools from the victims' own network against themselves. This business model can net them millions of dollars per victim and cause uncountable additional damage."

He said while computers, automation and tools were amazing, when "combined with human intellect, pattern recognition and our ability to extrapolate from the past into the future they provide a formidable defence. Those that are having success at defending themselves almost always have the right mix of investment in people, training and tools".



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
