Last year was the year of cryptojacking. The first quarter of 2018 saw a 4000% increase in this kind of attack, while, in the same period, ransomware detections fell 2%. Nevertheless, it seems that ransomware is returning to the limelight in 2019. This time, however, with more select targets, rather than massive campaigns.
The latest victims are two cities in Florida, USA. On May 29, an employee in the Riviera Beach police department opened an email that triggered a piece of ransomware on the whole city’s network. This ransomware encrypted city hall’s files and brought the city’s services to a standstill; all except the 911 services, which were nonetheless limited by the attack.
One month later, the city caused controversy when it announced that it intended to pay the 65 bitcoin (over €600,000) ransom in order to recover its files. Just a week later, Lake City, another city in Florida, paid a 42 bitcoin (€420,000) ransom to recover its files after an attack using a piece of ransomware they called “Triple Threat”, which had encrypted their files on June 10. The city hall also fired its IT director in connection with this attack. In less than a week, cybercrime had earned over a million euros.
These two incidents are just the latest in a series of attacks specifically targeting local governments in the United States. This year Jackson County, Baltimore, Cartersville and Lynn have also been affected. And just last week, a third city in Florida fell victim to a ransomware attack. These ransomware attacks are part of a more generalized trend: targeted ransomware.
In their efforts to evolve, cybercriminals are increasingly turning to targeted ransomware attacks instead of indiscriminate campaigns. The driving force behind this change is, as ever, money: a successful attack carried out against a specific company can be much more lucrative than a generalized campaign.
For proof of this, we need look no further than the WannaCry attackers. According to some calculations, this attack, which affected some 200,000 computers around the world, netted the attackers just €120,000. If we compare this with the €600,000 earned in the Riviera Beach attack, it is easy to see why targeted ransomware is gaining popularity.
Norsk Hydro suffers the consequences of a targeted attack
In March last year, the aluminum producer Norsk Hydro was hit by a highly targeted attack. According to the BBC, the attackers spent weeks inside the company’s IT system, searching for weak points and vulnerabilities, before launching a piece of ransomware that affected 22,000 computers across 40 countries. The whole company—over 35,000 employees—had to resort to manual work.
The company’s reaction has nevertheless been described as the “gold standard” by the authorities: it has refused to pay the ransom, and has been open and transparent at all times about what happened. Even so, despite doing everything right, the scale of such a targeted attack has meant that, to date, the company has spent over £45 million (€50 million) recovering from the attack.
Why targeted ransomware is so dangerous
The cybercriminals that carry out this kind of attack don’t choose companies at random; their victims are chosen according to the vulnerabilities that exist within the organization. This means that if a company is hit by a targeted ransomware attack, there is a high likelihood of it succeeding. As CSO explains, attackers tend to search for companies with an insecure RDP connection to start the attack.
This connection is used to escalate privileges and eventually get administrator controls. This way, they can deactivate security solutions and then infect the system with ransomware.
The role of the attacker is also changing. During a mass ransomware campaign, the attacker sends out the ransomware and waits for the results. In targeted attacks, however, the attacker is present at all times, proactively working to infect the system. These attacks are a good example of live hacking, where the attacker manages to get around traditional cybersecurity solutions to install the ransomware on the targeted company’s system.
The importance of constant monitoring
To tackle the way that attackers now act, it is vital that cybersecurity solutions use proactive strategies. Panda Adaptive Defense proactively monitors all the processes on your system in real time. It detects any anomalies in all activities that are being carried out on your network, thus stopping any threat even before it can happen.
Another thing to bear in mind is the fact that attackers are not looking for a challenge. That is, they are not interested in well-protected companies, since attacking them would involve investing more money and more resources. To stop attackers from gaining access to your system, you need to close all weak points. This includes weighing up whether an RDP connection (a protocol whose reputation has taken a hit over the past few weeks) is necessary, or whether it is best to do without it. It is also essential to patch all vulnerabilities.
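As an added example (not part of the original article and not any vendor's product logic), the sketch below shows the kind of monitoring check that fits the RDP entry point described above: it reviews Windows logon events and flags RDP logons that come from outside the organization or that follow a run of failures from the same source. The sample events, the internal address ranges and the failure threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows in the shape of a Windows Security log export:
# (time, event_id, logon_type, account, source_ip).
# 4624 = logon success, 4625 = logon failure, logon type 10 = RemoteInteractive
# (RDP). With Network Level Authentication, failed RDP attempts are logged as
# type 3, which also covers other network logons, so failures are a superset.
SAMPLE_EVENTS = [
    ("2019-07-01T02:11:04", 4625, 3, "administrator", "203.0.113.45"),
    ("2019-07-01T02:11:09", 4625, 3, "administrator", "203.0.113.45"),
    ("2019-07-01T02:11:15", 4625, 3, "admin", "203.0.113.45"),
    ("2019-07-01T02:11:21", 4624, 10, "admin", "203.0.113.45"),
    ("2019-07-01T08:30:00", 4624, 10, "jsmith", "10.20.1.15"),
    ("2019-07-01T09:02:10", 4625, 10, "jsmith", "10.20.1.15"),
    ("2019-07-01T09:05:00", 4624, 10, "helpdesk", "198.51.100.7"),
]

# Assumption: the organization's own address space. An explicit list is used
# because ipaddress' is_private also matches documentation and other ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD = 3  # assumption: tune to the environment


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp_logons(events, fail_threshold=FAIL_THRESHOLD):
    """Return (time, account, source_ip, reasons) for RDP logons worth review."""
    failures = defaultdict(int)  # failed logons per source since last success
    alerts = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if event_id == 4625 and logon_type in (3, 10):
            failures[src] += 1
        elif event_id == 4624 and logon_type == 10:
            reasons = []
            if is_external(src):
                reasons.append("rdp-logon-from-external-address")
            if failures[src] >= fail_threshold:
                reasons.append("success-after-%d-failures" % failures[src])
            if reasons:
                alerts.append((ts, account, src, reasons))
            failures[src] = 0
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print(alert)
```

Any alert for an external address is also a sign that RDP is reachable from the internet, which is the exposure the paragraph above suggests reconsidering.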
Targeted ransomware can affect organizations of all shapes and sizes. However, the ideal target is a poorly-protected company. Cybersecurity is therefore an essential tool.