Ransomware is increasingly effective because of changes in the way it operates. As cyber-extortion is a numbers game – the more devices you infect, the more you earn – the objective of the attackers is to infect as many devices as quickly as possible, said Paul Edmunds, head of technology at the National Crime Agency (NCA). Therefore they need to get around defences such as restricted admin rights.
Describing ransomware as a “growing and present threat”, he told the audience at last week’s Computing Security and Risk Management Summit that whereas early examples tended to be delivered as email attachments which had to be downloaded and executed by the victim, subsequent strains such as WannaCry and NotPetya were much more proactive in seeking out and infecting vulnerable machines.
“We’re starting to see other attack vectors that are growing in importance, scanning and finding unpatched vulnerabilities on a machine,” Edmunds said.
WannaCry is an example of this type, he went on: “It has a component built in that scans the network for a vulnerability and it can remotely deposit some code on a machine and encrypt it. This makes it much more virulent.”
Experiments carried out by the NCA revealed exactly why WannaCry ransomware spread so quickly, infecting NHS Trusts, shipping and logistics firms and many other organisations in a matter of hours.
“We ran some tests on it in our sandpit,” said Edmunds. “We saw it infect the sandpit and then it went absolutely crazy, scanning the local network for machines it could deposit its payload onto and actually scanning machines on the open internet as well at random to see how fast it could spread. That accounted for the speed it spread through networks; it was that extra bit of code added on.”
Exploit kits incorporating such functionality are readily available for sale on the dark net.
“They’re really quite sophisticated and the people who are making them are very good at what they do,” Edmunds said.
The second strategy used by newer strains of ransomware is the indirect attack. Instead of going after an organisation head on, perpetrators seek to infect the supply chain. This was the method used by NotPetya malware.
“It might be a partner or a software company that gets attacked,” Edmunds explained. “It hit Ukraine quite badly and then hit companies who were doing business with Ukraine and it was delivered via software updates to some common accounting software. There was no real block to that delivery mechanism and attack vector.”
This means that the defensive focus needs to shift away from users clicking on links in emails (still important, but no longer the main vector) and onto updates, patch management and network segmentation.
“It’s about the vulnerabilities in the machines, and also the supply chain – who’s providing you with the software? That’s one thing we’re doing now, looking at these attack vectors and new ways that attackers are trying to get their payload onto your systems,” he said.
In terms of defence, Edmunds recommended shortening the patch management cycle, educating users, ensuring the latest versions of operating systems and other software are being run, filtering web traffic and controlling code execution. Eventually some malware will get through, and a defence-in-depth approach can ensure that any damage is limited in impact. Running AV software, subdividing the network and taking regular back-ups are all measures that can be taken.
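The lateral-scanning behaviour Edmunds describes (one host suddenly reaching out to many LAN peers and random internet addresses on the same port) is something a segmented network can also detect from flow records. The following is an added example, not code from the NCA or the article, that flags such fan-out in constructed sample flows; the private-range list, the 60-second window, the 20-target threshold and the port number in the sample are all assumptions chosen for illustration.

```python
"""Flag sources whose connection fan-out looks like worm-style scanning."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges; adjust to the organisation's real addressing.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def scan_sources(flows, window_s=60, min_targets=20):
    """Return {(src, port): (targets, internal, external)} for every source that
    contacts at least min_targets distinct destinations on one port within
    any window_s-second span. flows are (timestamp_s, src, dst, dst_port)."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct destinations reached within the window starting at t0.
            targets = {d for t, d in events[i:] if t < t0 + window_s}
            if len(targets) >= min_targets:
                internal = sum(1 for d in targets if is_internal(d))
                hits[key] = (len(targets), internal, len(targets) - internal)
                break  # one alert per source/port is enough
    return hits


def build_sample_flows():
    """Constructed sample (not real traffic): 10.0.0.5 sweeps 30 LAN peers and
    10 documentation-range (203.0.113.0/24) addresses in 20 s; 10.0.0.9 makes
    three ordinary connections over 45 s. Port 445 is an illustrative value."""
    flows = [(i * 0.5, "10.0.0.5", f"10.0.0.{100 + i}", 445) for i in range(30)]
    flows += [(15 + i * 0.5, "10.0.0.5", f"203.0.113.{i + 1}", 445) for i in range(10)]
    flows += [(t, "10.0.0.9", f"10.0.0.{200 + n}", 445) for n, t in enumerate((0, 30, 45))]
    return flows


if __name__ == "__main__":
    for (src, port), (total, inside, outside) in scan_sources(build_sample_flows()).items():
        print(f"ALERT {src} -> {total} hosts on port {port} ({inside} internal, {outside} external)")
```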