Digital threats, and ransomware in particular, are much bigger than people realise. In the old days of virus outbreaks it was reasonably easy to determine their spread and efficacy, and people didn’t mind reporting on it. After all, you were generally just an unwitting host to a small piece of code that was trying to send itself to your friends and associates. My first experience with a virus, laughable now, was the Ping-Pong virus released in 1988. It occasionally created a little ball which bounced across your screen and made it difficult to get on with your work (or in my case play King’s Quest).
Ransomware is much more insidious and, in my opinion, massively under-reported. The General Data Protection Regulation (GDPR) has come into effect in the EU and could mean serious penalties for businesses that don’t take data protection seriously. The same goes for the Protection of Personal Information (POPI) Act in South Africa. In this age of data sensitivity, which business would therefore report that its data had been compromised and that an unknown hacker held the key? If that business didn’t have adequate backups, would it admit it had to pay the hacker in Bitcoin to get the data back? Would internal IT teams confess they hadn’t done their job properly and had let the infection in? Would IT support companies confess? The answer is no. Ransomware is like a sexually transmitted disease: you want it sorted out as quickly and quietly as possible.
Unlike STDs, the ransomware business is very profitable, so I have long been saying that it will evolve and become more prevalent, and this certainly seems to be the case. I believe, from now on, that whenever a vulnerability is discovered there will be a spate of ransomware variants to follow. The WannaCry ransomware famously made use of the EternalBlue exploit, which was allegedly discovered by the NSA. The proven ransoms collected from WannaCry only added up to $130,000, but the spread was enormous and the potential ransoms could’ve added up to billions of dollars. A lot of hackers sat up and took notice and are, in my opinion, busy working on their versions of a ‘killer app’ as we speak. The Liberty hack does not look like a ransomware incident, but there is a ransom and the hackers have gained access to the network. This is simply an improvement to the hacker business model.
Here at Dial a Nerd we are currently seeing a new type of ransomware daily, and it doesn’t rely on the ‘traditional’ delivery methods such as an email attachment or a dodgy link. This new form is a targeted attack which is, at least initially, carried out by bots scanning for open Remote Desktop Protocol (RDP) ports. Once they detect such a port they begin a ‘brute-force’ attack: a constant stream of username and password guesses. If this attack works, it appears that a human becomes involved and accesses the network to deliver a ransomware payload (or payloads). What makes this much worse than a traditional ransomware attack is that this hacker, depending on how the network is configured, could delete backups, create a back door, or steal data in addition to delivering the ransomware. We have observed numerous versions of ransomware being delivered in this way: SamSam, .Arrow and Decrypthelp@qq.com.
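The sequence described above (a burst of failed RDP logons from one address, followed by a successful logon once a guess lands) is exactly what a defender can look for in the Windows Security log. The script below is an added example, not Dial a Nerd’s tooling; it works on a constructed, simplified export of logon events (event ID 4625 for a failed logon, 4624 for a successful one, logon type 10 for RDP) and raises two kinds of alert: a source IP exceeding a failure threshold inside a sliding window, and a successful RDP logon from an IP that is currently over that threshold. The field layout, threshold and window size are assumptions chosen for the example.

```python
"""Flag RDP password-guessing in Windows logon events (added example, not Dial a Nerd's tooling)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a flattened export of Windows Security events.
# Fields: timestamp, event_id (4625 = failed logon, 4624 = successful logon),
# logon_type (10 = RemoteInteractive, i.e. RDP), account, source_ip.
# 203.0.113.45 guesses six accounts in under a minute and then gets in as 'backup';
# 198.51.100.7 is a user mistyping a password twice; the last line is a console logon.
SAMPLE_LOG = """\
2018-06-20T02:00:01,4625,10,administrator,203.0.113.45
2018-06-20T02:00:09,4625,10,admin,203.0.113.45
2018-06-20T02:00:17,4625,10,backup,203.0.113.45
2018-06-20T02:00:25,4625,10,scanner,203.0.113.45
2018-06-20T02:00:33,4625,10,test,203.0.113.45
2018-06-20T02:00:41,4625,10,backup,203.0.113.45
2018-06-20T02:01:12,4624,10,backup,203.0.113.45
2018-06-20T08:15:00,4625,10,jane,198.51.100.7
2018-06-20T08:15:20,4625,10,jane,198.51.100.7
2018-06-20T08:15:45,4624,10,jane,198.51.100.7
2018-06-20T09:00:00,4625,2,jane,198.51.100.7
"""

RDP_LOGON_TYPE = "10"
FAILED, SUCCESS = "4625", "4624"


def parse_line(line):
    """Split one exported event into its fields (assumed CSV layout, see above)."""
    ts, event_id, logon_type, account, source_ip = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "account": account, "source_ip": source_ip}


def detect_rdp_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, source_ip, timestamp, detail) tuples.

    'brute_force'      : >= threshold failed RDP logons from one IP inside the window
    'success_after_bf' : a successful RDP logon from an IP currently over the threshold
    """
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerted = set()                # IPs already reported for brute force
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console and network logons are out of scope here
        recent = failures[ev["source_ip"]]
        # Drop failures that have fallen out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["event_id"] == FAILED:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["source_ip"] not in alerted:
                alerted.add(ev["source_ip"])
                alerts.append(("brute_force", ev["source_ip"], ev["ts"].isoformat(),
                               f"{len(recent)} failed RDP logons within {window}"))
        elif ev["event_id"] == SUCCESS and len(recent) >= threshold:
            # A guess landed: this is the point where a human operator typically takes over.
            alerts.append(("success_after_bf", ev["source_ip"], ev["ts"].isoformat(),
                           f"account '{ev['account']}' logged on after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

Run against the sample it reports one `brute_force` alert for 203.0.113.45 at the fifth failure and one `success_after_bf` alert for the later logon as `backup`; the two mistyped passwords from 198.51.100.7 stay below the threshold and produce nothing. The `success_after_bf` alert is the one worth paging on, since it marks the moment an attacker has a working credential rather than merely a list of guesses.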
The good news is that this type of attack is quite easy to thwart. A simple change of the RDP port number could prevent it, as could a very complicated password. Its effect could also be restricted if a network is set up along ‘zero trust’ lines. However, the fact remains that ransomware is a profitable business and, like all profitable businesses in this age of disruption, it’ll adapt to survive.