Fresh from peering into our crystal ball and outlining some of the trends that we expect to dominate the cyber-landscape in the coming year, we will now offer a snapshot of 2017. In a way, this year may be seen as a ‘year of wake-up calls’. Alarm bells barely stopped ringing as we kept waking up to the reality of a rash of fresh cyber-incidents. Striking far and wide, such incursions provided everybody who goes anywhere near the Web with abundant fodder for reflection on how unsafe our online worlds can be. Rather than ‘sit back and relax’, it is now often ‘sit up and take notice’.
As part of our narrative, we will draw attention to key events, and pinpoint common features underpinning some of the main trends and topics that have defined this year. We will also review some of the predictions for 2017 that our thought leaders made a year ago.
Going down the rabbit hole with ransomware
The amount of attention grabbed by ransomware or ransomware-esque attacks (such as wipers and some tech-support scams) this year also makes it tempting to conclude outright that 2017 will be remembered as ‘the year of ransomware’. In fact, chances are you’ve heard the phrase before, including with some caution in our review of 2016.
The picture may be a little blurrier, however. Not to be outshone by mere malware, large-scale data breaches continued to abound – and, indeed, spiked – this year, signaling that being affected by a data breach is no longer a matter of ‘if’, but of ‘when’. Ransomware and data breaches remain major thorns in the sides of users and organizations across the world, often piercing their defenses without too much effort. In fact, sometimes the two threats even become intertwined, resulting in a highly volatile concoction of cyber-insecurity ingredients.
While the vexatious problem that is ransomware has been stooping to ever new lows in recent years, profits – and, by extension, demand for profit – have been trending in the opposite direction. So much so that the drive to ever-greater profits has continued to encourage a flourishing trade in ransomware-as-a-service (RaaS) kits, enabling even not-particularly-tech-savvy attackers to strike their targets hard. Put bluntly, all it now takes is ill intentions and chump change. Contrast those negligible outgoings with the potential profits: the FBI estimates the total amount of cyber-ransom payments as close to US$1 billion annually.
In another shift in the ransomware paradigm, many attacks are now sophisticated, and even customized, campaigns involving deliberately-chosen sectors and victims, rather than being spray-and-pray attempts at squeezing whatever cash may be extorted from random victims.
Ransomware meets data breaches meets DDoS … is en route to meeting gaping holes in IoT security?
Ransomware has also been evolving in many other ways, ultimately resulting in hybrid threats. The profitability of the ‘business model’ based on cyber-extortion is also evidenced by the fact that these tactics were carried over to other platforms (Android) quite some time ago, and are also the backbone of hacks followed by shakedown threats on pain of going public with the stolen data. Television network HBO and streaming platform Netflix were in the limelight earlier this year for leaks that were reminiscent of Sony’s woes in 2014, in what effectively equates to weaponization of their own data.
“Ransomware has also been evolving in many other ways, ultimately resulting in hybrid threats”
Developments over the past few years have also validated some of our concerns regarding a degree of crossbreeding between extortion, DDoS, and/or the exploitation of IoT vulnerabilities, as further threat layers on top of tried-and-tested crypto-ransomware. In an unsurprising step in this evolution, an unpalatable witches’ brew of extortion and DDoS has had miscreants salivating even more this year and has gained further traction especially after a successful blackmail campaign that netted its orchestrators $1 million worth of bitcoin in June.
In the grand scheme of things, the appetite for hectoring victims into paying up under the threat of a DDoS attack is also being fueled by the easy availability of both ‘services’ – RaaS and DDoS-for-hire. While pay up or be DDoS-ed threats often turn out to be all bark and no bite, the prevalence of DDoS makes these onslaughts one of the real menaces faced most often by organizations. Making things worse, such attacks are often intended as smokescreens for other incursions, notably malware compromises or data thefts.
Adding further to the woes is the proliferation of IoT devices. Leaving aside proofs-of-concept, we have yet to see a fully-fledged attack involving ransom demands in exchange for releasing hijacked “smart things”. However, the writing is, arguably, on the wall. While such hijacking is not necessarily as simple as sometimes reported in the media, we cannot help but echo our long-standing concerns as to what may happen if/when an in-vogue attack method, such as ransomware, converges with countless unsecured IoT devices ripe for exploitation.
DDoS attacks – such as the one that caused widespread disruption of legitimate internet activity in the United States a little over a year ago – are normally conducted by machines conscripted into botnets. Developments in the botnet space saw a notable feat just a few weeks ago, when an international law enforcement operation laid waste to hundreds of long-running botnets powered by a malware family called Wauchos (aka Gamarue aka Andromeda) following an effort that lasted for more than a year and involved technical assistance from ESET researchers.
WannaCryptor as a canary in a coal mine
May 12th, 2017, was an ordinary Friday until reports started pouring in of thousands of computers worldwide being locked up, only to be freed in exchange for $300 worth of bitcoin. The unprecedented infestation – ransomware called WannaCryptor (detected by ESET as WannaCryptor.D and also known as WannaCry and Wcrypt) – spread at a dizzying rate, affecting around 300,000 computers in approximately 150 countries. In contrast, the payouts were by no means hefty given the epidemic’s reach.
As the victims tried to make sense of the mayhem and attempted to recover their scrambled data – which was actually close to a fool’s errand – the outbreak was soon all but stopped dead in its tracks after a security researcher registered a ‘kill switch’ domain, halting the ransomware’s ongoing spread. That domain was soon under siege, however, as some hackers sought to resurrect WannaCryptor via DDoS attacks aimed at knocking the kill switch domain offline, utilizing their copycat versions of the Mirai botnet in the process.
WannaCryptor propagated by exploiting a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol, co-opting the EternalBlue and DoublePulsar hacking tools developed by the National Security Agency (NSA). Microsoft had actually released a security update for supported versions of Windows to patch the hole exploited by EternalBlue two months before the outbreak and a month before a hacker or group known as Shadow Brokers released the two tools to the wild. In order to stymie later iterations of the attack, Microsoft even took the unusual move of issuing emergency patches for no-longer supported systems, such as Windows XP. Contrary to initial reports, nearly all of WannaCryptor’s casualties were found to be running (unpatched, obviously) Windows 7 systems.
Another global attack
Around six weeks later, with memories of WannaCryptor’s red-and-white ransom note still fresh, all eyes were riveted on another virulent threat with quirks of its own. On June 27th, ransomware detected by ESET as Diskcoder.C (aka ExPetr, PetrWrap, or Not-Petya) began to make the rounds and, while hitting organizations globally, most of the companies laid low were based in Ukraine.
“Put bluntly, all it now takes is ill intentions and chump change”
The Diskcoder.C malware exemplified just how deceiving appearances can be in cybercriminal wares. In a departure from the previous trend and contrary to initial beliefs, this malware turned out to be a destructive wiper, rather than ransomware that should, at least in theory, be able to revert its own changes.
Diskcoder.C used a modified version of the same EternalBlue exploit as WannaCryptor, but went deeper inside the victim’s system. Instead of encrypting individual files, its payload overwrote the hard drive’s Master Boot Record (MBR) and triggered a restart. Consequently, although the ransom note and the demand for an unlock key were displayed, it was only the malware that started up after the machine’s reboot and there was no way to restore the files.
At the root of this global epidemic was a successful compromise of accounting software M.E.Doc, popular across various industries in Ukraine. A number of organizations executed a trojanized update of M.E.Doc and suffered the primary infestation, with the malware then propagating into global systems via businesses interconnected with their Ukrainian partners. Global multinationals put the damage at hundreds of millions of US dollars. While that spillover damage may be viewed as collateral, it laid bare the magnitude of the threat that malware attacks represent for infrastructure and supply chains.
In Bad Rabbit’s burrow
Fast forward to October 24 and a variant of the Diskcoder family with worm-like capabilities brought with itself another cybersecurity meltdown, although the infestation was largely confined to Russia and Ukraine. Dubbed Diskcoder.D and also known as Bad Rabbit, it propagated in the guise of a fake Flash update installer displayed as a pop-up on legitimate – but hacked – news and media websites. In addition to brute-forcing its way across networks, it also leveraged EternalRomance, another SMB exploit leaked by Shadow Brokers.
Mobile devices aren’t spared
The Android platform, nearly a decade old, remains the prime target for miscreants aiming at mobile devices, and mobile ransomware specifically has been a full-scale and continually rising global threat for quite a while now. Banking Trojans remain another mainstay in the Android space. In fact, the two functionalities may collude, as ESET malware researcher Lukáš Štefanko found out earlier this year.
Štefanko discovered a strain of Android ransomware with two firsts. For one thing, DoubleLocker not only encrypts the user’s files, but also locks the device by changing its PIN. Adding insult to injury, it’s also the first known ransomware to spread by misusing the platform’s accessibility services. DoubleLocker is actually derived from an established banking malware family and can be turned into what Štefanko called a ‘ransom-banker’ capable of wiping out a victim’s bank or PayPal account before locking the device and data and demanding a ransom. A test version of the ‘ransom-banker’ was detected in the wild in May 2017.
In part 2 of our of Cybersecurity in 2017 the focus will be on data (in)security, vulnerabilities and the dangers facing critical infrastructure.
Author Tomáš Foltýn, ESET