How ransomware is going manual to target victims [Q&A]
The ransomware attacks that make the news are the ones like WannaCry and NotPetya that spread rapidly and affect many businesses.
But there's a new breed of manual ransomware attack happening that seeks to pick its victims much more selectively with a view to causing maximum disruption. We spoke to Roy Fisher, incident investigator at cyber security company MWR to find out more.
BN: What makes manual ransomware different?
RF: Traditional ransomware comes through some form of phishing attack or other 'spray and pray' technique. Manual ransomware requires much more time and effort from the attackers. They're trying to break into the network and find out what the critical systems are. They're then targeting specific systems to do maximum damage. So it's a much more focused attack.
BN: Is it delivered in the same way as other attacks, relying on social engineering for example?
RF: It can be, but what we generally see is that it's more of a traditional network compromise. The attacker will breach the perimeter in some way, spend a bit of time exploring the network estate. Once they've done that they'll be able to understand what is critical for the operation of the business and therefore what to target to cause maximum impact.
The attacker will spend a much larger amount of effort before the ransomware is triggered. This means that it's more likely that they will achieve maximum impact and potentially get a higher payout.
BN: Is manual ransomware primarily aimed at making money, and where are these attacks coming from?
RF: Yes it is, but also we have seen that it can be aimed just to disrupt business in some way. It's intending to maximize the damage to business operations.
We suspect that most of the attacks are coming from organized crime groups. These won't be focused exclusively on manual attacks, they're looking to make as much money as they can, so they'll be employing other untargeted attack methods too. The alternative type of attack we see is when somebody's got inside a network they then will drop manual ransomware to distract the security team allowing them to perhaps steal sensitive data.
BN: Do we know how big a problem this is?
RF: From what we've seen it's not like the big attacks that make the headlines. It's very targeted so when we do hear about it it's because it's coming up in investigations. At MWR we've seen it a few times, nothing excessive at the moment. We suspect that it will be used more as a distraction tactic in future.
BN: Is a particular type of ransomware being used?
RF: No, it could be anything, it can be off-the-shelf code or it could be customized to target a particular application within a company. Because the attackers have a better view of what the internal systems of the victims look like, they have the ability to customize the ransomware and target that internal environment in the best way possible.
It's not aimed at a particular platform either, it could be used to attack any type of system.
BN: Are particular types of organization being attacked?
RF: At the moment it seems to be across the board but we are only seeing isolated cases at the moment so it's not widespread and it's too early to see a trend. Geographically too it's happening wherever it can be most beneficial for the attacker in relation to the current compromise or goal that they're trying to achieve.
BN: How well are these attacks working, are they making money for the perpetrators?
RF: It's hard for us to know how well they're working financially. In terms of covering the attackers' tracks it's a technique that's quite effective, making the forensic work to uncover what is going on more complex.
These attacks are at quite a low level compared to spray and pray type attacks and because they're well targeted they are smaller in nature, but the volume of attacks does seem to be increasing.
BN: What do companies need to do to protect themselves?
RF: Due to the nature of the attack, the best approach is to follow a traditional detect and respond path. Making sure that any compromises can be picked up through detection technologies and then being able to respond quickly in an appropriate manner before an attack can spread. The ransomware component in these cases is really just a piece of a larger attack.