Ransomware Goes Back to the Future

September 30, 2015
| |
3 min read

As a senior incident response analyst for IBM Emergency Response Services, I’ve got a front-row seat to observe the latest trends in cybercrime and cybercriminal behavior. Any organization that experiences a breach or other security incident can call our hotline for help.

Ransomware Isn’t Going Away

Over the past six months we’ve seen a huge uptick in the number of calls concerning ransomware. Lots of organizations are getting hit with it, and it’s interesting because, like distributed denial-of-service (DDoS), ransomware is generally considered to be an old-school style of attack. Some of the technologies used in today’s attacks may be new, but the vectors employed to actually deliver the malware are not dissimilar from the techniques of the late 1990s.

For example, Word macros have experienced a huge resurgence as a way for cybercriminals to infect targeted endpoints. Macro viruses and malware have been around for years, but in the face of newer and more advanced threats, they’ve actually fallen off the map a bit. In many instances, Word documents and PDFs have completely dropped off the syllabus of organizations’ user education programs, where the focus has shifted to zip files and executables as the primary potential threats.

I can’t enter the mind of the attacker to say exactly why they’re reverting to these old methods, but we have to admit it does make some sense. Word documents and PDFs are used so commonly by most organizations that employees don’t even consider they might be weaponized. The lack of user education on the topic just gives attackers an extra edge.

So let’s say an employee who receives multiple Word docs every day and is not trained to treat them with suspicion happens to access one that’s weaponized with a macro that fetches an encrypted payload. Something like an SSL gateway would see the traffic but can’t decrypt it, and so it comes across the network and reaches the endpoint. Then the code in the macro decrypts the malware, drops it, and now it’s on the endpoint. The only chance left is for your antivirus solution to pick it up. If that doesn’t happen, then the malware has free rein inside your environment.

Old-School Attacks Are Back in Style

This renaissance of old-school tactics is affecting a growing number of companies and bringing difficult business decisions to the fore. Getting hit by CryptoLocker or other ransomware, especially when it encrypts files on your network share, is devastating and can slow business to a standstill.

One interesting related phenomenon we’re seeing is that many organizations that suffer a ransomware attack realize that the incident response processes they had in place are not adequate. In other words, the incident response plan that’s been on the shelf for two years has never been updated and is now revealed to be antiquated or broken. Or maybe the company just didn’t do a good job of following the plan because they had never rehearsed. Getting hit by ransomware can be a painful lesson: Many of us are not as prepared as we think we are.

An additional consequence of not maintaining an up-to-date incident response plan may be discovered when an organization decides to try to avoid paying the ransom by turning to backups. Even if you are performing back-ups every week, if you aren’t regularly testing to make sure your critical data is actually being copied and stored as necessary, in the end there may be no choice but to pay up.

The bottom line is ransomware is working. As long as it continues to make money for attackers, it will exist. But while today’s cybercriminals are reverting to the past when choosing their attack methods, your organization’s best hope is to make sure you have effective incident response processes that look to the future.

Read the IBM research paper to learn more about ransomware

Lance Mueller
Senior Incident Response Analyst, IBM Emergency Response Services (ERS)
Lance Mueller is a contributor for SecurityIntelligence.