As a senior incident response analyst for IBM Emergency Response Services, I’ve got a front-row seat to observe the latest trends in cybercrime and cybercriminal behavior. Any organization that experiences a breach or other security incident can call our hotline for help.

Ransomware Isn’t Going Away

Over the past six months we’ve seen a huge uptick in the number of calls concerning ransomware. Lots of organizations are getting hit with it, and it’s interesting because, like distributed denial-of-service (DDoS), ransomware is generally considered to be an old-school style of attack. Some of the technologies used in today’s attacks may be new, but the vectors employed to actually deliver the malware are not dissimilar from the techniques of the late 1990s.

For example, Word macros have experienced a huge resurgence as a way for cybercriminals to infect targeted endpoints. Macro viruses and malware have been around for years, but in the face of newer and more advanced threats, they’ve actually fallen off the map a bit. In many instances, Word documents and PDFs have completely dropped off the syllabus of organizations’ user education programs, where the focus has shifted to zip files and executables as the primary potential threats.

I can’t enter the mind of the attacker to say exactly why they’re reverting to these old methods, but we have to admit it does make some sense. Word documents and PDFs are used so commonly by most organizations that employees don’t even consider they might be weaponized. The lack of user education on the topic just gives attackers an extra edge.

So let’s say an employee who receives multiple Word docs every day and is not trained to treat them with suspicion happens to open one that’s weaponized with a macro that fetches an encrypted payload. A network control such as an SSL gateway would see the download but can’t decrypt the attacker-encrypted payload, so it crosses the network and reaches the endpoint. Then the code in the macro decrypts the malware and drops it, and now it’s on the endpoint. The only chance left is for your antivirus solution to pick it up. If that doesn’t happen, the malware has free rein inside your environment.
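To give defenders a concrete starting point for the macro delivery path described above, here is an added example (not from the original post or from IBM) that triages Office attachments by checking whether the OOXML package carries a VBA project and whether the package declares itself macro-enabled; the sample documents are constructed in-memory stubs, not real Office files, and the check does not cover the legacy binary .doc (OLE) format.

```python
import io
import zipfile

# Constructed, minimal [Content_Types].xml parts (not real Office output),
# used only to build sample attachments for this example.
_CT_HEAD = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            b'package/2006/content-types">')
CT_DOCX = _CT_HEAD + (b'<Override PartName="/word/document.xml" ContentType="application/'
                      b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
CT_DOCM = _CT_HEAD + (b'<Override PartName="/word/document.xml" ContentType="application/'
                      b'vnd.ms-word.document.macroEnabled.main+xml"/>'
                      b'<Override PartName="/word/vbaProject.bin" ContentType="application/'
                      b'vnd.ms-office.vbaProject"/></Types>')


def build_doc(parts: dict) -> bytes:
    """Pack a dict of {zip entry name: bytes} into an OOXML-style zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def triage_attachment(data: bytes) -> str:
    """Classify an attachment by the presence and declaration of a VBA project.

    Returns one of: 'no-macro', 'macro-enabled', 'hidden-macro', 'not-ooxml'.
    'hidden-macro' means a vbaProject.bin part exists although the package does
    not declare a macro-enabled content type, which is worth a closer look.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-ooxml"  # legacy .doc (OLE) or not a document: needs a different parser
    names = zf.namelist()
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    ct = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    declared_macro = b"macroEnabled" in ct
    if has_vba and declared_macro:
        return "macro-enabled"
    if has_vba:
        return "hidden-macro"
    return "no-macro"


# Constructed sample attachments (stubs, not real documents).
CLEAN_DOCX = build_doc({"[Content_Types].xml": CT_DOCX, "word/document.xml": b"<w:document/>"})
MACRO_DOCM = build_doc({"[Content_Types].xml": CT_DOCM, "word/document.xml": b"<w:document/>",
                        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub vba project"})
MISMATCH_DOCX = build_doc({"[Content_Types].xml": CT_DOCX, "word/vbaProject.bin": b"stub"})
```

Run over a mail gateway's quarantined attachments, the 'macro-enabled' and 'hidden-macro' verdicts are the ones to route to sandboxing or user-education follow-up rather than straight to the inbox.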

Old-School Attacks Are Back in Style

This renaissance of old-school tactics is affecting a growing number of companies and bringing difficult business decisions to the fore. Getting hit by CryptoLocker or other ransomware, especially when it encrypts files on your network share, is devastating and can slow business to a standstill.

One interesting related phenomenon we’re seeing is that many organizations that suffer a ransomware attack realize that the incident response processes they had in place are not adequate. In other words, the incident response plan that’s been on the shelf for two years has never been updated and is now revealed to be antiquated or broken. Or maybe the company just didn’t do a good job of following the plan because they had never rehearsed. Getting hit by ransomware can be a painful lesson: Many of us are not as prepared as we think we are.

An additional consequence of not maintaining an up-to-date incident response plan is discovered when an organization tries to avoid paying the ransom by turning to backups. Even if you are performing backups every week, if you aren’t regularly testing to make sure your critical data is actually being copied, stored and restorable as necessary, in the end there may be no choice but to pay up.

The bottom line is ransomware is working. As long as it continues to make money for attackers, it will exist. But while today’s cybercriminals are reverting to the past when choosing their attack methods, your organization’s best hope is to make sure you have effective incident response processes that look to the future.
