Targeted ransomware attacks spiked in the last part of 2016

Kaspersky researchers have detected a spike in targeted ransomware attacks on large organisations.

Kaspersky researcher Anton Ivanov noted that the main goal of these attacks, noticed in late 2016, was to deploy an encryptor on its target's network nodes and servers.

These attacks are not only simple to carry out, but come with a high profit margin. Encryptors are easy to build or are at least easily available. The Mamba encryptor, for example, was made using a piece of open source software called DiskCryptor. Ivanov noted: “Some cyber-criminal groups do not even take the trouble of involving programmers; instead, they use this legal utility ‘out of the box’.”

Ransomware is often noted for attacking civilian computers in wide-ranging attacks which go after many systems and successfully ransom a few. These more targeted attacks might seem like the realisation of a bad dream for some.

Brian Chappell, senior director, enterprise and solutions architecture at BeyondTrust, told SC that companies are right to be scared: “The effects could be completely paralysing for any organisation as all their business-critical data is tied up behind a wall of encryption.”

It turns traditional security against itself: “The whole purpose of encryption is to provide a secure mechanism to prevent unauthorised access to data; it is the inherent security of the mechanism that makes it so damaging when turned against organisations.”

Javvad Malik, security advocate at AlienVault, told SC that companies, and their security teams, are often afraid of the visibility that a ransomware infection can bring about: “Much like a DDoS attack, the attackers don't try to hide the fact that they have infected you. This leads to a lot of discussion and possibly leaking to the media.”

It can also lead to a lot of hard questions within the company, added Malik: “Executives will directly see the impact and direct many hard questions towards effectiveness of security controls, what went wrong, how it can be improved etc. Nothing that a CISO will look forward to.”

Ivanov's post advised organisations worried about the threat of a ransomware attack to audit the software installed on their nodes and servers. Outdated software should be updated immediately.

Corporations might be slow to heed that advice. Graham Mann, managing director of Encode Group UK, told SC that though they might fear ransomware, “corporations are very slow to react by implementing procedures to prevent such attacks, and to recover if an attack is successful.”

Many companies “simply can't restore fully after a ransomware attack for a variety of reasons, and even if they can, it still means the loss of potentially a day's work. If an entire server farm is infected you could be out for days restoring the data.”

Kaspersky isn't the only group to notice this development. F5 Networks recently noted campaigns exploiting the Apache Struts2 vulnerability to deploy Cerber ransomware on servers.

F5 researchers noted that targeting servers rather than individuals with ransomware could provide a better payout, because servers are more likely to be run by private businesses and organisations “with deeper pockets and better infrastructure that might be critical for their business”.