Ransomware is getting more targeted (pic: Glegorly/GettyImages)
The National Cyber Security Centre (NCSC) has warned of a growing trend of more targeted ransomware attacks throughout 2018.
In an advisory issued today, the NCSC warned that attackers are exploiting native tools for attacks. "Attack vectors include remote administration tools, such as Remote Desktop Protocol (RDP). Cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions by stealing login credentials and other sensitive information. Other attack vectors are propagated by use of other malware such as Trickbot," the NCSC said.
The advisory follows a similar advisory issued by the FBI and Department of Homeland Security (DHS) in the US. Their joint warning said that attackers were exploiting RDP by targeting open ports or intercepting RDP sessions to inject malware into systems which were being remotely accessed.
The NCSC said that ransomware has been a growing threat since 2016. Attackers have concentrated on bulk attacks, relying on "economies of scale" to extract profits by "targeting high volumes of users of vulnerable devices".
"The number of successful attacks was often enough to enable significant financial gain, even for only modest ransom demands," the NCSC said.
However, 2018 has seen a step change toward more targeted attacks. "Criminal actors analyse victim networks to understand their ‘value’ and set a ransom demand based on that perceived value. Through analysis of the victim network and lateral movement, actors also seek to ensure that their malicious activity has the maximum impact on the victim organisation – potentially denying the victim access to business-critical files and systems and disrupting the operations of the victim organisation," the NCSC said.
It said attacks against Windows are still commonplace but, disturbingly, attacks against Mac and Linux systems are growing.
In its 2019 Threat Report, SophosLabs researchers noted a distinctive change in cyber-criminal behaviour toward more targeted attacks.
"In 2018, cyber-criminals banked millions of dollars with hand-crafted, targeted ransomware attacks. These interactive, premeditated attacks are different than ‘spray and pray’ style bot-attacks that are automatically distributed through mass emails and are more damaging," SophosLabs said. "Human attackers can find and stake out victims, think laterally, troubleshoot to overcome roadblocks, and wipe out back-ups so the high-stakes ransom demand must be paid."
The success of targeted ransomware such as SamSam, BitPaymer and Dharma will inspire further copycat attacks in 2019, SophosLabs believes. It also noted the use of Windows’ own admin tools to defeat system defences and the ongoing use of the leaked NSA tool EternalBlue for cryptojacking despite Microsoft providing a patch for it more than a year ago.
SecureWorks has also noted the use of TrickBot in its 2018 State of Cybercrime Report. Based on its incident response analysis, it found that the operators of TrickBot added more than 400 organisations worldwide to their target set in 2018, including 50 in the UK.