Ransomware is the future.

     

When I first started fighting ransomware in late 2013, I had a premonition that this was something serious. While CryptoLocker was rather easily defeated in the enterprise and ultimately killed by killing the botnet, media outlets and tech sites ran with the story. It showed this small group making millions and millions of dollars. Guess what? More people started writing ransomware.

Cut to now. Ransomware-as-a-service is a real thing you can buy, some variants have live chat support to receive payment, and we routinely see new versions with bugfixes and feature-adds. One of the last major flaws in ransomware, the inability to enumerate non-mapped network shares, was overcome in the latest Locky build that calls WNetOpenEnum() to attempt to traverse every share on the network.

For several years, the endgame was more abstract. Hit the PC with your rootkit, join it to your botnet, sell botnet access to spammers for a fee. Now they can cut out the middle man and have less overhead, since there’s not a need for constant command-control oversight. It’s a path to riches hampered only by the still-high knowledge barrier to acquire and send bitcoin. And by affecting the user’s files, rather than a popup about the FBI or TotesLegit AntiVirus which can simply be fixed by backing up the data and nuking the PC, you’ve got them at your mercy.

This is going to get worse way before it gets better. You’ll see builds that try to invoke APIs for popular cloud storage providers to delete the versioning. They’ll find ways to avoid taking ownership of a file to quickly spot the vector of infection. While it’s almost impossible to be truly proactive to effectively block ransomware, there are things that can be done.

Ransomware has evolved a lot in just a couple of years, and the end is nowhere in sight. Get your defenses up, and know the enemy. There’s a lot less heartache doing the prevention before you’re hit than after.

comments powered by Disqus