Understand and Manage Pesky Persistent Threats

By John Fokker on Aug 26, 2020

Ransomware Evolution to Most Promising Victim (MPV) Attacks

Ransomware cost businesses over $11.5 B, with a 500% increase in attacks in 2019, according to Forrester Research. It’s your persistent threat. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it and their data until a ransom is paid to unlock it. It significantly challenges all three pillars of CIA (confidentiality, integrity and availability) in one fell swoop. To understand current ransomware, it’s best to review the evolution of its attack structures.

Ransomware has been around for over 30 years, or three generations, ironically starting at a 1989 global health conference where an infected diskette was distributed to over 20,000 attendees. As the internet evolved, bringing access to more compute devices and online payment capabilities, so did the attackers’ playing field.

Early variants of ransomware merely locked individual computers, sometimes even without encryption, thus blocking a single user’s access. This has since evolved into locking entire organizations down. Criminals got clever with social engineering, disguising the ransomware as a notice from a law enforcement agency (perhaps the FBI) and accusing the user of having illegal files on the system.

With CryptoLocker in 2013, ransomware moved beyond scare tactics and became more aggressive and straightforward, demanding payment under threat of damaging systems by a set deadline. It seems 2014 is when ransomware took great strides forward. CTB-Locker, partly due to its business model, created hundreds of thousands of infections through phishing, making it the most dangerous ransomware family of 2016.

But the ransomware that got the world’s attention was WannaCry. Why? It practically held the world hostage. It took only days to infect over a quarter million computers. The ransomware worm targeted older versions of Windows. Once on a device inside a network, it searched for more devices to exploit. Given this vast global reach, WannaCry received a massive amount of media attention. One could argue it was pivotal to bringing cybersecurity to the boardroom, as noted by research, making cybersecurity a mainstream business concern.

The most recent evolution, a business model called Ransomware-as-a-Service (RaaS), worked for CTB-Locker and was taken to another level by GandCrab, which became the most prolific ransomware of 2018 and Q1 2019. This model lowers the barrier to entry and gives cyber criminals a platform to deliver ransomware, thus commoditizing the business.

Ransomware’s transformation over the years has been built on technology advances, such as the internet, mobile devices and cryptocurrency, and on a range and combination of malware tactics. Given this historical legacy of malware tactics, cybersecurity solutions should leverage that knowledge to hunt for and investigate the associated artifacts and indicators of compromise.

Today’s Ransomware

So where are we today? The ransomware market has advanced to highly targeted tactics, moving away from casting a wide net in the hope that some will engage. Threat actors now tailor the attack to organizations with money, essential IP or sensitive critical data on their IT systems, and to organizations that depend heavily on business continuity, treating them as the most-promising victim (MPV). Adversaries infiltrate first to scout the ransomware opportunity, and appear to use the infected organizations for reconnaissance before selecting the most promising victims for further exploitation and ransomware. In addition, they employ effective data deletion attack structures to prevent recovery. A new threat of “pay or your data goes public” has emerged as well.

Could your organization be a target or MPV for sophisticated, tailored ransomware? Watch this video on a recent example of an MPV attack.

Get Ahead of the Savvy Ransomware

Ideally, one does not want to be an MPV. The best way to avoid becoming an MPV is to be proactive. What if your cybersecurity could automatically prioritize these attacks based on industry, region and your security posture? What if you could get detailed information on how the attack works before you get hit? What if you had the ability to predict the likelihood of being an MPV? More importantly, what if you were prescribed specific actions to take to counter these attacks before they hit? Enter MVISION Insights, intelligently driving your endpoint security!

Fruits of Human Interface and Artificial Intelligence

The Advanced Threat Research (ATR) team is the human intelligence, powered by artificial intelligence, that brings these proactive insights to your attention. As a researcher on the ATR team, I get a wealth of insights on ransomware and other advanced threats from our more than one billion sensors. McAfee’s footprint and community bring a hefty outlook on the threat landscape and real-life best practices on what to do. A recent and worthy ransomware find is Netwalker and its variants. We performed a deep dive on Netwalker ransomware. We not only looked at the technical details of the ransomware itself but also tracked a large portion of the criminal profits. Netwalker gained quick success by gathering more than 1900 bitcoins in one quarter, literally picking out MPVs one by one.

MVISION Insights automates the delivery of these findings, proactively alerting you to, and advising you on, the threats that matter to you. Is there any other offering that brings together the power of human intuition and machine learning at this scale? To explore what MVISION Insights offers, check out the Preview of MVISION Insights. This is a web-based experience of a sampling of threats and the proactive, actionable intelligence that MVISION Insights automatically offers you. Don’t miss out!

About the Author

John Fokker

John Fokker is a Principal Engineer and Head of Cyber Investigations for McAfee Advanced Threat Research. Prior to joining McAfee, he worked at the National High Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime. Within NHTCU he led the data science group, which focused on threat intelligence ...

Categories: Enterprise