Ransomware: Growing Threat for SMBs

Ransomware, a cyber scourge that appears on the verge of intensifying, poses an increasingly dire threat to small- and medium-sized businesses (SMBs) in 2016. In a ransomware attack, victims are prevented or limited from accessing their systems. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer, then extracting a ransom in exchange for decrypting the data and allowing the victim to regain access. Until now, most attacks have targeted consumers and, to a lesser extent, businesses working on Windows platforms. That’s about to change. Security experts caution that small- and medium-sized business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools. Upcoming webinar: Navigating Identity Theft: How to Educate and Protect Your Employees and Clients Experts say many of the malicious campaigns will likely be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets. Estimates about the cost to victims from more widely used ransomware tools like CryptoWall and CryptoLocker range from tens to hundreds of millions of dollars. Now, analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Last month, researchers at security vendor Emsisoft analyzed Ransom32, a malware tool many believe is a harbinger of things to come on the ransomware front. Fewer are immune to attack Ransom32 is the first ransomware tool written entirely in Javascript. That makes it easily portable to other platforms like Linux and Mac OS X.

  Kowsik Guruswamy, chief technology officer at Menlo Security, says that, unlike the JavaScript in a browser that is sandboxed to prevent access to the file system and other local resources, Ransom32 also is designed to have unfettered access to the system. “Ransom32 is one-of-a-kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.” Related video: A case for making software more resistant from the start Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account. The malware does not require any specific skills to operate, and it comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and lets the authors take a 25% cut from the total. DIY kit for bad guys Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was Tox, a malware tool discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack. “Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.” Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug it immediately, Wosar says. Going forward, expect to see the emergence of tools like Ransom32 and trends like ransomware-as-a-service pose a bigger threat for businesses, especially the small and medium ones, which generally don’t have the same resources that large companies have to defend themselves. Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems. SMBs have limited defenses “Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].” One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interface to gain access to internal systems and data. Wosar says that in such situations it is just a matter of time before an attacker stumbles on a critical server and hijacks it for ransom. Because the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and they become virtually undetectable in the process. All that is left behind is usually a note that informs the admin about the hack, with a means of communication to negotiate the price. There already has been an increased interest from cyber criminals in specifically targeting companies, largely because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany. “A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.” This article was written by Third Certainty's Jaikumar Vijayan.