Why Ransomware Is Still An Active Threat

RSA Conference 2019: Ransomware in 2019 doesn't have the same volume as it did in 2017, but that doesn't mean it isn't an impactful threat.


SAN FRANCISCO - For several years, ransomware was a rising threat, causing hundreds of millions of dollars in damages and disrupting operations around the world.

But what is the state of ransomware in 2019? In a session at the RSA Conference here, a pair of McAfee researchers detailed how the threat landscape for ransomware has changed and where it is headed. They also provided insight into what organizations can now do to help minimize the risk of becoming a victim of ransomware.

"There is a myth that ransomware is dying, but it's not," Raj Samani, chief scientist at McAfee, told eWEEK in an interview. "We've seen a lot of activity with Gandcrab over the last 12-24 months and that's not going away."

Ransomware is an attack in which a victim's system is compromised or infected with malware that encrypts the user's data. The attacker then demands a fee, or 'ransom', in exchange for restoring access to the data.

Gandcrab is a particularly virulent form of ransomware that has been successful at infecting users. Samani said that it has been a game of 'cat and mouse' between Gandcrab and the cyber-security industry.

Samani noted that the NoMoreRansom project, a multi-stakeholder effort to help individuals and end users protect themselves against ransomware, posted a new version of a decrypter tool for Gandcrab at the end of February. Within hours of the decrypter tool's release, Samani said, the Gandcrab authors had already released a new version of the ransomware that the tool wasn't able to decrypt.

So what exactly is Gandcrab? Samani said that it's a ransomware-as-a-service operation, in which any attacker can make use of the service to launch their own campaign.

Samani said that by looking at the underlying code infrastructure of Gandcrab, it's possible to map out the affiliates that are using the ransomware. In the Gandcrab ransomware-as-a-service model, the operators and developers of Gandcrab have affiliates that target victims. When a victim pays, the affiliates then pay the primary Gandcrab operators a percentage of the ransom.

While Gandcrab is still an active risk, one thing that has changed is the volume of new ransomware families. In the fourth quarter of 2017, Samani said, there were approximately 2.2 million new ransomware samples. By the second quarter of 2018, the volume of new ransomware had declined to just over one million.

"New ransomware growth is significantly lower than we had once expected, but that only tells part of the story," he said.

The other part of the story is that while new ransomware has declined, organizations, as opposed to random individuals, are increasingly being targeted. Samani said that the Ryuk ransomware family, for example, only goes after a limited number of companies. He said that while broad-based ransomware attackers like CryptoLocker only tended to ask for approximately $400 in ransom, Ryuk tends to ask for $100,000 or more. Rather than a random form of infection, Ryuk often gets into organizations by exploiting Remote Desktop Protocol (RDP).

"The noisy ransomware with lots of attack volume are certainly still around but they are not as prevalent as they were before," Samani said. "Now we're seeing more criminal operations, doing research in the organizations they attack and then dropping in ransomware."

Samani said that Ryuk for example has made $4 million in ransom in the past five months.

"So, the overall volume may have decreased but the impact to companies has increased," he added.

How To Defend Against Ransomware

In 2016, McAfee was one of a number of firms that helped to start the NoMoreRansom effort, which Samani said has had a positive impact on reducing the risk of ransomware attacks. Samani said that one of the goals of the RSA Conference talk is to encourage more companies and groups to join NoMoreRansom and support the effort to eliminate ransomware.

NoMoreRansom now has over 85 tools available to help combat ransomware and benefits from the support of over 140 vendors and organizations.

Aside from NoMoreRansom, Samani said that the single most important thing any organization can do to help minimize the risk of ransomware is to have a backup of its data. While backing up data might seem like common sense, there are still many organizations that don't do it.
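A backup only reduces ransomware risk if it is known to be intact when it is needed, so a practitioner would want a routine check that the copy still matches the original data. The following is an added example, not code from the article or from McAfee: it records a SHA-256 manifest of a source tree and later verifies a backup against it, reporting files that are missing or whose contents have changed (for instance because a backup share reachable from an infected host was encrypted along with the originals). All file names and contents are constructed for the demonstration.

```python
"""Backup verification check (added example, not from the article).

Hash every file in a source tree into a manifest, then confirm that a backup
copy still matches it byte for byte. Paths and contents below are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in chunks so large backup files do not need to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup tree against a manifest taken from the original data.

    Returns the relative paths that are missing from the backup and those whose
    content no longer hashes to the recorded value. Either result means the
    backup cannot be relied on for a restore and should be investigated.
    """
    current = build_manifest(backup_root)
    missing = sorted(p for p in manifest if p not in current)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"missing": missing, "changed": changed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files are backed up, then one backup file is
    overwritten with garbage (as an in-place encryption would) and one is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        bak = Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q4.xlsx").write_bytes(b"quarterly figures")
        (src / "notes.txt").write_bytes(b"meeting notes")
        (src / "readme.md").write_bytes(b"# project")
        manifest = build_manifest(src)

        # Take the backup as a plain copy; a production job would write to a
        # versioned, offline or immutable target that an infected host cannot reach.
        shutil.copytree(src, bak)
        assert verify_backup(manifest, bak) == {"missing": [], "changed": []}

        # Simulate damage to the backup after it was taken.
        (bak / "finance" / "q4.xlsx").write_bytes(b"\x00garbled ciphertext\xff")
        (bak / "notes.txt").unlink()
        return verify_backup(manifest, bak)


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored somewhere the backup job cannot overwrite (or signed), otherwise an attacker who can alter the backup can alter the record it is checked against; the check is also only as good as its schedule, so run it after every backup job rather than only before a restore.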

Samani said that data security is still a somewhat abstract idea for many organizations. He said that data breaches are often reported in terms of how many records were lost, but rarely, if ever, do reports actually quantify the impact on real people and organizations.

"Everybody is aware about cyber-security risks and yet, how many people back up their data?" Samani said. "I don't think the issue is a lack of awareness. I think the issue is a lack of understanding."

Overall, Samani said that in his view cyber-security isn't all that hard: the simplest things for a user to do are to change passwords regularly, not click on unknown links in emails, and keep a backup.

"If every single person did those things how many threats would we see? It would be reduced by 90 percent," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.