Ransomware Trends to Watch in 2019

February 25, 2019 • Zane Pokorny

2018 was an interesting year for ransomware — there were more documented ransomware campaigns than the year before, but there was also a feeling that the focus had shifted to other forms of cybercrime, like cryptojacking.

Our guest today is Allan Liska, senior solutions architect at Recorded Future. He’s the author of a recently published blog post, “4 Ransomware Trends to Watch in 2019.” We discuss the growth of the ransomware market, its impact (or lack thereof), the most effective avenues for ransomware infection, how one strain has found success by bucking the trends, and the increasingly fuzzy line between criminal groups and nation-state actors.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 96 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

2018 was an interesting year for ransomware. There were more documented ransomware campaigns than the year before, but there was also a feeling that the focus had shifted to other forms of cybercrime, like cryptojacking.

Our guest today is Allan Liska, senior solutions architect at Recorded Future. He’s the author of a recently published blog post, “4 Ransomware Trends to Watch in 2019.” We discuss the growth of the ransomware market, its impact (or lack thereof), the most effective avenues for ransomware infection, how one strain has found success through bucking the trends, and the increasingly fuzzy line between criminal groups and nation-state actors. Stay with us.

Allan Liska:

Ransomware is still there, but it’s essentially plateaued in 2018, and into the start of 2019. So there are still, of course, a number of high-profile attacks. We saw Atlanta last year. We saw a number of cities, city governments, and state governments impacted, and some ports, and of course, healthcare providers. But there weren’t as many overall attacks. So, it’s still there. It’s still a problem. It’s not the biggest problem that’s out there anymore.

Dave Bittner:

You’ve been tracking ransomware for several years in a row now. What have you seen in terms of overall trends? Were things a lot different last year than the years you’ve been tracking before?

Allan Liska:

Yes. We’ve seen a transition away from the exploit kit- and phishing-based ransomware attacks. That’s the biggest thing that we’ve seen over the last couple of years. This has been a slowly developing trend. The simple fact is that while exploit kits are still impactful, they aren’t nearly as impactful as they were a couple of years ago. Part of that is simply that the most popular target for exploit kits is Adobe Flash, and fewer people have Adobe Flash installed on their systems anymore. More websites, more web applications are moving toward HTML5-based design rather than using Adobe Flash. Adobe, in fact, has announced it is “end-of-life”-ing Flash. There aren’t as many targeted opportunities for exploit kits to go after the browser market. And then, conversely, there are more and better protections in place against phishing attacks.

So, more people are aware. There’s more knowledge of what ransomware phishing attacks tend to look like, and then there are more systems in place that are blocking things that the ransomware attackers like to use. Where we used to see a lot of Microsoft Office macros, more organizations or disabling macros, and even things like PowerShell and JavaScript that attackers have used in the past, what we call the so-called “fileless malware,” so you don’t have an executable that’s being sent via email. Those are even more often being blocked, or stopped by your mail system. So, we’ve seen a movement away from those type of attacks.

Dave Bittner:

Now, I want to reference your recent blog post. This was “4 Ransomware Trends to Watch in 2019.” Let’s go through these one at a time. The first [trend] that you highlighted here was, “The Ransomware Market Will Continue to Grow, but Few Campaigns Will Have Impact.” What are we talking about here?

Allan Liska:

In January of 2017, which was the first year that I started doing this report for Recorded Future, we had 635 ransomware campaigns that we were looking at. In February of 2018, that jumped up to a little over 1,100. And as of 2019, there are about 1,460 that we’re tracking. So there’s still growth, but it’s slow growth. But more importantly, what we’re seeing is a lot of ransomware campaigns that don’t actually have any impact. It’s really easy. Anybody can go out there and write some ransomware, take the Hidden Tear code and write some ransomware on top of it, and then start distributing it through whatever means you’re going to distribute it.

It’ll get written up. Somebody will catch it. It’ll get written up by Trend Micro, or McAfee, or Symantec, or Carbon Black, or somebody like that. All the hashes and indicators will be widely published. So, it gets noticed, and it is a campaign, but it never actually infects anybody. Or if it does, it infects one or two people, and then you never see it anymore. We do see a continued growth in the number of ransomware campaigns. What we don’t see is a lot of successful ransomware campaigns. Does that make sense?

Dave Bittner:

It does, but I’m wondering, what is contributing to the lack of success? Why are these campaigns that folks are spinning up, why aren’t they being more successful with them?

Allan Liska:

Because, in general, security infrastructure has gotten better at stopping the basic ransomware. So, we see a whole lot of ransomware out there that’s based on older versions of ransomware, whether you’re talking Hermes, or Hidden Tear, or whatever. You get people that dissect that and try and launch a new campaign. But we already have mechanisms in place to stop that behavior.

So, fewer and fewer organizations are relying on signature-based detection to stop the ransomware. They are looking at certain kinds of behavior, whether it’s looking for certain signs in phishing campaigns, or certain signs in executables, and so they’re not getting any kind of penetration. The campaigns that are long-lived and are seeing a lot of success actually have developers behind them that are adapting to the defenses that are in place and figuring out ways around them.

Dave Bittner:

So, when we talk about impact, is this being affected by people’s adjustments when it comes to being able to mitigate the effects? I’m thinking of things like having better backup practices. Those sorts of awareness things that people have put in place thanks to ransomware.

Allan Liska:

Exactly. That’s 100 percent what we are looking at. It’s those mitigating circumstances, whether that’s enhanced email security, better backups, the willingness to say, “You know what? This particular system, if it is infected, it’s not worth paying the ransom on.” All of those things lead to making it harder for a new ransomware campaign to gain any kind of traction.

Dave Bittner:

Well, let’s move on to the second trend that you highlighted here. This was, “Successful Ransomware Campaigns Will Continue to Rely on Open RDP.” Before we jump into this one, describe to us, what do we mean by “RDP?”

Allan Liska:

RDP is Remote Desktop Protocol. It’s basically the way that you access Microsoft-based operating systems remotely. So obviously, there is no SSH, no telnet … Well, in theory there is, but that’s a whole separate story. We won’t get into that. So, the majority of people, if they need to access their systems remotely, use Microsoft’s built-in tool, which is the Remote Desktop Protocol. The problem is that there are just literally hundreds of thousands, if not millions, of systems out there that are exposed to the internet that have Remote Desktop Protocol running.

A lot of those systems, when we say, “Open RDP,” we mean they don’t even require a password. You just have to know it’s out there and you can connect to it. The thing is, you don’t have to, if you’re a bad guy … It used to be, back in the day, if you wanted to find these servers that are running Remote Desktop Protocol, you’d have to spend hours, days, weeks, scanning the internet. You don’t have to do that anymore. You have tools like Shodan, which will present all open RDP systems in a particular network, or in a particular country, or whatever for you. Or, you can just go buy access to a server in the underground market for 15 bucks.

Dave Bittner:

Walk me through this. I’m someone who has inadvertently enabled RDP on my system at work, let’s say, so it has access to the network. How do the bad guys take advantage of that?

Allan Liska:

There are two ways to do it. If you’ve opened it and left it wide open with no username or password required, they connect to it. They then use your system to pivot to other systems in the network. So, they’re really good actors — we mentioned SamSam, CrySIS, BitPaymer — although the SamSam team has since been indicted, and we haven’t seen a lot of activity from them since the indictments went down. They will not use the initial point of entry, that initial Remote Desktop Protocol server. They will jump to other systems on the network using Mimikatz, using whatever other tools they have available to move around the network, essentially. They’ll learn, study the network, and then deploy the ransomware in a way that’s going to cause the most damage. So, they may spend a month inside the target network learning and understanding what is happening in the network, and then deploying the ransomware in a way that they know is going to be more likely to result in the attackers paying the ransom.

Now, there’s a second type of attack with Remote Desktop Protocol, and that’s a brute force login attack. You know that you have Remote Desktop Protocol. You know you have it exposed to the internet, but you secured it with a username and password so that somebody can’t just necessarily jump in and connect to it. But you can also, if you’re a bad guy, you can brute force that. You know that there are very common Windows account names — administrator, local admin, et cetera — that you can try. Basically, you sit and try and use common passwords to connect into those servers remotely until you gain access. Those are two ways that Remote Desktop Protocol can be used as a point of entry.

Dave Bittner:

Now, help me understand why this is such a widely accessible way in. In an enterprise situation, is it hard for an administrator to get a handle on this to have a good view of if RDP has been activated and enabled on any particular system?

Allan Liska:

It can absolutely be. You may run your internal scans on your network and not notice any of this. But if you’re not running external scans on your network, so if you’re not thinking like a hacker and going after those systems, you may not notice it. So, maybe it’s one of those things where a vendor leaves Remote Desktop Protocol open on a server that’s exposed to the internet because they need to be able to access it remotely to work and do things.

Now, there are protections that you can do … That you can put in place in order to keep you safer. You may have to expose a Remote Desktop Protocol-enabled server to the internet, but you can also set up controls that … Compensating controls that say, “Only people from this IP range can actually access the server, or you have to go through our VPN in order to access the server.” Things like that.

There are things that you can do to limit the damage. But often, before you even get to that point, you have to know that those systems are there and running Remote Desktop Protocol, which oftentimes security teams don’t know, or vulnerability teams don’t know that it’s running.

Dave Bittner:

Well, let’s move on to your third point here. You highlighted ransomware that goes by the name “GandCrab.”

Allan Liska:

Yeah. GandCrab is the exception to the rule. Everything that everyone else is doing to be successful in ransomware, GandCrab does the opposite. They started in January of 2018. We mentioned them briefly in our 2018 report. They were just getting started. They have their own exploit kits. They rely heavily on phishing as an attack, and they continue to find a lot of success. They’re using Microsoft Office macros. They’re using VBScript. They’re using PowerShell to avoid detection. They are seeing a lot of success, and they’ve also farmed out their success.

They have a ransomware as a service where they’re offering to deliver their ransomware for other people — not just for their own team. They also have a low cost of entry. So their ransomware … Where something like SamSam would often ask for $10,000 or $15,000, and we’ve seen others go as high as $150,000 for ransomware, GandCrab is $500 to $600, is what they’re looking at as the ransom.

They’re doing everything wrong, but they’re still finding a lot of success. Now, part of that is their adaptability. In the last year, they’ve released at least five new versions. Every time they get stopped, every time somebody publishes a report, or figures out a patch for a vulnerability that they’re exploiting and writes about it, the GandCrab team goes to work and updates their ransomware so that it adopts to the security measures that are being put in place.

We see this on the underground forums where they advertise their ransomware. They often talk about how this new version addresses this particular security fix, and they’ll link directly to the security blog that talked about the protection in place, or the way the new detection ability … Or whatever.

Dave Bittner:

As you mentioned, it seems like with that low ask, that low dollar amount that they’re demanding, that’s more, I guess, consumer-based than going after big businesses?

Allan Liska:

Right. As far as we know, they’re not doing any targeted ransomware. They’re doing mass … They’re basically the next generation of Locky and Cerber and the things that we saw in 2015 and ’16 that made a ton of money, and actually encouraged organizations to put the protections that are in place now in place. They’re successors to that, and they’re going after that same market.

Dave Bittner:

Now, where do we stand … With things like GandCrab, and I guess, some of these others as well, where do we stand in terms of getting your data back? If I pay the ransomware after a GandCrab infestation, am I going to get my files back?

Allan Liska:

With GandCrab, pretty much yes. There is always the risk that something will have gone wrong in the process, and the decryption won’t work. There’s actually a funny story about the team from GandCrab. There was a gentleman who posted on Reddit a while back. He lived in Syria and had been … Unfortunately, his house had been destroyed as part of the fighting that’s been going on there for years. He posted to Reddit that he had been infected with GandCrab, and on top of everything else, he now has … He can’t get access to the files on his system. He’s living in a hotel with his family and so on.

One of the authors of GandCrab replied to him and said, “We’re really sorry about this. Here’s a decryption key for you so that you can get your files back. You don’t need to pay the ransom. We’ll put protections in our ransomware so that then we don’t infect anybody who lives in Syria going forward.”

Dave Bittner:

Wow. So they’re criminals but they’re not monsters, I guess. I guess it’s easy for us to laugh. It’s not so funny for the people who fall victim to it, right?

Allan Liska:

Right. Exactly. It’s like the old joke that we used to make, that the best way to protect yourself from ransomware is to go out and get a Cyrillic keyboard because there are so many strains of ransomware that look for the Cyrillic keyboard, and won’t infect a system that has a Cyrillic keyboard, because they’re operating within … They may not be operating within Russia, but they’re operating within the Russian fear of control, and you don’t want to upset the Russians.

So they just have protections in place so they don’t accidentally infect somebody with a Cyrillic keyboard. Now, the downside is, you have to learn some variant of the Russian language so that you can use the Cyrillic keyboard going forward. The plus side is you don’t get infected with ransomware.

Dave Bittner:

I guess there’s a market opportunity here for somebody to make a Cyrillic keyboard dongle, right? Just plug it in your USB port and it pretends … To the system, it looks like you’ve got a Cyrillic keyboard installed, right? Well, let’s move on to the fourth one here. This is an interesting one. It’s, “Nation-States and Cybercriminals Will Continue to Blend Ransomware Attacks.”

Allan Liska:

So, this is the one that is probably the most controversial of all the points here. An interesting trend that we see … You’ve seen discussions around this already with, for example, North Korea and cryptocurrency, and other cryptomining, and other nation-states engaging in this type of activity as a way to raise funds — ones that are heavily sanctioned. What we’re seeing is, it appears that some of the North Korean actors are using ransomware as part of their attack trend.

Now, what we don’t know is whether these new ransomware attacks are a way to raise money, or a distraction. So, it’s been widely attributed that the WannaCry attack was perpetrated by North Korea. That’s not me saying it. That’s the U.K. government, and a whole bunch of other people. WannaCry was not really about raising money. WannaCry was mostly about either destruction, or distraction at best, or if you believe some of the reports about a happy accident.

What we’re talking about here is deploying the Hermes ransomware as part of an attack. Again, what we don’t know is whether that is a distraction to hide the fact that it was a nation-state attack. Because pretty much, when people see, “Oh, hey, I’ve got ransomware,” you assume cybercriminal, and you clean up with the understanding that it’s a cybercriminal, or whether these attacks from North Korea were an attempt to actually raise money.

I don’t know the answer to that. But it’s definitely interesting that we’re seeing these kind of campaigns where Hermes started out as being sold on Russian underground forums as cybercriminal ransomware, and it’s then adopted by North Koreans. But then, at the same time, the ransomware, which is based on Hermes, is still being used by Russian cybercriminals, or what we believe are Russian cybercriminals.

It’s an interesting blend of attacks. I think we’re going to see more of that, whether it’s to raise money or to distract from the real nation-state attacks. I’m not sure what that’s going to be, but it is an interesting slant going forward.

Dave Bittner:

Yeah. We have certainly heard stories of, well, the possibility of some of these nation-state actors, the folks who are sitting in the chairs in these countries doing the work, perhaps moonlighting on their off hours. Some of the stuff could be coming from the same IP addresses, the same locations using similar tools. Like you say, that fuzzes things a bit.

Allan Liska:

Exactly. I think that’s one of those trends that we want to watch and see if there is an ongoing trend here, or if it’s just something that North Korea is doing, and if they are doing it, if it’s something they’re doing long term, or it’s just here and there where they need a distraction.

Dave Bittner:

So, as we continue along in 2019 here, what are your thoughts? What’s your advice to folks? What’s the best way to prepare myself so I don’t fall victim to any of these ransomware campaigns?

Allan Liska:

I assume you mean aside from the new “fool your adversary with a fake Cyrillic keyboard” company that you and I are starting?

Dave Bittner:

Of course, yes. Those will be available within the next 30 days. Yes.

Allan Liska:

If you are a home user right now, do the same things we’ve always advised. If you have Gmail, if you have Outlook (Microsoft’s email), or even Yahoo, they’re doing a really good job of catching a lot of phishing campaigns that are coming in. But make sure you’re patching your browser. When Microsoft pops up and says you need to install updates, please do it. Don’t do what my wife does and wait three weeks until I see that she hasn’t updated in three weeks. I lose my mind. Just be aware of what’s going on. Keep your antivirus updated, and so on.

If you’re an organization, if you’re doing scans, make sure you’re doing external scans, not just internal scans. When you scan, think like an attacker. Know that attackers are looking for Port 3389 to be open, which is the remote desktop port. But they’re also looking for things like JBoss. They’re looking for things like open FTP. Things that are exposed, and generally lightly credentialed. So not using two-factor and other things like that in order to gain access, and things that have a lot of default passwords, or tend not to get updated a lot.

So, know what the attackers are going after, and scan specifically for those items. Because … On top of the regular scanning that you’re doing, also make sure you’re paying extra care and attention to those. One of the things that I really like about what Record Future does, and one of the things that we really get to help our customers with, and I don’t mean to turn this into a sales pitch, but it’s the fact that we can tell our customers, “Hey, these things are being actively exploited now.”

So, we know that bad guys are going after the new Drupal vulnerability that was announced yesterday. We know that there was an uptick in scanning from that. We know people are already actively scanning for that vulnerability. So, being able to let people know that, “Hey, this is being actively scanned for,” allows you to better prioritize, or, we should be patching these things right now.

Dave Bittner:

Now, what about backup strategies? What’s your advice there?

Allan Liska:

Obviously, have backups. You’ll be amazed by the number of organizations that don’t have them. Test those backups regularly. That’s the biggest thing. Make sure that you can actually restore from the backups.

And then the other thing is, when you’re implementing your backups, make sure that they’re … After everything is backed up, that it’s not easily accessible from the network. A lot of ransomware teams will find the organization’s backups on network-attached storage, and they can then just encrypt the backups. They’ve not only encrypted the systems, but they’ve encrypted the backups for those systems. So, make sure that your backups aren’t easily accessible from somebody scanning the network.

Dave Bittner:

Our thanks to Recorded Future’s Allan Liska for joining us. The research was titled “4 Ransomware Trends to Watch in 2019.” You can find it on the Recorded Future website. It’s in the blog section.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.