A quick bit of background before we dive into the topic of today’s post — the evolution of ransomware. What follows is an admittedly incomplete list of the evolutions and variants of the Cryptolocker virus.
- Cryptolocker — The granddaddy. Infections occurred through spam, phishing and exploit kits. It was famously taken down by Operation Tovar.
- Teslacrypt — A Cryptolocker copycat that was distributed via a Flash vulnerability. It targeted gamers’ files.
- Cryptowall — This was the rightful heir to Cryptolocker. Its deployment was similarly widespread.
- Locky — Its design resembles those that came before. It likely came from the same crew responsible for the Dridex malware, known for its encrypted command-and-control communication.
- SamSam — This is the most recent evolution. It targets the health care industry, using a vulnerability in JBoss servers as a jumping-off point to find shared file servers. One of its most notable features is that it doesn't need to communicate with its command-and-control (C2) server before it can start encrypting files.
This list illustrates one of the things we’ve repeatedly said here: ransomware is constantly evolving. But it’s worth taking a closer look at the last variant on that list, because the most recent evolutions are pretty substantial.
First, by exploiting vulnerabilities in JBoss servers, SamSam removes the need for social engineering altogether. No attachment has to be opened to activate it. No naïve or gullible employee has to be tricked into launching an application that gives the attackers access to the network. The attackers can get in without any help from the inside.
But it's the second evolution that may be most significant. SamSam and another variant called Maktub don't have to call back out to a host server to get an encryption key. That matters because, for years, that outbound request for a key was a proven way to detect a ransomware infection, often before the encryption had finished.
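To make the point concrete, here is an added example (not code from the original post, and not SamSam's or Maktub's actual implementation) of the general key-handling pattern that lets a payload encrypt without ever contacting a server: hybrid encryption with an embedded public key. The assumptions are that the operator generates an RSA key pair in advance, embeds only the public key in the payload, and that each run generates a fresh AES-256 key locally, encrypts the data with AES-GCM and wraps that AES key with RSA-OAEP. Nothing in the process requires network access, so there is no "key request" for a network sensor to spot. The sample data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// GenerateOperatorKey stands in for the key pair the operator creates once,
// offline. Only PublicKey is ever shipped inside the payload (assumption for
// this illustration; the page does not describe the real key sizes used).
func GenerateOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptOffline shows the victim-side steps. A random AES-256 key is made
// locally, the plaintext is sealed with AES-GCM (nonce prepended), and the
// AES key is wrapped with the embedded RSA public key. No callback occurs.
func EncryptOffline(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, ciphertext []byte, err error) {
	fileKey := make([]byte, 32)
	if _, err = rand.Read(fileKey); err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(nonce, nonce, plaintext, nil)
	// Only the holder of the matching private key can unwrap fileKey.
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return wrappedKey, ciphertext, nil
}

// Recover is the operator-side step that the ransom buys: unwrap the AES key
// with the private key, then open the ciphertext. With any other private key
// the OAEP unwrap fails and the data stays locked.
func Recover(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key without the operator's private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

func main() {
	operator, err := GenerateOperatorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data standing in for a file on a shared server.
	doc := []byte("constructed sample: quarterly billing export")

	wrapped, sealed, err := EncryptOffline(&operator.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes, network calls: 0\n", len(wrapped), len(sealed))

	plain, err := Recover(operator, wrapped, sealed)
	fmt.Printf("with operator key: %q (err=%v)\n", plain, err)

	someoneElse, _ := GenerateOperatorKey()
	_, err = Recover(someoneElse, wrapped, sealed)
	fmt.Println("with any other key:", err)
}
```

The defensive takeaway is the one the paragraph makes: the wrapped key sits on disk, the private key sits with the attacker, and the network sees nothing until (at most) a ransom note is displayed. Detection therefore has to move to the host side (mass file rewrites, new extensions, shadow-copy deletion) and to the entry vector rather than waiting for a key request.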
Security basics are still effective
Evolving ransomware is a moving target, and you would think that makes it hard to combat. On some level you'd be right. Not knowing what's coming next always leaves you open to surprises, like SamSam. But that doesn't mean there aren't ways to keep your network protected, and, luckily, some of the most effective ways of besting these cyber criminals are Network Security 101 stuff.
Backups, backups, backups — Ransomware, in case that's a term that's new to you or maybe a little confusing, is exactly what it sounds like. Once a network is infected, the data on it is encrypted. Whoever encrypted it also holds the key you'll need to decrypt it and get your data back. Conveniently, they will give you that key for a price, better known as a ransom. Pretty straightforward.
Now, if you are regularly backing up the data on your network, becoming infected with ransomware isn't as scary. If you do find that your data is encrypted, you restore from your backups and you're ready to go. No ransom paid and only limited damage done. One caveat: the backups have to live somewhere the infected machines can't write to (ransomware that finds a mounted backup share will encrypt that too), and you should test a restore periodically so you know the copies are actually usable.
Email filters — These will help keep the malicious attachments that the vast majority of attackers still rely on out of your employees' inboxes. If it's not there, they can't click on it. But the attack vectors are always changing, so …
Patch, patch and patch again — The recent SamSam attacks are interesting, but they really shouldn't be. Honestly, they never should have happened. SamSam exploits JBoss vulnerabilities that were discovered in 2007. They should have been patched years ago, but they weren't.
This isn't just a problem in the health care industry. Too many vulnerabilities that already have fixes available are left unpatched because the people managing our networks are too busy to make sure their systems are updated. That's why regular patching and regular updates are so critical.
Keep your tools up to date — As this stuff evolves, you need tools that evolve, too. Two that come to mind quickly: antivirus software, and a remotely managed IPS that is updated regularly and can recognize ransomware communication and stop it before files are encrypted. Keep in mind that a variant like SamSam, which never calls home for its key, gives a network IPS little to see, so host-side detection and the patching above have to carry more of the load.