Labelled “Fatboy”, the ransomware was posted on a Russian cyber-criminal forum and is capable of changing the amount of money it charges, so that victims in areas with a higher cost of living will be charged more to have their data decrypted. Fatboy is also being sold as Ransomware-as-a-Service, offering customer support over the instant messaging service Jabber.
Based on the trends documented in the latest Verizon DBIR 2017 report, ransomware is expected to continue to grow in prevalence and is currently the fifth most common malware threat. In MWR’s caseload, we saw a 250% increase in ransomware cases last year and are on track for a further 300% increase across 2017. Based on this data, it is reasonable to predict that Ransomware-as-a-Service threats like Fatboy will proliferate accordingly, meeting further demands from less sophisticated criminals to acquire customised and effective ransomware that targets larger organizations for larger profits.
Criminals with access to Ransomware-as-a-Service are able to acquire a level of sophistication that could not previously be achieved. Additionally, criminals have begun to replicate the techniques used in espionage-type attacks by causing widespread domain compromise, online backup destruction and enterprise wide infection, with ransoms in the million dollar ranges now becoming more common place. This leads to much more complex and lengthy recovery, with criminals maintaining access on a network and actively working against security teams involved in the restoration of services.
The two most common methods of infection that MWR is currently seeing are related to network perimeter weaknesses - such as publicly exposed RDP ports and unpatched systems - and phishing emails targeting employees.
The following are some of the most effective measures in preventing these types of attacks:
- Secure remote access with two factor authentication.
- Regularly scan the perimeter for vulnerabilities and manage these.
- Limitation of administrative privileges on user systems and permissions on file-shares.
- User behaviour programs to improve email phishing awareness.
- Having good backups to limit the impact of a potential infection.
However, due to the increase in the sophistication of these attacks, a pure preventive approach will not be sufficient. Organisations need to improve their overall detection capabilities to be able to identify threats that use advanced techniques to infiltrate their networks and propagate to their key assets. Particularly for ransomware, in MWR’s experience, a combination of machine learning and behavioural analysis has proven very successful at identifying new strains of ransomware as soon as they run on an infected host. This early detection allows to deploy rapid remote incident response and leads to an effective containment.