If you haven’t embraced backups yet because you think you are so tech savvy that you wouldn’t open spam email or fall for social engineering tricks, then brace yourself for cryptoworms. Security researchers warned that self-propagating ransomware, the semi-autonomous kind that doesn’t need any help from humans to spread, is coming in the future.
The Cisco Talos report, “Ransomware: Past, Present, and Future” first delves into the “traits of highly effective strains of self-propagating malware” before discussing how ransomware could evolve to include powerful, built-in, self-propagating traits like those in worms and botnets.
As for history, let’s just look at one ransomware variant from February. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center. When Locky, which used infected Word files to spread ransomware, was brand new, there were reportedly 100,000 new infections per day; at one point there were between one to five new endpoint infections per second. If only one-fourth of the daily 100,000 victims paid the ransom of .5 bitcoins, which is about $213 today, then the cyberthugs were pulling in over $5 million per day. Even if Cisco Talos suggested about 2.9% of 90,000 daily victims paid the ransom, which means crooks pulled in $546,795 daily, that’s an impressive haul. So it’s not too hard to see why criminals are jumping on the ransomware crazy train to cash in.
Back in the day, worms were wickedly effective and could quickly infect millions of computers and cripple corporate networks with linked workstations. Heck, there are even some businesses which are still infected with Conficker. Now if you imagine those self-propagating features built into ransomware, it’s like a nightmare scenario. The Cisco Talos researchers examined some of the vicious propagation traits of old-school malware and then incorporated some of them into what they described as a potential framework of next-generation ransomware.
Advanced attackers in the Cisco Talos hypothesis would “prefer to use software with a modular design” so they could use certain functions only when needed and have “the ability to switch tactics as required in the event one method is discovered or is found to be ineffective.”
Examples of modules that could be used in the crypto-ransomware of the future included one that scans for “executable files that are not protected by built-in security features.” Another module would hunt for mapped local and remote drives and then have an autorun feature “to request any computer that the drives are connected to in the future to run these infecting programs.” A different module would exploit “known weaknesses in popular authentication infrastructures” and then use those credentials to provide access to other systems. Other modules might help keep the cryptoworm from being discovered, so forget about discovering it via regular Command and Control and ransomware that uses too much CPU or network resources.
It is important to note that it’s not digital black magic and the ransomware doesn’t just appear out of nowhere; the researchers’ scary scenario involves a skilled, financially motivated adversary having previously gained initial access into the network. But once the cryptoworm is launched, “the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3200 workstations are compromised; half the organization's digital assets, and the vast majority of the company's data are encrypted.”
Cryptoworm ransom starts at $1 million
The researchers described the payload:
The payload generated demands 1 million dollars USD in bitcoin to be delivered in 8 days, tripling to 3 million dollars if payment is not made in 8 days. The instructions mention a .onion address (hidden service) and provide instructions on how to use tor2web or the Tor Browser Bundle, and how to purchase bitcoins. Since the attackers know where all the important applications, drives and data are located, they have included custom directories and file extensions for the ransomware to attempt to encrypt as a part of the core implant.
Cryptoworms as an evolution of Samas
If you tend to think this prediction is a FUD-fest, then you don’t need to look any further than Samas, the ransomware that used pen-testing tools for delivery, to see it could happen. Samas, or Samsam, was reportedly the ransomware used in the MedStar Health attack; Cisco Talos issued a warning about Samsam, about how “the doctor will see you, after he pays the ransom,” a few days before the organization that runs 10 hospitals was hit. “The SamSam campaign is unusual in that it is taking advantage of remote execution techniques instead of targeting the user,” it said.
This time the researchers wrote:
SamSam isn't complex, and it not fully self-sufficient, but it does exhibit some of the behaviors of a successful worm - rapid propagation, payload delivery (ransomware), and crippling recovery efforts. The age of self-propagating ransomware, or ‘cryptoworms’, is right around the corner.
Repurposing malware is a common trend now and you should expect that trend to continue in regards to cryptoworms. Craig Williams, senior technical leader for Cisco Talos, told Threatpost, “We are going to see repurposing of older persistent threats. A lot of people would assume that in order for the next generation of ransomware to be effective that they would need a new network vulnerability. The reality is, that’s not the case. These attackers can take any off the shelf network vulnerability and make a worm out it.”
“As of now, no such ransomware even gets close to the concept that Cisco laid out inspired by SamSam's detection,” Softpedia pointed out, “but tools such as Rapid7's Metasploit, Strategic Cyber's Cobalt Strike, or Raphael Mudge's Armitage can prove very useful in creating one.”
Cisco Talos researchers included a number of defense suggestions and even recovery tips. In closing, the researchers wrote, “If enterprises don't start making strides towards defensible architecture today, massive ransoms may end up getting paid tomorrow.”
If you don’t regularly backup, then you might want to rethink that life choice. Williams told Threatpost, “The cryptoworm’s Achilles Heel is a reliable backup, so you don’t have to be extorted.”