One of the silver-lining effects of a global cyber scare such as WannaCry ransomware is the trigger to catch up with friends to discuss fact vs. fiction of the threat research, attribution, remediation, and other ‘bigger picture’ observations.  I recently caught up with a good friend of mine, John Phillips, co-founder of Loki Labs and the conversation triggered some pretty interesting outcomes and mid-year predictions.  A little forewarning to the reader – this isn’t a deep technical blog dissection of WannaCry ransomware as that analysis is available at every turn.

The increase of ransomware attacks was a key focus in nearly every ‘2017 Security Prediction Report’ and nearly half-way through the year it appears to be dead right.  The steady rise of ransomware attacks, viral media coverage, and increasing C-Level fear is the equivalent of a cyber criminal dinner bell.  Cyber criminals motivated by financial gain are immediately attracted to this attack vector and due to the low barrier of entry jump on the “…follow the money” bandwagon.  Unfortunately as defenders, this causes a significant increase in attack sophistication as every bad guy starts to add his (or her) flavor to the ransomware.

WannaCry wasn’t the beginning of the surge and likely not the middle for that matter but several tactics used are a wake-up call to the world to brace for “ransomware-megaddon.”  Most enterprises have either fallen victim to a ransomware attack and paid the ransom or have relied on their best practices efforts and restored from a backup. I see five potential shifts in ransomware attacks which could have painful consequences for defenders:

1. Enterprises actively seeking ransomware pay-out capabilities
2. An increase in the use of ransomware 0-day exploits
3. Adversaries developing custom crypto-currencies
4. Cyber criminals take advantage of pre-attack insider trading
5. An uptick of highly supported ransomware kits with built-in profit sharing capabilities  

Enterprises actively seeking alternate ransomware pay-out channels – It’s not surprising ransomware insurance is finding its way into budgets as a proactive approach for “when” [not if] an enterprise falls victim to the attack.  However, it is interesting that enterprises are beginning to shoulder the effort themselves by opening hot and cold bitcoin wallets to help expedite the payment of ransomware attacks – mind you rather than invest that time and money into the technical countermeasures of ransomware attacks (i.e. patching, backups, detection, etc.).  

The fascinating deviation and twist are companies that want to outsource this effort to more knowledgeable companies and third-party consultants to mediate the ransomware payment.  Traditionally ransomware attacks are pretty medieval in nature so this type of outsourcing service seems a bit extreme but as crypto-currency isn’t mainstream just yet and the possibility of sensitive data being held hostage I completely understand the motivation.  That being said, I can’t help but wonder if there’s any ‘moral bending’ at the heart of the effort as it is easier to camouflage a consulting services budgetary line item than to gain approval to purchase of a bunch of bitcoin to pay off a ransomware attack.

An increase in the use of ransomware 0-day exploits – Traditionally 0-day exploits aren’t worth using in a ransomware campaign as their very use flies in the face of the Stealth/Tradecraft best practice of keeping those 0-day exploits for as long as possible.  Zero-day exploits are coveted gems used to gain a foothold into an organization due to their low probability of detection; however, with ransomware attacks the last stage of the attack is to ‘sound the alarm’ of the victim company in order to convey the ransom terms.  Victim notification will likely expose the 0-day exploit, greatly diminishing its value for future attacks.

However, ransomware attacks like the one at Hollywood Hospital, have a slight shift where the attackers used the 0-day first to gain network access and steal highly sought after medical records and THEN launched the ransomware attack.  This new TTP is a savvy addition in an effort to double down to maximize their financial gain.

Adversaries developing custom crypto-currencies – Bitcoin is the most popular crypto-currency and, therefore, most ransomware attacks require it as payment because it is easy to hide behind.  However, there are dozens of others available which leads me to believe an adversary developing their own custom crypto-currency is not only reasonable but sets the “level of difficulty bar” pretty low as described by Fast Company.

Cyber criminals take advantage of pre-attack insider trading – Crypto-currencies are global exchanges with fluctuating rates based on typical supply and demand economics.  As cyber criminals seek to maximize their profits at every turn the sophisticated attackers will see an opportunity to bump their profit margin before the actual attack by pre-purchasing as many coins in a ‘buy low, sell high’ stock market approach – much like insider trading.  After they launch a widespread ransomware attack or a high-profile attack creating a media frenzy there will likely be a surge of Bitcoin demand, which in turn, will increase the price of the pre-attack purchase.

An uptick of highly supported ransomware kits with built-in profit sharing capabilities – There are no shortage of disgruntled employees with low-bar morals who would jump at the opportunity to take a final jab at an employer while pocketing some cash and at least one ransomware kit is catering to this. The Janus ransomware kit offers FREE use of their kit in exchange for a percentage of the profit. From a disgruntled employee standpoint this could be viewed as a “nothing to lose” situation because there is NO cost of entry…so why not try?!

Ransomware is just the latest mechanism for cyber criminals to turn a financial gain. But regardless of the hype it really demonstrates that employers need to maintain best practices for patching systems and backup solutions to avoid being the next paying victim…I know ‘easier said than done’ but this validates good OPSEC hygiene and a need to get back to the basics.