Where Is Ransomware Going?

As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will go after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Michael Sentonas, President, CrowdStrike

November 23, 2015

3 Min Read
Dark Reading logo in a gray background | Dark Reading

Ransomware, the malicious software that encrypts your files until you pay to get the encryption key to unlock them, is having quite a successful run. Initially targeting consumers, criminals are turning toward businesses and government organizations, demanding higher ransoms for more valuable data. An FBI agent has even commented that ransomware is so good the bureau often recommends that people just pay the ransom.

That is obviously not an acceptable long-term solution to the problem, especially as it appears the criminal technique continues to evolve.

We typically see malware threats go through several phases, starting off with attacks in small volumes, as the authors evaluate target systems’ defenses until they identify approaches that achieve reasonable success rates. Then the attacks increase in volume, going after consumers, then businesses, as the technique matures and gets monetized through massive campaigns. The next phase is a shift from volume to highly targeted attacks, as defenses adapt to the generic approach, criminals identify higher value targets, and special interest groups adopt the technique for their own specific purposes.

Ransomware is currently moving from the volume to targeted phase, increasing in sophistication of the delivery mechanism and looking for more valuable ways to get money from its victims.

Ransomware is nasty because, unlike other malware infections, you cannot run a cleaning or removal tool to get rid of it so defenses have to catch it before it can act. However, an offline backup is a reasonable and effective precaution that disarms most of the power of the ransomware. We (law enforcement and security industry) have also had a fair amount of recent successes finding and taking down ransomware servers such as CryptoLocker.

As a result, we are seeing changes to the ransom model, where encryption of your data is just one step. Using targeted attacks such as emails that look like they originate from within your company, attackers are getting their malicious encryption tools into vulnerable systems. Then, after encrypting the files or data stream, they threaten to publish something that you will pay to keep secret, whether it is valuable financial information or embarrassing emails. A recent ransomware campaign in Germany called “Chimera” threatens to publish your files if you do not pay the ransom of more than 600 euros, according to the Anti-Botnet Advisory Centre. It is not clear if Chimera actually exports your files and can carry out the threat, but if it cannot, the next one will. 

Ransomware’s Next Target

Where will ransomware go next? As we adopt more and more technology in our lives, we are also fueling the creativity of our attackers. As PCs and servers get better protected and employees more knowledgeable about the ransomware threat, criminals will change and multiply their attack vectors, going after less secure systems such as smart TVs, conferencing equipment, or other unsecured devices.

Think about the risk to your organization of criminals threatening to release audio captured from an executive’s television, video from a board meeting, or embarrassing details from your personnel files. This could result in new opportunities for them to make more money than they do today, charging a ransom to decrypt your data and a premium to not publicly release it. 

When threats go from volume to targeted mode, you need a shared intelligence strategy that can detect threats at multiple points, across both your network and the cloud. You need to be aware of the potential motivations, whether that is organized crime looking for payment or hacktivists looking to expose corporate secrets. Understanding the attacker profiles helps you identify what material is valuable and vulnerable, and helps you prioritize your security efforts.

Ransomware is just one threat that is evolving with our technology usage. Whether it is cloud computing, IoT devices, or virtualization, security needs are changing to require greater integration between defenses; broader collaboration with law enforcement, industry organizations, and supply chain partners; and increased automation that can react at digital speeds. 

About the Author

Michael Sentonas

President, CrowdStrike

Michael Sentonas is President of CrowdStrike. Previously, he served as Vice President, Technology Strategy, at CrowdStrike as well as Chief Technology Officer. With over 20 years' experience in cybersecurity, Mike's most recent roles prior to joining CrowdStrike were Chief Technology Officer – Security Connected and Chief Technology and Strategy Officer APAC, both at McAfee (formerly Intel Security). Mike is an active public speaker on security issues and provides advice to government and business communities on global and local cyber security threats.

He is highly sought after to provide insights into security issues and solutions by the media including television, technology trade publications and technology centric websites. Michael has spoken around the world at numerous sales conferences, customer and non-customer conferences and contributes to various government and industry associations’ initiatives on security. Michael holds a bachelor's degree in computer science from Edith Cowan University, Western Australia and has an Australian Government security clearance.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights