Ransomware: the most profitable malware ever?

Shaming victims of ransomware overlooks the many factors that contribute to successful ransomware attacks.
Ransomware may be the most profitable malware ever, according to Cisco’s latest security report.

In-brief: Ransomware may be the “most profitable malware in history,” according to a new report out from Cisco Systems. But it is being helped along by poor management of information technology assets as well as the advent of identity shielding technologies like Bitcoin and the Tor network.

Ransomware may be the “most profitable malware in history,” according to a new report out from Cisco Systems. But behind the headlines about ransomware infections at hospitals, businesses and government agencies is an older and sadder story: aging, poorly maintained Internet and IT infrastructure is giving ransomware and other malicious software an opening, according to the report.

Cisco Systems’ Mid-Year Security Report, released last week, warns of increasingly sophisticated ransomware scams and says that lax maintenance of application servers and other Internet infrastructure is a major contributor to successful online attacks. The ongoing scourge of ransomware infections was the most notable trend in the first half of 2016. That is due in part to the rise of the Bitcoin cryptocurrency, which has allowed the ransomware industry to flourish by permitting anonymous payments to ransomware scammers. Anonymizing tools and technologies like the Tor network have also allowed the scams to operate anonymously.

The biggest contributor to ransomware infections, however, was lax administration of IT assets and infrastructure, the report argues. Citing the Samsam ransomware campaign, Cisco notes that it leveraged JexBoss, an open-source tool for testing and exploiting JBoss application servers, a common piece of enterprise application software.

Cisco's mid year report finds ransomware infections on the rise.

“Vulnerabilities in JBoss are allowing bad actors to gain entry into networks – and gain time to gather data or launch malware,” the report said. “The JBoss-enabled compromises offer more evidence that poor maintenance of networks provides criminals with access to them—access that can be blocked.”

“Attackers have a lot of opportunities because defenders forgot to close the window,” said Jason Brvenik, a Principal Engineer in Cisco’s Security Business Group, in an interview with The Security Ledger. With around 10,000 software vulnerabilities discovered and exposed in the last year, attackers in essence benefitted from 10,000 potential openings to exploit, while companies were presented with a similar number of holes to plug. “It’s a pretty big gap,” Brvenik said.


Ransomware creators are taking advantage of that, moving from deliberate, operator-driven campaigns to fast, automated propagation on victim networks. Brvenik calls it “ransomware 2.0,” noting that the malware will often move laterally on networks, compromising systems and then lying dormant for long periods before becoming active.

But that provides an opportunity for companies that are the target of ransomware attacks, he said. If they can detect ransomware infections early, they may be able to root them out before the malware is activated and seizes control of critical systems and data. Brvenik notes that malware infections can still take weeks or even months to spot. Driving down the “time to detect” (or TTD) is critical to countering cyber attacks, he said.

Cisco’s mid-year report compiles data from Cisco’s Talos Security Intelligence and Research Group, as well as Cisco’s Security and Trust Organization. The report leverages Cisco’s global network of deployed infrastructure to gather its data, giving the company a somewhat unique perspective on malicious activity – and its causes.

One key contributor appears to be lax maintenance of critical IT assets – Cisco gear included. Last year, the company analyzed 115,000 Cisco devices on the Internet and across customer environments and found that 92 percent (106,000 of the 115,000 Cisco devices) were running software with known vulnerabilities.

Lingering and unpatched vulnerabilities in critical IT assets are promoting infections by ransomware and other malicious programs, Cisco said in its mid year security report.

The most recent mid year report updated that research, studying 103,121 Cisco devices on the Internet. On average, the company found 28 known vulnerabilities per device. Worse: the observed devices had been running with known vulnerabilities for an average of 5.6 years, and 16 percent had vulnerabilities that were seven years old. Almost 10 percent had known vulnerabilities older than 10 years, Cisco said.

Brvenik said that companies worried about attacks will need to do a better job addressing such weaknesses in their core information technology infrastructure – and they have to do it quickly. Already, attackers are improving their tools, migrating from self-hosted attack infrastructure to “malware as a service” and lowering the bar for would-be cyber criminals.

“We’re watching the entire (cybercrime) industry follow a technology adoption curve that’s similar to the information technology industry – but without the challenges of normal operational controls,” he said.
