Cybercriminals are now premeditating ransomware attacks and reaping millions of dollars by exploiting the availability of Windows system administration tools, a new report by British security and hardware company Sophos said.
In 2018, hand-delivered, targeted ransomware attacks increased. “These attacks are different than ‘spray and pray’ style attacks that are automatically distributed through millions of emails,” Joe Levy, chief technology officer, Sophos, said.
In targeted ransomware attacks, human attackers can find and stake out victims, think laterally, troubleshoot to overcome roadblocks, and wipe out backups so the ransom must be paid, Levy explained.
“This ‘interactive attack style’, where adversaries manually maneuver through a network step-by-step, is now increasing in popularity. Sophos experts believe the financial success of SamSam, BitPaymer and Dharma will inspire copycat attacks and more attacks will happen in 2019,” he said.
The report also said that cybercriminals were using readily available Windows systems administration tools to make the targeted ransomware attacks.
The report uncovers a shift in threat execution as more mainstream attackers now employ Advanced Persistent Threat (APT) techniques and readily available IT tools to advance through a system and complete their mission, a company statement said.
In an ironic twist, or Cyber Catch-22, cybercriminals are employing essential or built-in Windows IT admin tools, including PowerShell files and Windows Scripting executables, to deploy malware attacks on users, Levy explained.
He added that hackers were using Office exploits, which have long been an attack vector, but that recently cybercriminals have cut loose old Office document exploits in favour of newer ones.
The report also points out the continued threat to the mobile and Internet of Things ecosystem. It said that these networks, when infected with malware, can affect organisations beyond their own infrastructure.
“With illegal Android apps on the increase, 2018 has seen an increased focus in malware being pushed to phones, tablets and other IoT devices. As homes and businesses adopt more internet-connected devices, criminals have been devising new ways to hijack those devices to use as nodes in huge botnet attacks,” Levy explained.
The CTO gave the example of the VPNFilter attack, which happened this year and was instrumental in demonstrating the destructive power of weaponised malware that affects embedded systems and networked devices that have no obvious user interface.
Other examples include Mirai, Aidra, Wifatch and Gafgyt, which were used to deliver a range of automated attacks that hijacked networked devices for use as nodes in botnets to engage in distributed denial-of-service attacks, mine cryptocurrency and infiltrate networks.