A year on from WannaCry, is ransomware still a threat?
17 May 2018
TEISS guest blogger Ross Rustici, Senior Director, Intelligence Services at Cybereason considers whether ransomware is still a threat, a year on from the WannaCry attack.
Twelve months ago, organisations around the world were still in the grip of one of the most prolific cyber attacks in history. The ransomware campaign that quickly became known as WannaCry hit more than 200,000 devices within the first few days alone, bringing some organisations to a standstill as they were locked out of key files.
The fact that the ransomware locked down 80 NHS trusts across the UK added to its infamy, and the attack dominated headlines for months.
The apparent position of ransomware as a leading cyber threat was cemented a month later with the arrival of NotPetya, another campaign using the same EternalBlue exploit as WannaCry, followed by BadRabbit in October.
While these later campaigns may have actually aimed to destroy files rather than make money, they still helped to reinforce the idea that we were witnessing a new era in cyber-attacks.
A new wave?
Ransomware attacks are still regularly making the headlines as we reach the halfway point of 2018. In March, some manufacturing operations at Boeing and many public services in the city of Atlanta were both hit by a re-emergence of WannaCry.
More recently, Family Planning NSW in Australia was hit by an attack that locked large amounts of patient data, accompanied by a demand for AU$15,000 in bitcoin.
While these sporadic attacks will persist, it is increasingly apparent that the outbreaks of 2017 represented the crest of the ransomware wave, and not a new beginning.
In 2015, there were roughly 350 different ransomware families, but as of 2017, this had shrunk down to 170, a fall of roughly 50 percent. This shrinkage appears to be continuing as we progress into 2018, albeit at a slower rate.
Ironically, the widespread notoriety of WannaCry and NotPetya has likely helped to cause the decline of ransomware as a popular money-making cyber-attack.
The attacks served as an extremely effective security awareness campaign, and the huge level of media coverage ensured that many previously vulnerable organisations were now aware of the threat, and able to implement preventative measures.
Many ransomware attacks, WannaCry included, can be defeated simply by ensuring the latest patches are installed.
It also became more widely known that affected organisations should avoid paying ransom demands, with there being no guarantee that attackers would or even could unlock the files.
The fact that the NotPetya and BadRabbit attacks actually appeared to be destructive malware posing as ransomware – lacking the ability to undo their own damage – further helped to emphasise the futility of paying ransoms. With fewer victims willing to pay up, the profitability of ransomware began to drastically decrease.
The security industry fights back
Alongside better practices around patching and updating, organisations have also enjoyed increasing access to tools that can prevent infections from spreading in the first place or reverse the damage and unlock files without paying the ransom.
The security community has created many free-to-use software utilities that will render common ransomware useless, so even organisations that are low on resources can defend against most attacks.
As ransomware has become increasingly easy to defeat, it has lost its appeal to opportunist criminals looking to make easy money. We have seen overall infection rates declining steadily after the spikes caused by WannaCry and NotPetya this time last year.
Is ransomware still a threat?
The continued decline in the number of ransomware strains appears to be a boon to security teams, as they are less likely to encounter new, unknown malware code. Whereas we previously saw large numbers of malicious coders jumping on the bandwagon to create their own variants, there are now fewer surprises to deal with.
However, while the overall risk of ransomware has declined significantly, it would be a mistake to believe the threat has diminished entirely.
Those criminals who have stuck with ransomware have continued to refine their software, with some even using agile software development techniques to create rapid new iterations.
We have also seen attackers shift from large scale spray-and-pray attacks to more targeted campaigns which choose their victims more carefully.
Most attacks previously aimed to ransom access to a company’s intellectual property, locking key files until ransom demands are met – a threat that could often be countered by rolling back or using software tools to undo the encryption.
Today we see more attackers target the critical infrastructure of an organisation to cause widespread disruption – as demonstrated by March’s attack on the city of Atlanta. Public services, hospitals, manufacturers, utilities providers and logistics companies are all vulnerable to this approach.
Additionally, the decline of ransomware by no means represents a decline in malicious cyber activity as a whole. The space left by ransom attacks has been filled by other methods that are harder to predict, from banking Trojans and rootkits to browser hijacks and password loggers.
On balance, while ransomware is less of a universal threat than it appeared at its height last year, this new, more targeted phase does put certain organisations at greater risk, and the remaining ransomware is likely to be used in a more challenging way.
However, with good practice and the use of the powerful tools created by the security industry, organisations can keep the threat at bay.
For more information, go to Cybereason