Does Ransomware Ever Die? Why Locky has Returned
Ransomware attacks grew 600% in 2016, costing businesses and individuals more than $1 billion. Locky was just one 2016 example of this type of malicious software, which threatens to publish the victim’s data or block access to it unless a ransom is paid. After many attacks in 2016, early 2017 saw a drop-off in distribution. But now Locky is back with new variants.
It’s pretty hard to kill ransomware – think of it as a fast-moving zombie and you start to understand the challenge. What makes ransomware so ‘long-lasting’, and what can you do to stop and kill it?
There are two main reasons that ransomware such as Locky persists: a profitable business model and hacker adaptability.
Hackers Evolve the Business Model
Profit is the goal, and ransomware is a quick way to achieve profit. The very nature of ransomware – a tactic that pivots from the traditional hacker model of stealing data and selling the data to a middleman – illustrates the lure of easy and bigger profits. Cut out the middleman and you have a more streamlined operation and a bigger share of the profit. In fact, the newest business model is ransomware-as-a-service. Authors are offering their ransomware as a service, allowing others to download the ransomware and easily deploy it in return for a portion of the returns. Now, criminals don’t need to be technically proficient to exact damage and deliver returns to the authors of ransomware.
Ransomware doesn’t discriminate; there’s a strong financial incentive for going after all types of organizations and all types of data. All organizations depend on data, so all organizations are potential targets. In fact, the top 10 industries by ransomware attacks were targeted at roughly the same rate.
Finally, it’s easy and anonymous to get paid using the thriving market of Bitcoin transfer services.
“Ransomware has become a business model for hackers or criminals in a way that is phenomenal,” says Lior Div of the firm Cybereason.
Hackers Adapt to Evade Detection
Initial versions of Locky were disguised within a Word document attachment. These attachments would masquerade as an invoice requiring payment or a similar document requesting action. The current version presents as a PDF document (containing a Word document). Why? Because most antivirus filters will recognize suspicious macros in documents, and hiding the document within a PDF may sidestep the antivirus filter.
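As an added defender-side example (not code from the original article), the following Python heuristic flags PDFs that carry an embedded file, the wrapping described above, and reports whether the attachment starts with Office container magic bytes. The keyword list and the sample PDF are constructed assumptions, not signatures taken from a real sample.

```python
import re

# Keywords whose presence in a PDF warrants closer inspection (assumed heuristic).
SUSPICIOUS_KEYS = (b"/EmbeddedFile", b"/FileAttachment", b"/OpenAction", b"/JavaScript", b"/Launch")

# Magic bytes of Office containers: OLE2 (.doc) and ZIP (.docx, which may carry macros).
OFFICE_MAGIC = (b"\xd0\xcf\x11\xe0", b"PK\x03\x04")


def scan_pdf(data: bytes) -> dict:
    """Return findings for a raw (uncompressed) PDF byte string."""
    findings = {"keys": [], "office_payload": False, "filters": []}
    for key in SUSPICIOUS_KEYS:
        if key in data:
            findings["keys"].append(key.decode())
    # Look at the body of each stream following an /EmbeddedFile marker.
    for m in re.finditer(rb"/EmbeddedFile.*?stream\r?\n(.*?)\r?\nendstream", data, re.S):
        if m.group(1).startswith(OFFICE_MAGIC):
            findings["office_payload"] = True
    # Filters present tell the analyst whether objects are compressed and need decoding first.
    findings["filters"] = sorted({f.decode() for f in re.findall(rb"/Filter\s*/(\w+)", data)})
    findings["verdict"] = "review" if findings["keys"] or findings["office_payload"] else "clean"
    return findings


# Constructed sample: a minimal PDF with a ZIP-based (docx-style) attachment. Not real malware.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R "
    b"/Names << /EmbeddedFiles << /Names [(invoice.docx) 5 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (invoice.docx) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 11 >>\nstream\n"
    b"PK\x03\x04fakezip\n"
    b"endstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed clean sample with no attachment.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
    print(scan_pdf(CLEAN_PDF))
```

Real samples usually compress objects with /FlateDecode or place them in object streams, so a non-empty filters list means the PDF should be decoded before trusting a raw-byte scan.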
Cyber criminals also attempt to bypass security tools and tap into the vulnerability of users via social engineering tactics. These tactics can occur online or offline, and are attempts to gain the user’s trust in order to gain access or obtain data.
A McAfee report delves into detail regarding the organization and adaptability of the black hat, or hacker, community. Vulnerabilities that are disclosed publicly are quickly turned into new attacks.
“The landscape is simple. Attackers can move at will. They’re shifting their tactics all the time. Defenders have a number of processes they have to go through,” says Jason Brvenik, principal engineer with Cisco’s security business group.
Ways to Combat Ransomware
Both earlier and current versions of ransomware such as Locky are very damaging. Files encrypted by Locky cannot be restored. So the best protection is a strong and secure backup program. Obviously, you also want to ensure you are up to date with operating system updates as well.
In parallel, ensure you remain focused on your users. You must protect your network AND your users. The target of the attack – and the gateway into your network – is your user community. Focus on user protection across all devices your employees use. Refresh your user education efforts to inform employees about the most recent ransomware versions and show them how to avoid becoming a victim. Consider testing employees periodically with simulated phishing scams.
“The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time,” says Marcelo Rivero, intelligence analyst at Malwarebytes.