Where Will Ransomware Go In The Second Half Of 2019?

Ransomware has been an evolutionary malware family that continues to shift and change over the years. From the early FakeAV variants, to police ransomware, to the now oft-used crypto-ransomware, this threat just will not go away. Based on the latest trends, we predict this threat will grow in the second half of this year.

At Trend Micro, we’ve been following and tracking the data around ransomware for years. Here are some of the changes we’ve been seeing:

Year-Over-Year Ransomware Detections from Trend Micro™ Smart Protection Network™

2016 1,078,091,703
2017 631,128,278
2018 55,470,005
2019 (Jan to May) 43,854,210

Year-Over-Year Number of New Ransomware Families

2016 247
2017 327
2018 222
2019 (Jan to May) 44

You can see that ransomware actors were very busy in 2016 and 2017 both in launching attacks and in the development of new families and variants of ransomware. In 2018, we had a drop in both figures, which could be due to a number of factors:

  1. Improved practices within organizations to recover from attacks (i.e. backup and recovery)
  2. Improved detection technologies within the security industry (i.e. machine learning can proactively detect new families and variants)

However, in the first half of 2019 we have seen in the news some very high profile attacks against organizations with successful ransomware causing some victims to pay high ransom amounts or taking weeks to months to recover from the attacks. These attacks have shown that we still need to be very vigilant in protecting networks against this threat.

Trend Micro publishes a predictions report each year to help organizations understand what might occur, and while we did this for 2019, I would like to give you some ideas on where ransomware might go in the second half of 2019 as this threat seems to change very often. Let’s look at the different areas of the ransomware attack lifecycle and what we may see for the rest of the year.

Identifying a Victim

Ransomware actors are being much more targeted in their selection of the victims they want to attack. This is due to the two reasons given above for why ransomware dropped in 2018. In response, actors are looking to target those organizations that are more likely to fall for an attack, but also those who are more likely to pay a higher ransom. In the first half of 2019, you can see the industries we saw targeted most:

Government, manufacturing, and healthcare are the top 3 industries actors seem to be targeting more than any other. Ransomware actors will also gather open source intelligence (OSINT) on each targeted victim to build a profile of them and identify the best way to successfully attack them. There are a number of reasons for this selection and OSINT process:

  • Understand the organization’s business model and how affecting their critical systems could cause them public reputational damage
  • If they have critical systems that can be isolated by ransomware then they are more likely to pay the ransom
  • Whether their security posture and processes are adequate or can be taken advantage of

In the second half of 2019, actors will look to diversify into more industries that have critical business systems that could be compromised. This might include the legal, energy and critical infrastructure, transportation, and distribution industries.

Once they decide on a victim, they will then identify the ways to initially infect the organizations. This is the area that most changes based on the actors behind this threat.

Initial Infection

A number of shifts have occurred in this area over time, and this will likely continue to change. Recently we’ve seen the actors using phishing, malvertising, malicious webpages, exploits and exploit kits to infect an organization. We will continue to see them look to initially infect an organization through its employees, as this still appears to be their best option. But in the second half of 2019 I see the following scenario occurring:

  1. Ransomware actors will improve their ability to craft socially engineered attacks against employees through their OSINT gathering.
  2. We will see increased use of stolen credentials (i.e. RDP account credentials) that are sold in the underground.
  3. Manual lateral movement and the use of hacking tools will allow the actors to find the critical systems they need to compromise to make attacks successful.
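The two patterns in items 2 and 3 (stolen RDP credentials, then manual lateral movement) leave a trace in Windows logon telemetry. The detector below is an added example written for this post, not Trend Micro code; it runs over constructed records shaped like Windows Security event 4624 (LogonType 10 is a RemoteInteractive/RDP logon), and the corporate address ranges are an assumption.

```python
# Added example: flag RDP logons from outside the corporate ranges, and
# accounts that fan out over RDP to many hosts in a short window.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate ranges; adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample records: (timestamp, account, target host, source IP, logon type).
# 203.0.113.0/24 is a documentation range, standing in for an external source.
EVENTS = [
    ("2019-06-03T08:02:11", "jsmith",  "FS01",  "10.1.4.22",    10),
    ("2019-06-03T02:14:05", "svc_bkp", "FS01",  "203.0.113.45", 10),  # external RDP
    ("2019-06-03T02:15:40", "svc_bkp", "DC01",  "10.1.4.22",    10),
    ("2019-06-03T02:17:02", "svc_bkp", "SQL02", "10.1.4.22",    10),
    ("2019-06-03T02:19:55", "svc_bkp", "APP07", "10.1.4.22",    10),
    ("2019-06-03T09:30:00", "jsmith",  "WS14",  "10.1.4.22",     3),  # network logon, ignored
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_rdp_logons(events):
    """Successful RDP logons whose source address is outside the corporate ranges."""
    return [(acct, host, src) for _, acct, host, src, lt in events
            if lt == 10 and not is_internal(src)]

def rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts that reach at least min_hosts distinct hosts over RDP inside one
    window: the hands-on lateral-movement pattern rather than a normal admin session."""
    by_acct = defaultdict(list)
    for ts, acct, host, _, lt in events:
        if lt == 10:
            by_acct[acct].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for acct, sessions in by_acct.items():
        sessions.sort()  # chronological, so each slice below is one sliding window
        for i, (t0, _) in enumerate(sessions):
            hosts = {h for t, h in sessions[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged
```

Both checks are deliberately simple; in practice they would be tuned against known jump hosts and service accounts to keep the alert volume manageable.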

Obfuscation Techniques

As mentioned above, ransomware has been detected more effectively recently due to advances in machine learning and behavior monitoring technologies deployed across the network. As such, the actors have to improve their obfuscation of the malware to ensure it cannot be detected by today’s security applications.

We’ve seen improved anti-sandbox, anti-machine learning, fileless, and other evasion techniques used in the past, and moving forward we will see advances in all of these areas. The use of compromised legitimate software, including software from security vendors themselves, will also continue as a method to circumvent security measures. As we saw recently with a compromised MSP, one company’s direct access to multiple organizations’ networks can also be leveraged for attacks. Stolen certificates will also be used to sign malware to make it look legitimate.

I expect ransomware actors will continue to target high value, high quality victims in 2H’19, and as such, all organizations need to be vigilant in protecting against this threat. Unless we can ensure no ransoms are paid, we will see this threat persist. Improving your organization’s ability to detect, respond, and recover from any ransomware will help us minimize this threat moving forward. For more information on the latest trends in ransomware, you can watch my June 2019 Threat Webinar Series, which covers the recent trends in ransomware.

Trend Micro will publish our 2020 predictions report later this year, but until then, stay rigorous in your defense against ransomware.
