Spear Ransomware: part 1
11th July 2017 by Mauro Verderosa
The original article could be found here.
Part 1: This is the first of three parts about the article. We will see together how target ransomware are developing on Internet, to understand how they are evolving and what we could expect next.
If you are reading this article from your corporate device and you are currently employed in a company, there is more than the 80% of possibilities that your company has been already hacked.
In 2016, the 47% of the attacks in companies was regarding a ransomware incident.
In the latest years many people, running a business or not, are getting familiar with this new word: “Ransomware”.
The ransomware is a malware who’s aiming to encrypt your data and to propose you a ransom to decrypt them.
Ransomware are getting every day more common and accessible to people who want to
get money to decrypt the resources of their victims. To have a better understanding
about this phenomenon, you could make yourself an idea on ransomware with these
numbers from 2016:
- 60% of the attacks ask less than $1.000
- 20% of the attacks ask between $1.000 and $10.000
- 10% of the attacks aim to get > $10.000
- 1% of the attacks aim to get > $150.000
What could you do when you have been attacked by a ransomware?
When it’s too late you actually don’t have many alternatives.
Normally you should choose between the following options:
- Pay the ransom (and hope that the decryption key will be sent)
- Break the encryption
- Wipe out all the data and start from scratch
But how do you get into these situations?
First of all you should understand that ransomware are not just appearing into your system, but they are carried via some channel as the emails (according to some analysis, in 2016 more than the 90% of malware detected into emails was ransomware) using some social engineering techniques.
Now, today we all know that it’s unrealistic to be informed by email that we won the lottery, that a beautiful Russian girl might ask us some money to come to visit us or that the king of Nigeria might want to ask us to provide the details of our bank accounts, but we also know that the IT social engineering attacks evolved since their appearance, 20 years ago.
As for the phishing, the most common channel to spread ransomware is using emails, trying to convince a completely unknown person to click on a link, in the hope that he or she will.
But as the phishing is evolved into spear phishing, also the ransomware evolved into something that we might probably call “spear ransomware”.
As for the spear phishing, we could imagine the “spear ransomware” to be the target attack against a specific group of people or against a company.
What you could expect tomorrow will be to receive an email directly from your boss, from a manager or a colleague asking you to check the attachment, that it will contain the ransom: as you might know, this could be easily done using some of the weaknesses of the SMTP protocol.
This doesn’t mean that such situation couldn’t happen to you or that this could only happen if a person is stupid. The carrier of these attacks are, and they will be more in the future, people extremely prepared, that will document per weeks, maybe per months, about your habits or about your behaviours, taking care about any small detail before launch a similar attack against your company, and putting all the needed efforts to be sure that the attack will be as more devastating as possible in the moment that it will be struck.
We will continue more in deep in the second part of this article.