Ransomware is one of the most damaging threats to our data. And while it used to be about attacks on single devices, we saw the threat evolve this year with the WannaCry and Petya/Not Petya attacks where threat actors found new ways to weaponise other vulnerabilities to deliver ransomware payloads that cost businesses hundreds of millions of dollars. And cloud services are fuelling both the attackers and defenders in their strategies.
We are now moving into the Ransomware as a Service era, said Chet Wisniewski, a Principal Research Scientist at security vendor Sophos.
"Just as regular businesses are moving everything to the cloud, criminals have done the same thing. Ransomware attacks are incredibly successful but the challenge for ransomware is that it's a very complicated thing to put together if you're a crook. You've got a payment system to accept bitcoins. You've got to have a website where people can learn what a bitcoin is and how to buy them. You need to write the malware and manage encryption keys," said Wisniewski.
That level of complexity has bred a new industry, using commercial services, for threat actors to rent out their expertise to less tech-savvy criminals. They simply take a cut of the pay-off. It also helps criminals evade law enforcement as, in many countries, only the person infecting the computer is deemed to have committed the crime. Providing services to criminals is either not illegal or much harder to prosecute. So, criminals can profit from a crime without being actively engaged in the illegal act, according to Wisniewski.
"They can say 'I was just providing a service. I didn't know they were going to commit crimes with it'," said Wisniewski.
Another evolution, said Wisniewski, is that low-tech criminals are able to take advantage of new, lucrative tools that are far less risky, in terms of danger or being apprehended, than sticking up a convenience store with a weapon. This is compounded by western law enforcement having to prioritise their efforts and seeing an overseas criminal attacking just a handful of Australians, in a jurisdiction that might not be cooperative, as a far more difficult, and resource intensive, arrest than other types of crime.
It's only when the number of victims or the impact of the crime is significant enough that law enforcement can justify the effort required to launch an international investigation.
Wisniewski says the last couple of years have seen an evolution in ransomware. Until around 2015, he said, most attacks used infected websites and advertising networks to distribute ransomware using vulnerabilities in web plug-ins and other software. But with Apple, Microsoft and Google doing a "really good job" of better securing browsers, those threat vectors have become less effective for criminals.
As a result, they have moved to email as their primary infection tool and using social engineering attacks.
"They don't need to rely on unpatched bugs anymore; they're tricking you into clicking the links or opening the documents," said Wisniewski.
Criminals change their email attacks seasonally. For example, they will create phishing emails pretending to be the ATO during tax time or package delivery notification emails around Christmas. The rest of the time, the bad guys try their luck with random banking-focussed and similar phishing attacks.
On the defence side, Wisniewski said if individuals and small businesses keep their systems up to date and are vigilant in not clicking links or opening attachments in email, then they will go a long way towards avoiding most attacks. Enterprises, with their larger budgets, have access to their own mail servers, sandboxing, new end-point protection tools and plenty of experts, all of which are out of reach for smaller businesses.
One potential solution businesses can look to is the use of Virtual Desktop as a Service (VDaaS) - something Andrew Tucker, the CEO of ITonCloud, says can help counter the effects of a ransomware attack.
"There are two ways this helps. The first is that while businesses do backups, they haven't done them as religiously as they should or tested their ability to restore. Also, the time it takes to restore is long, and then it's not done perfectly," said Tucker.
In contrast, Tucker says the recovery time when using a VDaaS can be around 20 minutes at worst.
A cloud service provider, said Tucker, can also be monitoring for suspicious activity with tools that are often out of reach for smaller businesses. This can mitigate the risk of an attack so that damage to data is prevented.
"This can make a ransomware attack a non-event," added Tucker.
Tucker said the systems ITonCloud has in place look for unusual access to files, such as access to a root directory on a virtualised system, and unexpected drive activity. There are many small signs that, on their own, prove little but, when they occur together, are indicators of an attack. By looking at many different elements at once, they can build a multi-factorial picture of what's happening and detect a potential attack before much data is damaged.
The ability to pick up this kind of anomalous behaviour has allowed ITonCloud to protect its customers from attacks like WannaCry.
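To make the "many small signs that only matter together" idea concrete, here is an added example of a multi-signal scorer over file-activity events. It is illustrative code written for this article, not ITonCloud's detection logic; the event format, the four signals (mass modification, directory spread, extension changes on rename, writes into the volume root) and the thresholds and weights are all assumptions chosen for the example, and the log events are constructed, not captured from a real incident.

```python
"""Multi-signal ransomware-behaviour scoring over constructed file-activity events.

Added example, not vendor code. A host is flagged only when several weak
indicators co-occur inside a short window; any one of them alone stays below
the alert threshold. All thresholds and weights are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# Assumed tunables for illustration only.
WINDOW = timedelta(seconds=60)
MASS_MODIFY_MIN = 20        # writes + renames per host per window
DIR_SPREAD_MIN = 5          # distinct directories touched in the window
EXT_CHANGE_FRACTION = 0.5   # share of renames that change the file extension
ALERT_SCORE = 3             # weighted signals needed to raise an alert
WEIGHTS = {"mass_modify": 1, "dir_spread": 1, "extension_change": 2, "root_write": 1}


def _ev(ts, host, user, op, path, new_path=None):
    """Build one constructed event; 'rename' events carry the new path."""
    return {"ts": ts, "host": host, "user": user, "op": op, "path": path, "new_path": new_path}


# Constructed sample events. ws-01 is a user editing a few documents normally.
SAMPLE_EVENTS = [
    _ev("2017-07-03T09:00:01", "ws-01", "alice", "write", "/home/alice/docs/q2-report.docx"),
    _ev("2017-07-03T09:00:40", "ws-01", "alice", "write", "/home/alice/docs/budget.xlsx"),
    _ev("2017-07-03T09:01:15", "ws-01", "alice", "read", "/home/alice/docs/notes.txt"),
    _ev("2017-07-03T09:02:00", "ws-01", "alice", "write", "/home/alice/docs/notes.txt"),
    # ws-07 drops a note in the volume root, then renames files across many directories.
    _ev("2017-07-03T09:10:00", "ws-07", "bob", "write", "/README_FOR_DECRYPT.txt"),
]
for i in range(24):
    d = ["docs", "pics", "work", "music", "finance", "old"][i % 6]
    SAMPLE_EVENTS.append(_ev(f"2017-07-03T09:10:{i + 1:02d}", "ws-07", "bob", "rename",
                             f"/home/bob/{d}/file{i}.docx", f"/home/bob/{d}/file{i}.docx.locked"))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def score_window(events):
    """Score one host's events within a single window.

    Returns (score, reasons): the weighted sum of the signals that fired and
    their names. Each signal is deliberately weak on its own.
    """
    mods = [e for e in events if e["op"] in ("write", "rename")]
    dirs = {posixpath.dirname(e["path"]) for e in mods}
    renames = [e for e in events if e["op"] == "rename"]
    ext_changed = [r for r in renames
                   if posixpath.splitext(r["path"])[1] != posixpath.splitext(r["new_path"])[1]]
    signals = {
        "mass_modify": len(mods) >= MASS_MODIFY_MIN,
        "dir_spread": len(dirs) >= DIR_SPREAD_MIN,
        "extension_change": bool(renames) and len(ext_changed) / len(renames) >= EXT_CHANGE_FRACTION,
        "root_write": any(posixpath.dirname(e["path"]) == "/" for e in mods),
    }
    reasons = [name for name, hit in signals.items() if hit]
    return sum(WEIGHTS[name] for name in reasons), reasons


def detect(events):
    """Slide a window over each host's events.

    Returns {host: (best_score, reasons)} for hosts whose best window reaches
    ALERT_SCORE. Hosts that trip only one or two signals are not reported.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        best = (0, [])
        for i, start in enumerate(evs):
            t0 = _parse(start["ts"])
            window = [e for e in evs[i:] if _parse(e["ts"]) - t0 <= WINDOW]
            score, reasons = score_window(window)
            if score > best[0]:
                best = (score, reasons)
        if best[0] >= ALERT_SCORE:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, (score, reasons) in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: score={score} signals={', '.join(reasons)}")
```

Run stand-alone it reports only ws-07. The weighting matters: a single rename with a new extension, or one write to the root directory, scores below the threshold, which is what keeps a user bulk-renaming photos or an installer writing a file to the volume root from paging someone; in practice the thresholds would be tuned against the baseline of the fleet being monitored.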