Illusive Blog September 1, 2016

Ransomware Attacks Evolving to ARTs & Getting Worse

By The Illusive Networks team


By now we’re all familiar with the current generation of ransomware threats. While higher-profile ransomware attacks are making the news (especially in the healthcare industry), the reality is that the majority of ransomware incidents are opportunistic. For years now, attackers have been launching generic ransomware campaigns, spread to as many users as possible. Rules can be set to target certain file types depending on the goals of a particular campaign, but opportunistic ransomware generally aims to capture as much low-hanging fruit as possible with minimal effort and sophistication.

Opportunistic, untargeted ransomware may bring in an average of a few hundred to a few thousand dollars per victim, but the future of ransomware may be far more lucrative for attackers.

What’s next for ransomware? The elevation of opportunistic threats to more strategic deployments of ransomware—what we’re calling Advanced Ransomware Threats (ARTs)—with the goal of targeting strategic assets and generating far more revenue than the current generation of attacks.

Strategic Ransomware Means Targeted Ransomware

Making ransomware attacks more strategic means aiming them at specific assets that represent critical value to their owners, who will pay far more than the victims of today’s ransomware. Such strategic assets can be a company’s precious IP or trade secrets that, in the wrong hands, could threaten the company’s survival; the source code of a key product; or a confidential business deal that early publication would kill. The common thread through all of these scenarios is an unbearable toll or event that may end the business’ existence.

Attackers may also be more selective about which victims they target. For example, attackers can go after specific law firms that work with Fortune 1000 companies. Law firms rarely have the level of cybersecurity expertise that large enterprises do, making them an easier target to compromise with ransomware. Despite their weaker defenses, law firms are entrusted with valuable enterprise assets, such as detailed documents on mergers and acquisitions. Attackers can write purpose-built ransomware that searches documents for keywords indicating M&A activity and selects only those for encryption.

Once the deal reaches a stage where those documents are indispensable, attackers can encrypt them (and their backups) and demand a large ransom from both the corporation and the law firm, because of how valuable the assets are at that moment.

While this scenario is becoming very real as ransomware evolves, attackers must change the way they actually launch ransomware attacks. Broadly focused, widespread ransomware campaigns won’t be sufficient when targeting truly valuable assets, because those assets live on protected servers rather than on ordinary network endpoints.

The Day Ransomware Meets Advanced Persistent Threats

Think of the day that ransomware integrates with advanced persistent threats (APTs) and becomes an Advanced Ransomware Threat (ART). Rather than moving laterally until they reach a money-transferring server or the point-of-sale systems (as in the Target data breach), attackers make ransomware the payload of their APT.


The attack starts with a study phase, in which the attacker identifies the target and a specific mission-critical asset inside its network. The attacker then lands on a user machine (for example, by phishing an employee) and begins moving laterally toward that asset. At every hop the attacker reads information from the current machine to discover the machines it is connected to, and harvests the cached credentials and privileges needed to carry the move to the next one. This may repeat hundreds or thousands of times. It leaves little trace on the machines being read, because all the attacker is doing is reading what the operating system already caches: connection history and credentials. It is all there. What each hop does leave behind is an authentication event on the destination host, which is why centrally collected logon logs are one of the few places this phase can be caught.

At the end of the process, the attacker controls the computer(s) holding the asset and activates the ransomware payload: encrypting the content and its backups, exfiltrating it to servers only the attacker controls, deleting the local copies, and so on. This is a far more effective (and lucrative) means of generating revenue for attackers.
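The hop-by-hop lateral movement described above is the stage a defender can still see, because every authenticated hop lands as a network logon (Windows Security event 4624, logon type 3) on the destination host. The following is an added example, not code from the original post or from Illusive Networks: a small Python detector that reads centrally collected logon events and flags any account-and-source pair that reaches an unusually large number of distinct hosts in a short window. The one-line-per-event log format, the hostnames, accounts and timestamps are all constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
"""Fan-out detector for the lateral-movement phase of an ART-style attack.

Added example, not code from the original post. It assumes a simplified,
constructed log format in which a SIEM has forwarded Windows Security event
4624 as one line per logon: timestamp, destination host, account, source
workstation and logon type (3 = network logon, 2 = interactive).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+account=(?P<account>\S+)"
    r"\s+src=(?P<src>\S+)\s+logon_type=(?P<logon_type>\d+)$"
)

# Constructed sample events (hostnames, accounts and times are made up).
# jdoe: a normal user hitting one file server all morning.
# admin-ops: an administrator touching three hosts over a working day.
# svc-backup from WS-1042: the scenario's hop-by-hop pattern, six distinct
# hosts in under eight minutes. One malformed line exercises the parser.
SAMPLE_EVENTS = """\
2016-08-30T08:55:00 host=WS-1042 account=jdoe src=WS-1042 logon_type=2
2016-08-30T09:00:05 host=FS01 account=jdoe src=WS-1042 logon_type=3
2016-08-30T09:20:11 host=FS01 account=jdoe src=WS-1042 logon_type=3
2016-08-30T09:41:30 host=FS01 account=jdoe src=WS-1042 logon_type=3
2016-08-30T10:00:00 host=DC01 account=admin-ops src=ADM-01 logon_type=3
2016-08-30T11:30:00 host=FS02 account=admin-ops src=ADM-01 logon_type=3
2016-08-30T14:15:00 host=PRINT01 account=admin-ops src=ADM-01 logon_type=3
2016-08-30T15:00:00 heartbeat ok
2016-08-30T22:10:00 host=FS01 account=svc-backup src=WS-1042 logon_type=3
2016-08-30T22:11:30 host=FS02 account=svc-backup src=WS-1042 logon_type=3
2016-08-30T22:13:05 host=HR-DB account=svc-backup src=WS-1042 logon_type=3
2016-08-30T22:14:40 host=LEGAL-DMS account=svc-backup src=WS-1042 logon_type=3
2016-08-30T22:16:20 host=DC01 account=svc-backup src=WS-1042 logon_type=3
2016-08-30T22:17:40 host=BACKUP01 account=svc-backup src=WS-1042 logon_type=3
"""


def parse_events(text):
    """Parse the constructed log format into dicts, time-sorted.

    Lines that do not match the expected shape are skipped rather than
    aborting the run, since a real feed always carries some noise.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_fanout(events, min_hosts=5, window_minutes=10):
    """Flag (account, src) pairs with network logons to >= min_hosts distinct
    destination hosts inside any sliding window of window_minutes.

    Returns one alert per offending pair, describing the window in which the
    pair reached the most distinct hosts. Only logon type 3 is considered:
    interactive logons on the user's own workstation are expected.
    """
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:
            by_actor[(ev["account"], ev["src"])].append(ev)

    alerts = []
    for (account, src), evs in by_actor.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the left edge until the window fits (events are sorted).
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "account": account,
                    "src": src,
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                    "hosts": sorted(hosts),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{a['account']} from {a['src']}: {len(a['hosts'])} hosts between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {', '.join(a['hosts'])}")
```

With the defaults (five hosts in ten minutes) only the svc-backup hops from WS-1042 are flagged; the administrator's three hosts over four hours are not. Loosening the thresholds to three hosts in eight hours flags the administrator as well, which is the trade-off in practice: the window and host count have to be set against what normal administration in the environment looks like, and service accounts that legitimately fan out (backup, monitoring) need their own baselines.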

And as sophisticated attackers shift from opportunistic ransomware to ARTs, we’ll start seeing ransoms go from today’s thousands of dollars to potentially millions of dollars per attack.

Protecting Businesses Against Advanced Ransomware Threats

Imagine if the 2014 attack on Sony Pictures had actually been an ART attack. The attackers were able to move laterally until they reached Sony’s media servers, but in an ART attack they could have encrypted the files and backups for upcoming movie releases. How much could they have collected in ransom for movies that cost upwards of $100 million to make?

While small-scale, opportunistic ransomware attacks aren’t going to disappear any time soon, ARTs may become a major concern to companies if they aren’t prepared.
