The rampant digital extortion facilitated by ransomware in 2017 will continue next year, with healthcare and industrial systems expected to be new prime targets
The tidal wave of ransomware attacks this year has ruthlessly cast the spotlight on gaps and lapses in cyber security, crippling some organisations and causing significant financial losses in others.
“Ransomware is not new, having first been identified in 2009, but it is growing at a high triple-digit growth rate,” said Sherrel Roche, senior market analyst for services research at IDC Asia-Pacific.
Ransomware poses one of the biggest cyber security threats today, as it encrypts data on a system or network until a ransom is paid. The top ransomware attacks this year were WannaCry, Petya, Bad Rabbit, LokiBot, CryptoWall, Jaff, Cerber and TorrentLocker.
These attacks peaked in May 2017, when the WannaCry ransomware, derived from a digital weapon believed to have been developed by the US National Security Agency (NSA), infected hundreds of thousands of PCs at critical facilities, such as hospitals, schools and telecommunications.
“WannaCry’s three-stage attack – penetration, deployment and crypto – accounted for more than 45% of all ransomware intercepted by Sophos between April and October of 2017,” said Sumit Bansal, director of ASEAN and Korea at Sophos.
As the unprecedented attack had exploited the Microsoft Windows EternalBlue vulnerability, for which a patch was available two months ahead of the attack, some organisations that fell prey to the attack were criticised for not taking cyber security more seriously.
The onslaught of ransomware showed no signs of abating. Shortly after WannaCry, the following month saw an outbreak of the NotPetya ransomware that disrupted organisations such as Maersk. NotPetya seemed more dangerous and intrusive, encrypting entire hard disks rather than individual files and applications, as was the case with WannaCry.
But that was not all. In October 2017, the Bad Rabbit ransomware, which employs a modus operandi similar to that of WannaCry and Petya, surfaced, mainly infecting machines in Russia and Ukraine, as well as those in Germany, Turkey, Poland and South Korea.
Making its debut that same month was a new variant of the LokiBot banking trojan that morphs into ransomware and locks Android phones when it is removed by users.
The ASEAN region fared relatively well, experiencing fewer ransomware attacks compared with the US, according to Sophos’ Bansal. For example, while the US had a 17.2% ransomware circulation rate between April 1 and October 3, Singapore saw the highest activity with 6.5%, followed by Indonesia (5.3%), Malaysia (2.7%) and the Philippines (1.9%).
The global cost of ransomware attacks is predicted to exceed $5bn in 2017, up from $1bn in 2016 and $325m in 2015, according to the Herjavec Group. Besides financial damages, these attacks can destroy data, affect productivity and cause reputational harm.
The highly profitable nature of ransomware attacks has spawned the rise of ransomware-as-a-service, which puts ransomware into the hands of criminals with minimal technical knowledge.
Linda Chua, market analyst for software at IDC Malaysia, attributed the surge in ransomware attacks to the rise of ransomware-as-a-service, through which malware such as Cerber has emerged.
Bansal said Cerber is one of the most prolific ransomware strains around because it is constantly being improved. “With ransomware being such a well-paying business, its authors are developing more features, like robust encryption and antivirus evasion techniques.”
Prime targets in 2018
Against the backdrop of growing ransomware attacks, experts are now warning that healthcare and industrial systems could be the next big targets for cyber criminals in 2018.
Attacks targeted at the healthcare sector could involve data encryption as well as device blocking. Connected medical equipment is often expensive and sometimes life-critical, making it a prime target for cyber attacks and extortion.
“The WannaCry and ExPetr attacks taught both security experts and cyber criminals that operational technology (OT) systems can be even more vulnerable to such attacks than IT systems,” said Sylvia Ng, general manager at Kaspersky Lab in Southeast Asia.
“This is because ‘firefighting’ in the case of OT is much more difficult, and industrial companies have demonstrated how poorly organised and inefficient their staff can be when it comes to cyber attacks on their OT infrastructure.”
As with the WannaCry attack and its variants, cyber criminals will continue to demand ransoms in cryptocurrency, because of the unregulated and almost anonymous nature of the cryptocurrency market.
Although 2017 saw the biggest ransomware attacks affecting Windows users, 2018 may see an explosion of Android malware, as well as malware targeting Apple computers, said Bansal.
“Malware was found in apps on Google Play, and while Google diligently purges the bad apples, it’s all but impossible to keep pace with the bad guys,” he said, singling out the emergence of potentially unwanted software in the form of spyware and adware rather than straight-up malware.