Over the past few years, we have watched the rise of ransomware as it successfully targeted a variety of vertical markets, especially healthcare, education, and financial services. And like almost all malware, it has also begun to evolve. For example, the WannaCry ransomware engine has recently been modified to support Cryptojacking attacks.
However, we have also been watching ransomware morph into something far more insidious.
The most recent RedEye ransomware not only encrypts your data, but it also destroys your Master Boot Record if you fail to pay within a designated period of time. But this isn’t the first time we have seen this behavior.
Then, in the summer of 2016, the Mirai shadownet was responsible for the largest DDoS attack in history. It was built using millions of vulnerable IoT devices, and then used to bring down a large chunk of the Internet. This began a new ransomware trend where, rather than having to break in and encrypt devices without being detected, which could take weeks to accomplish, automated botnets comprised of hijacked IoT devices started a new trend in DDoS-based ransom attacks. Swarms of independent yet centrally controlled devices with no designated user, and often with no OS to patch or update, were especially difficult to combat.
However, the security research community also saw that there was a potential for this new attack vector to transform into something far more insidious. At the time, we predicted that Mirai was not an end in itself, but was primarily launched to test the capabilities of swarms of compromised IoT-based devices. And we were right.
The Hajime ransomworm was the successor to Mirai. While the impact of Mirai was unprecedented, it was still basically a blunt force instrument. Hajime, on the other hand, while built on the same principles, also included an impressive set of sophisticated cybertools. It was cross-platform, supported five different platform, and included a toolkit filled with automated tasks, remotely updatable password lists, and the ability to download other malicious code, such as brickerbot.
Brickerbot was the first in a new generation of destructive malware, designed to disable the ability of IoT devices to connect to the internet. Its goal was to deliver a killing blow to a network rather than simply disrupting it for financial gain. Hajime was also able to identify CPE devices and protocols and then remove the rules that allow a CPE device to talk to its service provider. The potential risk to service providers was millions of devices all going dark simultaneously, with no heartbeat to see, control, or manage them.
These new attacks were especially impressive because most malware is actually pretty dumb. While it might have evasion techniques built into it, and be good at hiding in the noise of a device or the network, it is really only programmed with a specific set of objectives. A hacker designs it and points it at a target, and it either accomplishes its task or it doesn’t. Cybercriminals compensate for the binary nature of such malware in two ways; either through the time-intensive management of multiple tools to guide an attack to a specific target, or through volume. Send out enough malware, or have it replicate itself enough times, and it will eventually find itself loaded onto a device that it can exploit. It’s like the broken clock that is right at least two times a day.
Reaper changed that. While it was built using some of Mirai’s original code, it had also been armed with exploits covering nine different known vulnerabilities spanning a variety of IoT vendors. More concerning, it was also built using a Lua engine, an embedded programming language that enabled it to be remotely updated to enhance attack options on the fly, rather than launching an attack with all attacks pre-loaded into the malware.
The recent discovery of the VPNFilter malware moved the needle even further towards launching destructive and highly contagious malware with far-reaching consequences. VPNFilter includes a kill command that disables a device by deleting all file systems and then rebooting the device, rendering completely inoperable. Affected devices actually have to be replaced. Even worse, its self-destruct mode can be triggered across all infected devices simultaneously with a single command. And as of the writing of this article, over a million devices have already been compromised by this malware. Triggering this sort of self-destruct mechanism could potentially result in widespread Internet outage or networks collapsing over a wide region, resulting in untold financial losses for affected organizations.
Of course, this is still just the tip of the iceberg. The introduction of automation will mean that attacks like these will not only come at us faster, but they will also reduce the time between breach and impact. Basic machine learning functionality will also enable them to learn how to bypass security tools and avoid detection.
Defending against a swarm of compromised IoT devices that not only can learn and adapt, but that are also programmed to ultimately destroy the devices they infect is extremely difficult. Part of the reason is because most of these devices, especially those deployed in residences and small businesses, are connected directly to the Internet without any security in place. Because so many of these devices have little to no security, they pose a serious risk to the digital economy. And due to their pervasive deployment, marshaling them together to engage in massive attacks would almost certainly bring a considerable segment of the digital economy to a grinding halt, disrupting business, affecting services, and potentially even impacting critical infrastructure. There are already millions of these unsecured devices online just waiting for someone to hijack them, with billions more expected to come online in just the next few years.
Fortunately, there are things that you can do right now to prepare to defend your organization from this gathering threat.
Threats are getting smarter, more destructive, and increasingly able to operate autonomously. We expect to soon see malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and then make calculated decisions about what to do next. In many ways, it will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, intelligently evading detection, and then waiting to deliver a lethal punch.
This is not a matter of if, but when. Which is why it’s critical that every organization become aware of these emerging risks and begin to take appropriate countermeasures now. In the escalating cyberwar, enterprises need to be able to fight automation with automation. Which means you need to deploy integrated expert security systems that can automatically collect, correlate, share, and respond to threats in a coordinated fashion, anywhere across the distributed network ecosystem to isolate an attack, quarantine compromised network segments and devices, and quickly recover without compromising the integrity of your network or reputation. More than ever, an eyes wide open approach to security is a fundamental component of competing and surviving in today’s digital economy.