Cybercriminals will continue to innovate through ransomware
The malware business is a business like any other: cyber threat groups compete and innovate, with the most successful growing and spreading rapidly. Given the success of ransomware in 2016, we will see ransomware attacks continue, with new innovations emerging and propagating according to which of them attract the most payment.
2016 saw real innovation in the ransomware market, with a particularly interesting recent variant called ‘Popcorn Time’ that allows a victim’s files to be decrypted for free if the victim infects two other people.
Commoditized versions of ransomware will, however, be a less pervasive threat for large corporations, as they gradually improve the management of this threat and their ability to mitigate it. Rather, criminals will target high-value assets using more sophisticated and innovative ransomware variants, and will develop additional functionality to seek out more lucrative individual targets within organizations, to enhance the chance of victims paying ransoms. Criminals will extort victims not only by threatening to deny access to data, but also by threatening to publish sensitive data.
Website defacements will be old school – website ransoms will be the new tactic
One specific kind of attack we expect to grow is website ransomware, where the contents of websites are targeted. This trend started emerging in Asia last year:
• In November, several websites were found to be compromised and their web contents encrypted by a ransomware variant called JapanLocker. Control Risks’ research into this variant reveals that it was developed by a hacker known as Shor7cut, a member of the Indonesian Defacer Tersakiti group. This group is well known in the Indonesian hacking community and has more than 22,000 members.
• In October, several Pakistani government websites were compromised and their contents encrypted by the CTB-Locker ransomware. The hackers, believed to be from the Indian group known as Hell Shield Hackers, used this method to retaliate after Pakistani hackers breached nearly 7,000 Indian websites.
• In March, a ransomware variant known as KimcilWare was spotted targeting websites running the Magento eCommerce platform. This variant is thought to have been developed in Indonesia.
• Also in March, Kaspersky Lab detected more than 70 servers, located in ten countries, compromised by the CTB-Locker ransomware. Most of the victims were from the US; this shows how threat actors in Asia Pacific are taking successful tools from other regions, adapting them, and applying them in their own region.
Such attack techniques will continue to emerge and evolve in 2017. We foresee further ransomware variants of this kind being developed by threat actors in Asia Pacific, and used for cyber activist and cybercriminal activities in the region.