Adversaries will continue to evolve their tools to get higher infection rates and returns. Since late 2018, targeted ransomware attacks on state and local governments have been on the rise. They include SamSam, Ryuk, RobbinHood and LockerGoga. These new strains are stealthier and more sophisticated, unlike the earlier strains seen in the 2017 WannaCry and NotPetya attacks, which relied primarily on e-mails or exploits to spread. Notably, the ransom paid in each of these incidents was far greater than the US$143,000 allegedly reaped from the WannaCry attacks, and certainly emboldened attackers into launching brazen campaigns targeting state and local governments in the United States. Although governments do not pay ransom as often as other targets, attacks on them generate immense media coverage because they disrupt the functioning of essential services, sowing chaos and lowering public trust in governments.
The Cyber Security Agency of Singapore’s (CSA) annual publication, “Singapore Cyber Landscape 2018”, noted that there were 21 cases of ransomware reported here last year. There could be more such cases, since many tend to go unreported. A survey conducted by Osterman Research on 175 small and medium-sized enterprises (SMEs) in Singapore in 2017 reported that one in three experienced a ransomware attack last year, with one in five of those affected even having to shut down their company.
Governments and international initiatives are helping organisations deal with ransomware attacks. In the United States of America, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) developed a recovery guide called “Data Integrity: Recovering from Ransomware and other Destructive Events”. Locally, CSA and the Singapore Police Force are supporting partners of the international “No More Ransom” project, a non-commercial initiative to assist victims of ransomware. For more information on how to prevent or recover from ransomware attacks, users can read related advisories by SingCERT and GoSafeOnline.
REPORTS
RANSOMWARE TACTICS AND TECHNIQUES
SPREADING RANSOMWARE VIA SOCIAL MEDIA PLATFORMS LIKE FACEBOOK
Traditionally, ransomware spreads via e-mail, when the recipient clicks on an attachment received. Now, adversaries are taking advantage of the popularity of social media platforms such as Facebook to spread their malicious software or “malware”. A Facebook spam campaign was found targeting these users earlier this year. Malicious messages containing Locky ransomware were spread via Facebook Messenger. Once a message was clicked, the ransomware would be downloaded and installed, and would activate a program that spams the victim’s Facebook friends with the same malicious messages without the victim’s knowledge.