We used to call the Internet the βinformation super-highwayβ back in the day, when connections were slow, bulletin boards and gopher were about as techie as it got. Those days are long gone, but something of the βhighwayβ has remained, like a bad smell, one that has come back to haunt us in 2017β¦ The highway robber!
The person who went about their villainy on the trade routes and highways of the world, extorting money and valuables from unsuspecting travellers with a simple threat ββ βyour money or your lifeβ ββ reinforced of course with the trademark flintlock pistol and sabre.
Todayβs highway robber is a lot more sophisticated and savvy. They take far less risk and turn to the latest technology to extort you out of your money by threatening your valuables. In this case your data, your technology and most probably your computing ability.
Of course, Iβm talking now about ransomware, the threat thatβs been in the news almost every day for the past couple of months. The tool of choice for the modern highway robber has become headline news around the world with variants such as WannaCry and the more recent Popcorn Time. Organizations around the world have been affected by this ransomware, from the UK National Health Service, through to the Russian Postal Service in the last few weeks.
Interestingly, WannaCry leverages a previously known vulnerability in the Windows operating system, which is alleged to have been hoarded by a national security agency of the USA. In this case a vulnerability which allowed the ransomware to be especially successful in both current and older versions of Windows, such as XP and Windows 7, by using a weakness in their inbuilt SMB networking functionality. Even when out of support, there are still organisations using Windows XP and putting themselves at risk.
Luckily however an enterprising security researcher managed to find a kill switch written into some variants of WannaCry, in the form of a phone-home domain which hadnβt been registered by the malwareβs author. Registering the domain seemed to give these variants of the malware the dead letter box it was looking for in order to shut down, thus halting the attack.
After intense examination of WannaCryβs tactics by the security community, we now know the infection spread within organizations by means of leveraging SMB connections. And, while patching the known vulnerability (as the patch had been out for over a month) helps sqelch WannaCryβs ability to spread, there are a broad range of ransomware sources through which you can get infected, such as:
- TrojansΒ β Perhaps the most common and the ransomware attack source we read the most about. Email attachments that contain malicious macro attachments are the chosen method here.
- Removable mediaΒ β Perhaps the most likely ransomware source of infection for the majority of malware in an enterprise, whether itβs ransomware or something more nefarious. Especially for those organisations that donβt lock down their USB ports. USB sticks and removable media are a very simple way to infect a PC as users generally trust those devices. AΒ studyΒ by Google and two US universities showed that dropping USB sticks in public places was a simple and effective way to trigger human curiosity, with a full 49% of the βbait USBsβ being plugged into a computer by people who found them. Imagine if thoseΒ hadΒ been malicious?
- MalvertisingΒ β Malver-what-now? A portmanteau of malicious advertising. Where attackers compromise the weak infrastructure of an online ad network that serves adverts to legitimate websites. Therefore, when users view those adds, usually on well-known news websites, they can be used to trick browsers into downloading malware through the page display ads. Exploit kits such as Angler and Neutrino are often used as the initial dropper of the malware, which often then allows cyber criminals complete control of the infected endpoint. Ransomware is just one of the common outcomes of these watering-hole or drive-by attacks.
- Social media and SMSΒ β The prevalence of shortened links used on social media platforms and in SMS text messages gives attackers a superb mechanism to deliver ransomware and malware. Users rarely, if ever, check the destination of shortened links in social media, SMS or even email and attackers know this. Security solutions that βlink-followβ are increasing in popularity, but not fast enough. Ransomware delivered through shortened links is also often JavaScript based and requires little action on the usersβ part, other than to click the link.
- Ransomware-as-a-ServiceΒ β RaaS? Yes, it does exist, as one of the many βCrime-as-a-Serviceβ networks. (Yes, those exist too). RaaS allows criminals of any variety to become instant cyber criminals, to the extent weβre seeing a drop off in classic crime like burglary, as RaaS is far a less risky ransomware source for them. RaaS and CraaS have given rise to vast affiliate networks too, where ransomware is easy to deploy and manage for almost anyone and where the earning potential is significant. I use this example to demonstrate the sophistication and motivation of the cybercriminals behind ransomware. Ignore them at your peril.
Of course, weβre used to thinking of ransomware as an email-specific or Trojan-based attack and thatβs certainly the most common route it takes, but we should note that once ransomware makes its way into your business, ransomware creators will attempt to take as many routes possible to ensure as widespread an infection as is possible.
What all of these attacks and the breadth of ransomware sources show us is that itβs a live and hostile environment on the information super-highway and that for all the good we do, there are still people intent on exploiting, stealing, violating and pillaging our assets. Donβt be under any illusion theyβre not motivated either; ransomware is a great money earner for them so donβt expect the attacks to die down anytime soon. Technologically not doing your best is not an option either. Sitting back hoping Windows XP or 7 will βstruggle on for a little longerβ or that those patches you didnβt deploy donβt matter is not a sensible strategy. Remember there are books written about hope not being a strategy, so donβt fall into that trap.
Patch your stuff, back up your valuables and keep an eye out for the highway robbers.
Stay safe out there.





















