Introduction
I dislike the term "ransomware attack." Why, you ask? It's a matter of perception.
The word "attack" indicates specific intent against a particular individual or group. An attack means someone (or something) is targeted. But I'm hesitant to use the terms "attack" and "targeted" when discussing ransomware. Calling a ransomware infection an "attack" focuses blame on an enemy. I consider this mindset dangerously close to fear mongering.
If we continue thinking of ransomware infections as attacks, we'll never seriously consider a wide variety of issues that allow ransomware infections to happen in the first place.
Ransomware distribution
Ransomware is distributed on a large scale. Criminal groups generally use two methods to distribute malware: malicious spam (malspam) and exploit kit (EK) campaigns. These are most often large-scale operations that attempt to reach as many potential victims as possible.
I view EK campaigns as laying a bunch of mousetraps throughout the web. An EK is not an active attack against a specific victim. People stumble across EKs through casual web browsing. Personally, I've never found any convincing evidence that ransomware infections through EK traffic have been targeted.
But what about malspam, you ask? You might think someone receiving an email with ransomware was targeted. However, I find it hard to believe the massive waves of malspam I sometimes look into are targeted against specific individuals. Especially when it's Locky ransomware, which is widely distributed [1, 2, 3]. When someone's email address is discovered by a spammer, it gets on a list. That list is often shared, and the person's email address will be constantly bombarded by wave after mindless wave of botnet-based malspam.
Ultimately, I believe ransomware infections are the result of large-scale campaigns covering numerous potential victims, and a comparatively small number of people actually get infected.
Yes, those relatively few infections often have major consequences, but they're not the result of narrowly-defined attacks. They're the result of large-scale campaigns. The important part isn't necessarily who is infected.
Shown above: Roberto probably said, "It's got my name in it, so it must be targeted!"
Assigning criminal intent based on statistics
During my day-to-day research, I usually see ransomware. I also see the malspam and EK vectors this malware comes through. But we should not make any assumptions of criminal intent based on the data we collect. Why? Because no matter how wide we cast our net, we'll never know the full truth.
I still read such reports. The latest one I looked at was based on a July 2016 Osterman Research survey about ransomware [4]. It's typical of what I've been seeing lately. The report states that healthcare and financial services are the industries most vulnerable to ransomware attacks. According to the report, "These industries are among the most dependent on access to their business-critical information, which makes them prime targets for ransomware-producing cyber criminals."
Shown above: One of the charts from the Osterman report.
I enjoyed reading the report. It has some good insights. But whenever I see these statements, I always wonder if those industries are really targeted more than other industries. Or did they have more infections because they're inherently more vulnerable? If they're indeed the most vulnerable, wouldn't it follow they're more likely to get infected during massive campaigns indiscriminately targeting everyone?
Like the large-scale EK or malspam campaigns spreading ransomware I see every day?
I don't know how to describe this. We're saying certain industries are targeted more because they're getting infected more. That just feels wrong. Ransomware doesn't need to be targeted if it's widely distributed.
Yet everyone and their mother are calling these "ransomware attacks."
Final words
We tell ourselves we must know our enemy so we can better protect our network. However, I think we put too much focus on the enemy and not enough focus on ourselves.
Is everyone in your organization following best security practices? Is security a truly essential part of your corporate culture? Is security a primary concern when establishing or upgrading your network architecture, or does cost outweigh the best security measures? Most organizations have problems in these areas. We convince ourselves there are certain weaknesses we must live with.
And management really wants to know who was behind that ransomware infection and why your organization was apparently targeted.
But odds are the ransomware was directed at any number of people who either stumbled across it or were unlucky enough to find it in their inbox.
Sure, call it a "ransomware incident." Just don't call it a "ransomware attack."
---
Brad Duncan
brad [at] malware-traffic-analysis.net
References:
[1] https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html
[2] https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware
[3] http://researchcenter.paloaltonetworks.com/2016/07/unit42-afraidgate-major-exploit-kit-campaign-switches-from-cryptxxx-ransomware-back-to-locky/
[4] https://go.malwarebytes.com/OstermanRansomwareSurvey.html