Ransomware: Part of a Much Bigger Picture.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Integrity attacks are among the fastest growing attack vectors we have seen in the past year. As opposed to confidentiality and availability attacks, which tend to be obvious and generally use brute force, integrity attacks are stealthy, focused and can be far more devastating.
Instead of wreaking havoc or stealing sensitive data, they simply change data elements in files or render the data inaccessible. State-sponsored attacks of the recent past like Stuxnet stealthily targeted specific hardware devices and made minor configuration changes, resulting in massive impacts to a national nuclear program. Destroying a computer or harvesting data was not the intent.
Last year we saw similar tactics focused on banks using the Carbanak malware to make tiny modifications on selected transactions at about 100 banks affecting only a handful of accounts, yet managing to run off with almost a billion dollars in cash.
The attack on a new Jeep Cherokee last summer enabled security researchers to demonstrate how easy it was to remotely hack the car while in operation by modifying and taking over the control system. They weren’t focused on shutting down the car or harvesting data, but rather showcasing a major vulnerability that could have a potentially terrifying outcome.
In the coming months, we forecast a huge increase in integrity attacks within the financial services sector. They will be very difficult to detect, will use malware similar to Carbanak, and will result in hundreds of millions of dollars stolen and redirected to anonymized accounts. To auditors, these stealthy integrity attacks will simply appear to be operational or system problems, employee sabotage, accounting round-up errors, or just stupid mistakes.
Ransomware: a suddenly popular member of the Integrity Attack family
One of the most popular integrity attack vectors at the moment is ransomware. We have just witnessed three experimental probes on hospitals in Germany, Texas and most recently in Hollywood, California. As most people understand by now, ransomware is like the junk-yard dog of DoS (denial-of-service) attacks, leaving all of the systems and files in place but rendering all of it useless unless the demands of a ransom offer are met.
CryptoWall 3, CTB-Locker, and CryptoLocker are the currently popular families of ransomware, but because of the success of the “ransomware-as-a-service” business model, we expect to see many more variants and new families surface with new stealth functionalities. Do-it-yourself malware toolkits have been available on the black market for a long time, and now there are several ransomware variations available for creating your own extortion campaigns – and they’re free.
One new variant we have seen quietly encrypts data so that when these files are backed up, both the system and the backup files will be useless, thus eliminating the effectiveness of one of the key ransomware mitigations of using off-site storage. We have seen another variant that compromises kernel components in the file systems enabling encryption on the fly as they are accessed by legitimate users. Why bother encrypting when you can get your victim to do the dirty work for you?
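The backup failure mode described above, silently encrypted files overwriting good off-site copies, is the reason a backup job should verify what it is about to retain. The following is an added illustration, not code from the article: it flags files whose content no longer matches what the name claims, using real format headers (PNG, PDF, OOXML) and an assumed entropy/printable threshold, over a constructed sample set.

```python
import math
from collections import Counter
from random import Random

# Magic bytes for a few common document formats (real values).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",   # OOXML is a ZIP container
}
ENTROPY_LIMIT = 7.5   # assumed cut-off, bits per byte; ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """True when content no longer matches what the file name claims."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is not None:
        # Compressed containers are high-entropy by design, so the header,
        # not entropy, is the authority: intact header => not silently encrypted.
        return not data.startswith(magic)
    # Plain text: flag if it is not mostly printable or is near-random.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / max(len(data), 1) < 0.9 or shannon_entropy(data) > ENTROPY_LIMIT

def scan_backup_set(files: dict) -> list:
    """Return names of files that should block the backup rotation."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d))

def _random_bytes(n: int, seed: int = 7) -> bytes:
    rng = Random(seed)  # deterministic stand-in for ciphertext (constructed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed sample backup set (not real data).
SAMPLE_FILES = {
    "notes.txt": b"Quarterly review notes.\nAction items follow.\n" * 40,
    "report.docx": b"PK\x03\x04" + _random_bytes(4096, seed=1),  # header intact
    "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 50,
    "ledger.docx": _random_bytes(4096, seed=2),   # header gone: silently encrypted
    "memo.txt": _random_bytes(2048, seed=3),      # encrypted text file
}
```

A hit from `scan_backup_set` should hold the rotation and trigger a restore test of the previous copy, since a high-entropy file with a valid container header is normal while a missing header is not.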
To compound matters, the software currently available and in use is mostly blind to integrity attacks, the crypto-currency demanded by the ransom offer is mostly impervious to tracking, the ultimate attribution is nearly impossible, and the environment is target rich.
In addition to identity records (birth and death records, tax filings, university diplomas, insurance IDs), bank accounts and ATM transactions, other ripe targets include brokerage accounts; the equity, currency and commodity markets; healthcare records, billing and prescription drug management; and, on the near horizon, transportation control of cars, trains and planes.
If a hospital in Hollywood is willing to cough up $17,000 in a matter of hours following a ransomware demand, what do you think a ransomware attack might be worth to a Chicago commodity trader or the Exchange itself?
Increased ransomware activity in industry sectors like banking, equities and government, which will be begging to pay ransoms quickly in order to restore their critical operations, might act as a wake-up call to the handful of government agencies that could actually be useful in times like these.
Unfortunately, we will have to see what happens.
Owner and CEO at Double Check Consulting (BPO): #AI 4 #Healthy #Food and #Humans
9 years
Integrity attacks and ransomware will become part of our lives; we will be forced to put out fires in IoT projects on a daily basis. We talk so much about driverless cars and machine learning algorithms. Now these algorithms will be considered as a driver bu la.; How hard will it be to compromise their integrity? Not really! How many recalls have we had for bad gears and whatnot in the car industry in such a short span of 2016? Lawyers will have a field day.