Stealthy Ransomware: Extortion Evolves

March 29, 2017
Kevin Kennedy
Senior Vice President of Products

It seems like a new variant or victim of ransomware is in the news every day. It’s newsworthy because it works so well and causes widespread destruction.

So when the recent wave of stories hit about PetrWrap, a variation of the widely known Petya ransomware strain, it was easy to miss the significance. The “no-honor-among-thieves” narrative crowded out its true importance.

Now a big business, ransomware is estimated to have taken in north of $1 billion in 2016. Business model innovation drove growth, including a concerted focus on hospitals—with critical patient data and IT dependency—as the highest value targets.

Although the delivery campaigns were targeted, until now ransomware attacks had essentially the same behavior:

  • They were automated and opportunistic.
  • They were delivered via phishing campaigns or exploit-kit distribution methods, and spread quickly.
  • They encrypted indiscriminately, whether data or boot records. Sometimes important data was encrypted, sometimes it was worthless data.

But the real news is that PetrWrap is not automated. Ransomware has historically succeeded at scale in opportunistic attack campaigns without requiring the attacker to be highly skilled.

Instead, PetrWrap is used in targeted attack campaigns and operated by skilled actors. Imagine advanced attackers moving stealthily through your network and finding only the most critical assets—systems and data—to hold hostage. How much would you pay to avoid that level of disruption to your business?

And that’s why PetrWrap matters. The core tool to hold systems and data hostage is the same. But the application and business model are entirely different.

PetrWrap is an indication that more advanced actors are getting into the extortion game, portending another dangerous innovation in the ransomware business model. It’s no longer just the theft of your trade secrets and critical customer data. It’s a crippling kick to your ability to operate the IT infrastructure and business.

Unless we figure out how to stop 100% of attackers from getting in, we must get a lot better at detecting their internal network behaviors before they do damage.

Every business should have a strategy to mitigate the risks of ransomware, including canary-in-a-coal-mine fake shares and good backups. And it’s even more critical now to have a security solution that finds hidden attackers while they’re searching for your key assets, well before you’re taken hostage.
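As an added illustration of the canary-share idea above (example code, not from the original post or from Vectra): a small Python script that plants decoy files on a share, baselines their hashes, and flags the overwrite, rename, deletion or ransom-note drop that encryption produces. The decoy names, the share location and the simulated activity are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names; real deployments pick names that fit the share they sit on.
CANARY_NAMES = ["passwords_backup.txt", "q4_payroll.xlsx", "board_minutes.docx"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seed_canaries(share_dir: Path) -> dict[str, str]:
    """Plant decoy files nobody should touch and record their hashes as the baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        p = share_dir / name
        p.write_bytes(b"decoy: " + name.encode())
        baseline[name] = sha256_of(p)
    return baseline


def check_canaries(share_dir: Path, baseline: dict[str, str]) -> list[str]:
    """Return one alert per deviation from the baseline; an empty list means all quiet."""
    alerts = []
    for name, digest in baseline.items():
        p = share_dir / name
        if not p.exists():
            alerts.append(f"MISSING {name}")       # deleted or renamed (e.g. a .locked suffix)
        elif sha256_of(p) != digest:
            alerts.append(f"MODIFIED {name}")      # contents replaced, typically with ciphertext
    for p in share_dir.iterdir():
        if p.name not in baseline:
            alerts.append(f"UNEXPECTED {p.name}")  # ransom notes or renamed canaries
    return sorted(alerts)


def demo() -> tuple[list[str], list[str]]:
    """Seed a temp share, check it clean, simulate ransomware activity, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        baseline = seed_canaries(share)
        before = check_canaries(share, baseline)
        # Constructed simulation of encryption behaviour: overwrite one decoy in place,
        # rename another with a new extension, and drop a ransom note.
        (share / "passwords_backup.txt").write_bytes(b"\x8f\x13ciphertext")
        (share / "q4_payroll.xlsx").rename(share / "q4_payroll.xlsx.locked")
        (share / "HOW_TO_RECOVER.txt").write_text("pay up")
        after = check_canaries(share, baseline)
    return before, after


if __name__ == "__main__":
    print(demo())
```

In production the check runs on a schedule or from a file-change watcher, and any non-empty result is an early alert that something is touching files no legitimate process should.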

Vectra detects the behaviors of ransomware attacks inside your network and provides security teams with multiple early-warning opportunities by exposing nefarious actions—including command-and-control traffic, network scanning and the spread of additional malware—that precede the encryption of enterprise data and boot records.

To learn more, check out this white paper to understand how your organization can build an effective strategy to defend against ransomware attacks.