
Stealthy ransomware: Extortion evolves

By Kevin Kennedy
March 29, 2017

It seems like a new variant or victim of ransomware is in the news every day. It’s newsworthy because it works so well and causes widespread destruction.

So when the recent wave of stories hit about PetrWrap, a variation of the widely known Petya ransomware strain, it was easy to miss the significance. The “no-honor-among-thieves” narrative crowded out its true importance.

Now a big business, ransomware is estimated to have taken in north of $1 billion in 2016. Business model innovation drove that growth, including a concerted focus on hospitals – with critical patient data and heavy IT dependency – as the highest-value targets.

Although the delivery campaigns were targeted, until now ransomware attacks had essentially the same behavior:

  • They were automated and opportunistic.
  • They were delivered via phishing campaigns or exploit-kit distribution methods, and spread quickly.
  • They encrypted indiscriminately, whether data or boot records. Sometimes important data was encrypted, sometimes it was worthless data.

But the real news is that PetrWrap is not automated. Ransomware has historically succeeded at scale in opportunistic attack campaigns without requiring the attacker to be highly skilled.

Instead, PetrWrap is used in targeted attack campaigns and operated by skilled actors. Imagine advanced attackers moving stealthily through your network and finding only the most critical assets – systems and data – to hold hostage. How much would you pay to avoid that level of disruption to your business?

And that’s why PetrWrap matters. The core tool to hold systems and data hostage is the same. But the application and business model are entirely different.

PetrWrap is an indication that more advanced actors are getting into the extortion game, portending another dangerous innovation in the ransomware business model. It’s no longer just the theft of your trade secrets and critical customer data. It’s a crippling kick to your ability to operate the IT infrastructure and business.

Unless we figure out how to stop 100% of attackers from getting in, we must get a lot better at detecting their internal network behaviors before they do damage.

Every business should have a strategy to mitigate the risks of ransomware, including canary-in-the-coal-mine decoy file shares and good backups. And it’s even more critical now to have a security solution that finds hidden attackers while they’re searching for your key assets, well before you’re taken hostage.
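The decoy-share idea above, as an added example that is not code from the original post or from Vectra: a small Python monitor that plants canary files nobody should legitimately touch, records a hash baseline, and on each check reports files that went missing, were modified (with a Shannon-entropy score to flag content that now looks like ciphertext) or appeared unexpectedly (renamed encrypted copies, dropped ransom notes). The file names, the decoy content and the simulated tampering in `demo()` are all constructed for the example.

```python
"""Canary-share monitor: plant decoy files and detect ransomware-style tampering.

Added example, not part of the original post. Decoy names and the simulated
tampering in demo() are constructed; point plant_canaries() at a real share
path to use it for real.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed decoy names chosen to look valuable to an attacker; no real user
# or process should ever open or modify them.
CANARY_NAMES = [
    "Q4_payroll_2016.xlsx",
    "passwords_backup.docx",
    "board_minutes_confidential.pdf",
]

# Random or encrypted bytes score close to 8 bits/byte; office documents and
# text sit well below this threshold.
ENCRYPTED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(share_dir: Path) -> dict:
    """Create the decoy files and return the baseline {name: sha256 hex}."""
    share_dir.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        # Low-entropy, recognisable text so an unexpected change stands out.
        content = (f"CANARY DECOY FILE - {name} - do not open or modify\n" * 20).encode()
        (share_dir / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(share_dir: Path, baseline: dict) -> list:
    """Compare the share against the baseline; return a list of alert dicts."""
    alerts = []
    for name, expected in baseline.items():
        path = share_dir / name
        if not path.exists():
            # Deleted, or renamed (e.g. to an encrypted-copy extension).
            alerts.append({"file": name, "event": "missing"})
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != expected:
            entropy = shannon_entropy(data)
            alerts.append({
                "file": name,
                "event": "modified",
                "entropy": round(entropy, 2),
                "likely_encrypted": entropy > ENCRYPTED_ENTROPY_THRESHOLD,
            })
    # Anything new in a share that should hold only canaries is suspicious:
    # renamed encrypted copies or ransom notes are the typical arrivals.
    for path in share_dir.iterdir():
        if path.is_file() and path.name not in baseline:
            alerts.append({"file": path.name, "event": "unexpected"})
    return alerts


def demo() -> list:
    """Plant canaries in a temp dir, simulate tampering, return the alerts."""
    share = Path(tempfile.mkdtemp(prefix="canary_share_"))
    baseline = plant_canaries(share)
    if check_canaries(share, baseline):
        raise RuntimeError("fresh canaries should produce no alerts")
    # Constructed tampering: overwrite one decoy with random bytes (stands in
    # for ciphertext), rename another, and drop a placeholder ransom note.
    (share / CANARY_NAMES[0]).write_bytes(os.urandom(4096))
    (share / CANARY_NAMES[1]).rename(share / (CANARY_NAMES[1] + ".locked"))
    (share / "README_DECRYPT.txt").write_text("constructed ransom note placeholder\n")
    return check_canaries(share, baseline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the baseline would be stored off-host and `check_canaries()` run on a short schedule or wired to a filesystem-event hook, with any alert treated as a high-confidence signal that something is touching files no one should.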

Vectra detects the behaviors of ransomware attacks inside your network and provides security teams with multiple early-warning opportunities by exposing nefarious actions – including command-and-control traffic, network scanning and the spread of additional malware – that precede the encryption of enterprise data and boot records.

To learn more, check out this white paper to understand how your organization can build an effective strategy to manage against ransomware attacks.

About the author

Kevin Kennedy

Kevin Kennedy is vice president of product management at Vectra. Before Vectra, he was vice president of product management at Agari Data, which builds data-driven security solutions that eliminate email as a channel for cyberattacks. Prior to Agari, Kevin was senior director of security product management at Juniper, where he spearheaded the company’s continued innovation in data center security. Kevin was also director of product management at Cisco IronPort Systems, where he led the highest-growth business in the Cisco security portfolio, growing bookings by 400 percent in three years. Kevin earned his BSE in computer engineering at the University of Michigan.
