Facebook Tracking
June 28, 2019

Predicting Attack Behavior - Ransomware Patterns Strategic Leaders Need to be Aware of

Category: Blog

This is a new series of blogs where I’m going to be writing about “Predicting Attack Behavior”, discussing the anatomy of specific attack categories like ransomware and discussing past and current behavior of such attack categories for the purpose of predicting future behavior and building defensive strategies. 



Ransomware continues to be a successful attack vector for cybercriminals and be a major concern for organizations and their digital assets. Ransomware is a type of malware that extorts its victim, holding their digital assets hostage and ask for money in return for gaining back access to their data or devices. While ransomware has been around for decades, it has been rapidly growing as an attack vector year-after-year since 2013 with older variants continuing to be successful and new variants and strains emerging. Cybersecurity Ventures predicts that ransomware damage costs will rise to $11.5 billion in 2019. (Cybersecurity Ventures 2017).


To withstand a ransomware attack, the most resilient defensive strategy is to include a proactive disaster recovery plan, but taking the time now to strategically discuss your current security posture, known ransomware attack behaviors will best prepare your organizational planning for future ransomware attacks ultimately improve your preventative and detection capabilities.


Notable Variants and Breaches 

2013-2016 - Throughout 2013-2015 we saw variants like CryptoLocker (at its height in late 2013 and early 2014, over 500,000 machines were infected), CryptoWall, CryptoBit, TorrententLocker and CTB-Locker emerge. According to a Symantec, 98 new ransomware families were found in 2016, more than triple the figure for the previous year (Symantec: Internet Security Threat Report 2017). In 2016 ransomware variants like Petya, Locky, Dharma and Jigsaw emerged. There were also reinvention strains of Locky like Oden, then had morphed from Zepto and originated from Locky source code. Originally, claiming to be a variant of CryptoLocker, TeslaCrypt which targeted video game files by the end of 2016 made up 48 percent of ransomware attacks


2017-2018 - Perhaps the most infamous ransomware is the WannaCry cryptoworm, which hit the headlines in May 2017, and affected more than 200,000 computers in 150 countries, including the UK National Health Service (National Audit Office 2017). Throughout 2017 and 2018, we also saw ransomware families like Bad Rabbit, NonPetya, Cerber, Reyptson, leallocker, Wysiwye, GandCrab, Katyusha, Ryuk and SamSam. 


2019 - Due to WannaCry and NonPetya, ransomware was deemed one of the biggest malware threats of 2018, and it continues to disrupt the operations of businesses all over the world in 2019. According to a recent Malarebytes report, ransomware attacks on business have seen an increase in the first quarter of 2019, up by 195 percent since the fourth quarter of 2018. Notable variants that have emerged in 2019 are LockerGoga and PeCrypt, but variants and strains of previous years, continue to be found in the wild. Baltimore and two cities in Florida have fallen victim to ransomware in recent weeks, In Florida, Riviera Beach paid $600,000 and Lake City almost $500,000 to get their data unlocked. Baltimore. Baltimore who refused to pay for the ransom to unlock their data has estimated that it will cost them $18M in damages. 


Interesting statistics that are worth mentioning to understand how large a problem ransomware is today:

  • 50% of a surveyed 582 cybersecurity professionals do not believe their organization is prepared to repel a ransomware attack. (Source: Pwnie Express)

  • Ransomware costs businesses more than $75 billion per year. (Source: Datto)

  • The average cost of a ransomware attack on businesses was $133,000. (Source: Sophos)

  • A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021. (Source: Cyber Security Ventures)

  • Ransomware attacks have increased over 97 percent in the past two years. (Source: Phishme)

  • 34% of businesses hit with malware took a week or more to regain access to their data. (Source: Kaspersky)

  • In 2019 ransomware from phishing emails increased 109 percent over 2017. (Source: PhishMe)

These stats are alarming and emphasize the importance that your security organization be prepared to defend against the likely infection of ransomware and minimize the impact to your business by predicting the ransomware behavior in order to improve your security defensive strategy. 


Predicting and Defending Ransomware Behavior

In order to best defend against a particular threat, it’s important to understand the attack behavior. Looking at past tactics, techniques and procedures help better predict likely attack paths and plan and build a more resilient security detection, prevention, and response program.


For predicting ransomware behavior, I highly recommended reading a paer entitled “Ransomware deployment methods and analysis: views from a predictive model and human responses“ which reviews the predictive nature of ransomware and details 8 common stages:


  • Fingerprint creating signatures of the OS’s features and determining suitability for payload deployment.

  • Propagate exploring the possibility of lateral movement within a network or connected devices.

  • Communicate sending and receiving data from the attacker’s C&C server.

  • Map reading the contents of suitable files in the victim’s environment.

  • Encrypt encrypting potentially valuable data on the victim’s computer.

  • Lock reducing or disabling the availability of the OS to the victim.

  • Delete overwriting or unlinking the contents of the victim’s data.

  • Threaten presenting a threatening message to force the victim to pay up.

(Source: Ransomware deployment methods and analysis: views from a predictive model and human responses)


As your team looks at your security strategy, it’s important to look at each of the above 8 attack path stages and determine how your defensive kill chain and any of the behavior tactics, techniques and procedures (TTPs) could be prevented, detected, alerted and ultimately stopped. 


A few example: Because phishing is such a popular initial attack vector, validating your email phishing controls and understanding your user education to phishing and ransomware emails is key, knowing that most ransomware communicates to a Command and Control infrastructure in the encryption stages, can help determine the types of security controls that would detect and prevent such communication, knowing that most ransomware has propagation mechanisms, be it via RDP or email, allows your organization to discuss and understand the various capabilities or gaps in attacker use of propagation methods and any detection capabilities to prevent such activity. 

Although the most resilient defense for a ransomware attack includes a proactive disaster recovery plan, because of the very nature of ransomware attacks being so popular through email phishing campaigns and mechanisms of propagation, there are several stages of a ransomware attack whereas a defender you can thwart an attack earlier in its lifecycle and ultimately shrink the dwell time of the attack path, saving your company time, money and resources. Understanding past behavior and attack stages help you predict future behavior and provide better planning for your overall security strategy.

About the Author

Co-Founder and CTO of AttackIQ

Stephan Chenette is a 20 year veteran of information security, servicing clients ranging from startups to multinational corporations as a pentester, security and risk consultant, solutions architect and head of research and development. He has presented at numerous conferences including RSA, Blackhat, ToorCon, BSides, CanSecWest, RECon, AusCERT, SecTor, SOURCE and PacSec.