Trust attacks and the evolution of ransomware

Dave Palmer, Director of Technology | Wednesday April 5, 2017

Ransomware attacks are both indiscriminate and effective. They target everyone from Wall Street corporations to small-town hospitals; from CEOs to union leaders. In 2016 alone, ransomware attacks spiked by 6,000 percent, raking in over $1 billion from unsuspecting victims. For attackers, ransomware is as tried-and-true as they come.

But as the threat landscape continues to grow and evolve, so too does ransomware. Attackers have started to realize that targeting trust can be just as lucrative as targeting data. Reputation has become one of a company’s most valuable assets and is now under assault.

Traditional ransomware can often be dealt with behind the scenes. Whether the organization mitigates the ransomware on its own, recovers the files from a backup system, or even pays the ransom, the situation can be resolved without involving customers or the press.

But the newest strain of ransomware – dubbed ‘Doxware’ – is not so discreet. Doxware packages up a company’s data and threatens to release it to the public. This might include confidential documents like patient records and proprietary blueprints, or personal information like passwords and credit card numbers – the more sensitive the better.

85 percent of industry leaders now consider reputational damage the most significant impact of a cyber-attack. The rise of Doxware shows that cyber-criminals are good at adapting to new market opportunities, and they have a multitude of weapons at their disposal to inflict that damage. Meanwhile, legacy security tools still try to defend networks at the border or concentrate on finding ‘known bad’. Unless these novel attacks are stopped at an early stage, they’re bound to undermine organizational reputation.

As ‘trust attacks’ are becoming increasingly mainstream, safeguarding reputation has become an essential component of cyber security. To protect their brand and trustworthiness, organizations have to be able to evolve in step with the rapidly changing threat landscape, proactively protecting their assets from subtle, stealthy cyber-attacks.

When it comes to ransomware, paying the ransom isn’t a failsafe option, because there’s no guarantee the attacker will decrypt the data. Likewise, bracing for a public data dump via Doxware is equally inadvisable. The best alternative is to detect the threat while it’s still emerging.

At Darktrace, we see ransomware on a daily basis. The reason we can catch it comes down to the detection approach. We’re not looking for a specific signature or a pre-identified ransomware strain. Instead, the technology is constantly learning and re-learning what normal looks like, so when a new type of malware is launched, we don’t have to play catch-up. We detect it straight away.

Here’s an example of a ransomware attack that got through the perimeter at a California non-profit and how it was detected within minutes, allowing the security team to stop it before it spread to a second computer.
