Trust attacks and the evolution of ransomware

Dave Palmer, Director of Technology | Wednesday April 5, 2017

Ransomware attacks are both indiscriminate and effective. They target everyone from Wall Street corporations to small-town hospitals; from CEOs to union leaders. In 2016 alone, ransomware attacks spiked by 6,000 percent, raking in over $1 billion from unsuspecting victims. For attackers, ransomware is as tried-and-true as they come.

But as the threat landscape continues to grow and evolve, so too does ransomware. Attackers have started to realize that targeting trust can be just as lucrative as targeting data. Reputation has become one of a company’s most valuable assets and is now under assault.

Traditional ransomware can often be dealt with behind the scenes. Whether the organization mitigates the ransomware on their own, recovers the files through a backup system, or even if they pay the ransom, the situation can be resolved without involving customers or press.

But the newest strain of ransomware – dubbed ‘Doxware’ – is not so discrete. Doxware packages a company’s data and threatens to release it to the public. This might include confidential documents like patient records and proprietary blueprints, or personal information like passwords and credit card numbers – the more sensitive the better.

85 percent of industry leaders now consider reputational damage the most significant impact of a cyber-attack. The rise of Doxware shows that cyber-criminals are good at adapting to new market opportunities, and they have a multitude of weapons at their disposal to inflict that damage. Meanwhile, legacy security tools still try to defend networks at the border or concentrate on finding ‘known bad’. Unless these novel attacks are stopped at an early stage, they’re bound to undermine organizational reputation.

As ‘trust attacks’ are becoming increasingly mainstream, safeguarding reputation has become an essential component of cyber security. To protect their brand and trustworthiness, organizations have to be able to evolve in step with the rapidly changing threat landscape, proactively protecting their assets from subtle, stealthy cyber-attacks.

When it comes to ransomware, paying the ransom isn’t a failsafe option, because there’s no guarantee the attacker will decrypt the data. Likewise, bracing for a public data dump via Doxware is equally inadvisable. The best alternative is to detect the threat while it’s still emerging.

At Darktrace, we see ransomware on a daily basis. The reason we can catch it comes down to the detection approach. We’re not looking for a specific signature or a pre-identified ransomware strain. Instead, the technology is constantly learning and re-learning what normal looks like, so when a new type of malware is launched, we don’t have to play catch-up. We detect it straight away.

Dave Palmer

Dave is the Chief Product Officer at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over 13 years’ experience at the forefront of government intelligence operations, Dave has worked across UK intelligence agencies GCHQ and MI5, where he was responsible for delivering mission-critical infrastructure services, including replacing and securing entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He acts as an advisor to cyber security start-ups and growth-stage companies from the UK Government’s Cyber Security Accelerator and CyLon. His insights on AI and the future of cyber security are also regularly featured in the UK media. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.