Worms + Ransomware = Disaster for the rest of us

Apr 13, 2016 09:58 GMT  ·  By

Experts from Cisco's Talos security division are claiming that the next natural step in the evolution of ransomware operations is to integrate the self-propagation features of old-school worms, the malware that wreaked havoc during the '90s and early 2000s.

Their thought experiment sees attackers using penetration-testing frameworks to build much more versatile ransomware families which, besides using encryption to lock the user's files, would also incorporate additional modules, among which they expect a self-propagation component is bound to be included.

SamSam ransomware is pioneering this concept

Cisco's researchers have already observed such features, albeit in a limited and simplistic form, in the SamSam ransomware, also known as Samas.

With SamSam making a splash and claiming some high-profile victims in the healthcare sector, Cisco expects other ransomware authors to adopt its model: focus on breaching the network, then leave the ransomware to search for and infect other computers on its own.

This type of behavior maximizes a campaign's infection pool and takes most of the human factor out of the equation. Instead of having to trick each and every victim into downloading and executing malicious files, these new types of ransomware would only need one or two individuals to fall victim.

Self-propagating ransomware won't need humans anymore

Infections with these types of threats can go viral, affecting tens, hundreds, or even thousands of PCs, especially in larger corporate or government networks, where most workstations are connected to one another.

While corporations and government agencies put strong defenses at the perimeter, internal networks that are also segmented on the inside, as standard security practice dictates, are rarely found.

Cisco calls this new ransomware concept a "cryptoworm," and for good reason: crooks would only have to fling the ransomware in all directions and let it do its work.

As of now, no existing ransomware comes close to the concept Cisco laid out after detecting SamSam, but tools such as Rapid7's Metasploit, Strategic Cyber's Cobalt Strike, or Raphael Mudge's Armitage could prove very useful in creating one.