So what happened? Up until the WannaCry ransomware attack, the goals seemed pretty clear. Ransomware had evolved like many products, from one-off pieces of software into tools that could be sold and monetized. Research by a group at Google found the most popular strains, Locky and Cerber, have taken in $7.8 and $6.9 million, respectively, since storming on the scene in 2016. As cybercriminals became craftier with these types of attacks, it seemed clear that ransomware had established itself as a lucrative, quick-hit operation for perpetrators.
But then came WannaCry and, shortly on its heels, NotPetya. Though the two strains, superficially, have little to do with one another, they seemingly shared the same new goal: to disrupt rather than to profit. They also both utilized a more sophisticated distribution code, displaying worm-like capabilities that allowed infections to take root without relying explicitly on phishing attacks or on users to run an executable. Compared to variants like Locky, Cerber, or SamSam, there was little effort put into being able to tie the infected computer to a payment and generate an unlock key. In fact, NotPetya earned next to nothing for its developers; reports in late July indicated that though the malware had spread to more than 60 countries, the attackers netted only about $10,000 in Bitcoin payments.
Is this new ransomware model a fad, or have actors with other aspirations found a new tool for their arsenals? My opinion is that it’s far more likely to be the latter. Both in life and in cybersecurity, we find that people are continually motivated to try to find more effective ways to accomplish their goals. For those looking to disrupt, ransomware — or wipeware, as these binaries are being dubbed — represents a powerful opportunity. When ransomware is properly executed, a locked drive is practically non-recoverable. For those who care more about crippling a business and/or impacting service delivery than they do about a monetary gain, this type of attack fits the bill very nicely.
The challenge for companies is that “traditional” ransomware and wipeware behave in much the same way at the outset; as such, infosec teams waste both money and time in figuring out which they’re up against when an infection occurs. This only makes the attacks more appetizing to those perpetrating them.
While the sample size is currently small, we should expect to see more of these types of attacks — and likely more variety in the use of the underlying ransomware binaries — as actors with different goals seek to leverage the power of denying us access to our data.