back to article Ransomware attackers have gone from 'spray and pray' to 'slayin' prey'

Ransomware infections may be down, but only because attackers are getting better at targeting them. This is according to a report from Malwarebytes, whose team said that when it comes to crimeware figures, numbers can be deceiving. Speaking to El Reg ahead of the 2019 Black Hat conference, Malwarebytes Labs director Adam …

  1. ElReg!comments!Pierre Silver badge

    There is also a lot more legacy apps on corporate machines. iexplorer springs to mind... and of course large corps often have a very slow update cycle. Two of our very large clients (top-500 companies) are on Windows7.

    1. ElReg!comments!Pierre Silver badge

      And don't get me started on the public sector. I've seen hospitals, Unis and research institutes that are still mostly on Vista, with some XP boxen !

      1. 0laf Silver badge

        Yep you can't just point your enterprise kit at Windows Update like you can at home.

        1. Hans 1 Silver badge
          Windows

          Well, you should not run outdated insecure old crap on your network and if you do, you will get all you deserve.

          Just throwing up your arms and saying "Well, we cannot!" is not gonna save your butt when ransomware runs havoc on your network.

          1. Anonymous Coward
            Anonymous Coward

            "Well, you should not run outdated insecure old crap on your network and if you do, you will get all you deserve."

            But sometimes you MUST, as the OS is specific to the service contract specified by the manufacturer, and they may refuse to update the OS unless you change out the entire piece of machinery, often a six- to seven-figure budget buster. And the manufacturer can counter any claims of security by citing legal standards compliance which pits law against law.

            1. Twanky

              Outdated crap

              'and they may refuse to update the OS unless you change out the entire piece of machinery, often a six- to seven-figure budget buster.'

              In which case it would be worth putting the vulnerable machine on a separate network and wrapping it with firewall and proxy tuned to it's requirements and special backup routines. You could probably do that with something quite inexpensive.

    2. Mayday Silver badge
      Windows

      Let's not forget

      In house/proprietry/legacy apps running on Flash, needing some ancient version of Java/ActiveX/.net etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Let's not forget

        Very true. The current trend to move on from that seems to be "everything on the Mighty Cloud", which -as most buzzword-led trends- is creating more problems than it solves; and it's only the beginning. Truth is, no matter what external consultants and "solutions" vendors say, security/safety does come at a price, and must be part of the design process from the very start of any new "thing" (dev, arch, app, you name it). That includes keeping the employees happy, btw.

        That usually doesn't go down very well with the kind of managers who think saying "DevOps" and "Scrum" in every sentence and showing 40% margin MSPowerpoint slides makes them Hip, but these are usually shortlived. Unfortunately, their ill-conceived projects take forever to clean up for those of us who are in for the long run (especially frustrating when you warned everyone about the risks, it went forward anyway, and the proponent left for greener pastures when it became to go south, which seems to be the standard OP in today's IT management).

  2. InsaneGeek

    Kind of obvious really... consumers can move on from a ransomware account without that much pain other than the emotional aspect of losing family pictures, etc. and often don't have lots of disposable cash to gamble with the chance of it not getting back. Whereas a business infected with ransomware could go completely out of business, and they are going to be more willing to gamble on giving them money to get it back because if they don't get the encryption keys they are going out of business anyway.

    1. Anonymous Coward
      Anonymous Coward

      Weird Behaviour

      The cultural challenge is to get people to behave at work as they do at home - cautious when opening unknown emails, clicking random links etc. Aim your awareness campaign at their personal life and behaviors and watch the results in the work space.

      1. Pirate Dave Silver badge
        Pirate

        Re: Weird Behaviour

        "The cultural challenge is to get people to behave at work as they do at home - cautious when opening unknown emails, clicking random links etc."

        If you can figure out how to do that, you'll make $BEEEELLIONS$...

        1. CrysTalK

          Re: Weird Behaviour

          Ransomwares can be stopped by simply creating an application whitelist. There's no need for typical employee to download a new binary/application to do his job. If you block all new binary/exe's those windows boxes won't get ransomwares. Heck, even Windows XP Pro have this feature and tried to enable it on my home machine. It won't run any new applications inserted by my daughter.

          1. doke

            Re: Weird Behaviour

            That kind of whitelist won't protect from macros running inside approved applications, javascript or web assembly running inside approved browsers, nor code injected into approved applications. In a corporate setting, it causes complaints, and gets turned off after some director can't run the xyz app that his nephew recommended.

  3. Doctor Syntax Silver badge

    "it seems like a lot of organisations never learned."

    I'm sure they did. The hard way.

    1. Carpet Deal 'em Bronze badge
      Facepalm

      Okay, pressing that button nearly gave me a seizure and set my hair on fire. Surely pushing it again won't cause any problems.

      -Many, many people

  4. Rich 11 Silver badge

    While most home users know better than to open attachments in unsolicited emails or download files from untrusted sources, employees on work PCs can at times be far more reckless in their behaviour

    And based on personal experience I have to wonder how close a correlation there is between the salary of the employee and the reckless behaviour.

    1. a_yank_lurker Silver badge

      Also, how likely is one in some positions to get unsolicited emails from someone else? To make matters worse, many of these emails are important. At home, one probably has a far more limited set of people who email you with very few being unsolicited. And of the unsolicited, only a very small number would even be worth skimming.

  5. Zebo-the-Fat

    Backup

    It may be different for a large organisation, but if I get attacked it's just a case of re format, re install and restore from an off line backup. I can be up and running in a couple of hours.

  6. fidodogbreath Silver badge

    Security is too expensive...

    ...until it isn't. But by the time that realization kicks in, it's too late.

  7. Conundrum1885 Bronze badge

    Re. Security is too expensive...

    Cost of antivirus, antimalware and a basic IT security policy - maybe $3000/year

    Cost of average ransomware attack - $30,000 or more, dwarfed by GDPR exposure.

    Incidentally with attacks like "Warshipping" on the rise maybe its time to upgrade to WPA 3.1

  8. I'm Dugly

    What's the commission?

    I have worked with people who would willingly and happily click on an infected email knowing that it would cause maximum disruption to their employer. Unionized drones in the public sector, for example (with apologies to the good public-sector employees). I wouldn't be at all surprised to read that an employee was in cahoots with the scammers for a cut of the action.

    1. I'm Dugly

      Re: What's the commission?

      And done:

      www.cbsnews.com/news/att-insiders-bribed-to-hack-and-plant-malware-on-the-companys-network-doj-alleges

  9. hoola Bronze badge

    Reality

    For home users they generally just accept Windows and other application updates as they arrive. There is no picking and choosing with much hand-wringing about KB12345 risking SMB1 for some obscure system or waiting to see if any other organisation has a problem.

    For larger enterprises with thousands or tens of thousands of PC's you cannot just upgrade them all to the latest version of Windows. It takes time with huge amounts of planning. Hardware replacement cycles are even worse with the logistics and costs. Business can do more to protect themselves but the numbers game means that at some point a user is going to do something dumb that then slips past defences. A business is always going to be a more valuable target than an individual so it is no surprise that attacks are becoming targets.

    It does not help that there appears to be a generation that think they know everything about "computing" with demands for access to resources and equally useless managers that just cave in because they are too scared to say "No!".

    When I first started out in the public sector many years ago Internet access was a privilege that you had to have a business case for. A login was needed to get through the proxy and it was heavily filtered. Skip forward 20 years and every device has Internet access whether is needs it or not. Filtering is extremely light only taking out the real dregs. Users have streamed audio and video on most of the day, regularly doing personal tasks (banking, purchases browsing) throughout the working day. Hell, even The Register would have been verboten as there is no business case.

    The consumerisation (is that even a word) of business IT with BYOD, unfettered access and so much of the actual business tools being online (i.e. in the Cloud" gets you to where we are now.

    1. Is It Me Bronze badge

      Re: Reality

      I have made the business case for The Register, it alerts you to security issues (including which Windows patches to avoid installing).

      I have also made the case for the access to the discussions as well as the articles as there is often extra information from experienced people in there. I used the example where I discover a rootkit removal tool from having read about in the discussion on an article related to a virus. If I hadn't read that I would have had to wipe the HR directors laptop without any extra backups of it, as it was I was confidant enough that the infection and rootkit had been removed to allow the laptop back on the network to do some backups of data that had been worked on while the director was travelling.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019