AutoCAD Users may have a ransomware problem – here's what they can do
A new malware family is currently using the same file types as the professional design software AutoCAD
Ransomware is a widespread problem that has plagued businesses for years, with particularly damaging financial and operational consequences. Attackers continually develop new strains of ransomware, looking for new ways to bypass cybersecurity defenses and user vigilance.
In recent months, cybersecurity analysts have confirmed that attackers are disguising ransomware as file types for the industry standard computer-aided design (CAD) software AutoCAD, which is produced by Autodesk.
Veeam’s cybersecurity teams recently identified ransomware using AutoCAD file types. It’s just the latest ransomware danger that businesses have to watch out for, as the threat landscape expands and becomes more complicated.
Ransomware typically operates by tricking users into running a script, which downloads malware onto their system and then executes it. The malware then encrypts the files on the system and demands that a ransom be paid in exchange for the key needed to decrypt them. The attackers may also threaten to release sensitive information. Ransomware has proved so successful that some hacking groups now offer malware as a service.
Ransomware disguised as AutoCAD
According to the revenue intelligence platform 6Sense, AutoCAD is estimated to hold nearly 40% of the market share for CAD software. Given its ubiquity across a wide variety of disciplines, including engineering and architecture, many of the larger engineering firms will have thousands of AutoCAD installations throughout their network.
“It was in 2023 that ransomwares started reusing AutoCAD file extensions, and that makes it really confusing when you have a file extension of something that you know is okay, and then it's also associated with a threat actor,” says Rick Vanover, vice president of product strategy at Veeam.
“That puts detection tools in the middle, because you can't just look at names, you have to then look at content. Organizations have to balance a broad air cover of detection versus a detailed confirmation.”
It is difficult to know for certain if using an AutoCAD file type was deliberate or not (unless those responsible come forward) but using the same file type as a widely deployed engineering package would be a logical way to overcome basic malware checks. While CAD users may well know to be suspicious of, for example, executable files, they are likely to be more trusting of AutoCAD files.
Organizations that use AutoCAD – and other Autodesk products – need to be vigilant. There may be a temptation to allow scanning exceptions for this software, but that would leave the system exposed to ransomware attacks using the AutoCAD file types.
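Vanover's point that detection has to look at content rather than names can be illustrated with a simple check. The following Python script is an added example, not code from the article, Veeam or Autodesk: it compares a file's extension against its leading bytes, using the publicly documented DWG version codes (AC1015 through AC1032), the text layout of a DXF file and the "MZ" signature of a Windows executable, and flags anything whose content does not match its claimed type. The sample files it writes are constructed stand-ins (a few bytes each); none is real malware, and the assumption is that the listed version codes cover the AutoCAD releases in use.

```python
"""Extension-versus-content check for files claiming to be AutoCAD drawings.

Added example, not from the article, Veeam or Autodesk. A file named *.dwg
should start with a six-byte DWG version code; a *.dxf file is text whose
first two lines are the group code "0" and the word "SECTION". Anything
else carrying those extensions deserves a closer look.
"""
import os
import tempfile

# Assumption: these version codes cover AutoCAD 2000 through current releases.
DWG_VERSION_CODES = {b"AC1015", b"AC1018", b"AC1021", b"AC1024", b"AC1027", b"AC1032"}
PE_MAGIC = b"MZ"          # DOS/Windows executable header
CAD_EXTENSIONS = ("dwg", "dxf")


def classify_content(head: bytes) -> str:
    """Guess the real format from the first bytes of a file."""
    if head[:6] in DWG_VERSION_CODES:
        return "dwg"
    if head[:2] == PE_MAGIC:
        return "pe"
    # DXF is plain text; simplified here by ignoring leading 999 comment lines.
    lines = [line.strip() for line in head.split(b"\n")[:2]]
    if len(lines) == 2 and lines[0] == b"0" and lines[1] == b"SECTION":
        return "dxf"
    return "unknown"


def check_file(path: str) -> dict:
    """Compare what the extension claims with what the content shows."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    if ext not in CAD_EXTENSIONS:
        return {"path": path, "claimed": ext, "actual": None, "verdict": "not-checked"}
    with open(path, "rb") as fh:
        head = fh.read(64)
    actual = classify_content(head)
    verdict = "ok" if actual == ext else "mismatch"
    return {"path": path, "claimed": ext, "actual": actual, "verdict": verdict}


def scan_directory(directory: str) -> list:
    """Return the paths of CAD-named files whose content does not match."""
    mismatches = []
    for name in sorted(os.listdir(directory)):
        result = check_file(os.path.join(directory, name))
        if result["verdict"] == "mismatch":
            mismatches.append(result["path"])
    return mismatches


def build_samples(directory: str) -> dict:
    """Write constructed sample files (not real drawings or malware)."""
    samples = {
        "good.dwg": b"AC1032" + b"\x00" * 58,                   # genuine-looking DWG
        "fake.dwg": b"MZ\x90\x00" + b"\x00" * 60,               # executable renamed .dwg
        "good.dxf": b"  0\r\nSECTION\r\n  2\r\nHEADER\r\n",    # genuine-looking DXF
        "renamed.dxf": b"AC1027" + b"\x00" * 58,                # DWG bytes under a .dxf name
        "notes.txt": b"hello",                                  # not a CAD file, not checked
    }
    paths = {}
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    return paths


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    build_samples(workdir)
    for suspicious in scan_directory(workdir):
        print("content does not match extension:", suspicious)
```

A check like this is cheap enough to run on every file landing in a shared project folder or mail gateway, and it only confirms that the bytes plausibly match the name; a mismatch is a reason to quarantine and inspect, not proof of malware, while a match says nothing about what a genuine DWG might carry inside.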
As malware has proliferated, cybersecurity developers have created tools to detect it. These tools are constantly iterating and evolving their defences, as they are updated with new versions of ransomware that are detected.
Other than informing users of ransomware disguising itself as an AutoCAD file, there seems to be very little that Autodesk could do.
The cost of ransomware attacks
Ransomware attacks are incredibly damaging to organisations. Rebuilding from scratch is costly and time-consuming. There are additional costs of downtime and reputational damage, both from unscheduled suspension of services and the potential for data leaks. The UK’s National Cyber Security Centre (NCSC) has advised against paying a ransom.
Some organizations choose to pay the ransom, but there are additional risks with trusting criminals. Furthermore, the victim will have revealed that they are willing to pay ransoms and will therefore increase their chances of being targeted again in the future.
“I honestly would not trust a cleaning of a file. Would you really trust that data after it's been touched twice by the threat actor?” asks Vanover. “I'm not much of a fire extinguisher guy. I'm much more of a rebuild-the-building type, in a data way.”
If organizations choose to rebuild after a ransomware attack, they can be confident that no malicious actor has compromised their data or left a metaphorical time bomb in their system.
Organizations can reduce the time and resources spent restoring systems by preparing in advance: a robust backup policy with multiple restore points held in different locations, plus redundant systems that can be activated when needed. Such measures naturally take time and resources to deploy properly, but they offset the much larger cost of rebuilding from scratch and minimise the associated reputational harm.
The future of ransomware
Ransomware will continue to proliferate, especially as it is so lucrative for organized crime groups. If we assume that the utilization of AutoCAD file types is deliberate, then we should also expect hackers to adopt other popular industry standard software file types, to avoid detection.
A consequence of the constant cybersecurity arms race is that there is now a colossal catalogue of malware that needs to be tracked and guarded against. Furthermore, as malware detection tools have become increasingly sensitive to potential attacks, more detections will be made, thus increasing the number of false positives.
The growing number of false positives could potentially overwhelm administrators and thereby inadvertently allow mistakes to happen, due to there being too much information for them to properly process.
AI solutions may be beneficial here, as an AI tool can quickly sift through a large number of notifications, to prioritise those that require the administrator’s attention.
Unfortunately, the lucrative nature of ransomware means that it is here to stay. We will continue to see new versions being developed, and we will likely see more that mimic previously trusted file types. It is therefore essential for enterprises to have malware detection systems in place, alongside up-to-date user training, a robust backup system, sandbox testing, system restore policies and failover measures.
“Data sovereignty is more important than ever. Organisations need to ensure that they have their data and the control of it,” says Vanover.
Autodesk was approached for comment, but did not respond at the time of publication.

