Ransomware: Caught between a rock and a hard place

2016 has seen unprecedented levels of ransomware circulating, with victims having to make the hard decision of losing their data or paying the cybercriminal’s demands. The problem is so rampant that the FBI recently warned hospitals, schools, government agencies, police departments, businesses, and individuals of the increase in attacks. In the UK, the story is mirrored with British businesses increasingly paying online extortionists rather than reporting attacks to police, as authorities struggle to respond to the growing threat.

So why this sudden surge in ransomware and why is it so successful?

Why now?

Even though it has increased dramatically recently, ransomware itself isn’t at all new. In fact, it’s been around for years. The difference between today’s versions and older attempts, and the reason why we’re hearing so much about it now, has a lot to do with technique and sophistication.

Historically, a piece of ransomware locked a victim’s computer displaying a 'Your Computer’s Infected' warning with a phone number to call. On the other end of the phone would be a call centre (of sorts) where the cybercriminals would finish up the deal by using threats, intimidation, and other social engineering techniques to trick their prey into paying a 'fine' over the phone.

This wasn’t the most practical approach for the cybercriminals as it required humans to be available at all times to answer these phone calls. However, later versions allowed victims to pay online, which negated the need for a physical presence in a call centre.

The issues for the criminals were that, more often than not, the malware could easily be circumvented by booting the computer into Safe Mode, finding the infection, and removing it. Also, the sites where payment was collected were quickly discovered and shut down, which made the scheme largely ineffective.

Jump forward to late 2013, when one of the largest, longest-lasting, and most active botnets anyone had seen to date, the Zeus botnet, began delivering a new kind of ransomware by the name of CryptoLocker en masse.

CryptoLocker: The mother of all ransomware

CryptoLocker was not a novice piece of software. It was written by someone with an agenda and a plan.

When a computer was served CryptoLocker, the owner wasn’t just handed a block page that kept them from getting into their computer temporarily; their documents, photos, and other important files were secretly encrypted and made to be completely inaccessible before they were even notified that they were in fact infected.

Due to how widespread these attacks were, and how irreversible these infections were without complying with the cybercriminals’ demands, CryptoLocker became instantly famous. News spread as quickly as the infections did, as CryptoLocker unapologetically infected not only home PCs but entire business systems too.

It didn’t take long before we started seeing copycat ransomware such as CryptoWall and CryptoDefense, as well as newer versions of the original. Ransomware had become a highly effective and highly profitable attack tool. It could also be mostly automated, which lowered the overhead for criminals far below what was previously required, making it a much more efficient money maker compared to the older attempts. It also raised its level of sophistication: not only did it utilise strong encryption algorithms to render victims’ files useless, it also began utilising Deep Web ransom collection sites and cryptocurrency such as Bitcoin to do business, making the cybercriminals all but completely invisible to authorities.

The future of ransomware

Ransomware developers weren’t satisfied infecting local machines, so the encryption has been weaponised to spread to neighbouring network devices. Now, if one person clicks on a malicious crypto link in an email, it’s not just the host machine that is affected, but the entire network. This can obviously be a very serious problem, hence the headlines we’re seeing today.

Since CryptoLocker first made its debut, we have seen various different versions of crypto-ransomware from numerous sources who all want a piece of the ransom pie: TorrentLocker, Locky, and the new kid on the block, Jigsaw, which isn’t content just to encrypt files but begins deleting them one by one the longer it takes for victims to pay up.

The longevity of ransomware can be attributed to two major factors:

  • People are paying these ransoms
  • People are not keeping proper backups - which just so happens to be this attack’s Achilles’ heel

Just as there are two factors affecting the longevity of ransomware, there are two solutions:

  • Proper functioning backups allow systems to be restored to a point before the infection occurred, thus removing the ransomware and the need to meet the cybercriminal’s demands
  • If the cybercriminals aren’t paid, their business model collapses, and they have to find another way to finance their activities
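A backup only removes the need to pay if it can actually be restored intact, so a practitioner will want to prove that before an incident rather than after one. The following Python script, added here as an illustration and not part of the original article or any AppRiver tooling, records a SHA-256 manifest of a known-good backup set and then checks a restored or live copy against it, reporting files that are missing, altered, or unexpected. The directory layout, file names, and the damage applied in `demo()` are all constructed sample data.

```python
"""Backup integrity check: record a SHA-256 manifest of a known-good backup
set, then verify a restored (or live) copy against it.
Hypothetical helper code added for illustration; not the article's own."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_against_manifest(manifest: dict, root: Path) -> dict:
    """Compare a directory tree to a manifest.
    Returns {'ok': [...], 'changed': [...], 'missing': [...], 'unexpected': [...]}."""
    report = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    # Files present on disk but absent from the manifest (e.g. renamed copies
    # or dropped notes) are a warning sign in their own right.
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def restore_is_trustworthy(report: dict) -> bool:
    """A restore point is only usable if nothing is missing, altered or added."""
    return not (report["changed"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: a clean backup/live pair, then a damaged live copy.
    Returns (report_before_damage, report_after_damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        live = Path(tmp, "live")
        for d in (backup, live):
            (d / "docs").mkdir(parents=True)
            (d / "docs" / "report.txt").write_text("quarterly figures\n")
            (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        manifest = build_manifest(backup)
        clean = verify_against_manifest(manifest, live)
        # Simulate the live copy being damaged: one file overwritten with
        # random bytes, one renamed, and an unexpected text file appearing.
        (live / "docs" / "report.txt").write_bytes(os.urandom(80))
        (live / "photo.jpg").rename(live / "photo.jpg.locked")
        (live / "README_NOW.txt").write_text("constructed sample note\n")
        damaged = verify_against_manifest(manifest, live)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean copy trustworthy:", restore_is_trustworthy(before))
    print("damaged copy trustworthy:", restore_is_trustworthy(after))
    print("damaged report:", after)
```

In practice the manifest should be written at backup time and kept with the offline or versioned copy, so that a later restore can be checked against a record the live system could not have modified; running `verify_against_manifest` against the live tree on a schedule also gives an early, if coarse, signal that many files have changed at once.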

In the meantime, it’s vitally important that everyone understands the current threats in the digital landscape, including the phishing campaigns that are the primary delivery mechanism for ransomware. It’s also important to implement layered security in order to ensure that defences are in place on all fronts, including email, web-based threats and so on. A final element is to keep software and systems patched and updated – skipping these updates may mean skipping the security fixes for the very flaws ransomware relies on to infect machines.

If you’re unlucky enough to fall victim to the modern day highwaymen, and thinking of paying the demands, remember that these thieves are often associated with larger criminal organisations, which use your money to fund their illegal activities.

Instead, before you do anything else, take the time today to back up your files, update your software and hardware, and make sure you have layered security, then you won’t find yourself caught between a rock and a hard place.

Fred Touchette, Manager of Security Research, AppRiver