Towards the end of last year, when the major security firms were compiling their customary run-downs of the biggest threats expected to emerge in 2013, ransomware figured prominently as an ominous ‘one to watch’. This breed of malicious software owes its name to the way in which it attacks a computer, quite literally holding it ransom by paralysing the device and demanding payment for it to be unlocked.
By February this year, the experts’ prophecies began to be realised as a sophisticated and sprawling ransomware plot came to light, with Europol detaining a multi-national criminal gang in Spain’s Costa del Sol. The fraud had successfully extorted money from victims across more than 30 different countries, and authorities estimated that the crooks' cash haul ran into "millions of euros."
So as the growing talk of a ransomware revival became substantiated by a cybercrime of such scale and profitability, we wanted to find out more about the trend and spoke to Team Cymru’s security researcher Marcel van den Berg, who's been tracking this guise of malware closely. The very name ransomware, the way it strikes a machine before harassing its victims, and the murky stories behind its deployment make it all seem a bit ‘cops and robbers’ – and according to van den Berg, such a characterisation isn’t far from the truth.
Ransomware attackers show “a real world criminal mindset,” he said. Those behind the scams are not mischievous young computer nerds honing their hacking skills and perhaps making some small change on the side; they are fully certified fraudsters marrying organised crime with the Internet.
More than intricate malware writing, van den Berg says ransomware operations “are about being able to use data that comes in, like card details, and transferring that to real money. These aren’t necessarily technical people, just people with a criminal mindset who are able to monetise this effectively.
“Even if you are a technical person who can set up such an attack, you need the skills to receive all these details that transfer virtual funds to real money funds, and doing it anonymously so it can’t be tracked,” he continues. “The technical part is just a small piece of this. It’s a whole criminal framework you need to make it successful.”
Ransomware has been around for some time and found success in the earlier days of the Internet when web naivety saw many panic into paying the sums demanded after their computer was infected. The charades were, and still can be, convincing, with the user typically accused of visiting illicit sites or infringing on copyright, and the threat of legal action frequently rattles victims into paying the ‘fine’, even if they are not guilty. But the initial wave of ransomware came prior to the boom in online payment methods, and cyber criminals found it difficult to effectively monetise their schemes. The method thus gave way to more lucrative scams like the distribution of fake antivirus, which remains one of the most popular criminal ploys online.
Now, however, we surrender more personal and financial details to the web than ever before and the methods of online payment have multiplied exponentially, opening new avenues for cyber criminals to exploit, and resurrecting the widespread use of ransomware. “It definitely seems that ransomware is gaining popularity in the underground economy,” says van den Berg, who stressed that this form of malware was just one of a host of threats that bypass different routes of attack to instantly mine for financial details.
What’s more, unlike bygone years when user behaviour had a distinct correlation to the threats one would attract, van den Berg says modern ransomware attacks can strike any user, regardless of whether they are visiting pirated file sharing sites or other illegal domains. “You don’t have to go to an obscure website, just your regular browsing habits could expose you to ransomware,” he warns.
So what can a user do when the attack does strike and their computer is locked? “The first thing should be do not panic, the damage has already been done,” says van den Berg. “I would highly recommend not paying the fine too. If someone has stolen your purse and you send them money to have it returned, why would they even bother? There’s no motivation for the criminal.” He also points out that after the malware has struck there is a strong chance the attacker has access to other data on your machine, so users should act swiftly in dealing with the issue.
“One of the things that people could do is try and reboot the machine in safe mode, then try to get the virus removed with the antivirus tools that are out there.” If the machine cannot be rebooted or operated in safe mode, the user has little option but to seek technical assistance from their device or software vendor.
Though ransomware attacks are far-reaching and indiscriminate, following fundamental IT security principles significantly reduces the chance of being attacked. Van den Berg points users towards Team Cymru’s top 10 tips for staying safe online, which emphasises the overriding importance of updating systems and using modern software.
As the rise in ransomware demonstrates, cyber criminals move quickly with developing trends to maximise their business. If the everyday user fails to follow suit and keep their computer in good health with the latest security updates and products, they may well find themselves becoming the next money pot for the fraudsters.
Article researched in collaboration with Team Cymru - a specialised Internet security research firm formed by a dedicated group of technologists passionate about making the Internet more secure.