Vulnerabilities / Threats
11/21/2012 10:58 AM

A More Courteous Kidnapper? Ransomware Changes Tactics

With an eye to the short term, cybercriminals turn to ransomware, forcing users to pay up or face long clean-up times -- but forgo the full encryption of data that made past attacks so vicious

Five years ago, ransomware threats were rare and took the brutal tactic of encrypting data on the hard drive. In most cases, the cybercriminals made technical mistakes, allowing antivirus firms the chance to decrypt the information and restore their customers' data. Yet well-built ransomware could turn a company's entire digital business into a scrambled mess, with only backups on which to rely.

While some businesses continue to run into encrypting ransomware, today's digital kidnappers have largely taken a different tack, changing startup files to block a user from doing anything, but leaving most of the data intact. The move from an uncompromising tactic to one that is recoverable by the technically savvy is only one way that ransomware has evolved, combining tactics from older threats with the more recent strategies of fake antivirus scams.

"Like fake AV, ransomware basically botches up your machine and then says, 'We have determined that your machine is infected, pay us to clean it up,'" says Adam Wosotowsky, a malware researcher with security firm McAfee, a subsidiary of Intel. "Ransomware is a continued evolution of that scheme to get money. If you want control of your machine back, then you need to pay some money."

It's a tactic that has become quite popular as well, with a number of quarterly reports from security firms highlighting the increased incidence of the threat. McAfee documented a three-fold increase in ransomware samples, to more than 200,000, in the third quarter of 2012 compared to the same quarter a year earlier. Symantec recently estimated that a single ransomware scheme could net criminals $5 million in a single year if left unchecked.

[The latest brand of ransomware attacks has been on the rise over the past year across Western Europe, the U.S., and Canada. See Ransomware Scams Net $5 Million Per Year.]

The latest variant of ransomware seizes control of a victim's computer and displays a notice seemingly from the police in whichever country the victim resides, accusing the user of accessing illegal pornography. Then comes the threat: Pay $200 or law enforcement will arrive within 72 hours. The scam started hitting victims in Germany first, moving onto other Western European countries and, recently, started focusing on North American computer users as well as those in Australia.

A Short-Term Payoff...
The current ransomware trend is fueled by economics. While large botnets can make much more money on click fraud or other low-profile schemes, burning a botnet to install ransomware is an attractive option for smaller bot operators.

If only 3 percent of victims pay the ransom, and bot operators get two-thirds of each $200 fee -- both current trends -- a relatively small botnet can make a good amount of money, says Vikram Thakur, principal security response manager for Symantec.

"The botmasters realized that they can make a lot more with a 3 percent conversion rate than running their bots for a year," he says.

Moving from past tactics that encrypted a victim's data unless they paid also benefits the criminals. Companies and other bastions of technical prowess can recover important data from machines. If criminals had stuck with encrypting data, then they would have added large companies -- and their technical resources -- to the list of groups trying to hunt them down.

Because of ransomware's obvious infection tactics, however, victims cannot help but realize their systems are infected, and their clean-up efforts will shorten the useful life of any botnet that installs ransomware.

But A Loss In The Long Term?
The in-your-face approach is not the only part of the ransomware strategy that will pressure the cybercriminals behind it to eventually curtail their efforts.

Using notices that appear to come from law enforcement is a critical mistake and will likely lead to an aggressive push for arrests in many of the cases, says Symantec's Thakur. The notices have created an image problem for law enforcement, and the agencies are not happy about it, he says.

"The in-your-face methodology that ransomware uses puts those criminals in the spotlight for a lot of law-enforcement investigations across the globe," Thakur says. "In the last year, the ransomware actors have really pushed the buttons of law enforcement, not just for doing ransomware, but for doing it under the pretext of different law enforcement agencies."

With ransomware spotlighting the botnets that employ it and law enforcement hunting down the criminals responsible, the rise of ransomware may just as quickly turn into a decline.
