Vulnerabilities / Threats
11/21/2012
10:58 AM
Connect Directly
RSS
E-Mail
50%
50%

A More Courteous Kidnapper? Ransomware Changes Tactics

With an eye to the short term, cybercriminals turn to ransomware, forcing users to pay up or face long clean-up times -- but forgo the full encryption of data that made past attacks so vicious

Five years ago, ransomware threats were rare and took the brutal tactic of encrypting data on the hard drive. In most cases, the cybercriminals made technical mistakes, allowing antivirus firms the chance to decrypt the information and restore their customers' data. Yet well-built ransomware could turn a company's entire digital business into a scrambled mess, with only backups on which to rely.

While some businesses continue to run into encrypting ransomware, today's digital kidnappers have largely taken a different tack, changing startup files to block a user from doing anything, but leaving most of the data intact. The move from an uncompromising tactic to one that is recoverable by the technically savvy is only one way that ransomware has evolved, combining tactics from older threats with the more recent strategies of fake antivirus scams.

"Like fake AV, ransomware basically botches up your machine and then says, 'We have determined that your machine is infected, pay us to clean it up,'" says Adam Wosotowsky, a malware researcher with security firm McAfee, a subsidiary of Intel. "Ransomware is a continued evolution of that scheme to get money. If you want control of your machine back, then you need to pay some money."

It's a tactic that is become quite popular as well, with a number of quarterly reports from security firms highlighting the increased incidence of the threat. McAfee documented a three-fold increase in ransomware samples, to more than 200,000, in the third quarter of 2012 compared to the same quarter a year ago. Symantec recently estimated that a single ransomware scheme could profit criminals $5 million in a single year if left unchecked.

[The latest brand of ransomware attacks has been on the rise over the past year across in Western Europe, the U.S., and Canada. See Ransomware Scams Net $5 Million Per Year.]

The latest variant of ransomware seizes control of a victim's computer and displays a notice seemingly from the police in whichever country the victim resides, accusing the user of accessing illegal pornography. Then comes the threat: Pay $200 or law enforcement will arrive within 72 hours. The scam started hitting victims in Germany first, moving onto other Western European countries and, recently, started focusing on North American computer users as well as those in Australia.

A Short-Term Payoff...
The current ransomware trend is fueled by economics. While large botnets can make much more money on click fraud or other low-profile schemes, burning a botnet to install ransomware is an attractive option for smaller bot operators.

If only 3 percent of victims pay the ransom, and bot operators get two-thirds of each $200 fee -- both the current trends -- a relatively small botnet can make a good amount of money, says Vikram Thakur, principal security response manager for Symantec.

"The botmasters realized that they can make a lot more with a 3 percent conversion rate than running their bots for a year," he says.

Moving from past tactics that encrypted a victim's data unless they paid also benefits the criminals. Companies and other bastions of technical prowess can recover important data from machines. If criminals had stuck with encrypting data, then they would have added large companies -- and their technical resources -- to the list of groups trying to hunt them down.

Because of ransomware's obvious infection tactics, however, victims cannot help but realize their systems are infected, and those efforts will shorten the useful life of any botnet that installs ransomware.

But A Loss In The Long Term?
The in-your-face approach is not the only part of the ransomware strategy that will pressure the cybercriminals behind it to eventually curtail their efforts.

Using notices that appear to come from law enforcement are a critical mistake and will likely lead to an aggressive push for arrests in many of the cases, says Symantec's Thakur. The notices have created an image problem for law enforcement, and the organizations are not happy about it, he says.

"The in-your-face methodology that ransomware uses puts those criminal in the spotlight for a lot of law-enforcement investigations across the globe," Thakur says. "In the last year, the ransomware actors have really pushed the buttons of law enforcement, not just for doing ransomware, but for doing it under the pretext of different law enforcement agencies."

With ransomware spotlighting the botnets that employ it and law enforcement hunting down the criminals responsible, the rise of ransomware may just as quickly turn into a decline.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.