Vulnerabilities / Threats
11/21/2012
10:58 AM
Connect Directly
RSS
E-Mail
50%
50%

A More Courteous Kidnapper? Ransomware Changes Tactics

With an eye to the short term, cybercriminals turn to ransomware, forcing users to pay up or face long clean-up times -- but forgo the full encryption of data that made past attacks so vicious

Five years ago, ransomware threats were rare and took the brutal tactic of encrypting data on the hard drive. In most cases, the cybercriminals made technical mistakes, allowing antivirus firms the chance to decrypt the information and restore their customers' data. Yet well-built ransomware could turn a company's entire digital business into a scrambled mess, with only backups on which to rely.

While some businesses continue to run into encrypting ransomware, today's digital kidnappers have largely taken a different tack, changing startup files to block a user from doing anything, but leaving most of the data intact. The move from an uncompromising tactic to one that is recoverable by the technically savvy is only one way that ransomware has evolved, combining tactics from older threats with the more recent strategies of fake antivirus scams.

"Like fake AV, ransomware basically botches up your machine and then says, 'We have determined that your machine is infected, pay us to clean it up,'" says Adam Wosotowsky, a malware researcher with security firm McAfee, a subsidiary of Intel. "Ransomware is a continued evolution of that scheme to get money. If you want control of your machine back, then you need to pay some money."

It's a tactic that is become quite popular as well, with a number of quarterly reports from security firms highlighting the increased incidence of the threat. McAfee documented a three-fold increase in ransomware samples, to more than 200,000, in the third quarter of 2012 compared to the same quarter a year ago. Symantec recently estimated that a single ransomware scheme could profit criminals $5 million in a single year if left unchecked.

[The latest brand of ransomware attacks has been on the rise over the past year across in Western Europe, the U.S., and Canada. See Ransomware Scams Net $5 Million Per Year.]

The latest variant of ransomware seizes control of a victim's computer and displays a notice seemingly from the police in whichever country the victim resides, accusing the user of accessing illegal pornography. Then comes the threat: Pay $200 or law enforcement will arrive within 72 hours. The scam started hitting victims in Germany first, moving onto other Western European countries and, recently, started focusing on North American computer users as well as those in Australia.

A Short-Term Payoff...
The current ransomware trend is fueled by economics. While large botnets can make much more money on click fraud or other low-profile schemes, burning a botnet to install ransomware is an attractive option for smaller bot operators.

If only 3 percent of victims pay the ransom, and bot operators get two-thirds of each $200 fee -- both the current trends -- a relatively small botnet can make a good amount of money, says Vikram Thakur, principal security response manager for Symantec.

"The botmasters realized that they can make a lot more with a 3 percent conversion rate than running their bots for a year," he says.

Moving from past tactics that encrypted a victim's data unless they paid also benefits the criminals. Companies and other bastions of technical prowess can recover important data from machines. If criminals had stuck with encrypting data, then they would have added large companies -- and their technical resources -- to the list of groups trying to hunt them down.

Because of ransomware's obvious infection tactics, however, victims cannot help but realize their systems are infected, and those efforts will shorten the useful life of any botnet that installs ransomware.

But A Loss In The Long Term?
The in-your-face approach is not the only part of the ransomware strategy that will pressure the cybercriminals behind it to eventually curtail their efforts.

Using notices that appear to come from law enforcement are a critical mistake and will likely lead to an aggressive push for arrests in many of the cases, says Symantec's Thakur. The notices have created an image problem for law enforcement, and the organizations are not happy about it, he says.

"The in-your-face methodology that ransomware uses puts those criminal in the spotlight for a lot of law-enforcement investigations across the globe," Thakur says. "In the last year, the ransomware actors have really pushed the buttons of law enforcement, not just for doing ransomware, but for doing it under the pretext of different law enforcement agencies."

With ransomware spotlighting the botnets that employ it and law enforcement hunting down the criminals responsible, the rise of ransomware may just as quickly turn into a decline.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

CVE-2014-3543
Published: 2014-07-29
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity referenc...

CVE-2014-3544
Published: 2014-07-29
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

CVE-2014-3545
Published: 2014-07-29
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.