Vulnerabilities / Threats
10:58 AM
Connect Directly

A More Courteous Kidnapper? Ransomware Changes Tactics

With an eye to the short term, cybercriminals turn to ransomware, forcing users to pay up or face long clean-up times -- but forgo the full encryption of data that made past attacks so vicious

Five years ago, ransomware threats were rare and took the brutal tactic of encrypting data on the hard drive. In most cases, the cybercriminals made technical mistakes, allowing antivirus firms the chance to decrypt the information and restore their customers' data. Yet well-built ransomware could turn a company's entire digital business into a scrambled mess, with only backups on which to rely.

While some businesses continue to run into encrypting ransomware, today's digital kidnappers have largely taken a different tack, changing startup files to block a user from doing anything, but leaving most of the data intact. The move from an uncompromising tactic to one that is recoverable by the technically savvy is only one way that ransomware has evolved, combining tactics from older threats with the more recent strategies of fake antivirus scams.

"Like fake AV, ransomware basically botches up your machine and then says, 'We have determined that your machine is infected, pay us to clean it up,'" says Adam Wosotowsky, a malware researcher with security firm McAfee, a subsidiary of Intel. "Ransomware is a continued evolution of that scheme to get money. If you want control of your machine back, then you need to pay some money."

It's a tactic that is become quite popular as well, with a number of quarterly reports from security firms highlighting the increased incidence of the threat. McAfee documented a three-fold increase in ransomware samples, to more than 200,000, in the third quarter of 2012 compared to the same quarter a year ago. Symantec recently estimated that a single ransomware scheme could profit criminals $5 million in a single year if left unchecked.

[The latest brand of ransomware attacks has been on the rise over the past year across in Western Europe, the U.S., and Canada. See Ransomware Scams Net $5 Million Per Year.]

The latest variant of ransomware seizes control of a victim's computer and displays a notice seemingly from the police in whichever country the victim resides, accusing the user of accessing illegal pornography. Then comes the threat: Pay $200 or law enforcement will arrive within 72 hours. The scam started hitting victims in Germany first, moving onto other Western European countries and, recently, started focusing on North American computer users as well as those in Australia.

A Short-Term Payoff...
The current ransomware trend is fueled by economics. While large botnets can make much more money on click fraud or other low-profile schemes, burning a botnet to install ransomware is an attractive option for smaller bot operators.

If only 3 percent of victims pay the ransom, and bot operators get two-thirds of each $200 fee -- both the current trends -- a relatively small botnet can make a good amount of money, says Vikram Thakur, principal security response manager for Symantec.

"The botmasters realized that they can make a lot more with a 3 percent conversion rate than running their bots for a year," he says.

Moving from past tactics that encrypted a victim's data unless they paid also benefits the criminals. Companies and other bastions of technical prowess can recover important data from machines. If criminals had stuck with encrypting data, then they would have added large companies -- and their technical resources -- to the list of groups trying to hunt them down.

Because of ransomware's obvious infection tactics, however, victims cannot help but realize their systems are infected, and those efforts will shorten the useful life of any botnet that installs ransomware.

But A Loss In The Long Term?
The in-your-face approach is not the only part of the ransomware strategy that will pressure the cybercriminals behind it to eventually curtail their efforts.

Using notices that appear to come from law enforcement are a critical mistake and will likely lead to an aggressive push for arrests in many of the cases, says Symantec's Thakur. The notices have created an image problem for law enforcement, and the organizations are not happy about it, he says.

"The in-your-face methodology that ransomware uses puts those criminal in the spotlight for a lot of law-enforcement investigations across the globe," Thakur says. "In the last year, the ransomware actors have really pushed the buttons of law enforcement, not just for doing ransomware, but for doing it under the pretext of different law enforcement agencies."

With ransomware spotlighting the botnets that employ it and law enforcement hunting down the criminals responsible, the rise of ransomware may just as quickly turn into a decline.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.