The enormous success which hackers have had extracting millions of dollars from individuals and businesses using ransomware appears to be driving more sophisticated tools and tactics from them.
This week researchers sounded the alert on two recent ransomware families that break ground in different ways.
One of them dubbed Virlock is noteworthy because it not only locks the screen of compromised systems like other ransomware, but also infects files on the device. First noticed by security firm ESET in December, Virlock is also polymorphic, meaning the code changes every time it runs making it hard to detect using standard malware detection tools.
In an alert on Friday, security firm Trend Micro described Virlock as the first ransomware that includes file infection in its routine. Unlike most ransomware, which are distributed via botnets and phishing emails, Virlock spreads via infected files, the security firm said.
“Virlock variants may arrive bundled with other malware in infected computers,” Trend Micro security researchers Jaaziel Carlos, Jonh Chua, and Rodwin Fuentes said in their blog.
Once on a system, the malware creates and modifies registry entries to obfuscate itself and then locks the screen and disables several critical functions on the compromised system. Virlock checks for specific file types on the infected system, including executable files and document types such as “.doc”, “.xls” and “.pdf”. It also looks for archive files like “.zip” audio and video files with extensions like “.mp3” and image files such as “.jpg” and “.gif.”
After Virlock locates such files it encrypt them and then embeds them in the body of the malware itself, the researchers said. Infected systems can be hard to clean and even a single infected file that remains undetected in a system can cause the malware to respawn the infection all over again.
“Once Virlock gets into a system network, it will be all over the place; it can infect a whole network system without notice,” the researchers said.
The other ransomware family that has attracted the attention of security researchers because it is different is, TeslaCrypt, a tool that is, for the first time, being used to go after video gamers, specifically. Operationally, the malware is similar to other ransomware, in that it encrypts data on the victim’s computer and then demands a ransom to unlock it.
But by targeting gamers, hackers are increasing what is already a huge target base for ransomware campaigns, Vadim Kotov, a security researcher at Bromium said in a blog post Thursday.
Bromium’s research has shown that data files for more than 20 games are affected by the threat, including Call of Duty, Star Craft 2, Diablo, Minecraft, and online games like World of Warcraft.
“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches,” Kotov wrote.
Richard Blech, CEO of Secure Channels, says threats like these showcase the growing sophistication of the ransomware tools and tactics used by hackers to go after potential targets.
“What’s going on is that this is the new mainstream,” Blech says. “This isn’t some script kiddie in the basement,” targeting people with malware tools. Increasingly, it is the highly sophisticated criminal groups using sophisticated tools that are behind major ransomware campaigns.
Perimeter defense tools like antivirus and anti spam products can help alleviate the threat somewhat by detecting and blocking ransomware where possible. But ultimately a lot of onus for dealing with the threat falls on the user. In most cases, ransomware tools end up getting installed on a system as the direct result of a user action, like clicking on a link in a phishing email.
“Someone has to do something,” to trigger ransomware in most cases. “There is a human factor,” Blech said.
Keeping files backed up is the best way to mitigate the threat posed by ransomware, Blech said. That way, even if data gets locked up or encrypted, it is easy to retrieve a backup copy.
“Be also careful with your DropBox (or other cloud services). If you have folders synchronized with an online storage – malware will get to them too.” Kotov said in his blog post.
Andrew Brandt, senior threat researcher at Blue Coat Systems said ransomware has become a growing threat not just because of how it is distributed but also because it’s ability to destroy data has evolved dramatically.
Small businesses and governments in particular have reason to be concerned about the trend, Brandt said in emailed comments to Dark Reading. “Small business and local government agencies are most likely, out of the panoply of potential commercial or enterprise victims, to lack any kind of integrated IT security infrastructure,” he said.
Dealing with ransomware requires the same kind of rigor as dealing with any malware he said. Machines or instance, need to be kept up to date, and software needs to be properly patched and updated.
“Networks on which these computers operate can be proxied through devices that prohibit communications with known-bad network addresses,” he said. “And the end users themselves need to be a little less credulous and treat email with greater care and a degree of mistrust.”