No End In Sight For Ransomware

The Department of Justice’s Operation Tovar in June 2014 may have led to the takedown of the notorious botnet GameOverZeus and one of its moneymaking payloads, CryptoLocker, but make no mistake about it: We haven’t seen the end of ransomware. It seems that threat actors are getting more brazen about their exploits in an effort to make easy money. Ransomware, particularly Kovter, is on the rise.

Ransomware, which restricts access to a computer system and demands that the user pay to regain control, has been around for decades. The first known ransomware was the 1989 AIDS Trojan written by Joseph Popp. More recently, CryptoLocker rose to fame thanks to its delivery mechanism, GameOverZeus (GoZ).

The increase in ransomware we have seen over the past 18 months is in both newer ransomware variants and copycats, such as Cryptolocker and Cryptowall, as well as an increase in the prevalence of ransomware infections in general, including old standbys such as Urasy and Reveton.  

Kovter in particular has shown sharp growth this year. Kovter is a screenlocker or systemlocker, rather than a file encrypter like Cryptowall. It masquerades as being from law enforcement authorities and threatens police action. Kovter specifically targets users whose systems include adult websites in the browsing history or images in cache -- but no one is safe.

If Kovter fails to find "evidence" that the user has accessed adult content, the malware manufactures fake proof by redirecting the browser to a randomized adult website where it logs the history and retrieves content. The content is then presented on a splash screen, along with a message. Users are warned of having broken the law and must pay a fine to regain use of the system. If they don’t pay up, the message says, they will be subject to higher fines and possibly jail time.

Ransomware uses payment methods that give threat actors easy access to untraceable funds. For example, in the US, Kovter uses the prepaid card MoneyPak, and Ukash and paysafecard outside the US. However, paying the ransom does not remove the malware from an infected system, nor does it restore computer functionality.

During the height of Kovter activity in June, Damballa’s Threat Research team saw infections reached 43,713 on a single day. While we are still collecting comprehensive data for Q3, so far we have seen the peak daily infection count reach 59,589 unique infected victims in a single day, putting it 36% ahead of the peak count we saw in Q2.   

Given the ease with which threat actors can extort their victims, it’s safe to say that we haven’t seen the end of ransomware. If you or your users become a victim, use trusted sources and tools to remediate infections. Report computer-related crime to your local, state, federal or other authorities. Complaints can also be filed with the Internet Crime Complaint Center (IC3). A partnership between the FBI and the National White Collar Crime Center, IC3 can help determine which law enforcement agencies should be involved in the criminal investigation.