2015 Ransomware Wrap-Up
Here's a rundown of the innovative ransomware that frightened users and earned attackers big bucks this year.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt4809b88b35a35095/64f0dcd119d32772b6672545/ransomnote.jpg?width=700&auto=webp&quality=80&disable=upscale)
It's been a banner year for ransomware operators...and a nerve-wracking one for anybody responsible for securing endpoints.
Although some of the malware may issue empty threats, some of it has proven just as nasty as it claims. Researchers found that 30 percent of organizations admitted they'd pay ransom requests, and even multiple police departments have succumbed to them when nobody was able to recover their encrypted files or their backups.
In 2015 ransomware operators were innovative not only with their code but with their business models - and estimates of their returns on investment indicate that business is booming.
Here's a quick rundown of the new ransomware that hit the scene in 2015.
In possibly the most highly targeted ransomware attack, the Pacman ransomware only went after Danish chiropractors.
Pacman used phishing messages claiming to come from someone who had just moved into the area and was looking for a chiropractor. The message contained links to Dropbox files, which the sender described as medical image files but which were actually ransomware.
The malware was also very difficult to remove, because it was equipped with kill-process capabilities that shut down Windows functions like Task Manager.
Tox was the first to take the ransomware business model in a new direction. The toolkit for building and operating the Tox ransomware is free to set up and use, but the site hosting the ransomware takes a 20 percent cut of the profits.
The malware itself isn't particularly sophisticated, yet its ease of use is innovative. Users register with the Tox site -- which runs on the Tor network -- enter the amount in Bitcoins they'd like to demand of victims, send out the standard ransom message provided by the service, and provide a Bitcoin address to receive payments.
Chimera first appeared in September and has recently been building a ransomware-as-a-service business, taking a 50 percent cut of the profits. What's particularly intriguing is that Chimera is recruiting its new ransomware operators from an unlikely population: their victims.
The bottom of the Chimera ransom message includes the invitation, "Take advantage of our affiliate program!" Secure contact information is tucked into the malware's source code.
Chimera is also the first ransomware to add a doxing threat to the mix. Although it might not actually have the technical capability to do so, Chimera states that it will publish a victim's files if they don't pay up.
Then of course, there's CryptoWall, the big daddy. 2015 kicked off with a new variant of CryptoWall 2.0 that was full of new tricks. It used Tor for command-and-control traffic and could execute 64-bit code from its 32-bit dropper.
When CryptoWall 3.0 arrived on the scene, it was more streamlined and then spread mostly through exploit kits. CryptoWall 3.0 made $325 million in extortion payments in just the first 10 months, according to reports.
Then this fall, CryptoWall 4.0 appeared, using a very different style of ransom note. It was less of a classic "give me all your money" stick-up and more like a combination of a welcome and a threat from a particularly vicious homeowners' association -- urging community members to buy a $700 "software package" to decrypt their files...then urging more strongly.
The ransom note cheerily begins "Congratulations! You have become part of large community CryptoWall!" Yet, it ends with quite a different tone: "In case if these simple rules are violated we will not be able to help you, and we will not try because you have been warned."
CryptoWall 4.0 also upped the creepiness factor by encrypting the filenames in addition to the files.
What do ransomware operators have in store for us in 2016? Only time will tell, but the impressive return on investment and the increasing popularity of cyber-extortion in general does not bode well for end users or the organizations with an ever-expanding number of endpoints to secure.