Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:30 PM
Connect Directly

Most Ransomware's Not So Bad

Although some ransomware is getting smarter and scarier, most of it is pretty dumb, as one researcher will show at Black Hat.

While some researchers point out how ransomware is quickly growing more sophisticated, Engin Kirda says the lion's share of ransomware seen in the wild isn't so clever.

"People are making it sound like it's so bad it can't be detected," says Kirda, chief architect and co-founder of Lastline and a computer science professor at Northeastern University. "I just want to set it in perspective."

At Black Hat Las Vegas next month, in his session "Most Ransomware Isn't As Complex As You Might Think," Kirda will present his findings from looking at a broader selection of ransomware samples. He'll show what they can and can't do, and how they could be detected.

Certainly, Kirda acknowledges, there are cases when truly clever cryptoransomware confounds security forensics companies. In April, the Tewksbury, Mass. police department paid a $500 ransom to CryptoLocker operators after private information security firms, the Department of Homeland Security, and the FBI all failed to decrypt locked files (which included backups) after five days of trying.

Similarly, Kirda says that cases like the WIPALL wiper malware -- which locked the client machines at Sony Pictures Entertainment, made mysterious requests, then later wiped all the machines -- have led some people to the perception that malware is frequently used in targeted attacks.

Yet, targeted attacks aren't really the ransomware M.O.  -- unlike kidnappers, ransomware operators go for volume, asking many targets for modest sums. 

"Who do you make money from? You make money from normal people," Kirda says, and most ransomware is simply "good enough for normal people."

Kirda says that although ransomware technology could be used for very nasty attacks, in the majority of cases, the payloads aren't actually very sophisticated. Even CryptoWall, which the FBI called "the most current and significant ransomware threat targeting U.S. individuals and businesses," has different families, some of which are equipped with the most nefarious capabilities and others that aren't.

In a lot of cases, Kirda says, they don't run in kernel level; just the regular application layer. They might use encryption, but they'll use weak algorithms and poorly implement them.

"They do encryption, but they do a terrible job of it," he says.

Other ransomware doesn't even have the capabilities it claims to have; it's just bluffing, says Kirda. It might threaten that it's going to delete data that it doesn't actually have the ability to delete.

"It's more like scareware [than ransomware]," says Kirda, "but the [regular] user doesn't know that."

Kirda thinks there are better ways to stop ransomware -- ways he plans to outline in his Black Hat session.

Among these methods is behavior-based detection and watching for how files change. Of course, that requires a move up from simply signature-based anti-virus -- something that has been a tough sell even in the business world, much less the consumer world.

"Some of the technology we have right now, it's not targeted to normal users," says Kirda. He hopes behavior-based detection will make the jump to the consumer market soon, because it could make a big difference against ransomware.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-27
In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1.
PUBLISHED: 2020-05-27
Sympa before 6.2.56 allows privilege escalation.
PUBLISHED: 2020-05-27
Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.
PUBLISHED: 2020-05-27
Fork before 5.8.3 allows XSS via navigation_title or title.
PUBLISHED: 2020-05-27
Centreon before 19.10.7 exposes Session IDs in server responses.