Most Ransomware's Not So Bad

Although some ransomware is getting smarter and scarier, most of it is pretty dumb, as one researcher will show at Black Hat.

While some researchers point out how ransomware is quickly growing more sophisticated, Engin Kirda says the lion's share of ransomware seen in the wild isn't so clever.

"People are making it sound like it's so bad it can't be detected," says Kirda, chief architect and co-founder of Lastline and a computer science professor at Northeastern University. "I just want to set it in perspective."

At Black Hat Las Vegas next month, in his session "Most Ransomware Isn't As Complex As You Might Think," Kirda will present his findings from looking at a broader selection of ransomware samples. He'll show what they can and can't do, and how they could be detected.

Certainly, Kirda acknowledges, there are cases when truly clever cryptoransomware confounds security forensics companies. In April, the Tewksbury, Mass. police department paid a $500 ransom to CryptoLocker operators after private information security firms, the Department of Homeland Security, and the FBI all failed to decrypt locked files (which included backups) after five days of trying.

Similarly, Kirda says that cases like the WIPALL wiper malware -- which locked the client machines at Sony Pictures Entertainment, made mysterious requests, then later wiped all the machines -- have led some people to the perception that malware is frequently used in targeted attacks.

Yet, targeted attacks aren't really the ransomware M.O. -- unlike kidnappers, ransomware operators go for volume, asking many targets for modest sums.

"Who do you make money from? You make money from normal people," Kirda says, and most ransomware is simply "good enough for normal people."

Kirda says that although ransomware technology could be used for very nasty attacks, in the majority of cases, the payloads aren't actually very sophisticated. Even CryptoWall, which the FBI called "the most current and significant ransomware threat targeting U.S. individuals and businesses," has different families, some of which are equipped with the most nefarious capabilities and others that aren't.

In a lot of cases, Kirda says, they don't run at the kernel level, just in the regular application layer. They might use encryption, but they use weak algorithms and implement them poorly.

"They do encryption, but they do a terrible job of it," he says.

Other ransomware doesn't even have the capabilities it claims to have; it's just bluffing, says Kirda. It might threaten that it's going to delete data that it doesn't actually have the ability to delete.

"It's more like scareware [than ransomware]," says Kirda, "but the [regular] user doesn't know that."

Kirda thinks there are better ways to stop ransomware -- ways he plans to outline in his Black Hat session.

Among these methods are behavior-based detection and watching how files change. Of course, that requires a move up from simply signature-based anti-virus -- something that has been a tough sell even in the business world, much less the consumer world.

"Some of the technology we have right now, it's not targeted to normal users," says Kirda. He hopes behavior-based detection will make the jump to the consumer market soon, because it could make a big difference against ransomware.
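To make the "watch how files change" idea concrete, here is an added example (not code from Kirda, Lastline, or Dark Reading) of a small behavior-based detector. It consumes a constructed stream of file-write events and flags a process that rewrites many distinct files in a short window with high-entropy contents or a changed extension, the kind of bulk activity an application-layer encryptor produces. The event format, the thresholds, and the sample events are all assumptions made for the example.

```python
"""Toy behavior-based ransomware detector (added example, not a product's code).

Input: a constructed stream of file-write events (timestamp, pid, source path,
destination path, bytes written). A process is flagged when its suspicious
writes touch at least MIN_FILES distinct files within WINDOW_SECONDS, where a
write is suspicious if the data is high-entropy (ciphertext-like) or the file
extension changed. All thresholds below are assumptions for illustration.
"""
import math
import os
import random
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10.0    # sliding window per process (assumption)
MIN_FILES = 5            # distinct files rewritten within the window (assumption)
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext is close to 8.0 (assumption)


@dataclass
class WriteEvent:
    t: float      # seconds since monitoring started
    pid: int      # writing process
    src: str      # path the process read or renamed
    dst: str      # path it wrote (equal to src for an in-place overwrite)
    data: bytes   # bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious_write(ev: WriteEvent) -> bool:
    """A write looks like encryption if the extension changed or the data is near-random."""
    ext_changed = os.path.splitext(ev.dst)[1] != os.path.splitext(ev.src)[1]
    return ext_changed or shannon_entropy(ev.data) >= ENTROPY_THRESHOLD


def detect(events):
    """Return one alert per process whose suspicious writes cover MIN_FILES
    distinct source files inside a WINDOW_SECONDS sliding window."""
    recent = defaultdict(deque)   # pid -> deque of (t, src) for suspicious writes
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        if not is_suspicious_write(ev):
            continue
        q = recent[ev.pid]
        q.append((ev.t, ev.src))
        while q and ev.t - q[0][0] > WINDOW_SECONDS:   # drop writes older than the window
            q.popleft()
        touched = {path for _, path in q}
        if len(touched) >= MIN_FILES and ev.pid not in alerted:
            alerted.add(ev.pid)
            alerts.append({"pid": ev.pid, "t": ev.t, "files": sorted(touched)})
    return alerts


def constructed_events():
    """Constructed sample stream: a benign editor plus a ransomware-like process."""
    rng = random.Random(1)  # seeded so the high-entropy blobs are reproducible
    events = []
    # Benign: an editor saves six separate notes over twelve seconds; the
    # contents are plain text (low entropy) and the extension is unchanged.
    for i in range(6):
        path = f"/home/u/notes{i}.txt"
        events.append(WriteEvent(2.0 * i, 100, path, path,
                                 b"meeting notes, nothing to see here\n" * 20))
    # Ransomware-like: six documents rewritten within three seconds as
    # near-random bytes under a new extension.
    for i in range(6):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(WriteEvent(20.0 + 0.5 * i, 666,
                                 f"/home/u/doc{i}.docx",
                                 f"/home/u/doc{i}.docx.locked", blob))
    return events


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(f"ALERT pid={alert['pid']} at t={alert['t']}s: "
              f"{len(alert['files'])} files rewritten")
```

The benign editor touches six files inside one window but never trips the check, because its writes are low-entropy and keep their extension; the second process is flagged on its fifth file. A real deployment would feed events from a filesystem filter or audit log rather than a constructed list, and would tune the thresholds against legitimate bulk writers such as backup and compression tools.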

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
