While ransomware has been around since 2005, recent variants released over the past three years represent a resurgence resulting in the fairly widespread extortion we see today. Due to its ease and speed of converting successful infiltrations into cash, ransomware is the current weapon-of-choice for online criminal gangs. Criminal syndicates are extorting millions of dollars. CryptoLocker generated $30m in 100 days. CryptoWall made $18m from only 1000 victims. Angler ransomware earns $5m per month for its operators. That’s a lot of loot, and it is spurring online gangs on. This past week, the US House of Representatives started blocking YahooMail due to the large number of ransomware attacks coming through the network.
Ransomware is an attack on availability, the A in the CIA triad (Confidentiality, Integrity, Availability). Typically it does this either by encrypting data files (Crypto ransomware) or by locking the system (Locker ransomware), preventing the user from accessing their data. There are currently 68 different ransomware variants in the wild. Lately, Crypto ransomware has become more popular than the Locker variety – it is relatively easy to implement and practically impossible to circumvent. The ransom demands money (usually $300 to $500) in return for the decryption key or system unlocking key. DDoS attacks have also been associated with ransom demands, where the attacker conducts a small DDoS attack and demands payment in return for not escalating it.
A key component of the ransom is a payment method whereby the criminal cannot be traced. Bitcoin payment is often used, however gift cards are becoming increasingly popular. TrueCrypter demands payment in Amazon Gift Cards, whereas Cyber.Police ransomware asks for Apple iTunes gift cards.
ID Ransomware is a service where anyone can upload a copy of their ransom note or a sample encrypted file in order to find out which ransomware variant produced it and whether there are any known methods of recovering the data without paying the ransom. There are sometimes ways of circumventing a locked system, but Crypto ransomware tends to use the Windows CryptoAPI with RSA or AES encryption, making it impossible or impractical to decrypt the files. Occasionally, errors in the file encryption process used by the malware make decryption without paying the ransom possible.
Should victims pay the ransom? Conventional advice (such as this from the FBI) is that one should never do a deal with untrustworthy criminals, and that paying a ransom only funds future unlawful activity. However, payment of the ransom generally does produce the correct key, enabling the data to be decrypted. Although as a rule it is not a good idea to give in to extortion, on an individual level the value of the encrypted data enters the equation. A BitDefender study concluded that about half of individual victims would be prepared to pay a ransom of up to $500.
Ransomware highlights the need to keep regular backups of data files. This is not failsafe, however: an automatic backup process that mirrors the live files will overwrite the clean backup copy with the encrypted version once the original file has been altered by the malware, corrupting the backup as well.
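The failure mode described above is easy to reproduce. The following added example (not code from the original article) contrasts a naive mirror backup, which overwrites its only copy on every run, with a generation-based snapshot backup that keeps earlier copies and refuses to take a new snapshot when most of the changed files suddenly look like ciphertext (Shannon entropy close to 8 bits per byte). The directory layout, the `gen-NNNN` naming, the entropy threshold and the sample file contents are all constructed for the illustration; the "encrypted" data is a stand-in high-entropy byte pattern, not output of any real malware.

```python
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristics for this example: encrypted or compressed data sits near
# 8.0 bits/byte; ordinary documents and source code are usually well below 6.
ENTROPY_THRESHOLD = 7.5
MAX_SUSPICIOUS_FRACTION = 0.5   # halt if more than half of changed files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Crude ciphertext detector; very short files are ignored to avoid noise."""
    return len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD


def mirror_backup(src: Path, dst: Path) -> None:
    """Naive 'sync' backup: whatever is in src replaces the copy in dst.
    Once the originals are encrypted, the only clean copy is gone."""
    dst.mkdir(parents=True, exist_ok=True)
    for f in src.iterdir():
        if f.is_file():
            shutil.copy2(f, dst / f.name)


def versioned_backup(src: Path, dst: Path, generation: int) -> dict:
    """Snapshot backup: each run writes a new gen-NNNN directory and never
    touches earlier generations. Before writing, it compares against the
    previous generation and halts if the changed files look encrypted."""
    files = [f for f in src.iterdir() if f.is_file()]
    prev = dst / f"gen-{generation - 1:04d}"
    changed = []
    for f in files:
        data = f.read_bytes()
        old = prev / f.name
        if not old.exists() or old.read_bytes() != data:
            changed.append((f.name, data))
    suspicious = [name for name, data in changed if looks_encrypted(data)]
    if changed and len(suspicious) / len(changed) > MAX_SUSPICIOUS_FRACTION:
        # Do not snapshot: keep the last clean generation and raise an alert.
        return {"status": "halted", "suspicious": suspicious, "snapshot": None}
    snap = dst / f"gen-{generation:04d}"
    snap.mkdir(parents=True, exist_ok=True)
    for f in files:
        shutil.copy2(f, snap / f.name)
    return {"status": "ok", "suspicious": [], "snapshot": str(snap)}


def demo() -> dict:
    """Run both backup strategies before and after the working files are
    replaced with constructed high-entropy data (a stand-in for ciphertext)."""
    root = Path(tempfile.mkdtemp())
    src, mirror, versioned = root / "docs", root / "mirror", root / "versioned"
    src.mkdir()
    clean = {  # constructed sample documents
        "report.txt": b"Quarterly report: revenue up 4%, headcount steady.\n" * 20,
        "notes.md": b"# Meeting notes\n- backups reviewed\n- patching schedule agreed\n" * 10,
    }
    for name, data in clean.items():
        (src / name).write_bytes(data)

    mirror_backup(src, mirror)                       # first, clean run
    first = versioned_backup(src, versioned, 1)

    fake_ciphertext = bytes(range(256)) * 16         # exactly 8.0 bits/byte, constructed
    for name in clean:                               # working copies overwritten
        (src / name).write_bytes(fake_ciphertext)

    mirror_backup(src, mirror)                       # mirror silently follows along
    second = versioned_backup(src, versioned, 2)     # snapshot backup should halt

    result = {
        "first_run": first["status"],
        "second_run": second["status"],
        "mirror_still_clean": (mirror / "report.txt").read_bytes() == clean["report.txt"],
        "versioned_still_clean": (versioned / "gen-0001" / "report.txt").read_bytes()
        == clean["report.txt"],
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the example is the combination, not the entropy check alone: retaining earlier generations (in practice, immutable or offline copies) is what makes recovery possible, while the entropy heuristic only turns a quiet corruption of the backup into a loud halt. The heuristic will also trip on legitimately high-entropy files such as zip archives or JPEGs, which is why the example halts and reports rather than silently discarding anything.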
What is the future for ransomware? Attracted by much higher ransom demands, ransomware operators will increasingly target organisational networks. Criminal gangs will utilise their existing APT skills and experience; once an initial intrusion has been made (often through a spear phishing attack), the malware will spread laterally within the network to multiple end points and data servers and, on activation, encrypt everything, possibly even backups. The effects on organisations will be crippling, threatening their very existence. Earlier this year, a Hollywood hospital paid a $17K ransom after data on several end points and a shared server was encrypted. A TeslaCrypt ransomware attack on an online casino’s shared data storage server is documented here. It is only a matter of time before we hear news of the crippling effects of a major organisational ransomware attack.
Ransomware will become a real threat to IoT environments, where individuals could be locked out of their house, car, TV or other devices. In an IIoT environment the implications are far more serious still: operators could be locked out of a nuclear power plant system, a building maintenance system, or an air traffic control system.
As with Somali sea pirates, ransom demands from online gangs will increase to millions and tens of millions of dollars as this form of extortion expands.