2016 saw a rapid rise to prominence of ransomware, with estimates of $1 billion in proceeds going to ransomware threat actors making it a major crime activity. I’ve written before about ransomware (here, here and here) – this post looks at interesting recent developments.
Approximately 40% of spam emails now contain ransomware attacks. Ransomware infections rely on exposing their presence in order to coerce the victim into paying the ransom, whereas other malware infections such as Remote Access Trojans (RATs), key loggers and botnets, operate with stealth.
A few weeks ago, the San Francisco transport system was taken offline by ransomware, causing widespread disruption of ticketing services.
Ransomware targets both consumers/individuals and enterprises, with consumers accounting for 57% of victims. Parents are more likely to pay ransom demands because of the potential loss of photographs of their children.
Many ransomware variants utilise dynamic pricing models, varying the ransom amount according to the geographical location of the infection and whether the victim is an individual or an enterprise. Extortion amounts are higher for enterprises and for victims in richer countries. Ransom demands often increase once deadlines have passed. However, F-Secure found that victims who negotiate with their attacker can generally haggle down the ransom price.
Ransomware developers have also created a method of embedding their malware in image files which are uploaded to social networking sites such as Facebook and LinkedIn. Known as ImageGate, the method exploits a misconfiguration in the social media infrastructure that forces a download of the image. If the user clicks on the downloaded file, the ransomware is activated.
Popcorn Time ransomware takes a novel approach to expanding its infection base. The malware informs the victim that they have two options: either pay the ransom, or infect two additional people and receive a free decryption key. This is an attempt to create a criminal pyramid scheme using multi-level marketing techniques. The method is unlikely to be effective – deliberately infecting others is a criminal offence, and the average user is likely to leave transparent tracks allowing easy identification by law enforcement.
The No More Ransom project is a repository for victim advice and decryption tools – a kind of “self-help support group” where ransomware victims can hang out. It is a useful initiative by Intel, Kaspersky, the Dutch Police, Europol, Amazon and Barracuda, and others.
Ransomware will continue to dominate throughout 2017 due to the ease with which attackers can monetise an infection. We expect to see increased efforts to evade detection, an increase in the specific targeting of victims with more attacks directed at enterprises and critical infrastructure, and more sophistication of ransomware attacks.