First the good news. In November 2015, Kaspersky announced that the CoinVault and Bitcryptor ransomware families were effectively dead: the alleged authors had been arrested and all 14,000 decryption keys were released. But as we noted in our blog post “Cyber Security Predictions for 2016”, ransomware is a growing menace, because it is a big moneymaker for cybercriminals. The malware uses strong encryption to keep users from recovering their files unless they pay a ransom. Be warned: even if you pay, there is no guarantee the attackers will deliver a working key.
There are many families of ransomware, including CryptoWall, CryptoLocker, TorrentLocker, Chimera, TeslaCrypt and CTB-Locker. A new entrant is Ransom32, touted as the first ransomware written in JavaScript.
They’ll post my data online?
A recent trend is the threat to post the victim's data and photos online unless the ransom is paid. This has been seen most often with Chimera. Most security analysts consider it a scare tactic, for three reasons:
- Publishing the files would hand the victim a free copy of the very data the ransom is supposed to buy back, which defeats the purpose of the attack.
- Exfiltrating user files generates traffic and storage that make the operation much easier to trace. A ransomware operator, like any criminal, does not want to get caught.
- Attackers want a quick payoff. Sifting through a lot of kitten photos in search of marketable personal information is slow work.
Ransomware is not just for Windows anymore
In the past ransomware largely affected Windows machines. But Linux is a tempting target because so many servers run it, and a compromised server can be used to distribute the malware further. In November 2015, Malwarebytes reported a new variant of Linux ransomware, bringing the total to four. The new ransomware demands up to $999 from any victim who is not a citizen of Russia or the Commonwealth of Independent States.
Ransom32 makes multiplatform attacks easier
Ransom32 is the first ransomware written in JavaScript, which makes it easy to build versions for Windows, Linux and Mac OS X from a single code base (so far only a Windows build has been seen in the wild). Setting up a campaign is easy: log in to the web interface and click the “Download client.scr” button. The resulting client.scr is a 22-MB WinRAR self-extracting archive (ransomware droppers are normally under 1 MB). Inside the archive is a packaged NW.js JavaScript application, that is, a bundled Chromium/Node.js runtime plus the malicious script.
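The dropper's shape (a .scr that is really a WinRAR self-extracting archive, far larger than usual, carrying an NW.js bundle) is something a mail gateway or triage script can check for before anything is executed. The following is an added illustration, not code from the article or from any vendor: the RAR signatures are the documented archive markers, while the NW.js file names (nw.pak, package.json), the 1-MB threshold and the constructed sample bytes are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Triage heuristics for a Ransom32-style dropper: a .scr that is really a
// WinRAR self-extracting archive carrying a packaged NW.js application.
// Marker strings and the size threshold are assumptions for this
// illustration, not vendor signatures.

// rarMarkers are the archive signatures that follow the SFX stub.
var rarMarkers = [][]byte{
	[]byte("Rar!\x1a\x07\x00"),     // RAR 1.5-4.x
	[]byte("Rar!\x1a\x07\x01\x00"), // RAR 5
}

// nwMarkers are file names a packaged NW.js app ships with (assumption).
// RAR stores file names in clear in its headers even when contents are compressed.
var nwMarkers = []string{"nw.pak", "package.json"}

// sizeThreshold reflects the observation that droppers are normally
// under 1 MB while client.scr weighs 22 MB.
const sizeThreshold = 1 << 20

// Triage returns every heuristic that fires for the given file name and bytes.
func Triage(name string, data []byte) []string {
	var reasons []string
	if strings.HasSuffix(strings.ToLower(name), ".scr") && bytes.HasPrefix(data, []byte("MZ")) {
		reasons = append(reasons, "PE executable delivered as a .scr screensaver")
	}
	for _, m := range rarMarkers {
		// Offset > 0 means the archive sits behind an executable stub, i.e. an
		// SFX, rather than a plain .rar that begins with the signature.
		if i := bytes.Index(data, m); i > 0 {
			reasons = append(reasons, fmt.Sprintf("RAR archive embedded at offset %d (self-extracting)", i))
			break
		}
	}
	for _, m := range nwMarkers {
		if bytes.Contains(data, []byte(m)) {
			reasons = append(reasons, "NW.js bundle file name present: "+m)
		}
	}
	if len(data) > sizeThreshold {
		reasons = append(reasons, fmt.Sprintf("unusually large for a dropper: %d bytes", len(data)))
	}
	return reasons
}

// IsSuspicious requires the SFX indicator plus at least one more, so a
// legitimate screensaver or a large installer alone does not trip it.
func IsSuspicious(name string, data []byte) bool {
	reasons := Triage(name, data)
	sfx := false
	for _, r := range reasons {
		if strings.HasPrefix(r, "RAR archive") {
			sfx = true
		}
	}
	return sfx && len(reasons) >= 2
}

// SampleDropper builds a constructed stand-in for client.scr: a fake PE stub,
// a RAR signature, header text naming the NW.js files, and padding past 1 MB.
func SampleDropper() []byte {
	var b bytes.Buffer
	b.WriteString("MZ")
	b.Write(make([]byte, 512)) // stub padding
	b.Write(rarMarkers[0])
	b.WriteString("\x00\x00package.json\x00\x00nw.pak\x00\x00app.js\x00")
	b.Write(make([]byte, sizeThreshold)) // compressed payload stand-in
	return b.Bytes()
}

func main() {
	for _, r := range Triage("client.scr", SampleDropper()) {
		fmt.Println(" -", r)
	}
	fmt.Println("suspicious:", IsSuspicious("client.scr", SampleDropper()))
}
```

This is first-pass triage only: a production pipeline would unpack the SFX and read the NW.js package.json to find the entry script, and the size rule by itself will fire on plenty of legitimate installers.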
CryptoLocker – which one?
CryptoLocker first appeared in 2013. In May 2014, a coalition of law-enforcement agencies and security companies seized the worldwide network of hijacked home computers (the Gameover ZeuS botnet) that was being used to spread it. While the cybercriminals were transmitting their key database for backup, the authorities intercepted it. As a result, all of the estimated 500,000 CryptoLocker victims can now recover their encrypted files without paying a ransom.
Original CryptoLocker continues to claim new victims
An interesting aside: the original CryptoLocker continues to claim new victims. Early in 2015, American Electric Power, the largest power grid operator in the US, was infected when a supervisor opened a personal email on a company laptop. In addition, since November 2015 there is also a “CryptoLocker Service”, a ransomware-as-a-service offering that lowers the cost of running a campaign: $50 up front, a ten percent commission on each ransom paid, and a fee for payload customization. Although the developer also calls his software CryptoLocker, he says it shares nothing with the older malware.
TorrentLocker
Judging by several IT forum threads, small and medium-sized businesses saw mainly CryptoWall and TorrentLocker attacks in the fall of 2015. TorrentLocker is known for spear-phishing emails purporting to come from delivery services and utilities; in Australia the lures were bogus speeding fines from the Australian Federal Police. TorrentLocker targets individuals as well as businesses.
CTB Locker
Curve-Tor-Bitcoin (CTB) Locker is spread via bulk spam campaigns rather than spear phishing. Unlike most other ransomware of its time, it does not need to contact a command-and-control server before it starts encrypting files: the operator's public key is embedded in the sample, so there is no key exchange to observe on the wire and no beacon for network monitoring to catch before the damage is done. Its distinguishing feature is a reliance on elliptic-curve cryptography (ECC), which needs a much smaller key than RSA for equivalent strength. The operators also use the ransomware to recruit CTB Locker “affiliates” from among their victims, accelerating the malware's spread.
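Why an embedded curve public key lets the malware work fully offline is easiest to see in code. The following is an added model of that key flow, not CTB Locker's own code and not taken from the article: the operator's private key stays with the attacker, the victim side runs with nothing but the embedded public key, and per-file ephemeral keys mean nothing left on disk can recompute the file key. The choice of X25519 for the agreement, SHA-256 as the key derivation function and AES-256-GCM for file contents are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Model of the offline key flow: the operator's curve public key is embedded
// in the malware, so a victim's files can be encrypted with no network
// round-trip, and only the operator's private key can undo it. Assumptions
// for this illustration: X25519 agreement, SHA-256 KDF, AES-256-GCM.

// Operator is the attacker side; the private key never leaves it.
type Operator struct{ priv *ecdh.PrivateKey }

func NewOperator() (*Operator, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Operator{priv: priv}, nil
}

// EmbeddedPublicKey is the 32-byte value that would be compiled into the
// sample; the RSA-2048 equivalent would be a 256-byte modulus.
func (o *Operator) EmbeddedPublicKey() []byte { return o.priv.PublicKey().Bytes() }

// Blob is what is left on the victim's disk for each encrypted file.
type Blob struct {
	EphemeralPub []byte // victim-side one-shot public key
	Nonce        []byte
	Ciphertext   []byte
}

// newGCM derives the per-file AES key from the agreed secret.
func newGCM(shared []byte) (cipher.AEAD, error) {
	k := sha256.Sum256(shared)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptOffline runs on the victim with nothing but the embedded public key.
func EncryptOffline(embeddedPub, plaintext []byte) (*Blob, error) {
	curve := ecdh.X25519()
	opPub, err := curve.NewPublicKey(embeddedPub)
	if err != nil {
		return nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader) // fresh per file, discarded afterwards
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(opPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	ct := gcm.Seal(nil, nonce, plaintext, ephPub) // ephemeral key bound as AAD
	// eph goes out of scope here: nothing able to recompute `shared` survives.
	return &Blob{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the operator-side step that only the private key makes possible.
func (o *Operator) Decrypt(b *Blob) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(b.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := o.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, b.EphemeralPub)
	if err != nil {
		return nil, errors.New("wrong private key or tampered blob")
	}
	return pt, nil
}

func main() {
	op, _ := NewOperator()
	blob, _ := EncryptOffline(op.EmbeddedPublicKey(), []byte("constructed file contents"))
	pt, err := op.Decrypt(blob)
	fmt.Println(string(pt), err)
}
```

The defender's takeaway is in what the victim side never holds: the operator's private key is absent and the ephemeral private key is dropped after each file, so there is nothing to recover from memory or disk and no key exchange to capture on the network. Protection has to come from stopping the execution or from backups, not from watching for the C2 contact that earlier families needed before encrypting.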
TeslaCrypt
TeslaCrypt mimics the original CryptoLocker's ransom screen and was initially reported as a derivative of it, though it is a separate code base. It is reported to have the widest spread of infections across all countries, second only to CryptoWall. Most infections arrive through phishing and spam emails. Like much ransomware, TeslaCrypt obfuscates its code to evade detection; early versions also claimed to use RSA-2048 while in fact encrypting files with a symmetric AES key, which is what made free decryption tools for those versions possible.
Stay tuned... In Part 2 of this series, to be published on Wednesday, we examine the relative newcomer Chimera and the big daddy of ransomware, CryptoWall. Then we tackle the important question of how to protect yourself from ransomware.