The evolution of crime continues to push itself into the cyber world. Physical criminal operations are now learning to walk again as our generation continues to get its feet wet in the digital age. The low risk, high reward incentive involved with cybercrime opens the flood gates for criminal pioneers to evolve their financially motivated heists. In this blog I will discuss the evolution of ransomware, which is essentially just kidnapping information and extorting money from the vulnerable, technology-dependent citizens of society.
Growth of Crypto-Ransomware
As the wealth of information increases so does the dependency on it, which is why hackers are willing to exploit that dependency for their own economic benefit. Crypto-ransomware is the class of malicious software that encrypts a victim’s most important files and holds them hostage until a payment is made to the hacker. Over the past decade we’ve seen ransomware attack methods advance in technique and increase in profit. Earlier variants of this malware were more contained, less costly, and easier to detect. Over time capabilities have progressed from just locking a victim’s computer screen, to encrypting files, to encrypting the keys that decrypt the files, and so on. Professional hacking organizations are now starting to leverage the nearly invincible malware variants, such as TorrentLocker and CryptoWall (which I will discuss in more detail later), and grow their disjointed criminal activity into coordinated business operations. Case studies have shown actual support teams within these syndicates that are on-call 24/7 and have live chat forums set up to guide victims through the payment process. After all, the criminals don’t get paid unless the victims cooperate. To add to the professionalism of their mission, web pages are organized to look more legitimate, and new features allow victims to test the decryption tools for free on a sample file to ensure authenticity.
Similar to any other “business,” as the tools used in their operations become more advanced, the revenue generated per attack also increases. In the early days of ransomware, it wasn’t uncommon to charge the average victim a fee of around 12 dollars. But as the malware evolved and spread globally, the money started to flow in greater quantities. For example, in a Trend Micro study done on TorrentLocker attacks in Australia, the base price for a decryption key was set at just under 600 US dollars. On top of that, the price doubles if it’s not paid within 96 hours. You’re probably reading that number and thinking that people must be crazy to pay such a large sum just to regain Word documents written three years ago and their John Mayer “Continuum” album from 2006. But when hackers start to go after larger targets, like companies, with more sensitive information, the demand goes up along with the price. Meanwhile, victims are stuck “waiting on the world to change” while professional cyber criminals continue to improve the stealth and effectiveness of their operations.
TorrentLocker - CAPTCHA Code Infection Chain
The social engineering behind recent attacks has increased infection rates substantially. TorrentLocker, for instance, has been successful in the ANZ region due to several targeted campaigns that mimicked Australian government/postal websites in order to lure victims to malicious sites. The infection chain involves a three-step process:
In the first phase, attackers compromise web servers and inject a redirect rule that constantly changes the URL addresses to avoid detection. Eventually victims are led to a legitimate-looking landing page on a domain the hackers registered using the official addresses, phone numbers, and other details of the organization they were posing as at the time; in doing so, the hackers also further disconnect themselves from the crime. Once on the “government” site, victims are required to complete an easy-to-read CAPTCHA verification test in order to download files with “urgent” information. After the code is entered, the downloaded file extracts and executes TorrentLocker, which encrypts files with extensions such as .DOCX, .PDF, and .ZIP. TorrentLocker is gaining popularity with its unique use of CAPTCHA codes, and regularly updated blacklists help it encrypt more files; we’ve seen it propagate to many European countries too. Security experts at Trend Micro advise users to be very cautious when receiving any CAPTCHA codes from email links or attachments.
CryptoWall - AES/RSA Encryption
The more ubiquitous variation of crypto-ransomware labeled “CryptoWall” has been used to exploit unwary businesses in North America. A recent Trend Micro report on CryptoWall covered a campaign in which hackers emailed phony resume documents to businesses, posing as recent college graduates. The strategic timing and design of this socially engineered attack made it difficult for recipients to realize that they were being attacked. Unsuspecting employers were tricked into clicking on what they thought were resumes, but which actually turned out to be crypto-ransomware-carrying attachments. Once downloaded, you know how the rest goes. What made this attack interesting, however, were the lengths the malware went to in order to cover its tracks. The most current version, “CryptoWall 3.0,” uses AES to encrypt the files and then RSA to encrypt that AES key, making it even more difficult for a victim to recover the decryption key. Previously, targets of crypto-ransomware attacks at least had a chance to locate the single key and reverse the encryption without paying. With the RSA private key held only by the hackers, decrypting the files without paying is very unlikely, and most likely impossible.
What to Expect
Along with social engineering, two-tier encryption methods, and evolving malware, bad guys are improving their stealth with each operation. They continue to lurk in the shadows by using Tor-based sites to communicate with victims and process ransom payments, routing traffic through hundreds or thousands of compromised websites, deleting the shadow copies of every encrypted file, and, in some cases with TorrentLocker, using the name “CryptoLocker” to confuse users analyzing traffic logs after an attack. Expect to see an increase in mobile ransomware attacks as more business affairs are conducted through portable devices. The underground market for buying and selling ransomware is huge, and we must acknowledge that cyber criminals and nation-state attackers have been adopting the latest variants, like CryptoWall and TorrentLocker, into their operations to carry out widespread attacks.
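Of the stealth techniques listed above, deleting shadow copies is the one that leaves a crisp host-level trace. Below is an added detection example (not code from the original post or from Trend Micro) that runs over constructed Sysmon-style process-creation events and flags shadow-copy destruction, escalating when the parent process runs from a user-writable location such as a dropped email attachment would.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\resume.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Command-line shapes that destroy Volume Shadow Copies. Merely listing
# shadows is routine administration and is deliberately not matched.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I),
)

# Parent locations a dropped attachment typically runs from; a shadow-copy
# wipe spawned from here is escalated because admins rarely script from Temp.
USER_WRITABLE_PARENT = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)

def classify(event):
    """Return None for benign events, else a dict describing the alert."""
    cmd = event.get("CommandLine", "")
    if not any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        return None
    parent = event.get("ParentImage", "")
    severity = "high" if USER_WRITABLE_PARENT.search(parent) else "medium"
    return {"rule": "shadow_copy_deletion", "severity": severity,
            "parent": parent, "command": cmd}

def scan(events):
    """Run the rule over an iterable of events and return the alerts raised."""
    return [a for a in (classify(e) for e in events) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['command']}  <- {alert['parent']}")
```

Because these commands almost always run moments before or during mass encryption, an alert here is an early signal to isolate the host and check backups before the ransom note appears.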
“Ransomware is flourishing as the criminal community appreciates its viability and the ease by which ransomware can be shared,” says Tom Kellermann, chief cybersecurity officer at security firm Trend Micro. “The most troubling evolution is the migration to mobile ransomware.”
Crypto-ransomware criminals continue to make money off victims with their scare tactics and advanced malware. The fast-moving, well-executed campaigns we’ve seen in regions like EMEA, ANZ, and North America in particular prove that we need to adopt a new approach to defending our information. There’s no single solution that provides complete protection. We need to be able to identify how, where, when, and why a threat operates. It’s essential that businesses partner with cyber security companies, like Trend Micro, that have the breadth and knowledge to defend against crypto-ransomware threats. We have a team of over 2,000 threat researchers globally who combine automated big data analytics with human expertise to provide actionable intelligence to security procedures. It takes a combination of both to collect, analyze, and respond to the most urgent threats of today. The price of these attacks will only go up as hackers seize the opportunity for serious financial gain. In order to remediate this problem, we must combine defense technology with human interaction to create a smarter method of protection and keep our information safe from cyber kidnappers.