Ransomware has quickly become the scourge of cyber security experts everywhere. Hospitals, financial institutions, schools, law enforcement agencies and a wide array of other organizations have been crippled time and again by this prolific extortion tactic. In fact, one hospital in Southern California was forced to pay a ransom of $17,000 in bitcoin earlier this year to unlock its forcefully encrypted files. In March, a South Carolina school district forked over nearly $10,000 to regain access to network data. Combined, that's an alarming total of nearly $27,000.
And yet, it hardly compares to the staggering total that cyber criminals managed to shake out of victims in only the first few months of 2016. According to CNN, the FBI estimated that as of the beginning of April, cyber attackers had collected $209 million using ransomware. The report added that at this pace, ransomware-related cyber crime would become an illegal, billion-dollar industry by the end of the year.
To make matters worse, the ransomware landscape seems to be getting more threatening by the day. New strains are constantly being released, as hackers go head-to-head in a race to infect and extort as many victims as possible. In particular, the rock stars of the ransomware world, such as Locky, CryptXXX and SamSam, have wreaked havoc all over the world.
However, it's not just the big-name threats that are at play anymore. Much like any competition for market share, the ransomware economy has a dark horse in the running. It's called Crysis, and what a crisis it has become.
TeslaCrypt tanks; Crysis rises
In early May, the authors of a notorious form of ransomware known as TeslaCrypt publicly released the encryption key, essentially rendering the malware useless to hackers. Any organization that is henceforth infected with TeslaCrypt need only do a quick internet search to solve the problem.
In the wake of TeslaCrypt's final bow, Trend Micro researchers noted that something interesting happened: Hackers who were previously using TeslaCrypt for their dark bidding started gravitating toward a different program called CryptXXX. This makes sense in a way. It's not unlike how, when support for one operating system ends, users migrate to a different operating system. However, we're not talking about legitimate software meant to serve businesses and consumers here. We're talking about nefarious malware meant to harm them.
But the battle for TeslaCrypt's malicious market share was only just beginning. In a more recent blog post, Trend Micro noted that despite enhancements being made to CryptXXX as well as Locky and Cerber – other nasty ransomware threats – to lay claim to TeslaCrypt's old customers, Crysis appears to be coming out ahead.
This is important for several reasons, the first being that Crysis had initially been categorized as a "low-profile" threat. As such, the malware has been able to surreptitiously spread, and as noted by Trend Micro, has "already shown signs of being more prevalent than Locky."
The second cause for concern is how Crysis works. Much like many of its counterparts, it is usually disseminated via spam emails, disguised as a non-executable file. It can also be spread through compromised websites that users may accidentally wander into. However, upon infection, Crysis encrypts an estimated 185 file types, and can even encrypt files that have no extension. In essence, this means that there's pretty much nothing it can't, or won't, encrypt. This is fairly uncommon in the ransomware world, where most threats target specific file extensions.
Trend Micro also noted that Crysis is an advanced persistent threat, as it lodges itself in the Windows Registry to survive reboots. The malware also "deletes the system's shadow copies, which serve as back-up copies of the computer's files or volumes."
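The two behaviours just described, registry persistence and shadow copy deletion, are visible in endpoint telemetry before files are encrypted, which is the window defenders care about. The detector below is an added example, not code from Trend Micro or from the original post: it runs simple rules over constructed process-creation and registry-write log lines. The `kind|target|detail` line format, the sample events, and the choice of the `CurrentVersion\Run` key as the persistence location are assumptions made for the example.

```python
import re

# Constructed sample telemetry, not real logs. Format: "kind|target|detail".
# For process events, target is the image and detail the command line;
# for registry events, target is the value path and detail the data written.
SAMPLE_EVENTS = [
    "process|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    "process|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "process|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
    "registry|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "|C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
]

# Command lines that remove Volume Shadow Copies (the built-in backups the
# article says Crysis deletes); both tools are standard Windows utilities.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Assumed persistence location: an autostart value under ...\CurrentVersion\Run.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# Autostart entries pointing into a user-writable profile directory are
# far more suspicious than those pointing at installed software.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


def analyze(lines):
    """Return (rule, evidence) tuples for every line that matches a rule."""
    alerts = []
    for line in lines:
        kind, target, detail = line.split("|", 2)
        if kind == "process" and any(p.search(detail) for p in SHADOW_COPY_DELETION):
            alerts.append(("shadow_copy_deletion", detail))
        elif kind == "registry" and RUN_KEY.search(target) and USER_WRITABLE.search(detail):
            alerts.append(("run_key_persistence", target))
    return alerts


def verdict(lines):
    """Escalate when both behaviours appear together on the same host."""
    rules = {rule for rule, _ in analyze(lines)}
    if {"shadow_copy_deletion", "run_key_persistence"} <= rules:
        return "ransomware-like: isolate host and verify offline backups"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
    print(verdict(SAMPLE_EVENTS))
```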
Needless to say, Crysis is a serious problem.
Symptomatic of an even greater concern
Crysis is scary, but what's more frightening than what it can do to a computer is the manner in which it has risen to the top. The dark web has always been a type of free-market economy in which hackers can buy and sell ransomware and other cyber threats. However, ransomware is essentially a market unto itself, which has been clearly illustrated by the apparent competition to capitalize on the demise of TeslaCrypt.
If the tenets of capitalism stay true to themselves in this dark market, we can only expect authors of ransomware to continue to up their game in an effort to stand out from the other vendors. As already mentioned, Locky, CryptXXX and Cerber all got upgraded right around the time that TeslaCrypt was retired – and this is no coincidence.
"Variants of CryptXXX, Locky and Cerber even went through major overhauls and had multiple, successive updates to expand their territories among infected users and organizations," Trend Micro noted. "They do so by introducing new capabilities such as network scanning, DDoS and information theft, adding more distribution methods and attack vectors, as well as selling the malware in the Deep Web as customizable toolkits for budding cybercriminals."
In other words, competition among cyber criminals to improve what has already been an extraordinarily lucrative cyber threat will only become fiercer over time. In the long run, this could mean that ransomware will only continue to become more difficult to stop.
As this happens, organizations must continue to step up their cyber security game. The best way to do this is to go directly for the main source of ransomware proliferation, which is email. A layered email security solution is the most effective way to identify malicious attachments and links before a message is opened. Suspicious attachments can then be detonated in a sandbox so the security solution can observe how they would affect a system. In this way, email protection accomplishes two things. First, it drastically decreases the likelihood that ransomware will ever reach a system. Second, it can help put organizations a little more at ease as they go about their day. This isn't to suggest that employees can let their guard down, but it certainly helps to know that a smart, layered cyber security solution has your back.
Remember, no strain of ransomware should be underestimated. They're all vicious, and they all must be stopped with layered email protection. Don't wait until it's too late.