The ransomware industry’s rapid evolution

May 2016

Patrick Vibert, Senior Consultant, Cyber Threat Intelligence, Control Risks

Introduction

The ransomware industry is exploding. For cybercriminals, it’s profitable, low-risk, and easily accessible. For CEOs, it’s a nightmare that conjures images of down networks, lost productivity, bad press, and angry calls from board members. Each day there seems to be a story of a new ransomware victim or variant, and hardly a week goes by without hearing about a new attack from an affected client, or from someone in our personal lives who has become infected by this weapon of mass extortion.

Control Risks, Dell, Symantec, and Forcepoint all rank ransomware among their top cyber threats for 2016.[1][2][3][4] This month, the US Computer Emergency Readiness Team (US-CERT) and the Canadian Cyber Incident Response Centre (CCIRC) released a joint warning on the increasing danger of ransomware to businesses and individuals.[5] In Q1 of 2015, McAfee Labs saw a 165% increase in ransomware. Due to its prevalence and profitability, ransomware is becoming unavoidable.

As the title of this piece indicates, ransomware is an industry. Like any industry, there are profits, customers, and competitors. As a result, ransomware operators seek to maximise their return on investment (ROI), successfully engage their customers, and win market share. This paper will examine the rise of the ransomware industry through a business lens. It will also provide mitigation strategies, summarise major developments, and look at where the threat might be going.

Background

Ransomware is a type of malware that blocks a user’s access to their data or programs until a ransom payment is made to cybercriminals. Devices usually become infected when a user unknowingly visits an infected website, or opens a malicious email attachment. Payment is usually demanded in Bitcoin,[i] with typical ransoms in the USD 300-500 range for individuals, and much higher amounts for businesses and other organizations.[ii]

There are two main types of ransomware: locking and encrypting. Locking ransomware simply blocks access to files and applications, while encrypting ransomware applies a cipher algorithm to scramble the data, making it unusable without the decryption key.

Once a device is infected, a message appears instructing the user to make a payment for the release of their data. At this point, the panicked user enters the following painful decision-making process:

[Diagram: the ransomware victim’s decision-making process]

Sometimes a victim will have a data backup system, only to find that it hasn’t been updated in over a year or, worse, is also corrupted with ransomware. As a result, the key to mitigating this threat is to have current, secure backups that are updated regularly, but are not persistently attached to the network where they could become infected.

Many of today’s ransomware operators are likely the same people behind the pharma spam epidemic of the early 2000s, when spammers clogged email inboxes with pharmaceutical offers.[6] These (mostly former Soviet) cybercriminals were experts at spamming and social engineering, which are two important skills for the large phishing[iii] campaigns that are critical to successful ransomware operations.

To combat the pharma spam menace, law enforcement officials targeted so-called bulletproof hosting services,[iv] dodgy pharmaceutical suppliers, and worldwide payment processing systems. But the rise of Bitcoin and Tor[v] makes that almost impossible. There is now no choke point to stop the flow of money, and it’s very difficult to identify where illicit services are hosted to shut them down.

Notable cases

Ransomware’s recent proliferation has led to some strange cases and important lessons. In 2013, after his computer became infected with the Reveton ransomware variant, an American paedophile turned himself in to authorities after a message appeared on his PC warning him that the FBI was aware of his activities and that he needed to pay a fine.[7]

In 2014, the ransomware story took a tragic turn when a Romanian man took his life and the life of his four-year-old son after his computer was infected with the IcePol ransomware variant. His laptop began displaying a banner showing a fake Romanian police logo, demanding he pay a fine of USD 21,000 or face 11 years in prison.[8]

Also in 2014, cybercriminals attempted to extort the city of Detroit for USD 800,000. City officials deemed the files non-critical and refused to pay.[9]

Police departments appear to be attractive targets for ransomware operations, with police in Illinois, Maine, Massachusetts and Tennessee all falling victim over the last two years.[10] In 2015, local police departments in Illinois and Massachusetts were forced to pay ransoms when their data was taken over by CryptoLocker and Cryptoware respectively (the police department in Massachusetts had assistance from the FBI, Department of Homeland Security, and two separate cyber security consulting companies).[11] In both cases, the backups were corrupted as well.[12]

This year, a South Carolina school district paid USD 10,000 in Bitcoin to regain access to their servers after they were infected with ransomware.[13] Meanwhile, an exemplary school district in New Jersey declined to pay their cyber extortionists after becoming infected with ransomware, as they were able to restore their servers from backups.[14] The two cases illustrate the criticality of maintaining secure, offline backups.

Also this year, we saw three high-profile ransomware attacks on medical centres.[15] No loss of life was reported as a result of the attacks, but the targeting of such a critical industry resonated with the public: the stories were widely reported in the press, and politicians began speaking out against the attacks. However, with the rise of ransomware as a service (RaaS)[vi] allowing many more people to engage in ransomware operations, it seems only a matter of time before serious real-world consequences occur from a ransomware infection.

The ransomware industry

As Control Risks has pointed out in the past, the cybercrime sector evolves in a similar manner to legitimate industries. It is a business driven by economics; operators are profit-driven and face stiff competition. As such, we’ve seen cybercriminals diversify their operations, segment their target markets, and improve their customer service to win more business.

Payment is usually demanded in Bitcoin, which most people have never used. As a result, cyber extortionists provide explicit step-by-step instructions to guide victims through the process, with one operation even offering a live-chat option.[16] Cyber extortionists tend to view their victims almost as customers, so the better customer service provided, the more likely their victims are to pay the ransoms.

Ransomware operations are highly profitable. A 2015 report by IT security company Trustwave estimated a 1,425% return on investment (ROI) for ransomware operations.[17] With the average ransom demand hovering around USD 300 to 500, it doesn’t take much to break even. Profitability relies on the number of people willing to pay ransoms. And pay they do, particularly in wealthier western countries, where victims are far more likely to send criminals money to regain access to their data.

A recent survey by Romanian security company Bitdefender found 33% of German ransomware victims paid attackers to recover their data, compared with 44% in the UK and 50% in the US.[18] McAfee puts the worldwide figure much lower, with about 7% of victims paying.[19] The true rate of payment is likely somewhere in the middle; in any case, it’s easy to understand why ransomware operations are so attractive to cybercriminals.

The rapid evolution of ransomware operations indicates an increasing level of innovation by cybercriminals keen to find new ways to profit from these attacks. To this end, the ransomware-as-a-service (RaaS) market began to emerge in 2015, with multiple variants issued for sale in cybercriminal forums. The decreasing cost of deploying ransomware attacks will likely lead to an expanding selection of targets, as cybercriminals diversify their operations to increase their likelihood of success.

As the ransomware market matures, it will likely continue to segment. So, along with widespread ‘spray and pray’ attacks aimed at infecting as many devices as possible, we should see an increase in more focused attacks. To achieve this goal, attackers will need to research individual victims to identify vulnerable targets with higher potential ROI.

Major variants

Although the frequency of attacks has exploded over the last three years, ransomware has been around for over a decade, mostly targeting developed nations where businesses and individuals are more likely to pay higher ransoms. The following cases highlight significant developments in the evolution of ransomware variants since Cryptolocker emerged in 2013.

| Emergence | Description |
| --- | --- |
| September 2013 | The arrival of Cryptolocker heralds the modern era of ransomware. |
| July 2014 | Critroni is the first ransomware variant to use the Tor infrastructure to mask its command and control infrastructure, to protect it from being taken down by law enforcement agencies. |
| August 2014 | Reveton locks victims out of their machines, and displays phony law enforcement banners, claiming that the victim had been involved in illegal online activities and needed to pay a fine. |
| November 2014 | CoinVault is a file-encrypting type of ransomware that uses powerful AES encryption to lock victims’ files, and demands payment via Bitcoin in an amount which increases every 24 hours until the ransom is paid. |
| February 2015 | CTB Locker is used by cybercriminals to encrypt data on websites that use the WordPress framework. |
| January 2016 | Lockdroid emerges, targeting Android mobile devices. |
| March 2016 | KeRanger is the first ransomware variant to target the Mac operating system. |
| April 2016 | Samsam is a new ransomware variant with worm-like properties, which is distributed in a targeted fashion by cybercriminals who have gained access to unpatched servers. |

While targeting has changed and the level of sophistication has increased, the biggest recent development is the emergence of ransomware-as-a-service (RaaS), as seen with the release of Tox in 2015.[20] Sold on dark web cybercriminal forums, RaaS attacks are customisable, offering the capability to select targets and set ransom terms. This enables cybercriminals who do not have the requisite skills to develop their own ransomware operations tailored to their needs.

Mitigation

While ransomware attacks are increasing in sophistication, that does not mean victims are powerless. This section describes steps that people and organisations can take to mitigate the threat, starting with securely backing up your critical data.

If the data is not securely backed up, ransomware victims are generally given two choices: pay the ransom, or lose your data. However, there are rare cases where the ransomware’s encryption keys have been broken. In 2014, the encryption of the infamous Cryptolocker malware was broken by security researchers, who provided decryption keys to many relieved victims.[21] More recently, the Petya ransomware, which encrypts a computer’s boot record (rendering the device useless), was broken by a security researcher who developed applications that could crack the malware password and retrieve the decryption keys.[22]

Still, with the recent advances in ransomware attacks, assuming a solution will be available in the event of an infection is a very risky bet. So aside from not getting infected in the first place, your best course of action remains having your data securely backed up. In addition, companies are advised to use application whitelisting,[vii] update all software patches and antivirus definitions, and restrict users’ network access and ability to install unwanted (potentially malicious) programs.

These are the best methods to protect against ransomware in its current state, while section 7, Outlook, examines where the ransomware industry might be heading.
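The backup failures this paper describes (a backup set that has not been updated in over a year, or one that is itself corrupted by ransomware) can be caught by a routine audit before a restore is ever needed. The Python sketch below is an added example, not part of the original paper; the `manifest.json` format (relative path mapped to SHA-256 digest), the seven-day age limit and the entropy threshold are assumptions, and it does not check whether the backup is detached from the network.

```python
import hashlib, json, math, os, tempfile, time
from collections import Counter

MAX_AGE_DAYS = 7     # assumption: how old the newest backup may be
ENTROPY_LIMIT = 7.9  # assumption: bits per byte; close to 8.0 looks encrypted

def shannon_entropy(data):
    """Bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_backup(backup_dir, now=None):
    """Return a list of findings; an empty list means the backup set passed."""
    now = time.time() if now is None else now
    manifest_path = os.path.join(backup_dir, "manifest.json")
    try:
        with open(manifest_path) as fh:
            manifest = json.load(fh)  # {relative path: sha256 hex digest}
    except (OSError, ValueError) as exc:
        return [f"manifest unreadable: {exc}"]
    findings = []
    age_days = (now - os.path.getmtime(manifest_path)) / 86400
    if age_days > MAX_AGE_DAYS:
        findings.append(f"stale: newest backup is {age_days:.0f} days old")
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.isfile(path):
            findings.append(f"missing: {rel}")  # e.g. renamed by ransomware
        elif sha256_file(path) != expected:
            findings.append(f"modified: {rel}")
            with open(path, "rb") as fh:
                if shannon_entropy(fh.read(65536)) > ENTROPY_LIMIT:
                    findings.append(f"high-entropy: {rel}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a two-file backup set, then one file overwritten with
    # random bytes (standing in for encrypted output) and one file removed.
    with tempfile.TemporaryDirectory() as d:
        files = {"ledger.csv": b"id,amount\n" * 500, "notes.txt": b"minutes\n" * 500}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(d, "manifest.json"), "w") as fh:
            json.dump({n: hashlib.sha256(b).hexdigest() for n, b in files.items()}, fh)
        print("clean:", audit_backup(d))
        with open(os.path.join(d, "ledger.csv"), "wb") as fh:
            fh.write(os.urandom(65536))
        os.remove(os.path.join(d, "notes.txt"))
        print("after tampering:", audit_backup(d))
```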

Outlook

The ransomware industry has evolved rapidly over the last three years. The combination of high profitability, low risk, and low barriers to entry will likely cause a growing number of players to enter the market. This dynamic will lead to increased competition among cyber extortionists for targets, and encourage cybercriminals to adapt their operations (improved customer service, harder-to-detect malware) and targeting (more focused attacks asking for more money, expansion into new sectors) accordingly.

It’s also helpful to understand ransomware in the context of its enabling technologies. Just as YouTube’s explosive growth would not have been possible without the advent of widespread broadband internet (dial-up was too slow for streaming video), the rise of ransomware would arguably not be possible without Bitcoin making it difficult to trace the funds, and Tor making it nearly impossible to identify the perpetrators.

In terms of targeting, PCs were the original primary victims of ransomware. Later, we started seeing infected phones and servers. In 2015, cyber extortionists started locking people out of websites by encrypting page files, images and directories until a ransom was paid.[23] Projecting further into the future, the rapid expansion of the Internet of Things (IoT) could quite likely lead to instances of cyber extortionists locking people out of their cars, homes, or refrigerators. In addition, we should also begin seeing cyber activists using ransomware operations to further political agendas.

While much has been written about the cost to the victims of ransomware attacks, understanding the cost to the attackers is the key to addressing this threat. Although there have been a handful of high-profile arrests in the Netherlands, Spain, the UK and the US, thus far cyber extortionists have proven to be highly effective at eluding capture and prosecution.[24][25][26]

Due to the low-cost/high-reward/low-risk nature of establishing a successful ransomware scheme, the laws of economics dictate that criminals will increasingly engage in this activity, as profitable ransomware operations invite copycats. Finally, with the rise of RaaS, the barriers to entry into this market are lower than ever.

New dimensions of the ransomware industry are discovered each week, and the situation continues to evolve rapidly. As if to illustrate, a new ransomware marketplace recently surfaced that helps facilitate Bitcoin payments between attackers and victims.[27] Like any profitable market with low barriers to entry, the competitive ransomware industry is driving innovation. As long as the above trends persist, the ransomware industry will continue to be a major cyber security challenge.

 

i. Bitcoin is an anonymous online payment system and virtual currency that facilitates peer-to-peer payments. Bitcoin's legitimacy is often disputed because it is regularly used for illegal activities, such as in dark web black markets. Nevertheless, Bitcoin is increasingly popular because its fees are considerably lower than those of credit card processors, and because all transactions are recorded in a public ledger.

ii. The amounts demanded from non-individuals have been much higher (Hollywood Presbyterian Medical Center paid a ransom of USD 17,000), but it’s in a cybercriminal’s interest to keep demands at a level the victim is likely to pay.

iii. Phishing is an attempt via email to elicit an action from the recipient, such as clicking on a link or attachment, or entering confidential information into a phony form. While phishing targets as many people as possible, spearphishing targets a particular person or group of people.

iv. Bulletproof domain or web hosting services employ lenient or loosely defined terms of service that allow their customers to upload and host a variety of illegal web content, including websites used for spamming and other cybercriminal activities.

v. Tor (The Onion Router) is an anonymous and encrypted network accessible through free software widely used by the public and military establishments, but also popularised by cybercriminals. The Tor browser allows users to obscure their location and browsing habits from anyone conducting network surveillance.

vi. Ransomware as a service (RaaS) is designed to be customised and deployed by cybercriminal groups that would otherwise lack the capability to launch their own campaigns. The group will typically download the malware or purchase access to a distribution network via a cybercriminal forum or dedicated site, paying either a flat fee or a percentage of the ransom revenue they are able to extract from their victims.

vii. Application whitelisting solutions restrict malicious applications from being downloaded to corporate devices by detecting when a new program is being launched, then determining whether it should be allowed using a predefined list of software variants.

Works cited

1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

2. https://www.forcepoint.com/content/2015-ws-threat-report

3. https://powermore.dell.com/technology/top-5-security-threats-2016/

4. https://www.controlrisks.com/webcasts/studio/2015-GENERAL/Riskmap-2016/RM-2016-report-PDFs/2015-11-27-RM-REPORT-2016-LR.pdf

5. https://www.us-cert.gov/ncas/alerts/TA16-091A

6. Krebs, B. (2014). Spam nation: The inside story of organized cybercrime – from global epidemic to your front door. Naperville, Illinois: Sourcebooks.

7. http://www.dailymail.co.uk/news/article-2379153/Jay-Matthew-Riley-turns-child-porn-FBI-warning-message-turned-virus-tells-to.html

8. http://www.theregister.co.uk/2014/03/18/romania_ransomware_murder_suicide/

9. http://www.detroitnews.com/story/news/politics/michigan/2014/11/17/north-american-international-cyber-summit/19162001/

10. http://www.govtech.com/security/Ransomware-Poses-Tremendous-Threat-to-Police-Departments.html

11. http://www.networkworld.com/article/2906983/security0/massachusetts-police-department-pays-500-cryptolocker-ransom.html

12. http://www.darkreading.com/attacks-breaches/police-pay-off-ransomware-operators-again/d/d-id/1319918

13. http://money.cnn.com/2016/04/04/technology/ransomware-cybercrime/

14. http://www.networkworld.com/article/2901527/microsoft-subnet/crypto-ransomware-attack-hit-new-jersey-school-district-locked-up-entire-network.html

15. http://arstechnica.com/security/2016/03/two-more-healthcare-networks-caught-up-in-outbreak-of-hospital-ransomware/

16. http://www.webroot.com/blog/2016/02/18/new-ransomware-padcrypt-first-live-chat-support/

17. https://www.trustwave.com/Resources/Trustwave-Blog/What-You-Can-Learn-from-the-Ridiculous-Money-That-Cybercriminals-Make/

18. http://www.bitdefender.com/media/materials/white-papers/en/Bitdefender_Ransomware_A_Victim_Perspective.pdf

19. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf

20. https://www.theguardian.com/technology/2015/jun/02/ransomware-as-service-discovered-on-darknet

21. http://www.theregister.co.uk/2014/08/06/decryptolocker/

22. https://threatpost.com/password-generator-tool-breaks-petya-ransomware-encryption/117315/

23. http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/

24. http://www.kaspersky.com/about/news/virus/2015/Collaboration-between-the-Dutch-police-and-Kaspersky-Lab-leads-to-the-arrest-of-suspects-behind-the-CoinVault-ransomware-attacks

25. http://thehackernews.com/2013/02/group-behind-largest-ransomware.html

26. https://threatpost.com/dutch-police-arrest-alleged-coinvault-ransomware-authors/114707/

27. http://www.darkreading.com/endpoint/crowdsourcing-the-dark-web-a-one-stop-ran$om-shop/a/d-id/1325265