Trends are complicated things. Consider, for example, the threat often called Ransomware. In our annual Internet Security Threat Report, all signs were that it was following a steady growth path which would continue into 2014. However, more up-to-date intelligence (as documented in our May 2014 Intelligence Report) suggests otherwise. It remains to be seen whether the threat is cyclic, so we shall continue to watch with interest.
So, what gives? To understand Ransomware, we need first to understand how and why it emerged. Before Ransomware, another form of extortion was prevalent, called Fake Antivirus (Fake-AV, or rogue security software). This would find its way onto a victim’s computer through email, website drive-by or other means, and then tell the hapless user they had malware – but to remove that malware they would have to unlock the product so it could clean up the system. Unlocking required a payment of between 20 and 50 US$ on average.
Of course it was fraudulent – the product wasn’t real and the malware was probably put there by the Fake Antivirus – if it existed at all. However, over time as people became more aware of these threats, they began to fear them less. When everyone knows it’s a fake, the scam fails and the bad guys have to find something else to fill the gap. That something else is Ransomware.
Ransomware, instead of pretending to be a security product trying to be helpful, usually masquerades as a virtual “wheel clamp” for the victim’s computer. For example, pretending to be from local law enforcement, it might suggest the victim had been using the computer for something illicit and that to unlock it they would have to pay a fine – this time between 100 and 500 US$. The increased availability of online payment methods made collecting the ransom safe and simple for the bad guys. Ransomware really took off in 2013, with a 500% (6-fold) increase in attack numbers between the start and end of the year.
If we dig into the figures, we find that 1 in 500 Ransomware attacks in 2013 were a form called ransomcrypt, in which the victim’s personal files are encrypted using strong (RSA 2048-bit) public key encryption – and only the attacker holds the private key with which the files can be unlocked. Often the files will include important documents, photographs and other potentially priceless data. There is no pretence of a fine – you simply pay the ransom to get your files back. This threat can cause even more damage to businesses, where not only the victim’s own files are encrypted, but also files on shared or attached network drives.
Holding encrypted files for ransom is not entirely new, but getting paid has previously been difficult for the crooks. With the appearance of new online payment methods, the trend is poised for growth in 2014. The most notable example is Cryptolocker, but many imitators are emerging. For example, Security Response is reporting on one Cryptolocker imitator, CryptoDefense, that was estimated to be making 34k US$ a month.
What can people do? A first step has to be through policy and education, as “people clicking on links” remains the number one way for this threat to breach defences. Security software such as Norton and Symantec Endpoint Protection can identify ransomware threats and remove them from the computer, but the only real defence against ransomcrypt attacks is to have your data backed up regularly and securely, with backups stored off-network so they are not subject to the same threat.
With ransomware, the history of malware almost feels like it is coming full circle, as the bad guys seek to deliberately damage information, or at least threaten to do so. Unlike a couple of decades ago, when this was done just for fun, there now exists a clear financial incentive to do so: extortion. Perhaps, with such hard numbers now attached, more organisations and individuals will increase their levels of vigilance. It goes without saying that we shall continue to watch the development of encryption-based ransomware, as well as how well protected its targets are.