Friday, March 28, 2014

Ransomware Challenges Posed by Cyber Criminals

Ransomware dates back to 1989 and the AIDS Trojan, which modified autoexec.bat and, once the computer had booted 90 times, began hiding directories and encrypting the names of all files. It then prompted the user to "renew their license" by sending a $189.00 payment to PC Cyborg Corporation at a P.O. Box in Panama (Smith, 2002). Today the number of unique new ransomware samples is almost 250,000 for the first three months of 2013 alone, double the count for the first quarter of 2012. Even more troubling is the reported number of infections, and that figure is probably an undercount: McAfee can only see detections reported back by its own client machines. There are two main reasons for the increased popularity of ransomware: (1) cybercriminals have easy access to anonymous payment systems such as Bitcoin; and (2) there is a thriving underground market offering pay-per-install services on already-infected computers, for example through the Citadel botnet. Cybercriminals can also simply purchase ransomware kits, such as Lyposit, on those same underground markets (McAfee Labs, 2013a, p. 12).

There are two main categories of ransomware today: non-encrypting and encrypting. The Reveton Trojan is one of the better-known non-encrypting variants. The FBI issued an alert on August 9, 2012 describing this drive-by ransomware (The FBI, 2012). Reveton infects and then hijacks the host machine: it displays a threatening full-screen message purporting to come from law enforcement, such as the FBI, and blocks the user from doing anything else on the computer until they pay the "fine" or find a way to remove the malware. Reveton is distributed through the Citadel botnet and also through the BlackHole exploit kit, which infects vulnerable systems directly via drive-by downloads. Screenshots from one malware gang showed MoneyPak payments ranging from $34,500.00 to $54,000.00 per day. Reveton is extremely difficult to remove and is a good example of why people need up-to-date antivirus software and backups of their data. Once infected, the only way to reliably clean a computer with such a sophisticated infection is a complete rebuild (Krebs, 2012).

The second category, encrypting ransomware, is more advanced and is the latest type being used by cybercriminals to infect traditional host computers, laptops and desktops. The most recent example is CryptoLocker. The FBI issued an alert on November 8, 2013 (The FBI, 2013), and US-CERT released Alert TA13-309A on November 5, 2013, listing two ways CryptoLocker reaches victims' computers. The first is phishing emails that appear to come from legitimate businesses, or from FedEx or UPS with a "tracking number" attachment. The second is delivery through botnets already resident on previously infected computers. More menacing still, CryptoLocker, originally a trojan that had to be delivered to each victim, was later reported to have gained worm-like self-propagation. The malware searches for and encrypts files on local drives, removable media (e.g. USB drives), external HDDs, mapped network file shares and synced cloud storage. Victim files are encrypted using RSA-2048 public-key cryptography (US-CERT, 2013); in practice each file is encrypted with a symmetric key, and that key is in turn encrypted with the attackers' 2048-bit RSA public key, so the private key needed to recover anything never exists on the victim's machine. ZDNet traced four different Bitcoin addresses reported by infected CryptoLocker users and found earnings of roughly $27,000,000 between October 15 and December 18, 2013 at the then-current USD exchange rate (Blue, 2013). There is no known way to decrypt the files without the attackers' private key, and the FBI recommends having the machine scrubbed and rebuilt from backups (The FBI, 2013). Given CryptoLocker's ability to reach connected drives and shares, restoring from offline backups is the better practice.
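As an added illustration of why the FBI's advice follows directly from the cryptography, the Go program below demonstrates the hybrid-encryption pattern described above: a fresh AES key for each file, that key wrapped with a 2048-bit RSA public key, and a decryption attempt that fails with any private key other than the one that never left the attackers' server. This is example code written for this page, not CryptoLocker's code or anything from the cited alerts; the document contents, key sizes, type and function names are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added example (not from the original article or from any real sample):
// the hybrid-encryption pattern used by CryptoLocker-class ransomware.
// A random AES key protects each file; only that small key is then wrapped
// with the attackers' RSA public key. The matching private key never touches
// the victim host, so without it (or a backup) the file is unrecoverable.

// EncryptedFile is what is left on disk in place of the original file.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES key, encrypted with RSA-OAEP under the public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext plus authentication tag
}

// EncryptFile encrypts plaintext under a fresh AES-256 key and wraps that key with pub.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Wipe the plaintext AES key: the only copy that remains is the RSA-wrapped one.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile unwraps the AES key with priv and decrypts the file. With any
// other private key the OAEP unwrap fails and nothing is recovered.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // lives only on the attackers' server
	victimGuess, _ := rsa.GenerateKey(rand.Reader, 2048) // any key the victim might try instead
	ef, _ := EncryptFile(&attackerKey.PublicKey, []byte("constructed sample document"))
	if _, err := DecryptFile(victimGuess, ef); err != nil {
		fmt.Println("without the attackers' private key:", err)
	}
	pt, _ := DecryptFile(attackerKey, ef)
	fmt.Println("with the attackers' private key:", string(pt))
}
```

The practical consequence is the one the alerts draw: because the AES key is wiped and survives only in RSA-wrapped form, nothing on the host (memory dumps aside, if they are taken quickly enough) lets a responder recover the files, and recovery is a question of backups, not of cryptanalysis.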

The outlook for 2014 presents an even greater challenge. According to the McAfee Labs 2014 Threats Prediction report, the proliferation of ransomware attacks will begin in earnest on mobile devices (McAfee Labs, 2013b, p. 3). There were 6.8 billion mobile subscriptions worldwide in 2012, up from 6.0 billion in 2011 and 5.4 billion in 2010, nearly matching the ITU's estimated world population of 7.1 billion (MobiThinking, 2013). With ransomware moving to mobile devices in 2014, the number of host devices that can be targeted is enormous, a target-rich environment for cybercriminals. Virtual currencies are another reason 2014 ransomware attacks look set to increase significantly, with new variants and with targets spreading to enterprise networks to encrypt corporate assets (McAfee Labs, 2013b, p. 3).

There are ways to defend against ransomware. Keeping host-level Unified Threat Management (UTM) software up to date is still a good countermeasure: each ransomware payload may be unique, but the distribution methods are not, and those are what the software can recognize and block. Examples of distribution methods are (1) drive-by downloads and links in phishing emails, (2) spam, and (3) infected applications (McAfee Labs, 2013b, p. 3). Beyond standard anti-malware and offline backups for restoring infected computers, newer technologies are emerging. Bromium has developed an end-point protection system that uses micro-virtualization (Innovation: Micro-virtualization, n.d.) and task introspection (Innovation: Task Introspection, n.d.) to isolate and monitor each task in real time. While this technology is aimed at enterprises, ISPs may adopt similar technologies in the future. Until then, home users and companies with smaller budgets will need to rely on the more traditional security controls mentioned above, which are still very effective when implemented properly and kept up to date.
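Because the payload changes with every campaign while its behaviour on disk does not, a behavioural check is a useful complement to the signature-based anti-malware discussed above. The Go program below is an added example written for this page, not part of the original article or of any vendor's product: it scores file-activity events per process, treating writes of near-random (high-entropy) content and renames that change a file's extension as suspicious, and flags any process that produces a burst of them inside a sliding time window. The event format, the thresholds and the sample events (an editor saving two documents, and a bogus process rewriting five spreadsheets) are all constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"path/filepath"
	"sort"
	"time"
)

// Added example, not from the original article: a behavioural heuristic for
// the file-activity pattern of an encrypting ransomware process. A real
// deployment would feed FileEvent from an EDR agent or file audit log; the
// format, thresholds and sample data below are constructed for the demo.

type FileEvent struct {
	Time    time.Time
	Process string
	Op      string // "write" or "rename"
	Path    string // for rename: the new path
	OldPath string // for rename: the original path
	Content []byte // for write: a sample of the bytes written
}

// Entropy returns the Shannon entropy of data in bits per byte (0 to 8).
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Detection thresholds (assumed values chosen for the demo).
const (
	window        = 60 * time.Second
	entropyFloor  = 7.5 // bits/byte: documents sit around 4-5, ciphertext near 8
	burstMinFiles = 5   // suspicious events from one process inside the window
)

// suspicious reports whether a single event looks like encryption output.
func suspicious(ev FileEvent) bool {
	switch ev.Op {
	case "write":
		return Entropy(ev.Content) >= entropyFloor
	case "rename": // report.xlsx -> report.xlsx.encrypted is the classic tell
		return filepath.Ext(ev.Path) != filepath.Ext(ev.OldPath)
	}
	return false
}

// FlagProcesses returns, sorted, the processes that produced burstMinFiles or
// more suspicious events within any sliding window of length `window`.
func FlagProcesses(events []FileEvent) []string {
	byProc := map[string][]time.Time{}
	for _, ev := range events {
		if suspicious(ev) {
			byProc[ev.Process] = append(byProc[ev.Process], ev.Time)
		}
	}
	var flagged []string
	for proc, times := range byProc {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= burstMinFiles {
				flagged = append(flagged, proc)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleEvents builds a constructed log: an editor saving two ordinary documents,
// then a bogus process rewriting five files with random bytes and renaming them.
func SampleEvents() []FileEvent {
	rng := rand.New(rand.NewSource(1)) // deterministic stand-in for ciphertext
	t0 := time.Date(2014, 3, 28, 9, 0, 0, 0, time.UTC)
	text := []byte("Quarterly report: revenue, costs, headcount. Quarterly report: revenue, costs, headcount.")
	evs := []FileEvent{
		{Time: t0, Process: "winword.exe", Op: "write", Path: `C:\Users\a\report.docx`, Content: text},
		{Time: t0.Add(20 * time.Second), Process: "winword.exe", Op: "write", Path: `C:\Users\a\notes.docx`, Content: text},
	}
	for i := 0; i < 5; i++ {
		junk := make([]byte, 4096)
		rng.Read(junk)
		old := fmt.Sprintf(`C:\Users\a\file%d.xlsx`, i)
		at := t0.Add(time.Duration(2*i) * time.Second)
		evs = append(evs,
			FileEvent{Time: at, Process: "svchost_update.exe", Op: "write", Path: old, Content: junk},
			FileEvent{Time: at.Add(time.Second), Process: "svchost_update.exe", Op: "rename", OldPath: old, Path: old + ".encrypted"},
		)
	}
	return evs
}

func main() {
	fmt.Println("flagged:", FlagProcesses(SampleEvents()))
}
```

Two caveats a practitioner should keep in mind. Compressed and already-encrypted files (archives, JPEGs, PDFs with embedded images) also have entropy near 8 bits per byte, so a single high-entropy write proves nothing; it is the burst count and the extension-change signal together that keep false positives manageable. And because a worm-capable sample reaches mapped shares, the same check is worth running on the file server, where the writing process is the SMB service and the user account becomes the grouping key instead of the executable name.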

Ransomware has been around for about 25 years, but the number of variants is now doubling year over year, with the latest report showing 250,000 variants in just the first three months of 2013. This shows that cybercriminals have great interest in it and that there are tens of millions of dollars in profit to be made. Ransomware's sophistication is now at the level where it uses asymmetric encryption that cannot practically be broken, combined with self-propagation capability. This poses a severe risk to endpoint computers and emphasizes the need for all users and organizations to have proper security controls and incident response capabilities in place. For end users this could be traditional UTM antivirus software such as Norton 360 plus the ability to restore from offline backups. Given ransomware's advanced ability to encrypt and propagate, a backup drive that stays connected, or a cloud folder that syncs continuously, is at risk of being encrypted along with everything else, so offline backups are necessary. Organizations can achieve a higher level of security with multi-layer, defense-in-depth controls and more advanced detection technology such as the micro-virtualization and task introspection offered by Bromium.


Blue, Violet (2013, December 22). CryptoLocker's crimewave: A trail of millions in laundered Bitcoin, ZDNet. Retrieved March 8, 2014, from

Innovation: Micro-virtualization (n.d.). Retrieved March 10, 2014, from

Innovation: Task Introspection (n.d.). Retrieved March 10, 2014, from

Krebs, Brian (2012, August 12). Inside a ‘Reveton’ Ransomware Operation. Retrieved March 11, 2014, from

McAfee Labs (2013a, May). McAfee Threats Report: First Quarter 2013, McAfee. Retrieved March 6, 2014, from

McAfee Labs (2013b, December). McAfee Labs 2014 Threats Prediction, McAfee. Retrieved March 10, 2014, from

MobiThinking (2013, December). Mobile subscribers worldwide, dotMobi. Retrieved March 7, 2014, from

Smith, George (2002, August 12). The Original Anti-Piracy Hack, SecurityFocus. Retrieved March 8, 2014, from

The FBI (2012, August 9). New Internet Scam ‘Ransomware’ Locks Computers, Demands Payment. Retrieved March 10, 2014, from

The FBI (2013, November 8). CryptoLocker Ransomware Encrypts Users' Files. Retrieved March 12, 2014, from

US-CERT (2013, November 5). Alert (TA13-309A) CryptoLocker Ransomware Infections. Retrieved March 6, 2014, from
