The ransomware phenomenon has gone through nosedives and eyebrow-raising spikes since it went pro in 2013. Despite all the dramatic fluctuations over the years, it continues to be the most prolific and impactful strain of predatory code on the global threat map. To top it off, it is dynamically evolving, and the security industry has yet to catch up with this wicked progress, writes the computer security researcher David Balaban.
Nowadays, a combo of classic ransomware and a data breach strategy unleashed against organisations is the new black in the cybercrime ecosystem. The crooks leverage this two-pronged attack logic to pressure non-paying victims into succumbing to their demands. It’s simple: if you don’t submit the ransom, your files will be leaked for everyone to see. Predictably enough, the average size of the ransom is aligned with the ever-growing complexity of these attacks, reaching millions of dollars per company in some cases.
There had been a good deal of trial and error before the extortion epidemic got to the point of sophistication we are witnessing these days. This article is going to shed light on the game-changing milestones that paved ransomware’s way towards maturity.
The emergence of screen lockers became the wakeup call. These were primitive programs that prevented victims from accessing their computers or web browsers and demanded a fee for regaining access. The progenitor of this trend was a Trojan called Reveton. Discovered in 2012, it was doing the rounds mainly via Blackhole, an exploit kit that harnessed vulnerabilities in a would-be victim’s system to execute malicious payloads surreptitiously.
These culprits were also referred to as “police lockers” because they typically displayed fake alerts impersonating local law enforcement agencies. A few mainstream examples at the time were the FBI MoneyPak and Metropolitan Police ransomware. They showed scary screens stating that the user had broken the law by downloading copyrighted materials or distributing child pornography. To avoid serving a prison term, the victim was instructed to pay a fine amounting to $100 or an approximate equivalent in the person’s local currency.
Screen locker campaigns were crude in a few ways. The ransoms could only be submitted via prepaid card services such as Ukash, Paysafecard, and MoneyPak. Furthermore, the adverse effects were easy to overcome. One of the effective ways was to simply restore Windows to its earlier state. To unlock a contaminated web browser, all it took was resetting it to its defaults.
Encryption and cryptocurrency
The ransomware called CryptoLocker took digital extortion to the next level. Having splashed onto the scene in September 2013, it quickly gained notoriety for pioneering in the use of cryptography to render victims’ files inaccessible. In particular, this strain relied on the 2048-bit RSA cipher and kept the public-private key pair on a remote server rather than on an infected computer.
CryptoLocker made a difference in one more way. It was the first ransomware to accept payments in cryptocurrency, although it also allowed prepaid cards. The involvement of Bitcoin made it nearly impossible to attribute the attacks to a specific adversary because the money trail would get lost in an intricate series of anonymous transactions. The original size of the ransom was $100. Back in the day, this amount was worth about 2 BTC. As time went by, the crooks’ appetites grew and they were demanding much more ($600) at the end of 2013.
In 2016, the first viable Mac ransomware called KeRanger made its debut. Just like CryptoLocker, it used the asymmetric RSA cryptosystem to lock down victims’ data. It dropped a ransom note asking for roughly $500 in Bitcoin for decryption. KeRanger developers had decent operations security (OPSEC). Aside from taking the hard-to-trace cryptocurrency route, they instructed users to visit a payment site hosted on the Tor anonymity network.
Now in 2020, Bitcoin continues to be the primary payment channel in ransomware incidents. However, some samples of file-encrypting Trojans have deviated from this practice. The Kirk ransomware discovered in 2017 was one of these exceptions. It used another type of cryptocurrency called Monero (XMR), which boasts an overarching focus on anonymity. The ransom was 50 XMR, worth about $2,000 at the time. A more recent example is the high-profile Sodinokibi ransomware targeting the enterprise. Its operators switched from Bitcoin to Monero as a payment method in April 2020 to better protect their identities against exposure. Security analysts argue that more extortionist groups may jump on the XMR hype train soon.
When it comes to the ransom amounts, ransomware authors distinguish between individuals and businesses. The latter are juicier targets that can afford to pay more. The first big payouts were reported in 2016. The University of Calgary had to cough up $20,000 to recover its IT systems from an attack. Madison County, Indiana, paid a Bitcoin equivalent of $21,000 in November of the same year to get their data back. In January 2017, the Los Angeles Valley College submitted $28,000 to redeem files encrypted by ransomware.
Nayana, a South Korean web hosting provider, paid a whopping $1 million in June 2017 to revert to normal operation after the Erebus ransomware hit more than 150 of its Linux servers. In 2019, the officials of Riviera Beach city, Florida, chose to pay $600,000 to restore their computer networks crippled by ransomware. There have probably been quite a few bigger payouts, but some organisations aren’t willing to disclose such incidents as they fear reputational damages.
In the first quarter of 2020, the developers of two major ransomware species, Ryuk and the above-mentioned Sodinokibi, reportedly raised the size of the ransom by 33 per cent. The average amount is now $111,605 per plagued company.
Whereas negotiating the recovery terms isn’t uncommon, there have been a few really offbeat offers on extortionists’ end. The malefactors in charge of the Spora ransomware, which surfaced in early 2017, claimed to reduce the size of the ransom and extend the payment deadline if a victim left some positive feedback about the decryption service, no matter how odd it may sound.
Another strain dubbed Popcorn Time took it up a notch. Its operators promised to lower or even cancel the ransom if a victim agreed to dupe their friends into executing the dangerous payload. Essentially, the threat actors encouraged the infected users to be in cahoots with them.
Latest quirk: malicious encryption, data theft
In late 2019, a ransomware called Maze started a new unnerving trend. As if the encryption of an organisation’s valuable files weren’t disruptive enough, the criminals have been additionally amassing and stealing these records. The goal is to add extra leverage to ransom negotiations, threatening to leak the data unless the victims cooperate with the attackers.
Later on, the felons behind other extortion campaigns such as Sodinokibi, DoppelPaymer, Nefilim, Nemty, Clop, and Netwalker followed suit. Most of them have even set up special websites where they publish data exfiltrated from the victims’ networks in case of non-payment. A relatively new player in this arena, the Ako ransomware, took this tactic further by demanding two payments: one for decrypting the files, and the other for deleting the pilfered data. Its authors have recently leaked the records of one victim that paid $350,000 for decryption but refused to send another portion of Bitcoin for obliterating the data from the malefactors’ server.
Ransomware is continuously extending its reach and its makers are adding new tricks to their repertoire. Having kicked off as simplistic screen lockers, it has become a sophisticated threat that weaponises cryptography, amasses the victims’ data, and uses hard-to-trace payment methods. Also, extortionists are increasingly shifting towards a Ransomware-as-a-Service (RaaS) strategy where “affiliates” execute the distribution part of the campaigns and the authors get their cut.
To stay safe, both individuals and organisations need to have a plan B that will help them recover from a ransomware attack. Maintaining data backups is half the battle. Furthermore, the use of reliable security software will prevent most file-encrypting threats from gaining a foothold in a system or computer network. Importantly, users should exert greater caution with suspicious email attachments that set most ransomware attacks in motion.
About the author
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a malware troubleshooting background, with the recent focus on ransomware countermeasures. Visit https://www.linkedin.com/in/david-balaban/.