(Image Courtesy: ComputerWorld.com, Screenshot of CTB-Locker)

Innovation has always been something that puts the weight on the side practicing it. The idea seems to be well understood within the cybercriminal community and can be seen in the form of a new type of malicious software termed as ‘ransomware’. This malware has become the latest weapon in a hackers’ arsenal today and is starting to trouble security professionals around the world.

INTRODUCTION

Dubbed ‘ransomware’, this malicious software is aptly named because it take your data hostage. It encrypts all the data present in the system and prevents access to it. This type of malware, which falls under ‘scareware’ since it intimidates user by instilling fear using threats, seeks monetary compensation in the form of electronic money (commonly Bitcoins) averaging o several hundred dollars to obtain a decryption key for the system. The threat has become so severe that even Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office has advised people to ‘just pay the ransom’. He was quoted as saying “The ransomware is just that good. To be honest, we often advise people to just pay the ransom” ^[1]. According to the FBI, the ransomware earns an estimated $150 million in a year which has proved the malicious software has been successful in its attempts ^[2]. In fact, the success rate for ransomware is estimated to be around 40% which in the security industry compares to figures of success rate by scams like phishing and its variants (spear/water-holing etc.) estimated around 45% by survey studies by Google ^[3]. What is alarming is not the success rate, but the pace with which the ransomware has provided immediate economic benefit to cybercriminals in a very short span of time and is seen to be growing rapidly across businesses and consumer segments alike. It has become a direct revenue generation stream for attackers. Reports have suggested that ransomware attacks have nearly tripled over the past nine months.

MODUS OPERANDI

The ransomware is hosted on a criminal botnet which seeks to infect computers on the Internet. The botnet is responsible for distribution of the malware and is under the control of the cybercriminal. The botnets then infect computers via traditional attack vectors like email based attachment viruses (typically Word files) or using fraudulent websites using malicious links that allow that attackers to install ‘drive-by’ ransomware. Users can get infected simply by a single click ^[2]. The ransomware then freezes the screen and uses embarrassing scare tactics like displaying pornography on the screen. It is programmed to show a pop-up screen that claims that the system has been frozen by the FBI and the system will remain locked until the user pays a fine.

Technically speaking, the software has to have system level privileges for its execution and thus attackers use exploits to escalate them. Once they have that kind of access, they can run the code and abuse the noble intentions of cryptography. As per the system of public key cryptography, a public key is uses to encrypt the data, which proves to be useless even if extracted. The malware will then scan the computer and search for specific file extensions that have to be encrypted. Notable file extensions include .jpg, .jpeg, , .pdf. .doc etc. The data can only be decrypted by a private key (held by the attacker) which is exchanged for money. Public-key cryptography underpins some of the Internet’s most widely used security protocols including SSL/TLS and GPG and one can understand the pain that one has to undergo to undergo a complete system decryption. The amounts can vary depending on the target under consideration and can range from $10 to $5,000. The inclination of the user to pay the amount will depend on the kind of data that was encrypted and the willingness to pay the sum.

Scepticism is present, since there is no guarantee that the attacker will actually provide the key or will not do the same ever again. It is funny that the ransomware industry strongly believes in customer relationship and even provides a sample decryption for file to show that they have the legitimate key. Some of the strains like CryptoLocker and TeslaCrypt have even setup customer service centres to allow the victims to contact them ^{[4] [5]}. The software works in a time bound manner with the amount increasing if the ransom is not paid within the deadline following which their data will be deleted. The focus on the aspect stems from a simple fact – if the attackers don’t live up to their end of the bargain, ransomware will lose its credibility (which has contributed significantly to its success) and a lesser number of people will pay the ransom. The economics of it work as extortion works in the real world – pay up and secure your asset.

This particular malware variant has gained attention because of the method of the way in collection of ransom. The payment collection method involves sending the money in the form of anonymous virtual currency like Bitcoin. Traditional methods of payment collection included transfer of money using Western Union, payment cards like MoneyPak or online cash systems using voucher sites like Ukash ^[7]. The development of decentralized anonymous currencies have led to the attackers gaining anonymity in another facet of criminal activity – collecting money from victims.

CURRENT TRENDS IN RANSOMWARE

Ransomware has been evolving since it was first spotted. The first modern ransomware was called Trojan.Gpcoder and was discovered in 2005. Since then ransomware has undergone rapid changes in attack methods and software designs. Ransomwares are designed in two ways – one type locks down the access to system without encrypting files (locker ransomware) and one variant in which the ransomware which encrypts the entire system (crypto ransomware) ^[6].

Crypto ransomwares in particular have gained a lot of attention nowadays. They have gone from encrypting a few files on the hard drives to locking down entire systems using sophisticated encryption algorithms like RSA. Encryption levels vary from 660 bit to 2048 bits [7] which would require some serious computing power to decrypt. MIT professor Ron Rivest, co-inventor of RSA with Shamir and Leonard Adleman, noted that while cryptography is used mostly for good, as most technologies, it can also be used for bad.

Despite knowing this, the abuse of the RSA algorithm by many ransomware programs, makes him feel “sort of like a mother whose son was brainwashed and left to become a jihadist in Syria,” he said ^[8]. Crypto ransomwares use both symmetric and asymmetric cryptography in their designs. Symmetric cryptographic ransomwares will have the advantage of speed but will fail in cases where the user will be able to extract the key from the system and decrypt the data which causes the attacker to lose out on the money. Asymmetric cryptographic ransomwares on the other hand address the flaw previously stated by incorporating the use of a public key, it tends to be very tedious in terms on encrypting data which drastically reduce execution time for large sets of data. They have been known to use advanced implementations of cryptographic algorithms like AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman) with varying key sizes that has guaranteed that these systems become extremely difficult to crack.

Modern ransomware have evolved significantly and has been increasing in sophistication. As with most malicious software, ransomware seems to be learning its mistakes. Ransomwares can vary based on the type of operating system they infect. Newer kinds of ransomware have now started targeting platform independent technologies like JavaScript to deliver payloads thru sophisticated methods of drive by downloads. Trends in the modern ransomware industry include:

• More file types or extensions are being targeted, in order to cast a wider net of victims. .
• Ransomwares have started infecting the Master Boot Record (MBR) of a vulnerable system. By targeting the MBR, they the operating system from loading. To do this, the malware copies the original MBR and overwrites it with its own malicious code.
• Volume shadow copies are now being deleted to prevent file restoration. Shadow Copy is a Windows feature that takes manual and automatic copies of computer files and volumes. Deleting shadow copies places the victims at the mercy of the cybercriminals.
• Crypto-ransomware has gone “freemium.” Decrypting a few files for free might convince victims that they can still recover their encrypted files. They use “try-before-you-buy’ type of service available in which the users can decrypt a sample file and then pay the ransom.
• Ransomware is now being offered as a service on the underground web. People can buy ransomwares off the digital black market. Typically these services charge some percentage of the earnings that are earned thru the ransomware.
• Newer variants of ransomware are now built in with information stealing software that will allow an attacker to extract personal information from the victim.
• Ransomwares have now started having multilingual ransom notes which suggests that the distributors of the malware are looking to expand the area of infection and across national boundaries.
• They have started using hybrid encryption techniques that use a combination of symmetric and asymmetric cryptography to reduce time to encryption while maintaining strength. For e.g. using a combination of AES-256 along with RSA-2048. This leverages the benefits of both type of algorithms and helps optimize performance.
• Ransomwares have started creeping into mobile devices as well and have started taking them hostage. F-Secure published a report outlining an Android ransomware (Android.Trojan.SLocker)^[11] which locks the SD card content of the mobile user.
• 

Crypto ransomware available for sale in the underground market (Image Courtesy: Symantec Inc. The Evolution of Ransomware, August 2015)

Notable ransomwares like CryptoWall, CryptoLocker, BrowLocker, TorrentLocker and CTBLocker. They vary in design and functionality. Techniques like locking the screen and disabling the accessibility functions of the system (e.g. disable mouse and keyboard) are common among ransomware variants. Ransomwares use a technique call ‘API hooking’ ^[9] to control the flow of execution and perform malicious activities.

Comparison between variants of ransomware (Courtesy: Crypto-ransomware sightings and trends for Q1 2005, Trend Micro Security Intelligence Blog 2015)

COUNTERMEASURES

Security expert’s advice that one can prevent ransomware attacks by staying vigilant and understanding what you are downloading. They recommend the following measures:

1. Educating users about the problem which will help in increasing awareness and enable employees or consumers to prevent such attacks.
2. Since the base of the ransomware involves gaining root access to the system using and exploit, applying regular patches to the system is very important. Frequently used software like Firefox, Windows OS etc. that are commonly targeted in exploit kits.
3. Backup your data regularly to reduce the impact of the ransomware.
4. Using pop up blockers and disabling the use of JavaScript can help prevent attacks that occur via these vectors.
5. Use defence methods like firewalls and antiviruses in your system and network.
6. Disconnect from the Internet to prevent the malware from sending out your personal information to the attackers. With a regular backup, the system can be restored by reinstallation of software.
7. Try not to pay the ransom. It will only provide further encouragement to cybercriminals to create and distribute ransomware.
8. Try restoring your system using shadow files (e.g. recovery points in Windows) or file recovery software like PhotoRec or Recuva.
9. Stay alert. Stay vigilant.

CONCLUSION

With the increase in the number of breaches occurring thru ransomware, it has become crucial to guard ourselves against new age threats, Ransomwares are increasing in sophistication and have achieved high success rate that has led to attackers generating direct revenue thru anonymized channels. Various variants are found and the ‘copy-cat’ phenomenon in the underground is picking up with a number of new ransomwares being found on a daily basis. Ransomwares have crossed boundaries and is taking advantage of advancements in technology to spread itself rapidly. Ransomwares can be prevented by securing a system in a layered manner and staying ware about the risks it poses. Avoid drive-by-downloads and keep your antivirus up-to date.

REFERENCES

• The Security Ledger,. ‘FBI’S Advice On Ransomware? Just Pay The Ransom.’. N.p., 2015. Web.
• norton.com,. ‘Beware The Rise Of Ransomware’. N.p., 2015. Web.
• Buckley, Sean. ‘​Google Says The Best Phishing Scams Have A 45-Percent Success Rate’. Engadget. N.p., 2015. Web.
• Weisbaum, Herb. ‘Cryptolocker Crooks Launch New ‘Customer Service’ Website For Victims’. com. N.p., 2013. Web.
• co.uk,. ‘Hi! You’ve Reached Teslacrypt Ransomware Customer Support. How May We Fleece You?’. N.p., 2015. Web.
• Savage, Kevin, Peter Coogan, and Hon Lau. The Evolution Of Ransomware. 1st ed. Symantec, 2015. Web.
• Wikipedia,. ‘Ransomware’. N.p., 2015. Web.
• Constantin, Lucian. ‘With Ransomware On The Rise, Cryptographers Take It Personally’. PCWorld. N.p., 2015. Web.
• InfoSec Resources,. ‘API Hooking – Infosec Resources’. N.p., 2014. Web.
• Engineer, Anthony. ‘Crypto-Ransomware Sightings And Trends For 1Q 2015 | Security Intelligence Blog | Trend Micro’. trendmicro.com. N.p., 2015. Web.
• Minor, Jordan. ‘Ransomware On The Rise’. PCMag India. N.p., 2015. Web.