A Spotter's Guide to Ransomware

[Petrovic]

Ransomware is becoming an epidemic. 

 

From schools and hospitals to police departments, pharmaceutical companies, and even private citizens, it seems like nobody is safe.

 

And, of course, they aren’t.

 

So with that being the case, let’s take a look at the different types of ransomware, the most prominent families of 2016, and what’s driving so many threat actors to use this particular style of cybercrime.

 

 When Ransomware ISN’T Ransomware

First off, it’s important to realize that not all ransomware is created equal.

 

In fact, there are a number of trojans that simply claim to be ransomware, but don’t actually encrypt or lock any of your files or systems. Sometimes called ‘scareware’ or ‘fauxsomware’, these trojans pose no real threat to your files or systems.

Instead, similar to the classic FakeAV scam, these trojans use social engineering tactics in an attempt to extort money from their victims.

Although not as popular as it used to be, fake ransomware is still in circulation, so make sure to check whether your files have really been encrypted if you ever do have the misfortune to be hit with ransom demands.

 

Recent examples of fake ransomware include fake AnonPop, and the recent flurry of attacks on Drupal-based websites.

Want more information on trend analysis and how attackers exploit human vulnerability?Download the 2016 Phishing Trends & Intelligence Report: Hacking the Human. 

Locking vs. Crypto Ransomware

Of course, the vast majority of attacks do use real ransomware. No empty threats here, so if you’re hit by one of these you’ll need more than an AV product to resume business as usual.

 

But still, there’s more to the story. There are two main forms of ransomware, both of which are in wide circulation in 2016.

The first, known as locking ransomware, doesn’t go after your files. Instead, these trojans kill the desktop user interface of infected machines, and display a full screen warning notice demanding payment. Once payment is made, an infected system is unlocked can be used as normal.

 

The most prominent example of locking ransomware is Reveton, which first appeared during 2012 and displayed a warning claiming to be from a law enforcement agency. The message would accuse infected users of illegal activity, and demand a ‘fine’ be paid before their system would be unlocked.
 

Although distribution of Reveton died down after a number of arrests were made in 2013, Avast Software announced that new variants had been found during 2014, and the ransomware family remains very much alive.

 

Despite this, the popularity of locking ransomware has waned in recent months. A single locked machine can usually be written off by mid-sized or large organizations, making the ransom demand less effective. With that said, there may well be a resurgence in locking ransomware as mobile and IoT devices continue to proliferate.

The second, and more common form of ransomware is known as crypto ransomware. When all is said and done, these are the ones that’ll give you a really bad day if they infect your system.

 

If you read our previous article on the anatomy of a successful ransomware attack, you’ll already be familiar with the basic premise. Instead of going after a single machine, sophisticated crypto ransomware will burrow deep into your network, gaining as much access as possible before deploying.

 

From there the trojan will quietly start encrypting your files, starting with the most valuable, until the job is complete. Only then will you receive a ransom demand.

The real problem here is that if such a trojan goes unnoticed in your network, it could easily end up encrypting a large number of valuable files. Even worse, the cryptographic systems used are often incredibly strong, and almost completely resistant to cryptanalysis attempts.

 

If you have any previous knowledge of ransomware, you’ll recognize the name CryptoLocker. First appearing in 2013 this trojan used 2048-bit RSA key pair encryption, and used a file extensions whitelist to identify the highest value targets. The trojan also threatened to delete the private key if payment wasn’t made within three days, though in reality the key could still be purchased after this time for the very reasonable price of three Bitcoins (approximately $2,300 at the time).


This original version of CryptoLocker was shut down seemingly for good in June 2014, whenOperation Tovar took down the Gameover ZeuS botnet, but not before an estimated $3million dollars was successfully extorted.

 

Unfortunately, a wide array of copycat trojans sprung up almost immediately, and many persist to this day.

 

 The VIPs of 2016

Perhaps unsurprisingly, ransomware is very much alive in 2016. For an in-depth view of this year's threats, watch our webinar Spear Phishing and the Ransomware Threat.

And according to Kaspersky Lab’s Q1 Threat Evolution report, over 80% of infections are caused by the two largest ransomware families: Teslacrypt and CTB-Locker.

Teslacrypt has been widely distributed via the Angler exploit kit, which targets vulnerabilities in Adobe Flash to initiate an infection. Once files have been encrypted and the ransom demands made, the victim is allowed to decrypt a single file in order to ‘prove’ that their files will be returned once payment is made.

All things considered, Teslacrypt is a fairly standard example of ransomware, and so far only English-language versions have been observed.

CTB-Locker, on the other hand, is a little different. For a start, versions of the trojan have been identified in multiple languages, including English, French, German, Spanish, Italian, Dutch, and Latvian.

 

The authors make use of an affiliate program, whereby the infection process is outsourced to a network of partners in exchange of a cut of the profits. This distribution model has been extremely successful, achieving a huge number of infections, and generating significant revenues both for the authors and their affiliates.

 

Most alarmingly, because the affiliate model makes use of a large distribution network, a wide variety of infection vectors have been observed. Spam campaigns have likely accounted for the highest proportion of infections, but spear phishing attacks, exploit kits, and malicious advertisements are also commonplace.

 

But distribution isn’t the only interesting thing about CTB-Locker.

 

Unlike most ransomware, CTB-Locker is able to start encrypting files without contacting an external command and control (C&C) server. Because of this, no Internet connection is required until a victim attempts to decrypt their files.

 

Finally, by making use of Elliptic Curve Cryptography, CTB-Locker is able to make use of high-grade encryption whilst keeping the trojan’s file size to a minimum.

 Also-rans for Q1 2016 include Cryptowall, Cryaki, Scatter, Rakhni, Locky, Shade, iTorLock, and Mor.

 

 Why So Many?!

So what is it about ransomware that’s making it so popular?

 

First of all, it’s easy to use. Unlike banking trojans, which target secure systems and require significant customization for each target, ransomware is a one-size-fits-all affair, and can be widely distributed with minimal difficulty.

 

It’s also easy to get hold of. Take, for example, the screenshot below.

 

Taken from the dark web market HANSA, it shows just how easily (and cheaply) threat actors can get hold of ransomware trojans. It took less than two minutes to find this seller, and there are many others out there.
 

 
Ultimately, though, it comes down to money.

 

Ransomware has been tremendously effective. The authors and distributors of ransomware have collectively made a lot of money from it, with relatively few receiving any form of punishment. Not only is there no need to sell anything on, the rise of Bitcoin has made accepting payment a much simpler and less risky proposition.

And, of course, success begets success.

 

Hackers and criminal organizations all over the world have seen how effective the ransomware business model can be, and rushed to get in on the act.

Article source