Anti-Malware , Risk Management , Technology

FBI Warning: Ransomware Is Surging

Attackers Are Plowing Profits Back Into Code Development, Experts Warn
FBI Warning: Ransomware Is Surging

The FBI calls ransomware "a prevalent, increasing threat."

Chris Stangl, a section chief at the FBI's Cyber Division, tells The Wall Street Journal that the threat is compounded by the difficulty of arresting the cybercriminals involved.

See Also: Faster Payments, Faster Fraud?

Although authorities are pursuing the perpetrators behind multiple campaigns, many of them are located in Eastern Europe, outside the reach of U.S. extradition agreements (see How Do We Catch Cybercrime Kingpins?).

At the same time, many organizations and individuals are apparently failing to follow related recommendations from security experts, including using anti-malware software, keeping up-to-date backups on disconnected media and never paying ransoms (see Ransomware: 7 Defensive Strategies).

The FBI's Internet Crime Complaint Center will soon release statistics reporting that in 2015, it received complaints relating to 2,453 ransomware incidents, with victims paying a total of more than $24 million, The Wall Street Journal reports. Of course, that only reveals a fraction of the true scale of ransomware infections - or ransom payments - because it's based solely on those who report related losses to the FBI. Still, the figure is a sharp increase from last year. From April to December 2014, 1,838 victims reported total losses of $23.8 million to the FBI. The rise in attacks also parallels what security experts say has been a surge in cybercrime profits, thanks, in part, to ransom payments (see I Believe in Cybercrime Unicorns ).

Ransomware, of course, is a global problem. Furthermore, such attacks aren't the province of any single criminal group. Indeed, cybercriminals can buy or subscribe to various ransomware packages - CryptoWall, CTB-Locker, Locky, TeslaCrypt, TorrentLocker - to forcibly encrypt victims' PCs and demand a payoff in exchange for the decryption key. Those waging attacks typically demand payment in bitcoins, making the money trail more difficult for law enforcement agencies to follow (see Tougher to Use Bitcoin for Crime?).

Servers, Macs Under Fire

More recently, attackers have also begun to target Apple OS X systems using natively built ransomware called KeRanger, although the BitTorrent software in which the malware was hidden was reportedly downloaded only about 6,000 times before the related campaign was disrupted. There are no signs - at least yet - that attackers are trying again.

Servers are also at risk. In fact, a new variant of CTB-Locker known as Onion Ransomware is designed to target servers, Kaspersky Lab security researcher Ido Naor says in a blog post. If the ransomware is successful, the related, automated attack infrastructure displays a $150 ransom demand to generate the decryption key, typically on a highly visible, public-facing Web page generated by the server. The demand doubles to $300 if the ransom isn't paid quickly.

So far, Naor says, related infections have been seen on more than 70 servers located in 10 countries, but mostly in the United States.

Paying Doesn't Pay

The FBI's Stangl said that the bureau doesn't recommend paying ransoms under any circumstances, although that advice only goes so far. "The FBI can't tell somebody not to pay the ransom. That is a business decision to make, period," he said. "If the business needs to operate, they need to do something."

Many victims apparently do pay. Raj Samani, the CTO for Europe, the Middle East and Africa for Intel Security, said that together with the Cyber Threat Alliance, his firm found that criminals who employed CryptoWall version 3 earned massive profits. "The amount of money they made was at least $325 million U.S. dollars, and we had to peel back 40 layers of obfuscation" to reach that "conservative" estimate, Samani said in an interview at this month's RSA Conference in San Francisco.

Immediately after the researchers published a related report on CryptoWall 3 last year, attackers pulled the plug on that version, releasing an updated version 4 that was designed to be harder to detect.

As that suggests, attackers are plowing at least some of their profits back into code development. "What we found was the level of investment has actually gone in directly to innovating the next version or iteration of ransomware," Samani said.

Ransomware Gets Targeted

Most ransomware attacks, Samani said, are shotgun affairs: Criminals attempt to infect as many systems as possible and set a ransom amount that seems calculated to maximize profits as well as victims' propensity to pay. Some versions of CryptoWall 3, for example, demanded $700 in bitcoins for U.S. victims and $500 from victims in Israel, Mexico and Russia.

Intel Security researchers Christiaan Beek and Andrew Furtak write in a blog post that in 2015, they spotted the first ransomware campaign that was designed to target a specific sector - in this case, the financial services industry in an unspecified country. In addition, they report, attackers have been adapting their ransomware to make it more difficult to detect, for example by leaving out some of the traditional components and having their attack code download it later.

New Defenses Thwart Easy Decryption

When ransomware gangs get busted, or whenever security researchers are able to crack the crypto they're using, authorities typically release the decryption keys or related tools to help victims. But the ransomware employed in the targeted attacks seen by Intel Security was designed to complicate any such scenario. Instead of using a single private key to encrypt all files on a system, the attackers designed their ransomware to encrypt every file using a unique key.

"Now, if you have 10,000 files, there's 10,000 keys," Samani said. "And if you've infected a million people, well, my math isn't very good, but that's a lot of keys."

Attackers also seem to be taking a greater interest in targeting organizations that will pay larger ransoms.

Multiple healthcare organizations, for example, have recently paid off their ransomware attackers. In interviews at the RSA Conference, several security experts said they expect such behavior to drive even more cybercrime gangs to target the healthcare sector because hospitals are earning a reputation for being relatively easy marks (see: Hollywood Hospital Pays Ransom to Unlock Data).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network