Ransomware has been dominating the news for several weeks, and is likely to stay in the news for most of the year. Ransomware is a distinct type of cyber attack, in that it extorts payment from the victim in exchange for allowing access to something that was encrypted in the attack. The most prevalent type of malware used in this kind of crime is ‘crypto-ransomware’, which normally encrypts the files on the compromised system, and then demands a ransom in return for the ability to decrypt and recover the files. The latest iteration of crypto-ransomware is called Locky, and is the most advanced version of ransomware we have seen in the wild.
Ransomware isn’t new; the first piece of ransomware was distributed on 5¼-inch floppy disks through snail mail back in 1989 (pdf). It wasn’t very successful, but criminals obviously recognized the potential for generating revenue through extortion. Modern ransomware was first discovered in the wild in May of 2005, as a “low risk” Trojan horse named Trojan.Gpcoder. This Trojan would encode files and create an “ATTENTION.txt” file that contained the following message:
Some files are coded.
To buy decoder mail: [user]@yahoo.com
with subject: PGPcoder 000000000032
Early ransomware disguised itself as spyware removal or PC cleanup applications. These did not rely on encryption, but they damaged the PC and offered to fix the damage upon payment for the application. After a couple of years, these scams gave way to attacks using fake antivirus applications. These fake AV applications were similar to earlier ransomware attempts, but also attempted to trick users into paying for multiple years of support.
Encryption-based ransomware first came into prominence in 2011, in the form of malware that locked the victim out of the computer system itself. As defenses and recovery methods improved, ransomware evolved into the crypto-ransomware that is so prominent now. Three variants currently dominate the crypto-ransomware landscape:
- CryptoWall: The oldest of the three, it also has the greatest share of worldwide ransomware infections, at 83.45%.
- Locky: The most recent of the top three, it is also the fastest growing and the most advanced ransomware found in the wild. It captured 16.47% of all ransomware attacks between February 17 and March 2, 2016.
- TeslaCrypt: This malware was spread primarily through hijacked WordPress and Joomla sites, and represents 0.08% of all infections.
There are several reasons why ransomware attacks have been spreading so quickly over the last few years:
- The development of international payment systems like bitcoin has made it easier to transfer money anonymously.
- Encryption technologies have advanced and made it more difficult for victims to decrypt the seized data.
- The growth of Ransomware-as-a-Service allows low-skilled, inexperienced “hackers” to deploy their own ransomware attack. The service provider gets a percentage of any ransom collected from the victims.
- The maturing of cybercrime allows current attackers to model ransomware on other types of successful attacks.
- Ransomware payloads have been added to most exploit kits, which infect PCs through drive-by downloads without any human intervention.
- Computers that are already infected with malware may download and install new malware, including ransomware.
The growth in ransomware attacks is expected to continue throughout the year, and to expand to other platforms such as Macs, smartphones, and IoT endpoints. Even the most successful iterations of ransomware will keep evolving to stay ahead of defenses. Users should deploy multiple layers of protection to secure their networks:
- Advanced Threat Detection: suspicious or unknown files are executed in a sandbox environment prior to being forwarded to the user.
- Email protection: stop Email messages that carry ransomware and other attacks before they get to the inbox.
- Web filtering: prevent drive-by downloads and “phone home” activity with a web security gateway or other secure web filtering solution.
- Endpoint scanning: scan every file on the endpoint before it is used, so that malware is detected and the file is prevented from opening.
- Security policies: disable Office macros and other potential means of attack.
- Data backups: keep good backups of all data, and have a disaster recovery plan in place to recover from ransomware.
Cybercriminals do not seem to care who they target with ransomware attacks, as long as the victim is willing to pay. Organizations of all sizes have been targeted, with the health care sector taking an especially heavy hit recently. Several hospitals have confirmed ransomware attacks since the beginning of the year, including Hollywood Presbyterian Medical Center, Lukas Hospital, Klinikum Arnsberg, and the Ottawa Hospital, and three more US-based hospitals have confirmed ransomware attacks as well.