Ransomware as a Service fuels explosive growth

The ease and minimal expense of launching a ransomware “career” means that just about anyone, including those with little or no IT experience, can become a successful cyber criminal

ransom service
Credit: Thinkstock

Believe it – you too can become a successful cyber criminal! It’s easy! It’s cheap! It’s short hours for big bucks! No need to spend years on boring things like learning how to write code or develop software.

Just download our simple ransomware toolkit and we can have you up and running in hours – stealing hundreds or thousands of dollars from people in other countries, all from the comfort of your home office – or your parents’ basement. Sit back and watch the Bitcoin roll in!

OK, that’s not the literal pitch coming from the developers of ransomware. But, given the rise of Ransomware as a Service (RaaS) – a business model in which malware authors enlist “distributors” to spread the infections and then take a cut of the profits – it sounds like it could be a candidate for the kind of “direct-response” TV ads that made the late pitchman Billy Mays famous.

As Trend Micro put it more soberly in a recent blog post, “Potential distributors don’t even need much capital or technical expertise to start; even those without coding experience can launch a ransomware campaign.” Indeed, the cost of some ransomware packages is less than $100.

In other words, just about anybody can do it.

All of which, until the recent ransomware attack on San Francisco's Municipal Transportation Agency (MTA), has seemed to be happening a bit under the radar.

With high-profile Distributed Denial of Service (DDoS) attacks like the one against Internet backbone provider Dyn grabbing most of the recent headlines, you could be forgiven for thinking that ransomware might be on the decline.

But the reality is just the opposite, according to various experts and studies.

According to a white paper from Osterman Research, it is at “epidemic” levels, with nearly 50% of US companies experiencing a ransomware attack during the past year.

And a Trend Micro report released in August found that about 80 new ransomware "families" – an increase of 172 percent – were discovered in the first half of 2016. A single, older version of the CryptoWall family brought in an estimated $325 million in 2015.

Ed Cabrera, chief cybersecurity officer at Trend Micro, said things have become markedly worse since that report. He said at the end of September, the increase was 400 percent. “In 2015, there had been 29 families observed, and as of September, we have observed and blocked 145 families,” he said.

edcabrera

Ed Cabrera, chief cybersecurity officer, Trend Micro

That is no surprise to Andrew Hay, CISO at DataGravity, who said a DDoS attack tends to get more publicity because, “it affects all users of a product or service, so the news of its impact spreads at the speed of typical internet news.

“Ransomware, conversely, is often hidden from people outside the company until the company, attacker or affected customers release details,” he said.

Javvad Malik, security advocate at AlienVault, has a similar take on it. Many companies don’t report ransomware attacks, he said, while DDoS attacks are, “by design, intended to be as publicly visible as possible.”

javvadmalik

Javvad Malik, security advocate, AlienVault

But they agree, ransomware is a growth industry. “I don’t think it has peaked. I think it is just getting started,” said Christopher Hadnagy, chief human hacker at Social-Engineer. “I still hear of lots of accounts of companies left to either pay or start over.”

And Orla Cox, director of security intelligence delivery at Symantec, said not only has the number of attacks increased, but the demanded ransom has as well.

“The average ransom demand has more than doubled, and is now $679 (US dollars), up from $294 at the end of 2015,” she said.

[ MORE ON CSO: The history of ransomware ]

She added that 2016, "has also seen a new record in terms of ransom demands, with a threat known as 7ev3n-HONE$T (Trojan.Cryptolocker.AD),” which demands a ransom of 13 Bitcoin per computer, or $5,083 at the time of discovery in January.

One reason for that explosive growth is probably because, even with headlines and continuous warnings about it, most individuals and organizations remain woefully vulnerable. Even if protection is available, they don’t always use it.

orlacox

Orla Cox, director, Security Intelligence Delivery, Symantec

The recent attack on the San Francisco MTA (known as “Muni”) is an example. Security researcher and blogger Brian Krebs noted in a recent post that the attacker actually advised his victims to, “Read this and install patch before you connect your server to internet again,” with a link to an advisory Oracle issued about a vulnerability in its Oracle WebLogic Server.

Oracle had made that patch available on Nov. 10, 2015 – more than a year ago.

Another reason for ransomware’s success is that it takes time for security researchers to decrypt the files so they can provide solutions that will block them.

That work is ongoing. Malik said once researchers can break into the software, “they are able to create signatures or indicators of compromise.”

A collaborative effort is by the Cyber Threat Alliance (CTA), founded by security vendors Fortinet, Intel Security, Palo Alto Networks and Symantec, which has used shared threat intelligence – in its words, “a huge effort of pooling the Alliance’s collective resources,” to track and analyze the CryptoWal family.

According to the alliance, the effort led to “enhanced protection against this threat with each member’s individual products,” plus building public awareness through its reports.”

Other experts applaud sharing threat data, but note that it remains reactive – the updates, patches and other tools to block malware don’t show up until after the threat has already caused plenty of damage.

Hay said antivirus and antimalware products are good at, “protecting the low-hanging fruit,” but the threats evolve too quickly for any tool to offer 100 percent protection.

He added that while he supports the goals of the CTA, “it is a members-only club. To join that club, you must provide a minimum of 1,000 unique malware executables daily that do not overlap with VirusTotal.

“This high barrier to entry means that while the goals of the alliance are good, it’s simply not inclusive enough to help those affected,” he said. “A better solution would be to open the doors and let vetted organizations and researchers contribute and work with the samples.”

Cabrera called the sharing of threat information “critical to combating all cyber threats.”

[ RELATED: Tricks that ransomware uses to fool you ]

But he said the reality is that, “due to the dynamic nature of these threats obtaining and sharing actionable intelligence in a timely manner is the biggest challenge.”

He, like all experts, agreed that there is no “silver bullet” that will block all threats. But he said, “a layered, connected threat defense that protects endpoint, network and cloud infrastructure,” will at least allow organizations to manage the ransomware threat.

The best solutions, however, are the preventive ones, which include:

  • Install software patches and updates as soon as they are available.
  • Become savvy enough not to fall victim to phishing emails. “Be wary of unexpected emails especially if they contain links and/or attachments,” Cox said, adding that users should be especially careful of any Microsoft Office email attachment that advises enabling macros to view content. “Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros,” she said.
  • Do regular backups – and make sure those have added protection or are stored offline.

Hay said organizations can start by limiting access to their most important data and then rigorously monitor the network for anomalies.

“When these anomalies are detected, you can automatically create copies of your files in a safe location,” he said, but added that it is also important to test the restoration of backups. “The last thing you want in the midst of an incident is to learn that your backups don’t work,” he said.

Finally, experts are mixed on the wisdom of paying the demanded ransom.

Hadnagy and Cox take the hard line. “Never,” Hadnagy said. “Sadly many times even if the ransom is paid they do not unlock the files. It seems that if the ransom is paid the criminals learn it is good business and continue this type of attacks.”

Cox agreed, for the same reasons – no guarantee that files will be unlocked, and increased likelihood of being attacked again.

Cabrera added that even if the attacker provides the encryption key, he could have already exfiltrated data, and then sell it on the Deep Web.

Others agree that it is a bad idea, but say there are times it could be the only feasible idea.

Malik said paying, “should be an absolute last resort.”

And Hay said his “security side” would dictate that victims never pay, since that will simply encourage another attack with a larger ransom demand.

But he said his “business side” knows that, “if the business cannot continue to operate without paying the ransom, they’ll pay the ransom.”

To comment on this story, head over to Facebook.

Cybersecurity market research: Top 15 statistics for 2017