More than 312,000 unique samples of ransomware appeared during Q3 last year, according to McAfee Labs Threat Report: Third Quarter 2013. "We see virtual currencies also experiencing massive growth," says Raj Samani, EMEA CTO, McAfee. With hackers combining the virtually untraceable currencies with ransomware attacks to ease fee collection, enterprise and end-user losses are certain to also multiply.
Without proper protection, enterprises, employees and consumers will either reach for their e-wallets or face losing something worth far more than the typical US$300 ransom. Thankfully, those protections are within reach.
By combining user education with technical security measures, the enterprise can safeguard its people and itself against costly, embarrassing losses.
Ransomware update
"We categorize ransomware as either police-themed or encryptors," says Sean Sullivan, Security Advisor, F-Secure. Police-themed ransomware uses images from law enforcement websites in order to reinforce claims that the attack comes from a legitimate law enforcement authority and that the victim must pay a 'fine' in order to restore data access, according to Sullivan.
The police-themed variants lock the browser or the desktop. Because they do not encrypt anything, the data on the system can be recovered. "The encryptors are the more serious threat as this malware cannot be undone," says Sullivan.
The best-known example is the notorious Cryptolocker, the most successful ransomware family to date and the product of a steady evolution. "Historically, we've seen ransomware based in browser hijacks but Cryptolocker was the tipping point where we started to see the use of encryption and of making corporate data less available," says Samani.
Encryptors like Cryptolocker do not discriminate, locking up corporate data as well. "With the greater adoption of corporate data on consumer devices (BYOD) comes an increasing risk of ransomware holding corporate data for ransom," says Samani. McAfee anticipates a migration of ransomware from the traditional PC platform to the mobile platform this year, according to Samani.
Other ransomware families and variants include the Reveton versions McAfee detects as Ransom-FFK!, Ransom-FFM!, Ransom-FFN!, Ransom-FFO! and Ransom-FFQ!, as well as F-Secure's Trojan:W32/Reveton, Trojan:W32:Ransom (aka Urausy) and Trojan:W32/RansomCrypt.A. There is no exhaustive list.
Ransomware insertion and operation
Ransomware delivery is complex. "At this point, the entire crimeware ecosystem is commoditized," says Sullivan. According to Sullivan, spam gangs create traps for users in the form of spam, which links to servers run by another gang. Those servers determine the user's OS and redirect the traffic to the appropriate exploit servers run by another gang, which house exploits that work on that type of system. An exploit kit from that server drops malware on to the system, creating a bot.
"The hackers then sell the resulting botnets," says Sullivan. Hackers who deal in ransomware buy the compromised endpoints and drop their attacks on the victim machines.
Once an encryptor activates on a system, it encrypts the user's files (on local disks and, in Cryptolocker's case, on mapped network shares as well) and displays a message informing the user that the attacker is holding their data hostage. The key needed to decrypt the files never leaves the attacker's server; the note warns that if the victim does not pay for it by the stated deadline, the attacker will destroy the key and the data will stay locked indefinitely.
Virtual currencies and hacker advantages
Hackers typically collect ransomware payments through either virtual currencies or electronic money platforms. "Virtual currencies leverage an inventive unit of currency such as Bitcoin," says Samani. Virtual currencies are far more attractive to the attacker than electronic money because they offer greater financial stealth.
Bitcoin is the leading virtual currency. "Bitcoin is the first real alternative that hackers have pushed directly at victims (past examples such as Liberty Reserve were traded between crimeware vendors)," says Sullivan. Hackers previously demanded payment through anonymous wire transfer services and e-cash systems. "Hackers use PaysafeCard and UKash in Europe. They also use Green.dot/MoneyPak and MoneyGram via CVS in the U.S.," says Sullivan.
"The allure of Bitcoin is that it is a decentralized peer-to-peer model for virtual currency. I can pay you and I don't have to go through a centralized model to do it," says Samani. Earlier currencies were centrally operated, which gave law enforcement a specific operator and location to target in order to bring the currency down, as happened with Liberty Reserve in 2013.
By using virtual currencies such as Bitcoin, hackers receive payment almost instantaneously. Creating a Bitcoin address requires no registration at all, and the exchanges victims buy coins from often demand little verification, so these payment methods are largely anonymous in practice.
"The University of San Diego tried to reverse engineer an individual Bitcoin payment and realized that they were unable to identify the specific individuals behind the transactions," says Samani. Bitcoin is pseudonymous rather than anonymous: every transaction is recorded in the public block chain, but an address is just a hash of a key and is tied to a person only if an exchange or other intermediary links the two. That is harder to trace than an electronic money transaction and gives hackers the stealth they crave when taking payments from ransomware victims. Payments are also irrevocable, so the victim cannot get their money back, and paying is no guarantee that the decryption key will actually be delivered.
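Because a Bitcoin address carries no identity, the practical handle an incident responder has is the address itself, which can be recorded as an indicator, shared with law enforcement and watched on the public ledger. The script below, an added example rather than code from the article or from McAfee or F-Secure, pulls address-shaped tokens out of a ransom note and verifies their Base58Check checksum (four bytes of SHA256(SHA256(version || hash))) so that mistyped or deliberately mangled addresses are not recorded as indicators. The ransom note is constructed, and its address is derived from a constructed 20-byte value standing in for HASH160 of a public key, not from any real key.

```python
"""Extract Bitcoin payment addresses from a ransom note and verify their
Base58Check checksums before recording them as indicators.

Added example, not code from the article or from McAfee/F-Secure. The note
is constructed, and its address is built from a constructed 20-byte hash."""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# P2PKH ('1...') and P2SH ('3...') addresses: 26-35 Base58 characters in total.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def checksum(payload):
    """First four bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode(data):
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits  # every leading 0x00 byte encodes as '1'


def b58decode(text, length=25):
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a Base58 character: %r" % ch)
        n = n * 58 + idx
    raw = n.to_bytes(length, "big")  # OverflowError if the value is too large
    leading_ones = len(text) - len(text.lstrip("1"))
    if leading_ones != len(raw) - len(raw.lstrip(b"\x00")):
        raise ValueError("leading '1' count does not match leading zero bytes")
    return raw


def make_address(hash160, version=0x00):
    """Build a mainnet address: version byte || hash160 || 4-byte checksum."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def is_valid_address(text):
    """True only for a mainnet P2PKH/P2SH address whose checksum verifies."""
    try:
        raw = b58decode(text)
    except (ValueError, OverflowError):
        return False
    return raw[0] in (0x00, 0x05) and checksum(raw[:21]) == raw[21:]


def extract_addresses(note):
    """Return (address, checksum_ok) for every address-shaped token in the note."""
    return [(m, is_valid_address(m)) for m in ADDRESS_RE.findall(note)]


# Constructed inputs: a stand-in for HASH160(pubkey), the address built from it,
# and a copy of that address with its final character altered (a typo).
SAMPLE_HASH160 = hashlib.sha256(b"constructed sample public key").digest()[:20]
SAMPLE_ADDRESS = make_address(SAMPLE_HASH160)
TYPO_ADDRESS = SAMPLE_ADDRESS[:-1] + ("2" if SAMPLE_ADDRESS[-1] != "2" else "3")
SAMPLE_NOTE = (
    "Your files have been encrypted. To obtain the key, send 2 BTC to "
    f"{SAMPLE_ADDRESS} within 72 hours or the key will be destroyed."
)
MISTYPED_NOTE = SAMPLE_NOTE.replace(SAMPLE_ADDRESS, TYPO_ADDRESS)

if __name__ == "__main__":
    for note in (SAMPLE_NOTE, MISTYPED_NOTE):
        for addr, ok in extract_addresses(note):
            print(addr, "checksum ok" if ok else "CHECKSUM FAILED")
```

The checksum check tells you only that the string is a well-formed address, not who controls it; linking it to a person still depends on the block chain's public transaction graph and on whichever exchange eventually cashes the coins out, which is exactly where law enforcement cooperation comes in.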
Fighting virtual currency-enabled ransomware
Hackers using virtual currencies with ransomware attacks create challenges for enterprises. "Using virtual currencies almost certainly makes it more difficult for enterprises to work with law enforcement in determining the attacker," says Sullivan. And as early adopters, hackers can take advantage of the learning curve that is limiting law enforcement until authorities figure out how to trace virtual currency transactions.
To prevent ransomware, continue to educate users not to click on suspicious links, and teach them what makes a link suspicious rather than assuming they already know. Test their knowledge and reinforce positive learning and behavior. Limit negative behavior with policies and policy enforcement, both technical and managerial.
Enterprises should focus on blocking the front end of the crimeware ecosystem using anti-spam and anti-exploit technologies and rigorous software updates. Anti-adware technologies and ad-blocking approaches such as the hosts files maintained by Microsoft Most Valuable Professionals (Windows only) help address malvertising, which sprinkles bogus ads among legitimate advertising to lure people into clicking a link and downloading ransomware or other malware. A hosts-file blocklist works by pointing known ad and malware domains at an unroutable address, so the browser never reaches the redirect server that would hand it on to an exploit kit.
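The script below, an added example (not code from the article or from F-Secure or McAfee), ties the delivery chain described in the "Ransomware insertion and operation" section to the hosts-file advice above. It walks Referer headers in proxy logs backwards from each executable download to the page that started the chain, lists the hosts traversed (page, ad network, traffic-distribution server, exploit kit) and reports the first hop that a hosts-file blocklist would have stopped. The log lines, the hosts file and every domain (all under the reserved .test TLD) are constructed for illustration; the log format is a simplified one assumed for the example, not any particular proxy's native format.

```python
"""Reconstruct the redirect chain behind a malware download from proxy logs and
check each hop against a hosts-file blocklist.

Added example, not code from the article or from F-Secure/McAfee. Log lines,
hosts file and all domains (reserved .test TLD) are constructed."""
from urllib.parse import urlsplit

# Constructed excerpt in the style of an MVPS-type hosts file: each entry maps an
# ad/malware domain to an unroutable address so the browser never reaches it.
HOSTS_FILE = """\
# hosts-file blocklist (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example-adnetwork.test
0.0.0.0 tracker.example-adnetwork.test
"""

# Constructed proxy log (assumed format): timestamp client method URL status Referer.
# '-' means no Referer. The first client follows the chain described above: a
# legitimate page pulls an ad, the ad redirects to a traffic-distribution server,
# which sends the browser to the exploit kit, which serves the payload. The second
# client fetches an installer from the intranet, a benign one-hop "chain".
LOG_LINES = """\
2014-02-10T09:14:02Z 10.0.0.5 GET http://news.example.test/article 200 -
2014-02-10T09:14:02Z 10.0.0.5 GET http://ads.example-adnetwork.test/serve?id=7 302 http://news.example.test/article
2014-02-10T09:14:03Z 10.0.0.5 GET http://landing.example-tds.test/go.php 302 http://ads.example-adnetwork.test/serve?id=7
2014-02-10T09:14:03Z 10.0.0.5 GET http://ek.example-exploit.test/index.php?q=abc 200 http://landing.example-tds.test/go.php
2014-02-10T09:14:05Z 10.0.0.5 GET http://ek.example-exploit.test/load.jar 200 http://ek.example-exploit.test/index.php?q=abc
2014-02-10T09:14:06Z 10.0.0.5 GET http://ek.example-exploit.test/dropper.exe 200 http://ek.example-exploit.test/index.php?q=abc
2014-02-10T09:15:00Z 10.0.0.9 GET http://intranet.example.test/update.exe 200 http://intranet.example.test/
""".strip().splitlines()

PAYLOAD_EXT = (".exe", ".jar", ".swf", ".scr")


def load_blocklist(text):
    """Hostnames the hosts file sinkholes (entries for 0.0.0.0 or 127.0.0.1),
    ignoring comments and the localhost entry itself."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower() for h in hosts if h != "localhost")
    return blocked


def parse_line(line):
    ts, client, method, url, status, referer = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": None if referer == "-" else referer}


def reconstruct_chains(lines, blocklist):
    """For every payload download, follow Referer headers back to the page that
    started the chain; report the hosts traversed and the first blocked hop."""
    records = [parse_line(l) for l in lines]
    referer_of = {}  # first-seen Referer per (client, url)
    for r in records:
        referer_of.setdefault((r["client"], r["url"]), r["referer"])
    findings = []
    for r in records:
        if not urlsplit(r["url"]).path.lower().endswith(PAYLOAD_EXT):
            continue
        chain, seen = [r["url"]], {r["url"]}
        ref = r["referer"]
        while ref and ref not in seen:  # stop at the origin page or on a loop
            chain.append(ref)
            seen.add(ref)
            ref = referer_of.get((r["client"], ref))
        chain.reverse()
        hosts = []
        for u in chain:  # collapse consecutive requests to the same host
            h = urlsplit(u).hostname
            if not hosts or hosts[-1] != h:
                hosts.append(h)
        findings.append({"client": r["client"], "payload": r["url"], "hosts": hosts,
                         "blocked_at": next((h for h in hosts if h in blocklist), None)})
    return findings


if __name__ == "__main__":
    for f in reconstruct_chains(LOG_LINES, load_blocklist(HOSTS_FILE)):
        print(f["client"], "->", " > ".join(f["hosts"]), "| blocked at:", f["blocked_at"])
```

A chain that crosses several unrelated hosts and ends in an executable is the pattern to hunt for; a one-hop download from an internal server is usually noise. The reconstruction depends on the Referer header, so redirects done via JavaScript or meta refresh on pages that strip the header will show up as shorter chains than the browser actually followed.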
System hardening is important. Enterprises supporting BYOD can refer to mobile device hardening guidance from Apple, and Android publishes documentation on its security features. As of this writing, the University of Texas at Austin offers valid hardening checklists for iOS and Android. IT should already have all systems under its control hardened.
The less software you have installed, the less software you need to update and the smaller your attack surface will be. "If an enterprise or employee doesn't require a particular browser plug-in, for example, they should uninstall it," says Sullivan.
If system-locker ransomware hits a machine, reimaging the computer is a very good option. Keep important files backed up on network drives and monitor those drives with AV. "That way only a little work will be lost if a hard drive is compromised by ransomware," says Sullivan. Note that encryptors such as Cryptolocker also encrypt files on mapped network drives, so a live network copy is not a backup by itself; keep versioned or offline copies as well.
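Monitoring a share with AV catches known samples; a complementary check that needs no signature is to watch the files themselves, because encryptor output is statistically indistinguishable from random data. The script below is an added example (not code from the article, F-Secure or McAfee): it walks a directory, measures the Shannon entropy of each file's first 64 KB, skips extensions that are legitimately high-entropy (archives, images, Office containers) and raises an alert when a large share of the remaining files score close to 8 bits per byte. The sample tree it scans is constructed in a temporary directory, and the thresholds are assumptions to tune for your own data.

```python
"""Spot encryptor activity on a file share or backup target by file entropy.

Added example, not from the article, F-Secure or McAfee. The sample tree is
constructed in a temporary directory; thresholds are assumed starting points."""
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5   # bits/byte; text scores ~4-5, encrypted or compressed data ~7.9+
ALERT_RATIO = 0.3    # alert if this share of checked files is near-random
# Formats that are high-entropy by design and must not count as "encrypted".
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4",
                  ".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte (0.0 for a uniform run, 8.0 max)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def scan_tree(root, sample_bytes=65536):
    """Return (suspicious, examined). suspicious holds (relative path, entropy)
    for files that are not known compressed formats yet look random."""
    suspicious, examined = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(sample_bytes)
            examined += 1
            if os.path.splitext(name)[1].lower() in COMPRESSED_EXT:
                continue
            h = shannon_entropy(data)
            if h >= HIGH_ENTROPY:
                suspicious.append((os.path.relpath(path, root), round(h, 2)))
    return suspicious, examined


def ratio_alert(suspicious, examined, threshold=ALERT_RATIO):
    """True when enough of the tree looks encrypted to warrant an alert."""
    return examined > 0 and len(suspicious) / examined >= threshold


def build_sample_tree():
    """Constructed share: ordinary documents, one real archive, and three files
    overwritten with random bytes the way an encryptor would leave them."""
    root = tempfile.mkdtemp(prefix="share-")
    for i in range(3):  # low-entropy "reports"
        with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
            fh.write("Quarterly figures and commentary. " * 200)
    with open(os.path.join(root, "photos.zip"), "wb") as fh:  # legit high entropy
        fh.write(os.urandom(4096))
    # Encryptor output: two files renamed with an added extension, one kept as-is.
    for name in ("budget.xlsx.encrypted", "contract.docx.encrypted", "notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found, checked = scan_tree(root)
    for path, h in found:
        print(f"{path}: {h} bits/byte")
    print("ALERT" if ratio_alert(found, checked) else "ok", f"({len(found)}/{checked})")
```

Run it from a scheduled task against the backup share and page on the alert, not on individual files; a single high-entropy file is common, a third of the tree turning random overnight is not. The check misses encryptors that leave file headers intact or encrypt only part of each file, so treat it as one signal alongside AV and backup integrity checks rather than a replacement for them.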
Leverage file and document management systems to limit the damage ransomware can do. A document management system with version control on a separate server protects data from ransomware, unless of course the document server itself is infected. "Even then, mirroring that data and creating nightly backups should protect against ransomware," says Sullivan.
If an encryptor infects a machine, check very carefully that it has not reached other machines or shared drives on the network. Then go back and close the hole that let it in, whether an unpatched plug-in on the endpoint or a gap in the enterprise perimeter.