A More Courteous Kidnapper? Ransomware Changes Tactics

With an eye to the short term, cybercriminals turn to ransomware, forcing users to pay up or face long clean-up times -- but forgo the full encryption of data that made past attacks so vicious

Dark Reading Staff, Dark Reading

November 21, 2012

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Five years ago, ransomware threats were rare and took the brutal tactic of encrypting data on the hard drive. In most cases, the cybercriminals made technical mistakes, allowing antivirus firms the chance to decrypt the information and restore their customers' data. Yet well-built ransomware could turn a company's entire digital business into a scrambled mess, with only backups on which to rely.

While some businesses continue to run into encrypting ransomware, today's digital kidnappers have largely taken a different tack, changing startup files to block a user from doing anything, but leaving most of the data intact. The move from an uncompromising tactic to one that is recoverable by the technically savvy is only one way that ransomware has evolved, combining tactics from older threats with the more recent strategies of fake antivirus scams.

"Like fake AV, ransomware basically botches up your machine and then says, 'We have determined that your machine is infected, pay us to clean it up,'" says Adam Wosotowsky, a malware researcher with security firm McAfee, a subsidiary of Intel. "Ransomware is a continued evolution of that scheme to get money. If you want control of your machine back, then you need to pay some money."

It's a tactic that is become quite popular as well, with a number of quarterly reports from security firms highlighting the increased incidence of the threat. McAfee documented a three-fold increase in ransomware samples, to more than 200,000, in the third quarter of 2012 compared to the same quarter a year ago. Symantec recently estimated that a single ransomware scheme could profit criminals $5 million in a single year if left unchecked.

[The latest brand of ransomware attacks has been on the rise over the past year across in Western Europe, the U.S., and Canada. See Ransomware Scams Net $5 Million Per Year.]

The latest variant of ransomware seizes control of a victim's computer and displays a notice seemingly from the police in whichever country the victim resides, accusing the user of accessing illegal pornography. Then comes the threat: Pay $200 or law enforcement will arrive within 72 hours. The scam started hitting victims in Germany first, moving onto other Western European countries and, recently, started focusing on North American computer users as well as those in Australia.

A Short-Term Payoff...
The current ransomware trend is fueled by economics. While large botnets can make much more money on click fraud or other low-profile schemes, burning a botnet to install ransomware is an attractive option for smaller bot operators.

If only 3 percent of victims pay the ransom, and bot operators get two-thirds of each $200 fee -- both the current trends -- a relatively small botnet can make a good amount of money, says Vikram Thakur, principal security response manager for Symantec.

"The botmasters realized that they can make a lot more with a 3 percent conversion rate than running their bots for a year," he says.

Moving from past tactics that encrypted a victim's data unless they paid also benefits the criminals. Companies and other bastions of technical prowess can recover important data from machines. If criminals had stuck with encrypting data, then they would have added large companies -- and their technical resources -- to the list of groups trying to hunt them down.

Because of ransomware's obvious infection tactics, however, victims cannot help but realize their systems are infected, and those efforts will shorten the useful life of any botnet that installs ransomware.

But A Loss In The Long Term?
The in-your-face approach is not the only part of the ransomware strategy that will pressure the cybercriminals behind it to eventually curtail their efforts.

Using notices that appear to come from law enforcement are a critical mistake and will likely lead to an aggressive push for arrests in many of the cases, says Symantec's Thakur. The notices have created an image problem for law enforcement, and the organizations are not happy about it, he says.

"The in-your-face methodology that ransomware uses puts those criminal in the spotlight for a lot of law-enforcement investigations across the globe," Thakur says. "In the last year, the ransomware actors have really pushed the buttons of law enforcement, not just for doing ransomware, but for doing it under the pretext of different law enforcement agencies."

With ransomware spotlighting the botnets that employ it and law enforcement hunting down the criminals responsible, the rise of ransomware may just as quickly turn into a decline.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

2012

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights