Ransomware: First files … now complete devices

A major threat to computer security is malicious code. In fact, over the years, it has become one of the main causes of security incidents, from the first viruses in 1986 to the most sophisticated malware of today. Recently, a particular type of malware, although not new, has become increasingly troublesome for both businesses and home users. It is known as ransomware.

Varieties of ransomware

Over the past year, cases of ransomware have gained prominence in the field of computer security due to a notable growth in the number of victims. This is, in turn, due to the significant profits that cybercriminals can obtain from this type of malicious campaign.

This form of attack may seem innovative, but it is not. In fact, the first widely-known case of ransomware goes back 25 years – PC Cyborg, aka the ‘AIDS trojan’, was malware that hid directories and encrypted the names of all the files on the C drive, thus making the system unusable. The victims were then requested to “renew their licenses” with a payment of $189.

Since then, new programs seeking to extort money from users have been identified which, unlike PC Cyborg’s symmetric encryption, used asymmetric encryption algorithms with larger keys. In 2005, GPCoder, and its subsequent variants, requested a payment ranging from $100 to $200 to recover files with specific extensions that had been encrypted.

However, this type of malicious code goes further and, in fact, there are groups of cybercriminals offering this kind of malware as a service. Ransomware as a Service (RaaS) has come to light through the prominence of tools that generate ransomware automatically, allowing criminals to produce this type of malware regardless of their technical expertise.

Similarly, with fairly recent news of the publication of Hidden Tear, the first open source ransomware, a new window has opened for the development of such malware and its variants. Consequently, we predict the creation of increasingly sophisticated and massively prevalent malware.

The increase in the number of variants

One of the highlights of ransomware evolution is the growth in the number of variants seen in recent years, targeting various platforms and technologies. The following chart shows that, as you might expect, Windows-related families are the ones that have been showing a year-on-year growth in terms of the number of detections.

Growth of variants for the Filecoder family (in the last five years)

But, in addition to Windows, variants have also been designed for other operating systems. Such is the case with OS X since, during 2015, variants of the families of Filecoders unique to these systems were detected. Other technologies such as VBS, Python, BAT and PowerShell are also used by cybercriminals to compromise users’ systems for profit.

Evolution of threats

Although, until now, operating systems for desktop computers or laptops have been discussed, these are not the only platforms that are exposed to this threat. Cases of ransomware have also been found to affect mobile devices, particularly those running Android (which is the mobile operating system with the most users worldwide).

The first Android-targeting families included fake antivirus with the ability to lock the screens of the devices. In 2014, ESET discovered Simplocker, the first Tor-enabled ransomware for Android that encrypts user files directly. In fact, the number of malware families detected during 2015 is 4% higher than the number detected during 2014. A small percentage increase in malware families can represent a huge increase in individual samples.

Distribution of the amount of Simplocker’s variants detected in the last two years

During 2015, ESET researchers discovered the first type of ransomware for Android that locks the screen by modifying the phone's unlock code, preventing the owner from accessing their own device. This is a significant change from the first trojans to lock Android screens, which constantly put up windows displaying the ransom demand in an infinite loop in the foreground.

As this mechanism was not technically very complex, some informed users easily bypassed it. As a result, cybercriminals stepped up their efforts and created new ransomware families intended to block access to the device. These new families, such as the one detected by ESET as LockerPIN, deprive users of an effective way to regain access to their devices without root privileges or an already-installed security management solution.

However, Android is not the only platform on which ransomware has evolved. In 2013, Cryptolocker rose to prominence on Windows computers due to the number of infections generated in various countries. Among its key features is encryption using RSA 2048-bit public key algorithms, targeting only files with certain filename extensions, as well as communication with a command and control (C&C) server through the Tor anonymous network.
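The Cryptolocker behaviour described above (rewriting user files that carry particular extensions, many of them in a short time) is what a defender can look for on an endpoint. The following is an added example, not code from ESET or the article: it runs a simple rate-based detector over a constructed file-system audit log, flagging any process that writes to, or renames away from their extension, at least MIN_FILES distinct targeted files within a WINDOW_SECONDS span. The log format, the pids and paths, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Extensions that file-encrypting ransomware commonly targets (assumption).
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg"}
WINDOW_SECONDS = 60   # per-process observation window (assumption)
MIN_FILES = 5         # distinct targeted files before alerting (assumption)

# Constructed audit events, "timestamp|pid|action|path[|new_path]" (not real data).
SAMPLE_EVENTS = """\
2015-01-20T10:00:01|4120|WRITE|C:\\Users\\ana\\Docs\\report.docx
2015-01-20T10:00:02|4120|WRITE|C:\\Users\\ana\\Docs\\budget.xlsx
2015-01-20T10:00:02|4120|RENAME|C:\\Users\\ana\\Docs\\budget.xlsx|C:\\Users\\ana\\Docs\\budget.xlsx.enc
2015-01-20T10:00:03|4120|WRITE|C:\\Users\\ana\\Docs\\invoice.pdf
2015-01-20T10:00:04|4120|WRITE|C:\\Users\\ana\\Pictures\\holiday.jpg
2015-01-20T10:00:05|4120|WRITE|C:\\Users\\ana\\Docs\\notes.doc
2015-01-20T10:00:05|4120|WRITE|C:\\Users\\ana\\Docs\\report.docx
2015-01-20T10:03:00|880|WRITE|C:\\Users\\ana\\Docs\\thesis.docx
2015-01-20T10:03:30|880|RENAME|C:\\Users\\ana\\Docs\\thesis.docx|C:\\Users\\ana\\Docs\\thesis_v2.docx
"""

def _ext(path):
    """Lower-cased extension of a Windows or POSIX path, or '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""

def find_suspicious(log_text, window=WINDOW_SECONDS, min_files=MIN_FILES):
    """Return {pid: sorted targeted files} for every process that rewrites
    >= min_files distinct targeted files within any `window`-second span."""
    first_seen = defaultdict(dict)            # pid -> {path: first timestamp}
    for line in log_text.strip().splitlines():
        ts, pid, action, *paths = line.split("|")
        src = paths[0]
        ext = _ext(src)
        if ext not in TARGET_EXTS:
            continue
        # A rename that keeps the extension (save-as, versioning) is benign here.
        renamed_away = action == "RENAME" and _ext(paths[1]) != ext
        if action == "WRITE" or renamed_away:
            first_seen[pid].setdefault(src, datetime.fromisoformat(ts))
    alerts = {}
    for pid, files in first_seen.items():
        times = sorted(files.values())
        for i, start in enumerate(times):     # sliding window over first-seen times
            inside = sum(1 for t in times[i:] if (t - start).total_seconds() <= window)
            if inside >= min_files:
                alerts[pid] = sorted(files)
                break
    return alerts
```

On the constructed sample only pid 4120 is reported; the word processor (pid 880) that rewrites one document and renames it with the same extension stays below the threshold.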

“It seems that this type of malicious code is here to stay and will surely continue mutating in the coming years.”

In 2015, a new wave of ransomware was identified with the appearance of CTB-Locker, downloaded to the victim’s computer using a TrojanDownloader, as witnessed in January 2015 with Win32/TrojanDownloader.Elenoocka.

Among its various versions, there was one with messages and payment instructions targeting Spanish-speaking countries.

These developments lead us to believe that ransomware has not yet found a limit, either in the number of victims that could be reached or in the complexity that its code and forms of attack could attain. It seems that this type of malicious code is here to stay and will surely continue mutating in the coming years.

From the computer to the TV

So far, the evolution of this threat is evident from its large number of variants, with increasingly complex mechanisms that make it almost impossible to retrieve the information unless payment is made to the attacker – a practice that fosters criminality. It is even possible that the victim pays without receiving a recovery key, or that no legitimate technical support would be able to recover the files, since the encryption is not susceptible to a brute-force attack.

“In the last months of 2015, there was a significant growth in ransomware that focuses on equipment associated with the IoT.”

The threat has also diversified in terms of approach and vector. In the last months of 2015, for example, there was a significant growth in ransomware that focuses on equipment associated with the Internet of Things (IoT). Various devices, such as smart watches or smart televisions, are likely to be compromised by malicious software of this type, mainly those that operate on Android.

But IoT encompasses more than watches and televisions. Products ranging from automobiles to refrigerators already have the ability to connect to the internet and all their operations are controlled by some form of CPU.

In other words, they are computerized. While there are many devices for which no threats have yet been found, their operation involves a software or firmware component and an internet connection. Attackers may therefore be attracted to them and may be able to misuse them in order to obtain valuable information.

Proof-of-concept tests have already been performed in which, for example, control of an automobile was successfully taken from a remote location. For this reason, if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return it. Perhaps this is not a threat that we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

Conclusion: The same goal for another threat

In recent years, the seizure of information stored by users and companies on various platforms has become one of the most notable trends. The impact it can have on users, by preventing them from accessing all their information due to the action of malicious code, is of growing concern.

It is one of the most concerning types of security incidents for two reasons: first, it takes full advantage of situations where a company lacks an effective backup strategy, and second, the success of this type of attack has led cybercriminals to extend it beyond Windows systems and mobile devices. Its increasing impact has made it one of the greatest current concerns of consumers and companies alike.

During 2015, we have seen large ransomware campaigns in multiple languages, as was the case with CTB-Locker in January 2015, which must not be viewed as an isolated event.

Cybercriminals seek to convince users to accede to their threats by encrypting their files and seizing their information, and this is something that is likely to continue happening. As technology has evolved, the protection mechanisms to counter threats such as ransomware have improved based on experience, and they must be accompanied by user management and education.

However, not all devices can be protected with a security solution, and this threatens to become a future risk for consumers and companies. Based on these points, by 2016, we expect to see more ransomware campaigns trying to exploit new attack surfaces by prohibiting users from accessing their information or services. The increasing trend toward more and more devices being supplied with an internet connection provides cybercriminals with a greater variety of devices that might be attacked.

“The challenge is not only to detect and block or remove such attacks, but also to ensure the continuing availability of information.”

From the security side, the challenge is not only to detect and block or remove such attacks, but also to ensure the continuing availability of information. In the near future, network security, the prevention of exploits, and the appropriate configuration of devices will take on greater importance to prevent such attacks, so that users can enjoy the technology.

We are on our way towards a fivefold increase in the number of devices connected to the internet over the next five years, reaching 25 billion online devices, so the challenge is to protect them properly against this type of attack.

This article is an adapted version of the corresponding section from ESET’s 2016 trends paper, (In)security Everywhere.

Copyright © 2016 ESET, All Rights Reserved.