Sophistication Makes Ransomware Harder to Spot

By Denise Johnson | March 2, 2016

Ransomware is expected to remain a growing threat in 2016, according to the McAfee Labs 2016 Threat Predictions report, issued late last year. The report stated that with “new variants and the success of the ‘ransomware-as-a-service’ business model, we predict that the rise of ransomware that started in the third quarter of 2014 will continue in 2016.”

Attacks against the financial sector and local government are expected to rise because of these organizations' need to maintain critical systems operations and their willingness to pay ransoms quickly.

The malware came into the spotlight once again when a California hospital reported that its medical records had been locked down and it paid a $17,000 ransom to regain access.

Global IT security company Trend Micro defines ransomware as a way of preventing or limiting users from accessing systems until a ransom is paid via an online payment system.

Hackers typically target wealthy countries where ransom is likely to be paid.

According to data from the FBI’s Internet Crime Complaint Center (IC3), CryptoWall is the main ransomware threat targeting private individuals and businesses in the U.S. The investigative agency’s data indicated that since April 2014, various forms of CryptoWall have been used to target U.S. victims.

The agency noted that the financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers. Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling more than $18 million.

In addition to the financial implications, businesses affected by ransomware may suffer temporary or permanent loss of sensitive or proprietary information, business interruption and reputational harm.

Tricky to avoid, ransomware can be unwittingly downloaded via visits to compromised websites, through spammed email web attachments or through a payload download. The first sign of an issue is when a computer owner or user encounters a locked screen or encrypted files. The malware was first reported in Russia around 2005, according to Trend Micro’s account of the history of ransomware.

When ransomware was first discovered, computers typically became infected when users opened email attachments that contained the malware, according to the Federal Bureau of Investigation. But more recently, the agency has noted an increased number of incidents involving “drive-by” ransomware, where users – lured by a deceptive e-mail or pop-up window – infect their computers by clicking on a compromised website.

The way the ransom is paid is also evolving. While some earlier ransomware scams involved having victims pay “ransom” with pre-paid cards, the agency said there has been an increase in victims being asked to pay with Bitcoin, a virtual currency attractive to criminals because of the anonymity it offers.

The FBI also noted that mobile phones are now being targeted by hackers seeking payment to unlock them.

In its report, McAfee Labs said that last year ransomware-as-a-service was hosted on the Tor network, which enables anonymous communication, and used virtual currencies for payments. The anonymity the network offers means that there will likely be an increase in inexperienced cybercriminals using the service, the report noted.

As use of the malware increases, the company expects variations in the types of ransomware to expand.

“Although a few families—including CryptoWall 3, CTB-Locker, and CryptoLocker—dominate the current ransomware landscape, we predict that new variants of these families and new families will surface with new stealth functionalities. For example, new variants may start to silently encrypt data,” stated the report’s author. “These encrypted files will be backed up and eventually the attacker will pull the key, resulting in encrypted files both on the system and in the backup.”

The report suggested additional variants could use kernel components to hook the file system and encrypt files as the user accesses them.

Applications will also be the focus of more attacks by ransomware, according to the report.

“Usually only Microsoft Office, Adobe PDF, and graphics files are targeted; in 2016 we predict that other file extensions typically found in business environments will also become targets. Attacks will continue on Microsoft Windows. We also expect ransomware to start targeting Mac OS X in 2016 due to its growing popularity,” stated Christiaan Beek, author of the ransomware section of the report.

Researchers and investigative agencies are working to thwart these types of attacks.

James Cannady, Ph.D., a professor of Information Assurance at the Fort Lauderdale-based Nova Southeastern University College of Engineering and Computing, is working to develop new adaptive intelligent systems that can be applied to protect computer systems and networks, including the use of complex adaptive systems and advanced neural networks in the detection of network-based attacks.

The United States Computer Emergency Readiness Team offers tips to avoid becoming a victim of ransomware. These include:

  • Performing regular backups to limit the impact of a data or system loss and to expedite the recovery process. The data should be kept offline and stored on a separate device.
  • Maintaining current anti-virus software.
  • Keeping operating systems and software up-to-date with the latest patches.
  • Not following unsolicited web links in email.
  • Using caution when opening email attachments.
  • Following safe practices when browsing the web.
