‘Filecoder’ ransomware that uses strong encryption to lock files and extort money from victims has spiked over the summer months, security firm ESET has reported. The reasons for the surge are not yet clear but probably include attacks on small businesses.
Using its LiveGrid cloud system, the firm recorded a 200 percent rise in the volume of incidents since July compared to the first six months of 2013, with a marked rising trend running from roughly mid-June to the most recent measurement in the first week of September.
ESET was unable to confirm the absolute numbers for these infections but it is clear that a particularly nasty type of ransomware has become more prevalent. What might be going on?
The overwhelming majority of today’s ransomware – popularly called ‘police Trojans’ after the official-looking warning screens they use – simply locks files or interferes with the victim’s PC in the hope that the ransom will be paid to avoid further hassle. The techniques are unpleasant usually relatively trivial to block and clean up.
File encryption ransomware is a completely different order of threat because it wields industry-standard forms of encryption to scramble data. As long as it’s been competently implemented, the victim can’t recover the files unless they have the key used to encrypt them and that is only known to the criminals behind the attack.
Curiously, file encryption Trojans are where the whole software extortion or ransomware industry started in 2005 with a Russian example called Gpcode based on RSA encryption. This approach has persisted at low levels ever since but has never gained much popularity.
The assumption has always been that while it's basically impossible to defeat encryption, ransom malware is simply overkill. Much easier simply to trick users into paying up using threats or social engineering than deploy more complicated and sometimes computationally slower methods.
Among the clutch of Trojan variants doing the round in the latest campaigns, ESET has noticed Win32/Filecoder.Q which goes back to 2010, and Win32/Filecoder.AA and Win32/Filecoder.W, which date from 2011. Another, Win32/Filecoder.BQ, even ramps up the pressure on its victims by “displaying a countdown timer showing how long it will be before the encryption key is permanently deleted.”
Some appear to be spread using the popular Poison Ivy Remote Access Trojan (RAT), which offers a clue that the targets might be small businesses whose systems are being targeted by criminals. Payment methods include the established channels of MoneyPak or Ukash but also now Bitcoins.
Criminals were also installing the crypto Trojans directly using compromised RDP credentials, ESET said. Some instances it had researched pointed to the manual setting of an encryption key after infection, a further hint that these are not attacks on low-value targets.
The sums being demanded ranged up to 3,000 euros ($4,000), with most of the victims in Russia with smaller volumes in Italy, Spain, the US, Germany, and other Eastern European countries. It’s not clear how much of this global picture can be explained by ESET’s customer base (the firm is based in Slovakia).
The security firm offers no clear explanation for the sudden increase in crypto ransomware but one can infer from the inherent complexity of the attacks that suspicion should fall on criminals targeting vulnerable business rated as likely to pay up.
There has been a slowly increasing frequency of targeted attacks using encryption going back a couple of years, with a particularly good example the sustained campaign on Australian businesses in 2012. Victims reported paying up to $3,000 AUD to retrieve the key for encrypted database files they could not function without.
It is likely that many businesses have simply not been reporting incidents for fear of the reputational damage. Some will have paid up. But as with every extortion racket, the criminals don’t let up because a victim pays up. There is always another target to hunt down.
"I think the increase in numbers for encrypting ransomware is largely down to the increased awareness of non-encrypting forms of ransomware: as more people become aware of them, they become somewhat less effective and therefore less profitable," commented ESET senior research fellow, David Harley, by email.
"Cybercriminals have developed increasingly sophisticated crypto methodology in other fields of malware, so it’s probably less bother to apply those techniques in this area and still make a profit. As so often, it’s about technological escalation driven by potential profit."