CryptoLocker, TorrentLocker, CryptoWall, CTB-Locker, ZeroLocker, TeslaCrypt; the once-select roll call of ransom malware and the exploit kits that sustain them only seems to lengthen. As soon as security companies and the police find a way to disrupt one family up pops another to take its place and so the cycle continues.
In 2014, the authorities trumpeted the killing of the Gameover Zeus botnet that was the chief means for distributing CryptoLocker, probably the most successful ransomware variant yet conceived. A year on and others have flourished in the market it created while, plus ça change, even CryptoLocker has made a comeback of sorts.
Today’s ransom malware comes in different forms depending on the intended victim. It used to be aimed at consumers and small businesses in equal measure, but more recently the focus of most campaigns has shifted to the latter, presumably because commercial organisations have more to lose and are more willing to pay up. Recent figures from Trend Micro suggest that more than two thirds of users clicking on campaigns connected to the aggressive CryptoWall form were from inside SMEs or SMBs, a sign that this sector is receiving more booby-trapped emails.
With the criminals adopting Tor and other anonymising networks for command and control, as well as moving to target business web applications, the assumption is that the criminals won’t be giving up soon.
Consumers, meanwhile, are still on the receiving end, but a growing proportion of the criminal effort to target them seems to be shifting to mobile devices, seen as a bigger pain point, rather than desktops. Although the overwhelming majority of these arrive on a phone from a third-party app store, they are getting more severe over time. The discovery by security firm ESET of a ransomware variant that can engineer administrator access and change the user’s PIN to lock them out of their device is only the latest example of that disturbing trend.
So what, if anything, have we learned three years into the age of mass ransomware? Here we ask David Emm, principal security analyst at Kaspersky Lab, for his views.
TW: Ransomware is a form that goes back a decade at least but never seemed to catch on. Why did it suddenly become so popular in the last three years?
Emm (Kaspersky Lab): It’s hard to say for sure. It’s true that this method of attack goes back a long way. However, early ransomware programs, such as Gpcode, didn’t implement their encryption method as effectively – in many cases it was possible for anti-malware researchers to provide decryption routines as well as detection. This has become harder over time.
Surviving ransomware: CryptoLocker, TorrentLocker, CryptoWall, CTB-Locker, ZeroLocker, TeslaCrypt