Infections caused by the innovative Kovter police blackmail Trojan continued to surge between May and June, security firm Damballa has reported. Could old-style police ransom attacks, once seen as past it, be on their way back with a vengeance?
In April daily infection rates detected by the firm were around the 10,000 mark, which rose to 25,000 in May before reaching 38,000 in June, representing a very decent hit rate for by malware standards. This kind of success could turn into hundreds of thousands of users in a matter of a weeks.
First recorded in 2013, Kovter eschews the complex encryption shenanigans of more famous extortion malware such as CryptoLocker and CryptoWall in favour of plain old embarrassment.
As with any police ransom/blackmail Trojan, a message is displayed to encourage payment but Kovter will also claim it has detected incriminating porn or other embarrassing activity after studying the victim’s browser history. In the past it has even thrown up child porn images to induce more fear.
What seems to hit home is that Kovter can tailor the message according to what it has found, which makes it more convincing. The ransom demanded is often at the outrageous end of the scale, as much as much as $1,000 (£650) a pop. Paying this makes no odds – the malware’s threats persist regardless of whether money is handed over or not.
Whatever else Kovter is, it is a step up in aggressiveness from the flood of police ransom malware that started this industry off around 2011.
Why it is increasing is not clear but it could be that criminals have turned to it as other forms of previously successful ransom malware, for instance CryptoLocker, have been destroyed (Damballa being among the firms that helped with the downing of its distribution platform, Gozeus, during Operation Tovar).
Damballa’s analysis does at least suggest that the latter nasty remains caged for now.
“When it comes to mass infections, we can apply best practices from Operation Tovar as a blueprint for managing global cyber public health,” commented Damballa CTO, Brian Foster.
“It underscores the need for continued, co-ordinated efforts across the security community. These lessons must continue to shape our activity; threat actors are well resourced, agile and quick to adapt. Our approach to response must match this."
Where all of this goes is hard to say. The first wave of police ransom scareware was eventually stopped by better detection of the command and control servers but years on this isn’t effective enough. The second generation such as CryptoLocker took months of multi-vendor, multi-agency co-operation to dismantle, including the naming of the Russian alleged to have masterminded it.
But like a hydra, Kovter is an example of the way that ransomware has so far been able to reinvent itself no matter what is thrown at it