CryptoLocker, TorrentLocker, CryptoWall, CTB-Locker, ZeroLocker, TeslaCrypt; the once-select roll call of ransom malware and the exploit kits that sustain them only seems to lengthen. As soon as security companies and the police find a way to disrupt one family up pops another to take its place and so the cycle continues.

In 2014, the authorities trumpeted the killing of the Gameover Zeus botnet that was the chief means for distributing CryptoLocker, probably the most successful ransomware variant yet conceived. A year on and others have flourished in the market it created while, plus ça change, even CryptoLocker has made a comeback of sorts.

Image: ESET

Today’s ransom malware comes in different forms depending on the intended victim. It used to be aimed at consumers and small businesses in equal measure, but more recently the focus of most campaigns has shifted to the latter, presumably because commercial organisations have more to lose and are more willing to pay up. Recent figures from Trend Micro suggest that more than two-thirds of users clicking on campaigns connected to the aggressive CryptoWall form were from inside SMEs or SMBs, a sign that this sector is receiving more booby-trapped emails.

With the criminals adopting Tor and other anonymising networks for command & control, as well as moving to target business web applications, the assumption is that the criminals won’t be giving up soon.

Consumers, meanwhile, are still on the receiving end, but a growing proportion of the criminal effort to target them seems to be shifting to mobile devices (seen as a bigger pain point) rather than desktops. Although the overwhelming majority of these arrive on a phone from a third-party app store, they are getting more severe over time. The discovery by security firm ESET of a ransomware variant that can engineer administrator access and change the user’s PIN to lock them out of their device is only the latest example of that disturbing trend.

So what, if anything, have we learned, three years into the age of mass ransomware? Here we ask David Emm, principal security analyst at Kaspersky Lab, for his views.

TW: Ransomware is a form that goes back a decade at least but never seemed to catch on. Why did it suddenly become so popular in the last three years?

Emm: It’s hard to say for sure. It’s true that this method of attack goes back a long way. However, early ransomware programs, such as Gpcode, didn’t implement their encryption method as effectively – in many cases it was possible for anti-malware researchers to provide decryption routines as well as detection. This has become harder over time.

Surviving ransomware: CryptoLocker, TorrentLocker, CryptoWall, CTB-Locker, ZeroLocker, TeslaCrypt

TW: Can you explain the main types of ransom malware? People are aware of the type that encrypts files but there are also forms that are closer to PC takeover and nuisance software.

Emm: As their name suggests, ransomware Trojans are designed to directly extort money from their victims. They take two forms. Some block access to a computer's file system. Others encrypt data that's stored on it and then ask for a payment to release the data. The modus operandi of such malware varies. Some claim to have found unlicensed software on the victim's computer and demand payment before allowing further access to the computer. Some masquerade as pop-up messages from police agencies that report the presence on the computer of pornography or illegal content and demand a fine. Some involve no subterfuge at all – they simply encrypt data and warn the victim that unless they pay up all data will be erased.

TW: What would Kaspersky Lab rate as the most potent ransom malware threats? CryptoLocker is the most famous, but its best days are over now.

Emm: The worrying trend is the growth of mobile ransomware. There’s a growing trend in mobile malware development towards monetisation. Our recent report found that 23 per cent of the new malware threats detected were created to steal or extort money. And ransomware is showing the highest growth rate of all in this area.

TW: A sensitive question here for a Russian firm but where did ransomware come from and who is behind it? The general view is it’s almost exclusively Russian and is perhaps controlled by a relatively small group of cybercriminals in that country.

Emm: Until a few years ago, this type of malware was developed exclusively by Russian speakers. However, there are now non-Russian authors (e.g. Blackshades). In addition, even Russian authors typically work jointly with gangs from other countries.

TW: We saw CryptoLocker de-fanged in 2014 through a collaboration between security firms and the authorities in several countries. How practical is that model for countering ransomware given that it appears to have taken many months and a lot of effort?

Emm: There have been a number of such successful collaborations in the past (CryptoLocker, the disruption of the network behind the Shylock Trojan and the take-down of dark markets operating within the Tor network, ‘Operation Onymous’). Not only do such operations close down specific cybercrime operations, but they also make it clear that cybercriminals are not able to operate with impunity. It requires time for researchers and law enforcement agencies to bring such operations to fruition, but they are effective.

TW: If a ransomware message pops up on a machine in a company or at someone’s home, what is the first thing you’d advise people to do?

Emm: Prevention is always better than cure, of course. However, if such programs slip through the defensive net of an Internet security program, a regular backup routine (to offline storage – so that backed-up data can’t be encrypted too) will ensure that data loss doesn’t result from such an attack. For anyone who sees a message like this, I would recommend that they contact their Internet security vendor immediately for advice on what steps to take.


TW: When affected by the most serious ransom attacks that use encryption, is it worth paying the ransom in the hope of getting a key? A few have, controversially, suggested that doing so might be necessary for small businesses, and anecdotal evidence tells us that many do. On the other hand, this encourages further attacks and there is a chance that no key will be forthcoming.

Emm: The problem with paying the ransom is that it confirms the cybercriminals’ business model – it underlines the financial viability of what they’re doing. In addition, there’s no guarantee that encrypted data will be decrypted – the cybercriminals might just take the money and run, or their decryption code might fail to work. I would recommend that victims check with their Internet security vendor, to see if they are able to decrypt the data. If they are forced into paying the ransom, it’s important that they understand that there’s no guarantee that they will get their data back.

TW: What sort of defences can, realistically, stop this form of malware? Anti-virus seems to have been pretty ineffective. Should people focus more on data recovery by employing layered backup?

Emm: Traditional signature-based scanning may offer little help against new ransomware versions. However, modern Internet security programs often include proactive detection technologies that can successfully block malware based on its behaviour. Kaspersky Internet Security, for example, is able to intercept the actions of ransomware and proactively back up data files before they are encrypted by a ransomware program. However, I would recommend that everyone – individuals and businesses alike – back up their data regularly, to prevent data loss. It’s important that backups should be held offline – connected storage is accessible from the computer, so a ransomware program may encrypt data in storage devices too.
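To make the behaviour-based detection Emm refers to concrete, here is an added illustration that is not part of the original interview and not Kaspersky's technology: a small Python heuristic that watches file-write events and raises an alert when one process turns many previously structured (low-entropy) files into random-looking (high-entropy) ones within a short window, which is the signature file-system footprint of an encrypting ransomware family. The thresholds, the event format and the sample events are all constructed for this example.

```python
import math
from collections import Counter, deque

# Hypothetical tuning values for this illustration, not vendor settings.
ENTROPY_THRESHOLD = 7.0   # bits per byte; text and office files sit well below this
WINDOW_SECONDS = 10       # sliding window over which suspicious rewrites are counted
BURST_THRESHOLD = 5       # suspicious rewrites inside the window that trigger an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareHeuristic:
    """Flags a burst of structured-to-random content transitions (constructed detector)."""

    def __init__(self, window=WINDOW_SECONDS, burst=BURST_THRESHOLD,
                 threshold=ENTROPY_THRESHOLD):
        self.window = window
        self.burst = burst
        self.threshold = threshold
        self.last_entropy = {}      # path -> entropy of the content last seen at that path
        self.suspicious = deque()   # timestamps of suspicious rewrites, oldest first

    def observe(self, ts, path, data):
        """Record one write event (timestamp, path, new content); True when alerting."""
        new_entropy = shannon_entropy(data)
        old_entropy = self.last_entropy.get(path)
        self.last_entropy[path] = new_entropy

        # Only a transition from structured to random-looking content counts.
        # A freshly written .zip or .jpg is high-entropy but has no low-entropy past,
        # so ordinary saves of compressed formats do not accumulate towards an alert.
        if old_entropy is not None and old_entropy < self.threshold <= new_entropy:
            self.suspicious.append(ts)

        # Drop suspicious events that have fallen out of the sliding window.
        while self.suspicious and ts - self.suspicious[0] > self.window:
            self.suspicious.popleft()
        return len(self.suspicious) >= self.burst


# Constructed sample content and events (not captured from any real incident).
PLAINTEXT = b"Quarterly figures, see attached spreadsheet.\n" * 8   # roughly 4 bits/byte
CIPHERTEXT = bytes(range(256)) * 2                                   # exactly 8 bits/byte

SAMPLE_EVENTS = (
    # Seven ordinary saves of text files, one per second.
    [(i, f"/home/user/docs/report{i}.txt", PLAINTEXT) for i in range(7)]
    # A new photo: high entropy but benign, because it had no earlier content.
    + [(8, "/home/user/photos/holiday.jpg", CIPHERTEXT)]
    # Later, every text file is rewritten with random-looking bytes within seconds.
    + [(100 + i, f"/home/user/docs/report{i}.txt", CIPHERTEXT) for i in range(7)]
)


def first_alert(events):
    """Run the heuristic over events; return the index of the first alert, or None."""
    detector = RansomwareHeuristic()
    for idx, (ts, path, data) in enumerate(events):
        if detector.observe(ts, path, data):
            return idx
    return None


if __name__ == "__main__":
    idx = first_alert(SAMPLE_EVENTS)
    if idx is None:
        print("no alert")
    else:
        print(f"alert at event {idx}: {SAMPLE_EVENTS[idx][1]} (t={SAMPLE_EVENTS[idx][0]}s)")
```

Run against the constructed events, the benign writes and the new photo never accumulate, and the alert fires on the fifth rewrite of a text file (event index 12). In a real product this is the point at which a behavioural engine would suspend the process and restore or snapshot the touched files; the heuristic here only demonstrates the decision, not the response.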

TW: What developments do you expect in ransom attacks over the coming year or two? We’ve heard talk of a shift to targeting the cloud and applications rather than simply scrambling data.

Emm: This is a lucrative business for cybercriminals, so it’s likely that they will develop ransomware techniques while it continues to bring a return on investment. Developments don’t just focus on infection and encryption, but on management of ransomware botnets – e.g. locating the command-and-control server in the Tor network, to make detection harder. I believe they will continue to focus on data specifically, since – while enough people fail to back up regularly – this cannot be replaced easily. They may also include cloud-based data storage: the key thing to remember here is that if I can access data, the same may be true for programs running on my computer.