THE EVO­LU­TION OF RAN­SOMWARE

To win the fight against a rapid­lye­volv­ing mal­ware, it has be­come the re­spon­si­bil­ity of ev­ery de­vice user to pro­tect them­selves be­fore ran­somware strikes. But where does it come from? How does it spread? And where can it pos­si­bly go?

HWM (Malaysia) - - FEATURE - By Liu Hongzuo

A PROF­ITABLE OR­GA­NIZED CRIME

De­spite its brief spurt of fame, the ef­fects of Wan­naCry ran­somware had cer­tainly left its mark. Ac­cord­ing to McAfee Labs’s es­ti­mates from midMay 2017, the ran­somware struck over 10,000 or­ga­ni­za­tions, and 200,000 in­di­vid­u­als across 150 coun­tries, col­lect­ing at least US$145,168.96 in just 20 days. It’s not like any or­ga­nized crime we’ve known, since car­tels and black mar­kets take decades to con­sol­i­date its in­flu­ence and prof­its. In fact, ran­somware has a rel­a­tively short his­tory com­pared to reg­u­lar mal­ware, such as viruses, tro­jans, and ad­ware.

The ear­li­est in­stances of ran­somware were first spot­ted in Rus­sia as early as 2005. Their en­cryp­tion meth­ods were prim­i­tive, in com­par­i­son to mod­ern strains like Cryp­toLocker and Wan­naCry. A 2006 ran­somware called TROJ_CRYZIP.A zipped par­tic­u­lar file types (.doc, .xls, .jpg, etc.) with pass­word pro­tec­tion, and de­manded US$300 in ran­som via a sim­ple .txt file.

It was only af­ter 2012 when ran­somware started ac­tively tar­get­ing other ter­ri­to­ries, such as Europe and North Amer­ica. One of the more mem­o­rable ex­am­ples was Reve­ton, which uses lo­ca­tion track­ing to dis­play a fake en­force­ment agency no­ti­fi­ca­tion that’s rel­e­vant to the vic­tims. For ex­am­ple, a U.S.-based user would get a fake FBI no­ti­fi­ca­tion about their al­leged “il­le­gal ac­tiv­i­ties” on­line. Folks in France would see the same mes­sage in French, while it spoofed the Gen­darmerie

Na­tionale em­blem in­stead. Ac­cord­ing to cy­ber­se­cu­rity blog Mal­ware­bytes Lab, this vari­ant still per­sisted in March 2016, and fur­ther im­prove­ments al­low it to tar­get macOS users. It also in­cluded a wider panel of im­per­son­ated au­thor­i­ties, such as the Royal Cana­dian Mounted Po­lice and Europol.

Cy­ber­se­cu­rity firms in gen­eral have a con­sen­sus on what ran­somware en­tails. Ac­cord­ing to Kasper­sky Lab, Trend Mi­cro, and Nor­ton by Sy­man­tec, it is re­ally just an­other vari­ant of mal­ware that crip­ples your sys­tem, usu­ally through en­cryp­tion meth­ods. What sets it apart is the ran­som fee it de­mands, promis­ing vic­tims ac­cess back to their own data once it’s paid up.

Col­lect­ing that ran­som is what truly sep­a­rates it from typ­i­cal mal­ware – and it’s lu­cra­tive to do so. Ac­cord­ing to Sy­man­tec’s

Ran­somware and Busi­nesses 2016 white pa­per, the av­er­age ran­som de­mand was US$679 per per­son last year. Son­icWall’s 2017 An­nual Threat Re­port showed busi­nesses pay­ing a to­tal of US$209 mil­lion to ran­somers in the first quar­ter of the year alone. Cryp­toLocker, a ran­somware that made its run 2013, re­ceived US$27 mil­lion in Bit­coins over three short months. Ma­li­cious cod­ing isn’t just a prank by script kid­dies; it’s now a full-time ca­reer with multi-mil­lion dol­lar rev­enues.

Along with in­crease in prof­its, ran­somware also up­dated their collection meth­ods from anony­mous pre­paid cash cards to Bit­coin.

“Click-bait sites and fake bank sites pre­tend to give the user their dues, while they in­ject info-steal­ing mal­ware and Tro­jans into your com­puter. Ex­er­cise com­mon sense and use le­git sources at all times.” - Ryan Flores, Se­nior Man­ager, Fu­ture Threat Re­search TrendLabs, Trend Mi­cro, Asia Pa­cific

THE OB­SES­SION WITH BIT­COIN

Bit­coin is one of the many cryp­tocur­ren­cies that ex­ist to­day, but was one of the first de­cen­tral­ized cryp­tocur­ren­cies back in 2009. Bit­coin trans­ac­tions are done user-to-user (with­out a mid­dleper­son), and the ledger of th­ese trans­ac­tions are held by pub­licly-run, de­cen­tral­ized Bit­coin servers man­aged by Bit­coin min­ers all over the globe. Th­ese ledgers are copied across all servers, making it easy to re­fer to and keep track of, but ex­tremely dif­fi­cult to al­ter.

Bit­coins’ se­cu­rity lies in its SHA-256 en­cryp­tion strength and its de­cen­tral­ized record-keep­ing. Com­bined with its trans­ac­tion trans­parency and dura­bil­ity, Bit­coin amassed sig­nif­i­cant in­trin­sic value in a few short years.

The in­crease at­tracted the at­ten­tion of banks and pay­ment lo­gis­tics firms (such as Pay­pal); th­ese ser­vices started ac­cept­ing Bit­coins as pay­ment trans­ac­tions. If you re­mem­ber the Wan­naCry screen­shots, you’d re­al­ized that buy­ing Bit­coins is as easy as swip­ing a credit card now.

While Bit­coins al­low ma­li­cious hack­ers to col­lect ran­som with­out a real-world bank ac­count, Bit­coins aren’t truly anony­mous be­cause of its metic­u­lous record-keep­ing na­ture. To over­come that, they can be laun­dered by us­ing a ‘tumbler’ that ran­dom­izes your Bit­coins with other users’ BT, or through us­ing mul­ti­ple e-wal­lets, and dis­pos­able pay­ment ad­dresses. With th­ese tools avail­able, it’s no sur­prise that any com­pe­tent ran­somware coder would pre­fer Bit­coin over a more trace­able al­ter­na­tive.

RAN­SOMWARE TO GO

Ran­somware isn’t a PC-only prob­lem any­more. A re­cent mo­bile ex­am­ple that came to mind is Charger. Dis­cov­ered in Jan­uary 2017, its host app saw at least one mil­lion in­stalls across An­droid OS de­vices. Like Wan­naCry, it de­manded Bit­coin pay­ment, but it threat­ened to sell the vic­tim’s per­sonal in­for­ma­tion if de­mands aren’t met. While it sounds like typ­i­cal ran­somware mis­for­tune, what made Charger more dan­ger­ous was how it rode in through the of­fi­cial Google Play store.

Mo­bile ran­somware is also on the rise. When ob­serv­ing mo­bile trends from April 2015 to April 2016, Fed­erico Maggi, Trend Mi­cro’s Se­nior Threat Re­searcher, saw a 140-per­cent growth in An­droid ran­somware sam­ples, with up to 22 per­cent of all mo­bile mal­ware be­ing ran­somware.

Ran­somware on mo­bile de­vices is an evo­lu­tion from typ­i­cal smart­phone mal­ware. In our HWM Novem­ber 2016 is­sue, we looked at Cal­lJam: a clear ex­am­ple of a ran­somware vari­ant that man­aged to in­fect 500,000 users via a Google Play-ver­i­fied app. Ac­cord­ing to Check Point cy­ber­se­cu­rity firm, it forces the mo­bile de­vice to dial ex­pen­sive pre­mium calls and it dis­plays fraud ad­ver­tise­ments that profit the cre­ators. What makes Cal­lJam more in­ter­est­ing is how it baits the user with more in-app fea­tures, ask­ing them for a glow­ing Google Play store re­view in ex­change for ad­di­tional con­tent.

As with the ex­am­ples given above, sim­ply look­ing at star-based rat­ings or down­load­ing of­fi­cial APKs from le­git­i­mate app stores isn’t suf­fi­cient mal­ware pro­tec­tion any­more. Some 4,000 apps were re­moved from the Google Play store in the past year, with more than 500,000 de­vices around the world still hold­ing onto th­ese apps. Google did not no­tify their users when an app is no longer sup­ported, leav­ing many or­phaned apps on phones.

Are phones more sus­cep­ti­ble to their PC-coun­ter­parts? Well, the McAfee Mo­bile Threat Re­port for 2017 rea­soned that ma­li­cious apps have an easy time in­fect­ing smart­phones due to a lack of trans­parency in app stores, com­bined with the ease of get­ting an app ap­proved for sale. Trend Mi­cro’s 2016 re­port ac­tu­ally found more than 400 mal­ware-laden apps on the of­fi­cial Play store it­self. In fact, a known alert win­dow vul­ner­a­bil­ity that ex­isted since An­droid 6.0 will only get a fix in ‘An­droid O’ this Au­gust, which em­pha­sizes how vul­ner­a­ble the mo­bile ecosys­tem can be. Also, un­like com­put­ers, mo­bile users may not even have the op­tion to up­date their de­vices. It is com­mon that older de­vices do not re­ceive the lat­est soft­ware. So what can mo­bile users do?

At the ba­sic level, ed­u­ca­tion and due dili­gence. Un­der­stand the apps you down­load and the per­mis­sions they re­quire; re­duce the amount of sen­si­tive data stored on your de­vices and cloud-based ser­vices; and lastly, do not pay the ran­som, ever. It will only en­cour­age ran­somware mak­ers, prov­ing its ef­fec­tive­ness.

“The mo­ment you un­box your phone, en­sure that your op­er­at­ing sys­tem is up to date. Ad­di­tion­ally, en­sure that any pre-in­stalled ap­pli­ca­tions and ap­pli­ca­tions that you down­load are also of the lat­est ver­sion. Up­dates help to patch vul­ner­a­bil­i­ties that ex­pose your de­vice to cy­ber­se­cu­rity risks such as ran­somware and mal­ware.” – David Freer, Vice Pres­i­dent, Con­sumer, APAC, Intel Se­cu­rity

Newspapers in English

Newspapers from Malaysia

© PressReader. All rights reserved.