The Phnom Penh Post

Ransomware turns Ponzi

- Sheera Frenkel

THE first message to pop up on the computer screen let the victims know they had been hacked. The second gave them a way out. The victim had a choice: Pay the hackers a ransom of one bitcoin, a digital currency worth roughly $2,365, in exchange for regaining access to the computer, or try to infect two new people on behalf of the attackers. If someone the victim knew fell for the bait and became infected, the attackers would consider the ransom paid and cede control of the infected computer.

The attack late last year was, according to the cybersecurity researchers who discovered what they now call the Popcorn Time ransomware, the first Ponzi scheme for one of the internet’s oldest types of cyberattacks.

Ransomware, a type of malicious software that infects a system and then holds it hostage, demanding a ransom for its release, is one of the most popular and lucrative ways to attack computers.

Security companies estimate that criminals raked in roughly $1 billion from ransomware attacks in 2016. This year, the number is likely to be much higher, as ransomware schemes multiply. One strain, WannaCry, made global headlines last month by infecting hundreds of thousands of computers in 74 countries in about a day.

The scheme has become more successful as more of what we do goes online, from business client lists to family photos. With the click of a button, an entire system can be infected. With another click, criminals can wipe information from a computer or expose it to the public. It all depends on what commands a bigger ransom: losing information or exposing it.

Security researchers warn that WannaCry, which exploited a wide-ranging vulnerability in Windows systems and then used a clever mechanism to spread itself across new systems, is just the tip of the iceberg. They are tracking new schemes dreamed up by criminals who have quickly realised that people are willing to pay hundreds, if not thousands, of dollars in ransom.

“This is a growing business because it works,” said Mikko Hypponen, chief research officer at F-Secure, a security firm based in Helsinki, Finland. “And the attacks are becoming more creative and effective.”

Hypponen, whose team found and first reported on the Popcorn malware, said it was an outlier in the world of ransomware. It was the first attempt to combine a Ponzi, or pyramid scheme, in which one person entraps another, with malware that holds a computer hostage for payment. If it proved successful, he added, a number of criminal networks were likely to copy the model. Researchers are still monitoring the scheme to see if it works.

“These networks all watch each other and learn. When a new model works, it quickly grows as others build on it,” Hypponen said.

Asaf Cidon, a vice president at the security company Barracuda Networks who studies ransomware, said that criminals had become more sophisticated in the last year, especially in how they choose their victims.

“Attackers will go after a specific department at a company, for instance human resources, where they know emails and links are more likely to get opened,” Cidon said. Networks will choose a company to target and then comb LinkedIn to draw a map of people employed by that company, he said.

They might then use that map to impersonate various people or leverage their way into the company’s social network, ultimately using whatever means necessary to make sure that the system becomes infected with the ransomware.

Other notable ransomware schemes discovered recently included a plot to infect internet-connected home devices, such as the LG Smart TV, by displaying a fake FBI warning screen on the television and demanding $500 to unlock it.

“There is a lot of money at stake here, so criminals are always going to be interested,” said Hypponen, whose company is still tracking the fallout from last month’s WannaCry virus.

Though the speed and effectiveness with which that particular attack spread caused it to make headlines, Hypponen said it was, in ransomware terms, unsuccessful.

“WannaCry was a failure because it became too public, too visible and it made almost no money,” said Hypponen, citing the most recent figures that the ransomware netted just under $100,000 for the attackers, who have not yet been caught. WannaCry, he explained, was a victim of its own success. The more public it became, the more unlikely it was that a potential victim would pay out the ransom.

He also said it was an innovative idea, as the attackers combined ransomware with malware that acted like an old internet scourge known as a “worm”, essentially spreading itself across systems as it infected them.

“This was a good idea, to combine the two processes together,” Hypponen said. “Other groups are watching this, and we are going to see other versions of this, better versions, soon.”

MINH UONG/THE NEW YORK TIMES As more of our lives go online, online attackers are finding increasingly creative ways to wreak havoc using ransomware, and now, pyramid schemes.
