THE EVOLUTION OF RAN$OMWARE
To win the fight against rapidly evolving malware, it has become the responsibility of every device user to protect themselves before ransomware strikes. But where does it come from? How does it spread? And where can it possibly go?
A PROFITABLE ORGANIZED CRIME
Despite its brief spurt of fame, the effects of the WannaCry ransomware have certainly left their mark. According to McAfee Labs’ estimates from mid-May 2017, the ransomware struck over 10,000 organizations and 200,000 individuals across 150 countries, collecting at least US$145,168.96 in just 20 days. It’s not like any organized crime we’ve known, since cartels and black markets take decades to consolidate their influence and profits. In fact, ransomware has a relatively short history compared to regular malware, such as viruses, trojans, and adware.
The earliest instances of ransomware were first spotted in Russia as early as 2005. Their encryption methods were primitive in comparison to modern strains like CryptoLocker and WannaCry. A 2006 ransomware called TROJ_CRYZIP.A zipped particular file types (.doc, .xls, .jpg, etc.) with password protection, and demanded US$300 in ransom via a simple .txt file.
It was only after 2012 that ransomware started actively targeting other territories, such as Europe and North America. One of the more memorable examples was Reveton, which used location tracking to display a fake law enforcement notification that was relevant to the victim. For example, a US-based user would get a fake FBI notification about their alleged “illegal activities” online. Folks in France would see the same message in French, while it spoofed the Gendarmerie Nationale emblem instead. According to the cybersecurity blog Malwarebytes Labs, this variant still persisted in March 2016, and further improvements allowed it to target Mac OS X users. It also included a wider panel of impersonated authorities, such as the Royal Canadian Mounted Police and Europol.
Cybersecurity firms in general have a consensus on what ransomware entails. According to Kaspersky Labs, Trend Micro, and Norton by Symantec, it is really just another variant of malware that cripples your system, usually through encryption. What sets it apart is the ransom fee it demands, promising victims access back to their own data once it’s paid up.
Advice from security experts
“Click-bait sites and fake bank sites pretend to give the user their dues, while they inject info-stealing malware and Trojans into your computer. Exercise common sense and use legit sources at all times.”
– Ryan Flores, Senior Manager, Future Threat Research, TrendLabs, Trend Micro, Asia Pacific
Collecting that ransom is what truly separates it from typical malware – and it’s lucrative to do so. According to Symantec’s Ransomware and Businesses 2016 white paper, the average ransom demand was US$679 per person last year. SonicWall’s 2017 Annual Threat Report showed businesses paying a total of US$209 million to ransomware operators in the first quarter of the year alone. CryptoLocker, a ransomware that made its run in 2013, received US$27 million in Bitcoin over three short months. Malicious coding isn’t just a prank by script kiddies; it’s now a full-time career with multi-million dollar revenues.
Along with the increase in profits, ransomware operators also updated their collection methods, moving from anonymous prepaid cash cards to Bitcoin.
THE OBSESSION WITH BITCOIN
Bitcoin is one of the many cryptocurrencies that exist today, but it was one of the first decentralized cryptocurrencies when it launched in 2009. Bitcoin transactions are done user-to-user (without a middle person), and the ledger of these transactions is held by publicly run, decentralized Bitcoin servers managed by Bitcoin miners all over the globe. This ledger is copied across all servers, making it easy to refer to and keep track of, but extremely difficult to alter.
Bitcoin’s security lies in the strength of the SHA-256 hash function and its decentralized record-keeping. Combined with its transaction transparency and durability, Bitcoin amassed significant intrinsic value in a few short years.
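To make the “easy to check, hard to alter” property concrete, here is a small hash-chained ledger in Python. It is an added illustration, not part of the original article or of Bitcoin’s own code; the transfers are constructed sample data, and proof-of-work and the peer-to-peer network are left out entirely.

```python
import copy
import hashlib
import json
from collections import Counter
from typing import Dict, List

# Constructed sample transfers (hypothetical names and amounts, not real Bitcoin data)
SAMPLE_TRANSFERS = [
    {"from": "alice", "to": "bob", "btc": 0.5},
    {"from": "bob", "to": "carol", "btc": 0.2},
    {"from": "carol", "to": "dave", "btc": 0.1},
]
GENESIS = "0" * 64  # the first block links to an all-zero hash


def block_hash(prev_hash: str, tx: Dict) -> str:
    """SHA-256 over the previous block's hash plus the canonical (sorted-key) transaction."""
    payload = prev_hash + json.dumps(tx, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_ledger(transfers: List[Dict]) -> List[Dict]:
    """Chain each transfer to its predecessor: every block commits to the hash before it."""
    ledger, prev = [], GENESIS
    for tx in transfers:
        h = block_hash(prev, tx)
        ledger.append({"prev_hash": prev, "tx": dict(tx), "hash": h})
        prev = h
    return ledger


def verify_ledger(ledger: List[Dict]) -> int:
    """Return -1 if every link checks out, else the index of the first inconsistent block."""
    prev = GENESIS
    for i, block in enumerate(ledger):
        if block["prev_hash"] != prev or block_hash(prev, block["tx"]) != block["hash"]:
            return i
        prev = block["hash"]
    return -1


def tamper(ledger: List[Dict], index: int, new_amount: float) -> List[Dict]:
    """Copy the ledger and silently rewrite one amount, as someone holding a single copy might."""
    forged = copy.deepcopy(ledger)
    forged[index]["tx"]["btc"] = new_amount
    return forged


def dissenting_copies(copies: List[List[Dict]]) -> List[int]:
    """Indices of replicas whose tip hash disagrees with the majority: a rewritten copy stands out."""
    tips = [c[-1]["hash"] for c in copies]
    majority = Counter(tips).most_common(1)[0][0]
    return [i for i, tip in enumerate(tips) if tip != majority]
```

An edit without recomputing the hashes fails `verify_ledger`; an edit with every later hash recomputed passes local verification but still disagrees with the other replicas, which is why the copies held by many independent servers matter.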
The increase attracted the attention of banks and payment logistics firms (such as PayPal); these services started accepting Bitcoin for payment transactions. If you remember the WannaCry screenshots, you’d realize that buying Bitcoin is as easy as swiping a credit card now.
While Bitcoin allows malicious hackers to collect ransom without a real-world bank account, Bitcoin isn’t truly anonymous because of its meticulous record-keeping nature. To overcome that, coins can be laundered by using a ‘tumbler’ that mixes your Bitcoin with other users’ BTC, or by using multiple e-wallets and disposable payment addresses. With these tools available, it’s no surprise that any competent ransomware coder would prefer Bitcoin over a more traceable alternative.
RANSOMWARE TO GO
Ransomware isn’t a PC-only problem anymore. A recent mobile example that comes to mind is Charger. Discovered in January 2017, its host app saw at least one million installs across Android OS devices. Like WannaCry, it demanded Bitcoin payment, but it threatened to sell the victim’s personal information if demands weren’t met. While it sounds like typical ransomware misfortune, what made Charger more dangerous was how it rode in through the official Google Play store.
Mobile ransomware is also on the rise. When observing mobile trends from April 2015 to April 2016, Federico Maggi, Trend Micro’s Senior Threat Researcher, saw a 140% growth in Android ransomware samples, with up to 22% of all mobile malware being ransomware.
Ransomware on mobile devices is an evolution from typical smartphone malware. In our HWM November 2016 issue, we looked at CallJam: a clear example of a ransomware variant that managed to infect 500,000 users via a Google Play-verified app. According to cybersecurity firm Check Point, it forces the mobile device to dial expensive premium calls and displays fraudulent advertisements that profit the creators. What makes CallJam more interesting is how it baits the user with more in-app features, asking them for a glowing Google Play store review in exchange for additional content.
As the examples above show, simply looking at star-based ratings or downloading official APKs from legitimate app stores isn’t sufficient malware protection anymore. Some 4,000 apps were removed from the Google Play app store in the past year, with more than 500,000 devices around the world still holding onto these apps. Google did not notify users when an app was no longer supported, leaving many orphaned apps on phones.
Advice from security experts
“The moment you unbox your phone, ensure that your operating system is up to date. Additionally, ensure that any pre-installed applications and applications that you download are also of the latest version. Updates help to patch vulnerabilities that expose your device to cybersecurity risks such as ransomware and malware.”
– David Freer, Vice President, Consumer, APAC, Intel Security
Are phones more susceptible than their PC counterparts? Well, the McAfee Mobile Threat Report for 2017 reasoned that malicious apps have an easy time infecting smartphones due to a lack of transparency in app stores, combined with the ease of getting an app approved for sale. Trend Micro’s 2016 report actually found more than 400 malware-laden apps on the official Play store itself. In fact, a known alert window vulnerability that has existed since Android 6.0 will only get a fix in “Android O” this August, which emphasizes how vulnerable the mobile ecosystem can be. Also, unlike computer users, mobile users may not even have the option to update their devices: it is common for older devices not to receive the latest software. So what can mobile users do?
At the basic level, education and due diligence. Understand the apps you download and the permissions they require; reduce the amount of sensitive data stored on your devices and in cloud-based services; and lastly, do not pay the ransom, ever. Paying only encourages ransomware makers by proving that their scheme works.