Sunday, 20 September 2015

The Rise of Ransomware

We look at the increasing growth of a particularly nasty form of malware

All forms of malware are unwanted, vicious and a pain in the backside. However, ransomware has always been particularly nasty in its execution. There’s a certain level of vindictiveness about ransomware that separates it from the usual splurge of malware. Something a little sinister.


According to popular belief, the first example of ransomware appeared in 1989 and was called the ‘AIDS trojan’ or ‘PC Cyborg’. It was, if you delve into the history of this particular form of malware, written by Dr Joseph L Popp, an anthropologist who was working on the Flying Doctors project as a part of the African Medical Research Foundation (AMREF). Popp wrote the AIDS trojan to be activated after 90 reboots, and on the 91st reboot the Autoexec.bat file would be replaced, and the entire file structure of the PC in question would be encrypted.

When the encryption was complete, a message would appear asking for $190 to be sent to a PO box in Panama, after which a recovery disk would be mailed to claim back your drive contents.

Popp was caught and detained in Brixton but was deported back to the US after being declared mentally unfit to stand trial. He died in 2007.

The effect of the AIDS trojan, though, was felt globally. Popp himself managed to mail out over 20,000 floppy disks containing the ransomware and uploaded many more to the smattering of bulletin boards that were available at the time. How much he actually made as a result of his holding users to ransom is unknown, but the criminal underworld and hackers alike suddenly found a new method of squeezing money from unsuspecting computer users as the home PC boom started to take off.

The encryption form of ransomware is just one example, but other forms include locking people out from areas of their system, usually by displaying pornographic images, until they pay a fee. This ransomware accuses users of downloading porn (in some even sicker cases, child porn) and threatens to inform the authorities unless a payment is made, or it displays messages from such agencies as the FBI, claiming that the user’s computer has been used for illegal activities and that they have to pay a fine of several hundred dollars. There was even one instance where Russian ransomware demanded images of the users in various states of undress and conducting lewd scenes before the system was apparently declared clean.

Generally though, most ransomware examples are the kind that infect a user’s browser, changing the home page and targeting them with countless adverts for pharmaceutical enhancements, nice young Russian ladies who seem to want to meet up with you and some of the more explicit images that are available throughout the internet.

Mostly these require you to download and install another tool, which could either do something useful, like cleaning your system, or something bad, like simply bombarding you with countless more adverts. Or it could involve something a little worse by installing yet another trojan, which captures keystrokes, passwords or, in some cases, can allow an external user to control your PC.

Social Engineering


While a terrible blight on the face of technology, ransomware does offer some insight into human behaviour.

The social engineering used to extract money or some other form of ransom from a user is really quite fascinating. Take, for example, the aforementioned warnings from government agencies. Realistically, how many of you reading this would be fooled by a personalised warning from the FBI? Yet it happens all too regularly.

The same can be said for phone-based ransomware. Most of us have had that chap on the other end of the line claiming that there’s a problem with our Windows PCs and that he’ll be able to fix it for a minor fee, as long as we download a program that will give his team of experts access to our system. Perhaps it’s the fear of the unknown that causes people to believe in these callers, in the same way that they believe an agency that has spent millions trying to oust Castro is currently gunning for them personally.

Perhaps we’ve downloaded something we shouldn’t have in the past (an MP3, for example) or we’ve accidentally clicked on something that revealed a pornographic image. The guilt of something like that can have an effect, and when someone suddenly appears and preys on that guilt, those susceptible to such feelings take the bait.

The social engineering aspect is a difficult weakness to combat, because it’s not as straightforward as simply installing an AV/malware scanner to combat a digital weakness and keeping it up to date. There’s an element of education needed, which we’ll look at later, but with human nature being what it is, this isn’t always the easiest solution to the problem – especially as the ‘art’ of ransomware is expanding into new territories.

Ransom On The Go


Ransomware, in all its guises and uses, did appear to settle down somewhat a couple of years ago. The majority of cases were of the phone-based, ‘We’re from Windows’ variety, rather than actual downloaded and installed stuff that displays some kind of message asking for payment or some other form of ransom. The worst instance of 2013 was undoubtedly the CryptoLocker and its variants that appeared months later, CryptoLocker.F and TorrentLocker. However, these were isolated after having infected the Australian Broadcasting Corporation and were, to a degree, laid to rest while the world updated its virus and malware scanners.

Over the last year, though, anti-virus software companies are starting to see a rise in the instances of ransomware once more. And it looks like this particular breed may turn out to be far worse than the previous generation’s offerings.

While the PC was the main affected platform of the past, a new outbreak is starting to hit mobile devices, in particular Android phones and tablets.

One example, known as Android.trojan.SLocker, is a form of ransomware that arrives via an email disguised as an update to Adobe Flash Player, and it will lock you out of your images and media folders until it receives payment of $500, demanded by a fake FBI warning that appears on the screen, claiming that you’ve been caught looking at porn.

As most of us who follow technology already know, Flash isn’t being updated any more for the mobile platform, but to the thousands of users who aren’t aware of this and are likely to fall for it, the situation is beginning to get out of control.

BitDefender has identified that Android.trojan.SLocker is affecting nearly 3,000 devices per month, with a huge jump in February of this year from a mere thousand cases. While still reasonably low, considering the number of Android devices there are in the world, what’s worrying most analysts is the fact that around 90% of active Android devices don’t have any kind of protection installed on them, and most even allow the installation of apps from unidentified sources.

McAfee Labs also reported a 58% rise in ransomware samples from mobile devices in the last couple of months, mostly originating from Russia and Ukraine. Surprisingly, the hardest-hit users were those who use Android mobile devices for work, where they’ve been targeted with an email, unknowingly installed the ransomware and paid the amount in fear of being caught by their employer using a work device for illegal activities – even if they’ve never conducted any illegal activities on any computer or device!

The infection is then only detected once they return to base and hand in their phones or tablets, or once the device connects to the company servers and is caught by the AV server.

Raj Samani of Intel Security mentioned in a McAfee blog (goo.gl/Qjhvmf) that mobile device ransomware has become much easier to deploy due to the user-friendly graphical interfaces now used on phones and tablets. There’s also the fact that many mobile device users are too young to consider the implications of not actually reading something or investigating its legitimacy before blindly tapping the OK button.

With ransomware examples such as Koler, SLocker, trojan.Android, SVPENG, Lockscreen and ScarePackage, Android appears to be bearing the brunt of the attacks so far, with 61 different ransomware examples identified this year alone – obviously due to its open nature. However, those with iOS devices may need to keep an eye on their products as well.

iOS Infiltration


A recent report released by F-Secure has identified a number of potential ransomware threats that are currently probing the outer edges of the iOS security envelope.

EXPLOIT:iPHONEOS/CVE-2014-4377 is a cleverly designed PDF document, which when opened on an iOS device using unpatched versions of iOS 7.1x can exploit the CVE-2014-4377 flaw that exists on the system. This will, in theory at least, grant an external attacker the ability to exploit further security flaws in order to remotely execute code on the system.

TROJAN-SPY:iPHONEOS and WireLurker are mostly found in pirated apps and on third-party pirate app sites for OS X systems. Any iOS device that’s connected to an infected Mac via USB can have an equally infected app downloaded on to it. Apple has since responded by blocking all apps detected as carrying WireLurker in the iTunes Store.

BackDoor:iPHONEOS/XSSER is a combination of tools that have been ported over from Android and is capable of harvesting data, such as SMS texts and stored photos. So far, it only seems to affect jailbroken iOS devices, but the potential for a sudden lurch into mainstream devices is there, and the ransomware possibilities are quite scary as a result.

The Curse Of Cryptocurrencies


One major advantage for the ransomware criminal is the sudden rise of cryptocurrencies over the last couple of years. Although BitCoin was in full use in 2009, there have since been many more additions to the market – more than 670 by today’s count.

The likes of Auroracoin, BlackCoin, Dash, Dogecoin, Litecoin and Ethereum are just some of the more notable means by which a ransomware criminal can extract money from an infected user while still remaining safely anonymous – as credit card transactions can be traced, blocked and so on.

While cryptocurrencies have many positive uses, like allowing people to pay for services or goods without the usual banks, credit agencies and so on tracking their every move, the inherent anonymity of them is also allowing the criminal fraternity a clean getaway when it comes to trying to track the source of a ransomware attack.

As Mikko Hypponen, F-Secure’s chief research officer, said recently, “Because of virtual currencies, it’s becoming a lot easier for criminals to use ransomware, making it more profitable and more useful for them.”

According to F-Secure, a lot of the attacks that demand cryptocurrency are originating from China, using the country’s Great Cannon extension of the Great Firewall in much the same way that Chinese hackers brought down GitHub a few months ago.

Social Media Ransomware


The ever increasing rise of social media brings with it a new form of ransomware. With over 1.3 billion users logging into a social media site of some description monthly (source: www.searchenginejournal.com) and the increasingly open profiles of users, it’s little wonder why.

Take an average user, for example: they’re just one of that 1.3 billion, but from viewing their profile – without them even being aware of it or ‘friending’ them – a ransomware attacker is able to find out the user’s full name, date of birth, workplace, interests, hobbies, skills, relationship status, likes and dislikes. In some cases, their phone numbers, contacts and email addresses can be viewed.

From that basic information, an attacker can send a personally crafted email to the user, target particular contacts (work or private) and threaten the user into handing over money. They can also target the user’s Likes, tricking them into clicking something that would appeal to them and thus downloading or installing active ransomware code.

Unbelievably, according to InternetSafety.org, 66% of adult Facebook users don’t know about or are completely unaware of the privacy controls. 71% of consumer purchasing is based on what they see via social media. And 26% of social media users have made an in-app purchase with their credit cards. This all adds up to fodder for a ransomware attack – and criminals don’t even need to sit there and go through profiles themselves, because there are bots that collect that data for them.

Ransomware Growth


Looking back at everything we’ve discussed so far, it’s little wonder that ransomware is beginning to come back in a big way.

The number of unprotected Android devices, the possible beginning of iOS infiltration and the increase in viewable personal data has given rise to more opportunities for ransomware attackers. Couple this with the ability to remain mostly anonymous from the authorities by using virtual currencies and hiding behind country-wide firewalls and such, and it’s quite amazing that the number of ransomware instances isn’t bigger.

One of the major problems, though, with tracking a ransomware attack is the simple fact that many of them are never reported.

The current numbers generated by the various AV firms are just the tip of the iceberg, as users who have fallen for ransomware are either scared of the repercussions of being targeted and essentially scammed or are embarrassed to admit it. So while the ones we do know of are being tackled by the authorities as best they can, a vast number of attackers are getting away with it.

What Can We Do About It?


There are a number of different ways we can tackle ransomware attacks. The first and foremost is to make sure that you, as both a PC and mobile user, have adequate security and malware protection installed on your system and devices, and that you keep it up to date.

Most attacks are based on malicious code targeting a vulnerability of some form inherent to the system. With proper system patching, installing updates instead of ignoring them, and making sure that your anti-virus provider is up to date with the latest trends, you’ll be able to fend off most of the potential ransomware attacks. Also, it’s worth noting that most AV companies have the ability to decrypt a ransomware-locked PC with their own software, which means you won’t need to contact the attackers.

Education is something we mentioned earlier in the article and, as we said, it’s one of the more difficult aspects of ransomware combat to nail down.

A lot of humans, it appears, don’t like to take good advice. No matter how many times someone informs them that the chap on the other end of the phone isn’t from Microsoft and doesn’t have in front of them a light indicating that your computer has a virus, they’ll somehow continue to believe these calls.

Likewise, the fact that 66% of users don’t know how to configure a Facebook privacy setting is equally scary.

So how would we deal with the education of the technological masses?

Perhaps more advertising campaigns on TV or radio would help. Maybe even a story line in the nation’s favourite soap about someone falling for a ransomware attack might do the trick? For the time being, we’ll just have to keep on telling everyone that these types of calls or FBI warnings are fake and that they shouldn’t contact or click on anything until they’ve sought professional IT advice.

Speaking of social media, to avoid any targeted attacks on you or someone you know, you need to have a look at what’s currently visible to the general public.

Perhaps the Facebook user could ask someone who currently isn’t their friend to look them up and see exactly what information can be gleaned from their account. Also, with settings being changed through updates to the service, social media users should review their security settings regularly. This way, should an update alter a setting, the user can adjust accordingly to keep their profile private.

However, it’s a lot of effort for a casual user. Perhaps, then, the likes of Facebook or Twitter should make all critical information private to begin with.

Above all, though, the best advice you can give to someone is to not give in to a ransomware attack. Paying off the ransom to unlock your files will most likely, as we said earlier, result in more malware appearing on your system. Remember, these are criminals you’re dealing with here; they have little regard for what’s yours and even less interest in the data that they’re stopping you from accessing.

No matter how tempting it is, it’s probably best you don’t go visiting sites where you’re likely to pick up some malicious code. Porn sites are an obvious place to avoid, as are the various illegal download sites for movies, music and so on. But also avoid pirated app sites, and certainly don’t go installing such apps on your device. The app in question may work, and you haven’t paid for it, but it’ll more than likely contain other code beyond the actual stuff needed for the app to work.

We keep saying this, but backing up your information to a source other than an attached, secondary hard drive will allow you to restart and rebuild your computer in the event of an infection.

While it’s not ideal, at least you can start again, wipe the drive and restore your work and data with the ransomware gone – hopefully now a little wiser.

Finally, never allow someone you don’t know to have control of your PC remotely. It may sound obvious, but the phone scam ransom works in this way, and there have already been millions paid by unwitting victims. The chances are they’ll install something on your system to spy on your accounts or they’ll simply lift the data straight from your drive while they run some useless so-called scan.

What To Do Next?


Reporting a ransomware attack isn’t always an easy thing to do. For the majority of cases, the local police are unfortunately powerless.

If you’ve already paid the ransom, then there’s a reasonable chance you could claim it back from your bank. After all, you’ve been the victim of online fraud, and there are measures in place to help you in such circumstances.

If you suddenly have a warning from the FBI or Metropolitan police on your screen, asking for money, then your best bet is to look to anti-virus forums – on another system, obviously.

BitDefender has a Tech Assist page dedicated to helping you and offering advice and downloads to clean the infection off your PC. Other than that, most local computer engineers or shops will be able to help out, as well as some of the notable repair companies in this or other magazines.

Will Ransomware Ever Die Out?


The chances are, no. It’ll evolve into new and varied forms as technology evolves. All we can do in such circumstances is stay as vigilant as possible, keep everything up to date, avoid going to places where it’s likely to appear and try to inform everyone of the various scams and ransomware threats that are around.

What we’ll most likely see in the coming months are targeted ransomware attacks on users’ cloud accounts and services and, of course, an increase in mobile attacks. Either way, it’s enough to make you want to be technology free.


How Does Most Ransomware Get On Your System?


There are different points of access for ransomware, but to quote the BitDefender Tech Help, “Most likely it happened when you accessed a website containing malicious scripts. These can be hidden under the form of:

• A browser plug-in or extension (typically a toolbar).
• A multimedia codec required to play a certain video clip.
• Software shared on peer-to-peer networks.
• A free online malware scanning service.

The infection will take over the computer within moments. At the next restart, you will notice you are unable to access Windows unless you pay a ransom.”

SimpleLocker, The First Android Ransomware


F-Secure was one of the first companies to track the Android ransomware code known as SimpleLocker. As it explains, “Upon installation, this fake video player app searches for user files on the Android device’s SD card such as images, documents, video, etc.”

The trojan will then use AES encryption to lock the files, then it displays a message in Cyrillic asking for the equivalent of around £15. The money was to be paid to internet kiosks popular in Eastern Europe, where the ransomware was thought to originate, and unless payment was made within 24 hours, all the files would be destroyed along with the cryptographic keys needed to unlock the device.

In addition, unless the user paid up, a threat was issued that every so many hours a contact from their address book would be given evidence that the user visited some of the worst examples of pornography on the internet, and that it would also download examples of those clips to the device for the police to find.

Nasty, eh?
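The SimpleLocker description above says the trojan encrypts the user’s documents and images with AES. One thing a defender can check for after the fact is the tell-tale of that encryption: a properly encrypted file looks like random bytes, so its Shannon entropy sits close to the 8 bits per byte maximum, whereas text documents and office files score far lower. The script below is an added example, not code from the article, from F-Secure or from any AV product; the 7.5 bits/byte threshold, the 64 KB sample size and the constructed sample directory (one plain-text note and one file of random bytes standing in for an encrypted copy) are assumptions made for the demonstration.

```python
import math
import os
import shutil
import tempfile
from collections import Counter

# Assumed heuristic threshold: Shannon entropy (bits per byte) above which a
# file is treated as probably encrypted or compressed. 8.0 is the maximum.
ENTROPY_THRESHOLD = 7.5
# Only the first 64 KB of each file is sampled (assumption) to keep scans cheap.
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Walk `root` and return {relative_path: entropy} for every regular file
    whose sampled bytes score at or above `threshold`."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if len(sample) < 256:
                continue  # too little data for the statistic to mean anything
            entropy = shannon_entropy(sample)
            if entropy >= threshold:
                flagged[os.path.relpath(path, root)] = round(entropy, 3)
    return flagged


def build_sample_tree() -> str:
    """Constructed sample data: a repetitive plain-text note and a file of
    random bytes that stands in for an AES-encrypted copy of it."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Meeting notes for Monday. Bring the quarterly figures.\n" * 40)
    with open(os.path.join(root, "notes.txt.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # os.urandom approximates ciphertext well
    return root


def demo() -> dict:
    """Build the sample tree, scan it, clean up, and return what was flagged."""
    root = build_sample_tree()
    try:
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, entropy in demo().items():
        print(f"{path}: {entropy} bits/byte -> probably encrypted")
```

Running it flags only `notes.txt.locked`; the plain-text note scores around four to five bits per byte. The caveat a practitioner will want: already-compressed media (JPEG, MP4, ZIP) also score near 8.0, so on a real phone or PC this heuristic is a triage signal to be combined with other evidence, such as a sudden burst of renamed files or unfamiliar extensions, not a verdict on its own.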