SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Ransomware: First files … now complete devices
Mon, 11th Jul 2016

A major threat to computer security is malicious code. In fact, over the years, it has become one of the main causes of security incidents, from the first viruses in 1986 to the most sophisticated malware of today. Recently, a particular type of malware, although not new, has become increasingly troublesome for both businesses and home users. It is known as ransomware.

Varieties of ransomware

Over the past year, cases of ransomware have gained prominence in the field of computer security due to a notable growth in the number of victims. This is, in turn, due to the significant profits that cybercriminals can obtain from this type of malicious campaign.

This form of attack may seem innovative, but it is not. In fact, the first widely-known case of ransomware goes back 25 years: PC Cyborg, aka the 'AIDS trojan', was malware that hid directories and encrypted the names of all the files on the C drive, thus making the system unusable. The victims were then requested to "renew their licenses" with a payment of $189.

Since then, new programs seeking to extort money from users have been identified. Unlike PC Cyborg, which used symmetric encryption, these used asymmetric encryption algorithms with larger keys. In 2005, GPCoder and its subsequent variants requested a payment ranging from $100 to $200 to recover encrypted files with specific extensions.

However, this type of malicious code goes further and, in fact, there are groups of cybercriminals offering this kind of malware as a service. Ransomware as a Service (RaaS) has emerged through the prominence of tools that generate ransomware automatically, allowing criminals to create this type of malware regardless of their technical expertise.

Similarly, the fairly recent publication of Hidden Tear, the first open source ransomware, has opened a new window for the development of such malware and its variants. Consequently, we predict the creation of increasingly sophisticated and massively prevalent malware.

The increase in the number of variants

One of the highlights of ransomware evolution is the growth in the number of variants seen in recent years, targeting various platforms and technologies. The following chart shows that, as you might expect, Windows-related families are the ones that have been showing a year-on-year growth in terms of the number of detections.

But, in addition to Windows, variants have also been designed for other operating systems. Such is the case with OS X: during 2015, Filecoder families unique to these systems were detected. Other technologies such as VBS, Python, BAT and PowerShell are also used by cybercriminals to compromise users' systems for profit.

Evolution of threats

Although, until now, operating systems for desktop computers or laptops have been discussed, these are not the only platforms that are exposed to this threat. Cases of ransomware have also been found to affect mobile devices, particularly those running Android (which is the mobile operating system with the most users worldwide).

The first Android-targeting families included fake antivirus with the ability to lock the screens of the devices. In 2014 Simplocker, the first Tor-enabled ransomware for Android that encrypts user files directly, was discovered by ESET. In fact, the number of malware families detected during 2015 is 4% higher compared to the number detected during 2014. A small percentage increase in malware families can represent a huge increase in individual samples.

Conclusion: The same goal for another threat

In recent years, the seizure of information stored by users and companies on various platforms has become one of the most notable trends. The impact it can have on users, by preventing them from accessing all their information due to the action of malicious code, is of growing concern.

It is one of the most concerning types of security incidents for two reasons: first, it takes full advantage of situations where a company lacks an effective backup strategy; second, the success of this type of attack for cybercriminals has led them to extend it beyond Windows to other systems and mobile devices. Its increasing impact has made it one of the greatest current concerns of consumers and companies alike.

During 2015, we have seen large ransomware campaigns in multiple languages, as was the case with CTB-Locker in January 2015, which must not be viewed as an isolated event.

Cybercriminals seek to force users to give in to their demands by encrypting their files and seizing their information, and this is something that is likely to continue happening. As technology has evolved, the protection mechanisms to counter threats such as ransomware have improved based on experience, and they must be accompanied by user management and education.

However, not all devices can be protected with a security solution, and this threatens to become a future risk for consumers and companies. Based on these points, by 2016, we expect to see more ransomware campaigns trying to exploit new attack surfaces by prohibiting users from accessing their information or services. The increasing trend toward more and more devices being supplied with an internet connection provides cybercriminals with a greater variety of devices that might be attacked.

From the security side, the challenge is not only to detect and block or remove such attacks, but also to ensure the continuing availability of information. In the near future, network security, the prevention of exploits, and the appropriate configuration of devices will take on greater importance to prevent such attacks, so that users can enjoy the technology.
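The detection side of that challenge can be illustrated with a simple host-based heuristic. File-encrypting ransomware leaves two observable traces: the rewritten files have near-random byte distributions (high Shannon entropy, close to 8 bits per byte), and many files are modified in a short burst. The following Python script is an added example written for this article, not code from the author or from ESET; the file contents, modification events and the list of suspicious extensions are constructed stand-ins, not real samples.

```python
import math
import os
from collections import Counter

# Hypothetical list of extensions a file-encrypting family might append.
# Constructed for this example; real deployments would use threat intelligence.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text scores roughly 4-5,
    compressed or encrypted data approaches the maximum of 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Flag a buffer whose entropy is close to that of random bytes."""
    return shannon_entropy(data) >= threshold


def flag_files(samples, threshold: float = 7.5):
    """samples: iterable of (path, content bytes).
    Returns [(path, [reasons])] for every file that trips a heuristic."""
    flagged = []
    for path, data in samples:
        reasons = []
        if looks_encrypted(data, threshold):
            reasons.append("high entropy")
        if os.path.splitext(path)[1].lower() in SUSPICIOUS_EXTENSIONS:
            reasons.append("suspicious extension")
        if reasons:
            flagged.append((path, reasons))
    return flagged


def burst_of_modifications(events, window_seconds: float = 10.0,
                           max_changes: int = 50) -> bool:
    """events: iterable of (timestamp_seconds, path) write events.
    True if any sliding window of window_seconds holds more than
    max_changes modifications, i.e. a mass-rewrite pattern."""
    times = sorted(t for t, _ in events)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:
            start += 1
        if end - start + 1 > max_changes:
            return True
    return False


# Constructed sample data: two ordinary documents and one stand-in for a
# rewritten file (every byte value equally frequent, entropy exactly 8.0).
SAMPLE_FILES = [
    ("report.docx", b"Quarterly report: revenue grew 4% year on year. " * 40),
    ("notes.txt", b"Meeting notes\n" * 100),
    ("photo.jpg.locked", bytes(range(256)) * 8),
]

# Constructed event log: 80 files rewritten within 8 seconds.
SAMPLE_EVENTS = [(i * 0.1, f"docs/file{i}.locked") for i in range(80)]


if __name__ == "__main__":
    for path, reasons in flag_files(SAMPLE_FILES):
        print(f"{path}: {', '.join(reasons)}")
    if burst_of_modifications(SAMPLE_EVENTS):
        print("burst of file modifications detected")
```

Entropy alone produces false positives, because compressed formats (archives, JPEGs, video) are also high-entropy, so the extension and burst signals are meant to be combined rather than used individually. None of this replaces the backup strategy the article calls for; the heuristic only shortens the time before an encryption run is noticed and stopped.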

We are on our way towards a fivefold increase in the number of devices connected to the internet over the next five years, thus reaching 25 billion online devices, so the challenge is to protect them properly against this type of attack.

Article by Camilo Gutiérrez Amaya, welivesecurity analyst