Ransomware is not new – it has been around in one form or another for more than 20 years. It comes in two main varieties: ‘blockers’ that simply block the users’ access to files, and ‘encryptors’ that irreversibly encrypt the users’ files. Both hold the victim to ransom. Kaspersky Lab has analyzed figures from its users between 2014 and 2015 and finds that while crypto ransomware is increasing dramatically, ransom blockers remain worryingly common.
In reality, blockers are not a serious problem. Arrests in Russia in 2010 and the launch of “services offering the free unlocking of locked systems made criminal efforts to extort money in this way both more risky and less profitable.” Nevertheless, the rise of crypto currencies has provided a safer method for criminals to receive payment, and while the threat dipped for a while, it still exists.
The most dramatic change in the ransomware landscape has been the emergence and growth of crypto ransomware. The number of Kaspersky users encountering any type of ransomware increased 17.7% over the two years of the study. However, during the same period, the number of users encountering the cryptoware variant increased 5.5 times (from 131,111 instances in 2014-2015 to 718,536 instances in 2014-2016). This increase in cryptoware has more than offset the decrease in blockers, down by by 13% from 1,836,673 in 2014-2015 to 1,597,395 in 2015-2016.
In cryptoware instances there is an increasing concentration within a relatively small number of different malware families. In 2014-2015 CryptoWall accounted for nearly 59% of incidents, with the top three families accounting for 71%. In 2015-2016, TeslaCrypt replaced CryptoWall and accounted for almost 49% of incidents. In this latter year, the top three families accounted for more than 86% of incidents.
The speed with which TeslaCrypt replaced CryptoWall, and the concentration within a few major cryptoware families could be, suggest Kaspersky, “a sign of the development of criminal-to-criminal infrastructure. Instead of developing their own, unique crypto-ransomware, criminals started to purchase off-the-shelf, ready-to-use malware.” This is part of the increasing professionalization of the cyber criminal world noted by many different security vendors. Where less technically able criminals might be able to develop simple Windows blockers but not cryptoware, they can now hire or buy ready-made cryptoware.
In a move that surprised many, the operators of TeslaCrypt shut down their operations in May and the authors released a master decryption key.
The rise in cryptoware is also fueling a change in targets. Blockers are almost entirely directed at home users. In 2014-2015, only 6.8% of incidents involved corporate users. During 2015-2016, this proportion more than doubled to 13.13%. In terms of raw numbers, the increase appears even more dramatic. In 2014-2015, around 27,000 corporate users were attacked. But in 2015-2016, the figure rose six-fold to more than 158,000. The root cause is obvious: corporates can both afford to pay higher ransoms, and are less likely to be able to weather a complete loss of their systems.
Kaspersky’s research also shows increased cryptoware activity in particular geographic areas: Germany, Brazil, Kazakhstan and Italy have all seen double-digit growth in cryptoware incidents. The US remains the most attacked nation when blockers are added to the equation.
Kaspersky takes the ‘official’ line in its advice to victims. “If, for some reason your files are encrypted with ransomware and you are asked to a pay a ransom, don’t pay. Every bitcoin transferred to the hands of criminals builds their confidence in the profitability of this kind of cybercrime, which in its turn leads to the creation of new ransomware.” While this is certainly true, it is not necessarily realistic advice for corporates. The loss for home users is ultimately emotional (loss of personal files and photos); but the potential loss for corporates could be catastrophic.
The most important thing for any corporate is to be prepared. Corporates are more able to defend against ransomware than are home users; and more able to limit its effect. Network segmentation, threat detection and a formal response plan based on realistic risk analysis is more important than a blanket ‘don’t pay’ approach.