2015 has been an eventful year in the world of malware, and few threats have risen more dramatically than ransomware. Unlike other types of malware that attempt to steal data, ransomware such as CryptoWall or CTB Locker simply encrypts data on the infected machine or network, and then demands payment from the victims in order to decrypt the frozen data.
It was obvious from early in the year that it was going to be a big year for ransomware. In May, McAfee reported that the volume of ransomware doubled with a variety of new ransomware families leading the charge. Likewise, Kaspersky saw 65% growth and identified ransomware as the fastest growing threat.
Although ransomware is commonly targeted at consumers, recent versions have targeted the enterprise with a vengeance. In addition to encrypting the hard drive of infected hosts, ransomware explores the network to find file shares and network drives, which can also be encrypted. This has shifted ransomware from a nuisance to a potentially debilitating attack that can freeze critical assets and intellectual property.
Ransomware and the criminal business model
Security professionals can become hardened by the barrage of new threats, and may brush off ransomware as just another passing phase in the march of malware. But while malware families come and go, there are vital elements in the ransomware business model that will shape cybercrime for the foreseeable future.
To understand these drivers, it is important to look at the malware from the perspective of cybercriminals.
It’s a fact of criminal life that thieves have to figure out how to sell their stolen goods, and this is especially true for cybercriminals. The criminal underworld includes a rich ecosystem for this express purpose.
For example, criminals who steal credit card numbers typically can’t monetize the cards directly. Card numbers are sold in bulk, broken into smaller batches, and resold to criminals who print new cards and, in turn, hire low-level criminals to buy products with the stolen cards.
Those products are then resold and the money is moved through mules before the actual cash is collected. Each step is an opportunity to get caught and introduces a middle-man that takes a cut of the profit.
Ransomware short-circuits this highly complicated fencing operation. Criminals encrypt the data and demand payment directly from victims. Payment is typically delivered in bitcoins or similar crypto-currency.
This relatively direct path to cash makes ransomware attacks profitable and removes the need for a large, complex criminal network. It also lowers the bar for would-be cybercriminals, and in effect brings more bad guys onto the playing field.
Everyone’s data is valuable to them
“No one cares about our data enough to break in and steal it.” This is one of the huge misconceptions that executives whisper to themselves before they ignore an important security project.
While it is certainly true that some data is more valuable than others, the ransomware model turns this short-sighted thinking on its head. Attackers don’t need your data to be valuable to the outside world, they only need that data to be valuable to you.
This makes everyone a potential target, including organizations that have been giving security short shrift over the years. For attackers, this is a great development. Instead of robbing banks, which are relatively few and very well-defended, ransomware opens up a massive supply of relatively unsecured potential targets.
Avoiding the Pinkertons
Targeting a diverse set of victims has an added benefit: It vastly complicates the building of coalitions and information sharing. Outlaw Butch Cassidy found out the hard way that if you steal regularly from banks and railroads, you will eventually attract the attention of Pinkerton detectives.
Today, banking malware has had a similar effect on criminals. Financial institutions share cybersecurity intelligence and multiple law enforcement agencies are coordinating their efforts to focus on banking malware.
Ransomware makes building these coalitions far more daunting. Many victims pay the ransom and do not report the crime. Likewise, because victims can come from any industry, sharing information between organizations becomes even more complicated.
Additionally, ransomware operations have fewer moving parts and a lower dependence on command-and-control (C&C) activity. Unlike other malware campaigns that require consistent C&C communications, ransomware only needs to reach C&C servers to exchange encryption and decryption keys.
This makes it easier for attackers to stay on the move and harder for law enforcement to target and take down the C&C infrastructure. Anything that makes life difficult for security teams and law enforcement is typically going to be a good thing for criminals.
These are some of the natural benefits of ransomware that criminals are quickly learning to use to their advantage. Given the consistency with which malware can penetrate an organization’s defenses, it is no wonder that this type of attack is on the rise.
In the coming year, it will be critically important for security teams to watch the ransomware trend closely. Virtually every network has malware, and these infections are more than enough for a ransomware attack. A few spambots in your network may not seem like a big deal, but a few CryptoWall infections could bring business to a standstill.