Threat Intelligence Blog

Posted July 28, 2016

By Emilio Iasiello and Steven Weinstein

Ransomware is on the rise. While this isn’t new, the growing number of attacks against enterprises, together with the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) releasing new guidance under the Health Insurance Portability and Accountability Act (HIPAA), prompted us to revisit the topic.

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems and rendering them temporarily or permanently inaccessible unless a “ransom” is paid within a specific time period. The malware has been around since the late 1980s, but began to rise in popularity about three years ago when the infamous CryptoLocker – regarded as one of the most destructive pieces of malware out there – was introduced to the public. CryptoLocker is considered unique because its authors and operators appear to have studied previous variants and styles of ransomware so that CryptoLocker would not repeat their flaws. Of note, the perpetrators demanded that the ransom be paid in bitcoin. In the year that CryptoLocker was in the wild, the attackers behind the scheme generated revenue of approximately 42,000 bitcoin, or about US$27 million.

There are currently 120 strains of ransomware, and some researchers are even reporting a 3,500 percent increase in the criminal use of network infrastructure to run these nasty pieces of malware. What’s more, in the first quarter of 2016, Kaspersky Lab detected 2,900 new malware modifications, an increase of 14 percent from the previous quarter. Currently, Locky is the leading ransomware strain and has been detected in 114 countries. According to security researcher Bart Parys, most ransomware is controlled by individual groups, as CryptoLocker was, but he revealed that some operators actually purchase ransomware from an underground market.

Attackers use a variety of delivery methods to deploy ransomware, such as phishing/spear-phishing emails that carry malicious attachments, or drive-by downloads. A drive-by download occurs when a user visits an infected website – even a legitimate one – and malware is downloaded and installed without the user’s knowledge. Cyber criminals have also booby-trapped advertisements and used specialized “crypters” and “packers” that make malicious files look benign. Ransomware has even been embedded directly in spam e-mails.

There are several types of ransomware that criminals employ to seek their paydays:

  • Encryption: This is the most popular form of ransomware. It encrypts not only the files on the infected device, but also the contents of shared or networked drives, rendering them inaccessible until a ransom is paid out.
  • Deletion: The ransomware claims it will delete your files if you attempt to decrypt them without paying. Not paying the ransom will also result in your files being deleted.
  • Locking: This ransomware makes it look like a law enforcement agency has taken over your device, typically with an image that reads, “Your computer has been locked.”

According to the Institute for Critical Infrastructure Technology, ransomware campaigns only care about the payout rather than the individual target. Statistics from the Microsoft Malware Protection Center revealed that in 2015 the United States ranked as the top ransomware target, with nearly 321,000 infected systems. Italy came in a distant second with almost 79,000 systems, and Canada took third place with 45,580 systems infected. The United Kingdom and Spain rounded out the top five with 38,068 and 35,992 infected machines, respectively. Ransomware campaigns typically cast a wide net in the hopes of snaring those willing to pay the ransom. Known sectors that have fallen victim to ransomware campaigns include healthcare, certified public accountants, law enforcement entities, financial institutions, and universities.

What You Can Do to Protect Yourself

  • Back up your data: The simplest way to protect yourself from ransomware attacks is to regularly back up all of your important information and data. Dedicated backup software makes full copies of hard disk drives and stores them on an external source, usually a storage drive that is disconnected and purposefully kept offline after each backup. An alternative is a network attached storage (NAS) appliance for holding the backups. A third option is a cloud storage service. This is not always the best choice, because encrypted files synchronize to the cloud copy just like any other change; however, many services have file-versioning features that make it possible to recover earlier copies of files.
  • Always disconnect USB or external drives after use.
  • Remove all possible network shares.
  • Use pop-up blockers.
  • Disable plugins.
  • Use antivirus software – and keep it updated.
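The versioning caveat above is the difference between a sync folder, where the encrypted copy silently replaces the good one, and a backup store that keeps every version. The following example is added here and is not code from the original post; it keeps each backed-up version under its content hash and, on restore, walks back to the newest version that does not look like ciphertext (entropy cutoff, file names and the sample document are all assumptions).

```python
import hashlib, math, os, shutil, tempfile
from collections import Counter
from typing import Optional

ENTROPY_LIMIT = 7.0  # assumed cutoff: text is ~4-5 bits/byte, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def backup_version(src: str, store: str) -> str:
    """Copy src into store under its SHA-256 and log it; earlier versions are never overwritten."""
    with open(src, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    os.makedirs(store, exist_ok=True)
    dst = os.path.join(store, digest)
    if not os.path.exists(dst):
        shutil.copy2(src, dst)
    with open(os.path.join(store, "index"), "a") as idx:
        idx.write(digest + "\n")
    return digest

def restore_last_good(store: str, dest: str) -> Optional[str]:
    """Restore the newest version that does not look encrypted; return its digest."""
    with open(os.path.join(store, "index")) as idx:
        digests = idx.read().split()
    for digest in reversed(digests):
        path = os.path.join(store, digest)
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read()) < ENTROPY_LIMIT:
                shutil.copy2(path, dest)
                return digest
    return None

def demo() -> bool:
    """Constructed scenario: back up a document, replace it with random bytes
    (standing in for the encrypted copy), back up again, then roll back."""
    work = tempfile.mkdtemp()
    doc, store = os.path.join(work, "report.txt"), os.path.join(work, "store")
    original = b"Quarterly report: revenue up 14 percent.\n" * 20
    with open(doc, "wb") as fh:
        fh.write(original)
    good = backup_version(doc, store)
    with open(doc, "wb") as fh:
        fh.write(os.urandom(len(original)))  # simulated ciphertext, constructed
    backup_version(doc, store)
    restored = restore_last_good(store, doc)
    with open(doc, "rb") as fh:
        return restored == good and fh.read() == original
```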

What’s the Future for Ransomware?

The success of ransomware is evidenced by the multiple variants that are being developed and released into the wild. Ransomware-as-a-service has emerged in the underground, enabling any willing buyer to get involved in this criminal endeavor without being technically proficient. Ultimately, ransomware campaigns are a numbers game: the more hits that are recorded, the more opportunities for victims to pay up. Interestingly, the cost of the ransom remains an affordable expense for victimized organizations, perhaps a purposeful tack by criminals to persuade victims to pay rather than not. Because in the end, it’s money that these gangs want.

Contact us to learn how LookingGlass threat intelligence services can help protect your organization from the risk of ransomware.
