Cybercriminals are fully embracing ransomware. Ransomware, a specific form or malware, which encrypts files and extorts money from victims, is quickly becoming a favorite among criminals. It is easy to develop, simple to execute, and does a very good job at compelling users to pay in order to regain access to their precious files or systems. Almost anyone and every business is a potential victim. More importantly, people are paying. Even law enforcement organizations have fallen victim, only to cede defeat and pay the criminals to restore access to their digital files or computers.
In just the first half of 2015 the number of ransomware samples has exploded with a near ~190% gain. Compare that to the 127% growth for the whole of 2014. We predicted a spike in such personal attacks for this year, but I am shocked at how fast code development has been accelerated by the criminals.
Total ransomware has quickly exceeded 4 million unique samples in the wild. If the trend continues, by the end of the year we will have over 5 million types of this malware to deal with.
Cybercriminals have found a spectacular method of fleecing a broad community of potential victims. Ransomware uses proven technology to undermine security. Encryption, the long-time friend of cybersecurity professionals, can also be used by nefarious elements to cause harm. It is just a tool. How it is wielded determines if it is beneficial or caustic. In this case, ransomware uses encryption to scramble select data or critical systems files in a way only recoverable by a key they possess. The locked files never leave the system, but are unusable until decrypted. Attackers then offer to provide the key or an unlocking service for a fee. Normally in the hundreds of dollars, the fee is typically requested in the form of a cryptocurrency like Bitcoin. This makes the payment transaction un-revocable and almost impossibly difficult to track attribution and know who is on the receiving end.
This type of an attack is very personal in nature and specific in what it targets. It may lock treasured pictures, game accounts, financial records, legal documents, or work files. These are important to us personally or professionally and is a strong motivator to pay the criminals.
Payment simply reinforces the motivation to use this method again by the attackers and adds resources for continued investment in new tools and techniques. The technical bar for entry into this criminal activity is lowering as malware writers are making this type of attack easier for anyone to attempt. In June, the author of the TOX variant offered ransomware as a service. The criminal made available software for other criminals to distribute. It would handle all the back-end transactions and provide the author a 20% skim of ransoms being paid. Fortunately, the author was influenced to a better path after being exposed by Intel Security. More recently an open source kit, named Hidden Tear, was developed for novices to create their own fully function ransomware code. Although not too sophisticated, it is a watershed moment showing just how accessible making this type of malware is becoming. I expect future open source and software-as-a-service efforts to rapidly improve in quality, features, and availability.
Ransomware will continue to be a major problem. More sophisticated cybercriminals will begin integrating with other exploitation techniques such as malvertizing ad-services, malicious websites, bot uploads, fake software updates, waterhole attacks, spoofed emails, personalized phishing, signed Trojan downloads, etc. Ransomware will grow, more people and business will be affected, and it will become more difficult to recover without paying the ransom. The growth in new ransomware samples is an indication of things to come.