When crypto ransomware started, it was a mere “side project” for some of the big fraudsters out there. What has led to this attack becoming a global menace?

In May 2014 in operation Tovar, the FBI isolated CryptoLocker as a result of taking down GameOver ZeuS. CryptoLocker was crypto ransomware from the “creative mind” of Evgeniy Bogachev, who ran this as part of his GameOver ZeuS operations. It was the first ransomware “which worked”, meaning it encrypted your files with AES and RSA private keys at the criminals infra. If you paid your bitcoin, you would get a private key to decrypt your files. As a result, you would get them all back.

“Lazy” Ransomware

Before CryptoLocker, there’s been other ransomware, which wasn’t as well architected. “Screen locking ransomware”, “Police ransomware”, and others types, would aim at scaring you into paying up (“we’ve seen you download illegal content, pay a fine!”). It didn’t actually hold files ransom. Other types would mutilate files but they wouldn’t restore the originals. These types were never as successful because the word got around – they were either relatively harmless or they wouldn’t hold up their end of the criminal bargain. In other words, this is very bad marketing.

Good marketing

The success of ransomware is tied to how well it works. Cryptolocker would give your files back for a bitcoin (then around $300). For the victims, this was a relatively small amount if it meant recovering photographs of all your loved ones. For business, it’s investing they would rather make than restoring entire drives from backup. The word got around: yes, you will get your files back if you pay. Working tech is key in ransomware, marketing is essential for the criminals to get the word out: pay and you will get your files back.

Exaggerated success

That said, the original Cryptolocker has never been a big money maker. It was one of the ideas to increase the ROI from GameOver ZeuS botnets. It victimized about half a million, of whom only one in 75 would pay, making the GameOver ZeuS gang around $3M. Not bad for a rainy day, but a mere rounding error compared to the estimated hundreds of millions they stole through fraud campaigns.

They got good marketing though: journalists and security vendors were quick to extrapolate vague numbers, make guesses, and soon the world was led to believe ransomware was the next big thing, and the world was about to end.This marketing has likely had a big impact to ransomware becoming the menace it is today.

Criminals take notice

Usually, the world deals with inflated numbers and security FUD by shrugging its shoulders and moving on. But in this case, the criminals took notice. They reckoned: “Hey, here’s a relatively low-risk attack, with an easy cash out through bitcoin, and we could make dozens of millions! We need to get on the bandwagon”.

Very fast, copycat attacks arose, imitating the CryptoLocker modus operandi. Sometimes even branding their ransomware CryptoLocker, because that’s what got all the “good press”. Cryptowall, Torrentlocker, and others blatantly stole Bogachev’s concept and started out for themselves. Up until this week, we have seen Torrentlocker variant “Crypt0L0cker” in the wild in our 5 CDC’s.

The inflated threat soon caught up with reality. Dozens of copycat attacks, millions of victims, and uncountable productivity loss is the result. Some of the criminals have sent bottles of champagne with a friendly note to tech bloggers, thanking them for the free marketing.

“Let’s play a game”

Ransomware inevitably has evolved. Some of them feature “Jigsaw” who invites you to play a game, deleting one thousand files every hour on top of the crypto-ransom. For those organisations that have excellent recovery procedures, schemes have been seen where the malware publishes files every hour until payment.

Today files are being ransomed, tomorrow processes will be ransomed. Some of the possibilities are increasingly scary, ransoming a smart car (pay to drive), or pacemakers (pay to live). When ransomware will firmly enter the internet of things, we’ll need to be ready for unimaginable threats. In addition, the marketing for the criminals will be great and free of charge.

Recommendations

1.    To prevent impact from today’s ransomware: update, patch and run (next gen) AV. Create awareness with your personnel. Test your recovery processes. If your backup is working, that is no guarantee your restore will work too.

2.    If you need to deal with a ransomware infection: Invest in detection and response such as quarantining solutions. The general advice is not to pay up, to avoid striking business deals with criminals, even if it means you need to perform a full-fledged recovery of your network shares. Make sure all infected machines are quarantined before you do, or you can repeat your efforts.

3.   For dealing with tomorrow’s (process) ransomware: hire the best CISO you can afford today. Likely it means hardening different parts of your defenses & processes.

Further resources you may like:

Eward Driehuis

Chief Research Officer
eward.driehuis@securelink.nl