XXI century thieves, stalkers of your information.
Organized crime is always looking to profit quickly at somebody else's expense.
Those who witnessed the very early stages of personal computing may remember that the term virus was exotic and sometimes misleading. I was once asked about it, and I have heard anecdotes about people who were afraid of being "contaminated" by a computer virus in the same sense as being infected by someone carrying a biological virus such as influenza.
At that time, early virus writers were still discovering the scope and reach of their work, and the nascent PC industry needed protection in the form of a brand new concept at the time: an ANTIVIRUS solution. Visionary entrepreneurs such as John McAfee founded companies that took on the challenge of stopping and neutralizing these emerging threats. It was the first glimpse of the fear of losing the integrity of the data in our computers.
Those innocent times are long gone.
Nowadays, along that same line, the digital smugglers of the XXI century have found it profitable to instil fear in cybernauts by kidnapping their digital files. If you want your files back, you must pay a ransom, now in bitcoins, which makes it quite difficult to trace the real criminal networks behind ransomware.
In the first quarter of 2015, from my professional banking experience, I became aware of a dramatic increase in malware detections, specifically in the ransomware category. McAfee Labs documented the same observation in its statistics for the year, shown in Figure 1.
In all cases, what our security tools observed were plenty of attached files from several IPs worldwide carrying malware such as CTB-Locker and CryptoWall, with very generic email subjects in English such as "import invoice" or "Re: Po/invoice CZCZTUTSUD". The messages embedded Rar files, and some Zip files, containing an infamous .scr file that, once executed, tried to install itself in several %AppData% paths, such as:
- %AppData%\*.exe
- %LocalAppData%\*.exe
- %AppData%\*\*.exe
- %LocalAppData%\*\*.exe
- %LocalAppData%\Temp\Rar*\*.exe
- %LocalAppData%\Temp\7z*\*.exe
- %LocalAppData%\Temp\wz*\*.exe
- %LocalAppData%\Temp\*.zip\*.exe
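As an added example (not part of the original article), here is a small Python triage helper that turns the drop locations listed above into path rules and flags process-creation events whose image path falls under one of them; it also treats .scr files like .exe, which goes slightly beyond the list. The user profile paths and the sample events are constructed for the example.

```python
import re

# Per-user locations the %Var% prefixes expand to; constructed for the example,
# a real checker would read them from the host.
ENV = {"%AppData%": r"C:\Users\alice\AppData\Roaming",
       "%LocalAppData%": r"C:\Users\alice\AppData\Local"}

# The drop locations listed above, as written; .scr twins are added because
# Windows runs a screensaver file exactly like an .exe.
OBSERVED = [
    r"%AppData%\*.exe", r"%LocalAppData%\*.exe",
    r"%AppData%\*\*.exe", r"%LocalAppData%\*\*.exe",
    r"%LocalAppData%\Temp\Rar*\*.exe", r"%LocalAppData%\Temp\7z*\*.exe",
    r"%LocalAppData%\Temp\wz*\*.exe", r"%LocalAppData%\Temp\*.zip\*.exe",
]
PATTERNS = OBSERVED + [p.replace(".exe", ".scr") for p in OBSERVED]

def pattern_to_regex(pattern):
    """Expand the %Var% prefix and compile the pattern. A '*' matches inside a
    single path component only, so the first pattern does not cover an .exe
    sitting two folders deep."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    parts = [re.escape(p).replace(r"\*", r"[^\\]*") for p in pattern.split("\\")]
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)

COMPILED = [(p, pattern_to_regex(p)) for p in PATTERNS]

def matching_rule(image_path):
    """First observed pattern that the process image path matches, else None."""
    for pattern, regex in COMPILED:
        if regex.match(image_path):
            return pattern
    return None

def triage(events):
    """Hits as (pid, image_path, matched_pattern) for (pid, image_path) events."""
    return [(pid, p, r) for pid, p in events if (r := matching_rule(p))]

# Constructed process-creation events; three of the five should be flagged.
SAMPLE_EVENTS = [
    (1201, r"C:\Users\alice\AppData\Roaming\invoice.exe"),
    (1215, r"C:\Users\alice\AppData\Local\Temp\Rar$EX12.345\import invoice.scr"),
    (1220, r"C:\Program Files\Vendor\app.exe"),
    (1233, r"C:\Users\alice\AppData\Roaming\Vendor\Sub\deep.exe"),
    (1240, r"C:\Users\alice\AppData\Local\Temp\invoice.zip\ctb.exe"),
]
```

The same rule list can be fed to an application whitelisting policy as deny rules for the user profile; the helper is only the offline check over logged events.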
To accomplish this, ransomware aims to take advantage of operating system vulnerabilities, and of the time gap between the malware's development and deployment in the wild and the release of antivirus signatures and antispam filters by the main security software providers. The profit depends entirely on a massive, swift strike against a vast and unprepared infrastructure.
If allowed to run, as we did in a controlled lab environment, this evil software typically took over the PC, hijacked the files and displayed an explicit message to the user stating that the computer is compromised unless a verified payment is made.
Ransomware these days is continually evolving into a very well crafted attempt to exploit off-guard defenses, the lack of a user culture of backing up data to external devices, and the failure to properly upgrade software to recent, patched versions.
Once caught, ransomware criminals look more like drug dealers than IT experts in the way they store their profits and hide from police surveillance.
A pretty good description of the daily life of common digital hijackers is shown in a revealing raid video from the Policia Nacional, Ministerio del Interior of Spain.
It is a fascinating account of a real police forensics procedure to seize digital evidence to be presented in court against ransomware bandits, as presented in Figure 2 and Figure 3.

Fig 2 - Seizure of mobile devices, Source - Policia Nacional M° Interior, Spain

Fig 3 - Euros seized, Source - Policia Nacional M° Interior, Spain
Just like in a factory production chain, different groups collaborate in this criminal enterprise:
- The "Brains", responsible for researching vulnerabilities in the targeted platforms. They develop specially crafted kits that are easy to deploy or modify, aiming to create as many ransomware variants as quickly as needed. They are understood to be developing for several platforms, even mobile ones such as Android on rooted devices, which lack the Google Play Store protection and other safety validations from the provider.
- The "Distributors", digital crime gangs that provide the networking between the malware kit consumers, keeping a relevant share of the profit from this illegal activity.
- The "Buyers", the end customers of this supply chain model, willing to "invest" in certain malware kits to obtain revenue by distributing them over the Internet, catching as many unprotected victims as possible, knowing that time is a key element in a shock-and-awe method that causes fear and a willingness in the victim to pay for the hijacked files.
All these activities happen underground, hidden in restricted collaboration sites (deep web), Tor communications, or compromised sites such as universities, badly managed corporate sites, etc.
In the end, those participants bet on internauts' inability to protect themselves by applying very basic countermeasures, such as file backups, proper patching and updated antimalware definitions.
Unfortunately, this will remain a persistent trend as long as there are people willing to pay for an uncertain rescue of their own data.
It is worth surveying control methods other than antivirus services, such as Advanced Threat Protection solutions, which are emerging as a viable alternative for managing infrastructure risks.
Continuous monitoring, and a user culture of reporting unexpected and suspicious mails, will always help to stop this menace.
Author
David Ruiz