Ransomware resellers: a criminal channel making millions


“I saw it was CryptoLocker and I knew we were hosed. Our critical stuff was locked up and I just told the boss to pay up and pay now.”

The system administrator for one of Australia’s biggest hotel chains had little choice but to pay the ransom when financial data and operationally critical files were encrypted last year by the most dangerous variant of ransomware.

“It cost the company $8,000 – chickenfeed in terms of its cash flow and probably less than the hit to daily operations, but it shook the executives to their core.” The administrator, speaking to CRN under the condition of anonymity, says the attackers got lucky and phished the company’s human resources manager, who had access to the most sensitive data.

Soon after the Bitcoin ransom was paid, the company received the decryption key to unscramble their critical data. “They were relieved,” says the sysadmin.

They always are relieved. The victims of high-end CryptoLocker attacks are more akin to unwilling clients of a well-oiled, ultra-sophisticated and sprawling criminal enterprise, one which took the world by storm and in just five short years has become an industry worth tens of millions of dollars.

What’s helping ransomware spread so voraciously is something CRN readers hold dear: a channel model. The authors who write the malicious code are often not the same criminals who deploy the malware; instead developers make money from licence payments or clipping the ticket on subscriptions. By doing so, they distance themselves from the crime, while also creating a scalable model.

Rise of the colossus

The concept of ransomware was first hatched in 1989 when the trojan known as AIDS began locking up users’ files. The ancestor to the modern-day menaces was spread via a floppy disk posted out to subscribers of an online mailing list. It used weak symmetric encryption to lock up the subscribers’ files before demanding they send US$189 to a post office box in Panama. Once the cash was received, a decryption key was sent back.

The author, Dr Joseph Popp – who was identified by the antivirus industry and later arrested – says he intended the cash to go to AIDS research. Dr Popp was associated with medical organisations including the Flying Doctors and the World Health Organization. He was soon released without standing trial and his ransomware was cracked with the antidote program CLEARAID, which removed the encryption.

The unknown authors of CryptoLocker have no such misplaced goodwill. The FBI puts the damages from victims – who have paid after being unable to crack CryptoLocker’s watertight encryption – at some US$18 million in the States alone. That number is certain to blow out, considering that estimates, which vary by time and type, suggest North America represents between 40 and 60 percent of the global victim base. But Americans are not alone; Aussies are also in the crosshairs.

“Australia is disproportionately represented in ransomware,” says Bradley Marden, coordinator of Interpol’s Digital Crime Centre. “Australia is actually disproportionately represented in almost every financially motivated cyber crime.”

The near-30-year veteran of the Australian Federal Police moved to Interpol’s Singapore office in January to take his cyber crime fighting efforts to the global stage. He has seen the carnage of ransomware first hand and has the criminals firmly in his sights.

Marden says CryptoLocker stands out as the most damaging among the variants of ransomware. It belongs to his category of ‘strong ransomware’, sharing podium space with the likes of Cryptowall and Torrentlocker.

Oh Sieng Chye, threat researcher at infosec vendor ESET, finds similar damage down under. “There were some 8,000 infections in Australia in the first half of this year of various forms of ransomware,” the Singapore security bod says. “We receive calls from infected customers on a weekly basis.”

Oh says ransomware should be considered in the top three online threats to organisations and individuals.

Android-based ransomware is also enjoying a rise in sophistication and profits. BitDefender’s most recent statistics from July say infection rates rocketed this year from a paltry 6 percent to 25 percent of all reported mobile malware in April and May.

“Android ransomware has drastically changed from being a small benign application that used to trick and scare users into thinking they have been infected, to actively seizing control over their devices and preventing users from uninstalling the malicious application,” says Bogdan Botezatu, senior threat researcher at BitDefender. “While at first ransomware could have been removed by simply uninstalling the app, today’s versions require a bit more technical expertise to ‘flush’ the application from a user’s Android device.”

The dark channel

Cybercrime is a machine oiled by organised criminals. Not the cigar-puffing Mafia or Triad types, but rather a gathering of professional criminals with aligned interests. They use various closed forums where buyers and sellers are vetted, and services are compartmentalised and outsourced.

“When a CryptoLocker or another type of ransomware is created, there are two scenarios: developers sell their malware on underground forums and don’t use it themselves, or they work together with the malware distributors to infect users’ devices,” says Ilya Sachkov, chief executive of top Russian forensics firm Group-IB.

“The first scenario is more common as the authors of malware take on less responsibility and lower risks. The second option, however, allows them to earn much more.”

There is a third model, too: ‘ransomware-as-a-service’. Here, authors take a 20-30 percent cut of payments, says Webroot threat expert Armando Manago, making it “easier than ever” for crooks to kickstart campaigns.

Group-IB’s Sachkov is at the heart of where much of the world’s worst ransomware is created, but he says Russian authorities have not made arrests, a fact that helps fuel the booming crimeware market. He says the author of the first CryptoLocker ransomware variant for Android devices, known as GanjaMan, is hoping to avoid stirring the hornet’s nest by ensuring that the malware self-destructs if it detects the Russian language in use on a victim’s handset.

While the creators of ransomware, which is sold on English- and Russian-speaking forums, have solid programming and cryptography skills, buyers need not be technically savvy. This, experts say, is thanks to ‘communicators’ or ‘facilitators’ who connect buyers to ransomware authors and other crucial players, such as exploit kit developers and spammers who are required to spread the malware.

“They run like a business,” Marden says. “The facilitators help people get into the malware game; they know who can provide the malware, who can provide the spam run or the exploit kit, and who can provide remittance.” These cyber crime coordinators may tell customers, for example, about an upcoming large spam campaign that they should buy into to help distribute their newly purchased ransomware.

Or they could pair the customer up with a popular exploit kit like Angler, which is a one-stop shop for popping unpatched Adobe Flash, Java and Microsoft Silverlight machines, and a popular delivery tool in ransomware circles. They may also link the client up with adware services to squeeze extra money from their infections by injecting fake advertisements into web browsers.

All told, an investment of about $6,000 a month for ransomware, such as CTB Locker, an exploit kit, spam services and a malware obfuscation service can net a criminal a conservative $84,000, according to Trustwave, the security services company which was acquired by Optus’ parent SingTel in April for US$810 million.

A light in the darkness

Governments like to say they don’t negotiate with terrorists, and the official advice for those considering ransomware capitulation is similar: don’t pay. But that steadfast script runs contrary to the clandestine back-channel payments that so often get the hostages home, and the same could be said of ransomware. Ultimately, a ransom payment is an individual business decision that weighs the cost of downtime against the risk of being cheated. Executives may also find the fuelling of the cybercrime market somewhat distasteful. Police certainly do.

There are a few things businesses can do to resist, however. Chief among them is to ensure regular offline backups are conducted. Network-attached drives can and will be encrypted, as will cloud accounts, making an air-gapped backup essential.

Administrators must also pay attention to clandestine encryption efforts by some advanced and rare variants, such as Ransomweb, which silently encrypt web databases and decrypt them on the fly as they are accessed, so that the encryption effort remains almost invisible. This process persists until many months’ worth of a victim’s backups have been quietly encrypted. The attacker then withdraws the private key, killing the decryption process, and demands payment.
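One defender-side check this silent-encryption scenario calls for, written here as an added example that is not part of the article or of any product it mentions: scan successive backups of a database table for cells that look like ciphertext rather than customer data, and report the newest backup that is still clean. The table, field names, backup labels and ciphertext stand-ins are all constructed for the example.

```python
import math

# Constructed sample data (not from the article): monthly dumps of a small customer
# table. In a Ransomweb-style attack the web application decrypts the database on the
# fly, so the site looks normal while the dumps quietly fill up with ciphertext.
CT1 = "kQ7vZp2xL9mN4wRt8YbC1eHs6uJa3fDg0iOk5lPq+zXy"  # stand-in for a ciphertext cell
CT2 = "Wm3tYx8KpL2qA9sB6dF1gH4jZ0cV5nE7rT+uIoPa/eQy"  # stand-in for a ciphertext cell
FIELDS = ["email", "address"]  # free-text columns that should never look random

def row(email, address):
    return {"email": email, "address": address}

SNAPSHOTS = [  # (backup label, rows), oldest to newest
    ("2015-01", [row("alice@example.com", "12 Harbour St, Sydney NSW 2000"),
                 row("bob@example.com", "7 Flinders Ln, Melbourne VIC 3000")]),
    ("2015-02", [row("alice@example.com", "12 Harbour St, Sydney NSW 2000"),
                 row("bob@example.com", "7 Flinders Ln, Melbourne VIC 3000")]),
    ("2015-03", [row("alice@example.com", CT1),          # encryption has started
                 row("bob@example.com", "7 Flinders Ln, Melbourne VIC 3000")]),
    ("2015-04", [row(CT2, CT1), row(CT1, CT2)]),          # everything is ciphertext
]

def shannon_entropy(s):
    """Bits per character; base64/ciphertext sits well above names, e-mails and addresses."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encrypted(value, min_len=20, threshold=4.3):
    """Heuristic: a long, space-free, high-entropy cell is probably ciphertext."""
    return len(value) >= min_len and " " not in value and shannon_entropy(value) >= threshold

def encrypted_fraction(rows, fields=FIELDS):
    """Share of inspected cells in one backup that look encrypted."""
    cells = [str(r[f]) for r in rows for f in fields]
    return sum(looks_encrypted(c) for c in cells) / len(cells) if cells else 0.0

def last_clean_backup(snapshots, fields=FIELDS, tolerance=0.0):
    """Newest backup whose flagged share is within tolerance: the one to restore from."""
    for label, rows in reversed(snapshots):
        if encrypted_fraction(rows, fields) <= tolerance:
            return label
    return None
```

Run this against each backup as it is taken, not only after an incident: the attack in the article works precisely because nobody reads the backups until the key is withdrawn.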

Experts are unanimous: education is key. Every business with an internet connection that cannot afford lengthy downtime must understand the gravity of the ransomware threat if they are to avoid disaster.

“If there was a lot more rigour around backups,” Marden says, “the ransomware market could die out in 12 months.”

BREAKOUT: Resisting ransomware

Webroot threat experts Armando Manago and Daniel Slattery told CRN that ransomware is rising in our region.

“In the past month, we have seen an influx of the CryptoLocker infection in the APAC region thanks to a successful spam campaign by malware authors in the US. If organisations have a solid backup solution and disaster recovery plan there should be no need to pay the ransom,” says Manago.

“With the spread of ransomware continuing to increase and develop it is important for all Australian businesses to develop and prepare for these occurrences. While paying the ransom will allow the user to decrypt their files this time, it opens them up to being targeted repeatedly.”

The Australian government provides some helpful and specific tips via CERT, the national Computer Emergency Response Team – see their website at www.cert.gov.au/advisories/ransomware

Specific recommendations

Activate Volume Shadow Copy on the relevant Windows PCs. This feature maintains previous versions of files in a location that is not accessible by current samples of CryptoLocker. Once the malware has been removed from an infected PC, files mirrored by the Volume Shadow Copy service can be recovered by the user.

Make regular backups of valuable files and maintain an offline copy. As online drives and network shares are encrypted by the malware, any connected backups will be unusable.

Ensure antivirus software with the latest signatures is running on all computer systems.

Consider implementing application whitelisting or, at least, software restriction policies to hinder the ability of malicious software to execute successfully.

General recommendations

Use application white-listing to only allow specifically authorised applications to operate on networks. This mitigation helps prevent malicious software or unauthorised applications from executing.

Ensure applications and operating systems are kept up-to-date with the latest software patches.

Ensure users are restricted from, or are administratively prohibited from, installing unauthorised software and browsing the internet with administrator privileges.

Remove, disable or rename any default system accounts wherever possible.

Enforce strong passphrase policies to reduce the risk from brute forcing attempts.

Implement account lockout policies to reduce the risk from brute forcing attempts.

Monitor the creation of administrator level accounts by third party vendors.

Monitor intrusion detection and/or prevention systems, user logs and server logs for suspicious behaviour.

Use defence-in-depth methods in system design to restrict and control access to individual products and control networks.

When remote access is required, use secure methods such as Virtual Private Networks (VPNs) with two-factor authentication.

If infected, review your antivirus software specific removal guidelines for the malware.
