Cybercrime is a machine oiled by organised criminals. Not the cigar-puffing Mafia or Triad types, but rather a gathering of professional criminals with aligned interests. They use various closed forums where buyers and sellers are vetted, and services are compartmentalised and outsourced.
“When a CryptoLocker or another type of ransomware is created, there are two scenarios: developers sell their malware on underground forums and don’t use it themselves, or they work together with the malware distributors to infect users’ devices,” says Ilya Sachkov, chief executive of top Russian forensics firm Group-IB.
“The first scenario is more common as the authors of malware take on less responsibility and lower risks. The second option, however, allows them to earn much more.”
There is a third model, too: ‘ransomware-as-a-service’. Here, authors take a 20-30 percent cut of payments, says Webroot threat expert Armando Manago, making it “easier than ever” for crooks to kickstart campaigns.
Group-IB’s Sachkov is at the heart of where much of the world’s worst ransomware is created, but he says Russian authorities have not made arrests, a fact that helps fuel the booming crimeware market. He says the author of the first CryptoLocker ransomware variant for Android devices, known as GanjaMan, is hoping to avoid stirring the hornet’s nest by ensuring that the malware self-destructs if it detects the Russian language in use on a victim’s handset.
While the creators of ransomware, which is sold on English- and Russian-speaking forums, have solid programming and cryptography skills, buyers need not be technically savvy. This, experts say, is thanks to ‘communicators’ or ‘facilitators’ who connect buyers to ransomware authors and other crucial players, such as exploit kit developers and spammers who are required to spread the malware.
“They run like a business,” Marden says. “The facilitators help people get into the malware game; they know who can provide the malware, who can provide the spam run or the exploit kit, and who can provide remittance.” These cybercrime coordinators may tell customers, for example, about an upcoming large spam campaign that they should buy into to help distribute their newly purchased ransomware.
Or they could pair the customer up with a popular exploit kit like Angler, which is a one-stop shop for popping unpatched Adobe Flash, Java and Microsoft Silverlight machines, and a popular delivery tool in ransomware circles. They may also link the client up with adware services to squeeze extra money from their infections by injecting fake advertisements into web browsers.
All told, an investment of about $6,000 a month for ransomware, such as CTB Locker, an exploit kit, spam services and a malware obfuscation service can net a criminal a conservative $84,000, according to Trustwave, the security services company which was acquired by Optus’ parent SingTel in April for US$810 million.
A light in the darkness
Governments like to say they don’t negotiate with terrorists, and the official advice on ransomware capitulation is similar: don’t pay. But that steadfast script runs contrary to the clandestine back-channel payments that so often get the hostages home, and the same could be said of ransomware. Ultimately, a ransom payment is an individual business decision that weighs the cost of downtime against the risk of being cheated. Executives may also find the fuelling of the cybercrime market somewhat distasteful. Police certainly do.
There are a few things businesses can do to resist, however. Chief among them is to ensure regular offline backups are conducted. Network attached drives can and will be encrypted, including cloud accounts, making an air-gapped backup essential.
Administrators must also pay attention to clandestine encryption efforts by some advanced and rare variants, such as Ransomweb, which silently encrypt web databases and decrypt them on the fly as they are accessed, so that the encryption effort remains almost invisible. This process persists until many months’ worth of a victim’s backups have been quietly encrypted. The attacker then withdraws the private key, killing the decryption process, and demands payment.
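The defence against the Ransomweb pattern above, and the reason the article insists on offline backups, is to inspect the raw backups themselves rather than trust that the application still reads its data. The following is an added example (not code from the article or any vendor it quotes) that scores each backup generation by byte entropy and reports the first generation that looks like ciphertext; the SQL dump and the high-entropy blob are constructed samples, and the 7.5 bits-per-byte threshold is an assumption that suits uncompressed text formats.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: what a nightly dump of a web database should look like.
PLAINTEXT_DUMP = b"""-- SQL dump (constructed sample)
INSERT INTO customers VALUES (1,'Alice','alice@example.com');
INSERT INTO customers VALUES (2,'Bob','bob@example.com');
""" * 40


def _pseudo_random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


ENCRYPTED_DUMP = _pseudo_random_bytes(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: readable text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    # Assumed threshold; decompress .gz/.zip archives first or they will be flagged too.
    return shannon_entropy(data) >= threshold


def audit_backups(backups: Dict[str, bytes]) -> List[str]:
    """Names of backup sets whose raw bytes look like ciphertext."""
    return [name for name, blob in backups.items() if looks_encrypted(blob)]


def first_encrypted_generation(backups: Dict[str, bytes]) -> Optional[str]:
    """Walk generations in name order (oldest first) and return the first that
    looks encrypted; the generation before it is the newest clean restore point."""
    for name in sorted(backups):
        if looks_encrypted(backups[name]):
            return name
    return None


if __name__ == "__main__":
    sets = {"2015-03-01.sql": PLAINTEXT_DUMP, "2015-04-01.sql": PLAINTEXT_DUMP,
            "2015-05-01.sql": ENCRYPTED_DUMP, "2015-06-01.sql": ENCRYPTED_DUMP}
    print(audit_backups(sets), first_encrypted_generation(sets))
```

Run this against the restored contents of each retained generation, not the live application, since the live site keeps decrypting transparently until the key is withdrawn.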
Experts are unanimous: education is key. Every business with an internet connection that cannot afford lengthy downtime must understand the gravity of the ransomware threat if they are to avoid disaster.
“If there was a lot more rigour around backups,” Marden says, “the ransomware market could die out in 12 months.”
BREAKOUT: Resisting ransomware
Webroot threat experts Armando Manago and Daniel Slattery told CRN that ransomware is rising in our region.
“In the past month, we have seen an influx of the CryptoLocker infection in the APAC region thanks to a successful spam campaign by malware authors in the US. If organisations have a solid backup solution and disaster recovery plan there should be no need to pay the ransom,” says Manago.
“With the spread of ransomware continuing to increase and develop, it is important for all Australian businesses to develop and prepare for these occurrences. While paying the ransom will allow the user to decrypt their files this time, it opens them up to being targeted repeatedly.”
The Australian government provides some helpful and specific tips via CERT, the national Computer Emergency Response Team – see their website at www.cert.gov.au/advisories/ransomware
Specific recommendations
Activate Volume Shadow Copy on the relevant Windows PCs. This feature maintains previous versions of files in a location that is not accessible by current samples of CryptoLocker. Once the malware has been removed from an infected PC, files mirrored by the Volume Shadow Copy service can be recovered by the user.
Make regular backups of valuable files and maintain an offline copy. As online drives and network shares are encrypted by the malware, any connected backups will be unusable.
Ensure antivirus software with the latest signatures is running on all computer systems.
Consider implementing application whitelisting or, at least, software restriction policies to hinder the ability of malicious software to execute successfully.
General recommendations
Use application white-listing to only allow specifically authorised applications to operate on networks. This mitigation helps prevent malicious software or unauthorised applications from executing.
Ensure applications and operating systems are kept up-to-date with the latest software patches.
Ensure users are restricted from, or are administratively prohibited from, installing unauthorised software and browsing the internet with administrator privileges.
Remove, disable or rename any default system accounts wherever possible.
Enforce strong passphrase policies to reduce the risk from brute forcing attempts.
Implement account lockout policies to reduce the risk from brute forcing attempts.
Monitor the creation of administrator level accounts by third party vendors.
Monitor intrusion detection and/or prevention systems, user logs and server logs for suspicious behaviour.
Use defence-in-depth methods in system design to restrict and control access to individual products and control networks.
When remote access is required, use secure methods such as Virtual Private Networks (VPNs) with two-factor authentication.
If infected, review your antivirus software specific removal guidelines for the malware.