
Ransomware – New Trends & How to Stay Safe


Written by Brent Quick

October 25, 2016

Basic Overview of Ransomware and What to Do if You Fall Victim

Ransomware is malicious software that encrypts a user’s files (and any files that user has access to on a shared drive) and forces the user to pay a “ransom” in exchange for the decryption key to get the files back. Payment is made via a number of difficult-to-trace methods, the most popular being Bitcoin. Users can request a “key” that decrypts one or two files to verify that the ransomware is reversible. If payment is made, a full decryption key is sent, and unless the user falls victim again no further encryption takes place. If the ransom is paid, never let that machine connect to any network again. Copy all needed files to an external hard drive, run anti-virus scans on it, and only if no viruses are found connect that hard drive to another PC. The original infected PC should be wiped completely and reimaged, including the operating system.


The Changing Model of Ransomware Proliferation

A new report by Check Point Software’s researchers showed that Cerber’s Ransomware-as-a-Service (RaaS) affiliate program, which lets “affiliates” run a “marketing” campaign, manage updates to the ransomware code, and process payments all within one platform, has become quite popular. At the time this blog post was published, Cerber had more than 160 participants, and its combined revenue from direct sales and affiliates was almost $200,000 USD, despite a victim payment rate of just 0.3%. That puts it on track to make 2.3 million dollars this year, said Maya Horowitz, group manager of threat intelligence at Check Point. The RaaS model is so popular and profitable that competition has already started. Symantec reported on a new RaaS dubbed Shark that is currently offered with no upfront charge but keeps 20% of the payments made by victims, directing those funds to the Shark developers.


Conversion Rate – Marketing 2.3% Vs Ransomware 0.3%

The Check Point researchers identified the IP addresses of infected machines and, from there, the IP addresses of the Command & Control (C&C) servers. This allowed them to monitor different aspects of the traffic and, using the Bitcoin wallet IDs used for payment, trace payments to a central Bitcoin wallet. Using this information, they determined that 0.3% of infected individuals paid the ransom. In marketing, the rate at which a site visitor goes on to make a purchase, known as the conversion rate, averages 2.3%. Ransomware with a 0.3% conversion rate has room for improvement, and I predict the next step will be the public posting of files from victims’ machines. As files are encrypted, searches for key words or phrases would identify files and copy them to a file-sharing site. The combined leverage of “pay to get your files back” and “pay to keep them private” could spur a victim to pay where losing the files alone has not.


Russian Ransomware – For Export Only

More interesting, though not surprising, the Check Point researchers also discovered that the Cerber ransomware authors set a default not to operate on devices that use Russian as their default language. It is believed that the current Russian government will tolerate any and all cyber activity as long as none of it occurs inside Russian borders. The FSB (the modern successor to the KGB) has broken up and arrested individuals and organizations in the past, and Russian crime syndicates and cyber criminals have gotten the message.


Locky – Healthcare Ransomware On The Rise

FireEye warned that a “massive” Locky ransomware campaign had hit America, with a specific focus on healthcare and distribution via large-scale email campaigns. Word document attachments containing macros (extension .docm) are the main means of distributing Locky. Each email carries a unique campaign code used to download Locky from a C&C server to the victim’s machine. Security firm Proofpoint reported in its most recent survey that approximately 69% of email attacks using malicious document attachments featured Locky ransomware, up from 24% in the previous quarter. Last month, Locky claimed the top spot for email-based malware in Q2, overtaking Dridex.
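Because the Locky campaign rides on macro-enabled Word attachments, a mail gateway can triage attachments by looking inside the Office Open XML container for a VBA project rather than trusting the file extension alone. The following is an added example written for this post, not code from FireEye, Proofpoint or the original article; the attachment names and contents are constructed in memory and contain no real macro.

```python
import io
import zipfile

# Constructed sample attachments (not real malware). Office Open XML files are
# zip containers; a macro-enabled Word document carries word/vbaProject.bin.
def build_sample(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder blob
    return buf.getvalue()

SAMPLES = {
    "invoice_2016-10.docm": build_sample(True),
    "report.docx": build_sample(False),
    "renamed_macro.docx": build_sample(True),  # macro hidden behind a .docx name
    "notes.txt": b"plain text",
}

MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "pptm"}
VBA_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")

def has_vba_project(data: bytes) -> bool:
    """Return True if the zip container holds a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = {n.lower() for n in z.namelist()}
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)

def triage(attachments: dict) -> dict:
    """Map each attachment name to ('quarantine' | 'allow', reason)."""
    verdicts = {}
    for name, data in attachments.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            verdicts[name] = ("quarantine", "macro-enabled extension")
        elif has_vba_project(data):
            verdicts[name] = ("quarantine", "VBA project inside container")
        else:
            verdicts[name] = ("allow", "no macro indicators")
    return verdicts
```

The content check is what catches the third sample, whose .docx name alone would pass an extension-only filter.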


The Changing Landscape of Hacking and Cyber Attacks

Fortune Magazine published an article about how the stock price of a leading security firm reflects the changing landscape, “What FireEye’s Stock Crash Says About Hacking.” FireEye, whose business model is based on responding to large-scale breaches and selling security software to detect and protect against such threats, has recently missed revenue targets. Prior revenue shortfalls have been blamed on a decrease in Chinese cyber-attacks following that country’s truce with the Obama administration. Symantec has not seen a similar revenue drop-off from this change, but a recent report stated, “In the past three years, the number of email phishing campaigns has nearly doubled, but the number of people targeted in each has fallen by more than half, to an average of 11…” What does this mean for businesses? This change may signal that the Advanced Persistent Threat (APT) risk is overblown, but mass-distributed malware, particularly ransomware, should still be a concern for most organizations.


The Phone as A Risk Vector – Helpful People are Exposing Your Company

Black Hat and the related DefCon are annual security and hacking conferences. There are several competitions, one of which this year was about how much information could be gathered about a target company using only a phone. USA TODAY has the write-up of how the competition was run (a soundproof booth on a stage and a phone that can spoof caller ID), what competitors did to gain information, and why they were so successful. If you are wondering why this is included: the term spear phishing refers to a targeted email (the spear) carrying malware or other security risks. If someone knows enough about a business or company, crafting a believable and successful message becomes much easier. I will close with the following advice: users must always be cautious and should adopt the stance of David Foster Wallace in his book Infinite Jest, “Yes, I’m paranoid — but am I paranoid enough?” Want help keeping your company safe? Learn more about the managed IT services we offer.
