Extortion on the cards
Ransomware is an attack unlike any other.
The internet has created the perfect ecosystem for one of the oldest crimes in the book – extortion.
In the classic extortion scenario, the attacker takes something of value to the victim, which could be private or embarrassing information, or a person close to the victim, and demands money for it.
Whether it's blackmail or kidnap, the weaknesses in the classic extortion scenario are that the victim may already know who the attacker is or may find out their identity and location in the course of negotiating the ransom payment. Thus, the rewards had to be balanced against the risks of intervention by law enforcement and the criminal justice system or more personal – and painful – forms of retribution.
On the internet, extortion has evolved into an office job through the science of ransomware, malicious software designed to lock you out of valuable information for the purpose of extorting money.
Striking back is nearly impossible because of the problem of identifying the attacker, and even if you do finger them, you may discover they are beyond your reach.
A problem for you, a benefit for the crooks: given the evidence, why would a rational criminal engage in kidnapping or blackmail when they can run riot on the wild, wild web?
Ransomware is almost as old as the world wide web itself. In 1996, just five years after the launch of the web, Adam Young at Columbia University presented a paper called “Cryptovirology: Extortion-based security threats and countermeasures” at the IEEE's Security and Privacy symposium. In the paper, he described the first ransomware prototype using asymmetric encryption, painting a picture of what was to come.
For years it remained just a concept because of the number of different elements which had to come together to create the ecosystem in which ransomware could operate.
Despite the rapid growth of the internet and development of web technologies, it still took eight years for the first confirmed ransomware, Gpcode.ak, to appear in the wild.
First identified in Russia in late 2004, it used a custom-made encryption algorithm which, according to Kaspersky Lab, was easy to crack.
However, things soon moved up a gear with the appearance of a new variant that used a 56-bit RSA key followed by ever-stronger keys. As security researchers continued to crack the keys, the ransomware authors upped the ante. In 2006, Kaspersky proudly announced it had cracked a 660-bit key but it was clear that in the encryption/decryption arms race, the good guys were not going to win.
Today, it's standard for crypto malware to use 1024- and 2048-bit RSA encryption.
A key element of any ransomware attack is providing the victim with a method by which to pay the ransom and GPCode used the best methods available at the time, e-gold and Liberty Reserve.
However, the subsequent shutdown of Liberty Reserve in 2013 following legal action by the US government revealed a fundamental flaw in these centralised payment systems, prompting a switch to a novel and relatively obscure type of online transaction known as crypto-currency.
While Bitcoin is the most widely known of these currencies – there are more than 20 – it holds the title as the first decentralised digital currency.
The emergence of crypto-currencies like Bitcoin, where every transaction is public but the ownership cloaked, provided the extortionists with another required tool in the ransomer's arsenal: true anonymity. The exponential growth in Bitcoin transactions since late 2012, which continues today, has created an underground currency market in which the criminals can collect ransom money. Not only that, they can redeem it for real world currencies and even buy goods and services from many mainstream brands including Overstock.com, Expedia, Dell and Microsoft.
“These key features of Bitcoin and other similar crypto-currencies read like a wish list for a criminal transaction,” says Ryan Merritt, malware research lead at Trustwave.
While there are techniques for breaking the anonymity of the service, the savvy criminal can get around these by creating separate Bitcoin wallets for each transaction and using a tumbler service to mix and further anonymise their ownership.
In the back of every victim's mind has to be the question, if I pay the ransom, will I get my files back? A second question for the less tech savvy victims – and let's face it, ransomware tends to favour the naive – is, how on earth do I buy Bitcoins?
In an irony that won't be lost on the IT industry, the criminals have set up their own tech support service, providing websites, videos and even Skype telephone support to guide their victims through the process.
Three elements – unbreakable encryption, untraceable transactions and silky smooth “customer” support – has created a business model that is simple to follow and, for its ensnared victims, impossible to escape.
Given this dangerous ecosystem in which we find ourselves, what can be done about ransomware?
If you have been ensnared, you can either pay up or accept the loss of your data. The keys to avoiding that stark binary choice are preparation, remediation and education.
The simplest and most common advice from the security community to dealing with ransomware is to backup your data. Given that this is the solution to many internet problems, it's something you should be doing anyway. However, modern ransomware will encrypt everything it has access to including external hard-drives and mounted network shares, says Stephen Newman, CTO at Damballa. “If the infected user/machine has write access to those areas, it's very possible that the backups can get encrypted along with the original files,” he says.
Security experts will tell you that education is the key to avoiding ransomware infections. Despite all the technical advances in the malware, it still relies on phishing, malvertising and other social-engineering attacks to implant itself on the victim's computer. Training users to question every attachment, no matter how plausible it appears, is the standard advice, but despite years of education about the dangers of malware, people continue to fall for phishing attacks at an alarming rate.
Solutions more sophisticated than backups and user education rely on an understanding of how modern ransomware works.
The epitome of ransomware is CTB-Locker. According to McAfee Labs, part of Intel Security, it uses persistent cryptography based on elliptical curves to encrypt files with a unique RSA key. That's the “C” part of the name. It uses C&C servers on the Tor network to hide their location and uses Bitcoin for ransom payments. That's the “T” and the “B”. And “Locker” – that's what the ransomware game is all about.
Its success comes down to the evasive techniques it uses to get around security technology and the quality of the phishing emails it uses as bait. Unlike many phishing campaigns, the antagonists behind CTB Locker appear to use writers who are literate and clever enough to create convincing copies of emails that people would actually expect to receive.