FBI 'alerts world' on cryptographic ransomware spread

Criminal gangs, and even groups with ties to state actors, can be behind ransomware, and the problem is growing, so ensure it is factored into your information security plans.


The FBI's own Internet Crime Complaint Center (known as IC3) has highlighted what it calls the “continued spread” of cryptographic ransomware around the world.

As a strain of malware or ‘scareware', cryptographic ransomware works by delivering a ‘payload' (often carried via an innocuous-looking email attachment or a website advertisement) that encrypts a user's data files to render them useless.

The software itself is governed by a ‘key', which is held and managed by the criminals on a remote server. After infecting a victim's device, the perpetrators typically look to extort money from the user in exchange for recovering their files.

CryptoWall of death

The FBI's alert points logically to the CryptoWall ransomware family that emerged in April 2014. Although this FBI-originated alert highlights threats to US individuals and businesses, the threats here are global in nature.

The FBI warning reminds users that the impact of ransomware goes beyond the ransom fee itself: many victims incur additional costs associated with network mitigation, network counter-measures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.

Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totalling over £11.5 million.

Ransomware redemption prices vary, often ranging from £100 or less to more than £6,000, or the bitcoin equivalent.

Trend Micro's threat definition pages note, however, that paying the ransom does not guarantee that users will regain access to the infected system.

“Once executed in the system, a ransomware can either (1) lock the computer screen or (2) encrypt predetermined files with a password. In the first scenario, a ransomware shows a full-screen image or notification, which prevents victims from using their system. This also shows the instructions on how users can pay for the ransom. The second type of ransomware locks files like documents, spreadsheets and other important files,” reads Trend Micro's advice.

“Be under no illusion that state sponsored resources can be linked to these ransomware labs… and these are actual teams, where many of these threats are created. Whilst nation state agencies can examine and look to exploit or prosecute these organisations (these aren't script kiddies) the lack of jurisdictional power disables their ability to react and to take any form of immediate action,” said Richard Morrell, senior cloud security architect and evangelist at Red Hat and head of social media for the Cloud Security Alliance.

Stephen Newman, CTO at Damballa, agrees, telling SC: “Once a device is infected, cyber-criminals engage in activity analogous to the stock exchange – buying and trading infected devices to future monetise them with new infections. Damballa's State of Infections report details this intricate malware lifecycle, demonstrating how a click-fraud infection morphed into CryptoWall within two hours – necessitating the need for continuous network security monitoring and profiling of device behaviour.”

Co-author and founder of web filtering and firewall company SmoothWall, Morrell spoke directly to SCMagazineUK.com today adding, “Windows clients are always going to be a massive fruitful playground for these coders, hence the ever increasing use of Chromebooks whose encrypted desktop and threat aware user-space built entirely protects the user from threats and blackmail.”

What if it happens to you?

The FBI's advice, if you receive a ransomware popup or message on your device alerting you to an infection, is to disconnect from the Internet immediately to avoid any additional infections or data losses.

Page 1 of 2