PhishMe codifies ransomware as a formal business model

Steganographic subterfuge: ransomware was already 'a thing', now it's a mature and established business model


If the summer's infosecurity exhibitions, conferences and press tours have left one lasting impression, it is surely the maturity of ransomware. PhishMe Inc has added its voice to those affirming this notion, saying that the second quarter of 2016 saw ransomware firmly establish itself as a ‘mature business model', albeit a despicable one.

The human phishing defence solutions company says that encryption ransomware now accounts for 50 percent of all malware configurations it analysed. This assertion echoes comments made by Trend Micro's VP of security research Rik Ferguson this summer, when he stated that ransomware is now ‘an enterprise problem', i.e. it is no longer a sporadic threat aimed at individuals for quick profit but a permanent fixture on the threat landscape.

Three key factors in ransomware

PhishMe's Q2 2016 Malware Review identified three trends as ‘firmly established': encryption ransomware itself; a rise in evasion techniques, many of them simple tricks for slipping past security products; and the fact that simple attacks still hurt, i.e. less sophisticated actors can still deploy malware with robust feature sets.

The key payloads delivered in 2016 were the Cerber and Locky encryption ransomware families, both of which dominated the period.

“Barely a year ago, ransomware was a concerning trend on the rise. Now, ransomware is a fully established business model and a reliable profit engine for cyber-criminals, as threat actors involved treat it as a legitimate industry by selling information, tools and resources to peers based all around the world,” said Rohyt Belani, CEO and co-founder of PhishMe.

Belani suggests that ‘empowering the human element' to detect and report these campaigns needs to be a top priority for organisations if they are to protect themselves from a threat that is here for the long term.

Steganography subterfuge

PhishMe's report also presents findings on the use of steganographic techniques and ciphers in malware delivery. Steganography is the practice of hiding information by embedding it within other, seemingly harmless data, such as an image file.

According to the report, “Using a common steganographic technique, threat actors are able to hide the Cerber executable of a Cerber malware payload within a seemingly harmless image file – sneaking past layers of security technologies to make its way into the target victim's inbox.” The report provides further examples of how the executables are embedded and what to look for when conducting a deep ransomware analysis.
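The report does not reproduce its technique in code, so the following is an added example, not PhishMe's own analysis tooling. It assumes the simplest and most common form of executable-in-image smuggling: the payload is appended after the image's structural end (the IEND chunk of a PNG, or the EOI marker of a JPEG), so a viewer shows a valid picture while the bytes after it are never rendered. The scanner walks the image's own structure to find where it legitimately ends, then checks whether the trailing bytes look like a Windows executable (an MZ header whose e_lfanew points at a PE signature). The image and PE samples are constructed inline; the "executable" is a bare header stub, not a real program.

```python
"""Find executable data appended after the structural end of a PNG or JPEG."""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # length + type + payload + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk marker segments; return the offset just past EOI, or None if malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte
            pos += 1
            continue
        if marker == 0xD9:  # EOI: the legitimate end of the image
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(data: bytes) -> dict:
    """Report how many bytes trail the image and whether they look like a PE file."""
    if data.startswith(PNG_SIG):
        kind, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        kind, end = "jpeg", jpeg_end_offset(data)
    else:
        return {"format": "unknown", "trailing_bytes": 0, "embedded_pe": False}
    if end is None:
        return {"format": kind, "malformed": True, "trailing_bytes": 0, "embedded_pe": False}
    trailer = data[end:]
    return {"format": kind, "image_end": end,
            "trailing_bytes": len(trailer), "embedded_pe": looks_like_pe(trailer)}


# --- constructed samples (not real malware) ---------------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 greyscale PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_minimal_jpeg() -> bytes:
    """SOI + JFIF APP0 segment + EOI: structurally walkable, no scan data."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + b"\xff\xd9"


def build_fake_pe_stub() -> bytes:
    """Hypothetical stand-in for an appended executable: MZ header, e_lfanew -> PE signature."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


if __name__ == "__main__":
    for name, sample in [("clean.png", build_minimal_png()),
                         ("stego.png", build_minimal_png() + build_fake_pe_stub()),
                         ("stego.jpg", build_minimal_jpeg() + build_fake_pe_stub())]:
        print(name, scan_image(sample))
```

The check is deliberately structural rather than signature-based: it does not care what the trailing bytes are called, only that they sit past the point where a conforming decoder stops reading. It will not catch payloads hidden inside valid chunks or in pixel least-significant bits, which is why the report's advice to look deeper during analysis still applies.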

This report and review also aims to shed light on remote access Trojan utilities, which have garnered significant attention recently due to their purported use in the high profile intrusion and apparent theft of data from the Democratic National Committee.

Troy Gill, manager of security research at AppRiver, spoke to SCMagazineUK.com in line with this story to comment, “Ransomware keeps growing in popularity because, well, it doesn't just work; it works really, really well. Why does it work? Because many netizens and organisations don't properly back up their files, if at all - a backed-up copy of an encrypted file would negate the need to pay a ransom.”

Gill continued, "To make sure their business model continues, many cyber-criminals will even help their victims decrypt their files (post payment, of course) to ensure that their reputation for delivering the encryption key is intact. Because if word spread that it doesn't matter how much victims pay, they won't get their files back, people would likely stop paying. And ultimately people paying is what will continue to drive this malware and variants being released."