The rise and rise of ransomware

The relatively low cost of ransomware as a business means that criminals can jump in and out of the business. Davey Winder looks at why it continues to work.

Ransomware notification

Newly published research suggests that the growth in ransomware infrastructure is, frankly, incredible. With old threats being neutralised, and the public becoming increasingly aware of how to mitigate these attacks, we wonder just how big a threat ransomware really is.

The latest Infoblox DNS Threat Index for Q1 2016 reports a 3,500 percent increase in ransomware domain creation quarter on quarter from 2015. "The relative cost of infrastructure is so low that it completely makes sense from the criminal's point of view," Rod Rasmussen, vice president of cybersecurity at Infoblox told SCMagazineUK.com, "to scale up those activities that prove to have a return on their investment."

Ransomware has certainly jumped on that commoditisation-of-cyber-crime wave, and is riding it for all it's worth. And let's not forget that the Infoblox DNS numbers are not the whole story. "Ransomware can work perfectly well without needing freshly registered domains," warns Paul Ducklin, senior technologist at Sophos, "if it uses Tor, or a collection of hacked servers on legitimate domains."

Another factor in the ongoing rise and rise of ransomware is, Rasmussen suggests, that since "the criminals have typically provided the unlocking keys, mainly due to automation in their tools, people are paying the ransoms".

Don't mistake this as an honourable act though. According to SecureWorks senior security researcher Keith Jarvis, more than four dozen distinct families of ransomware have emerged since the start of 2015 and "generally, 0.25% to 3.0% of victims elect to pay a ransom," Jarvis explains, "meaning attackers need to destroy data on anywhere from 30 to 400 computers for every victim who relents and pays the ransom."

SecureWorks estimates that the largest operations are pulling in several million dollars per year. Which is hardly surprising when you consider, as Aaron Higbee, PhishMe CTO and co-founder, told us, that "93 percent of phishing emails delivered last quarter contained ransomware."

It's an attractive threat sector for many reasons. Number one, persistent attacks can be avoided. "Ransomware that encrypts all the data and destroys local backups before asking for a lump sum payout," Dave Venable, VP of cyber security at Masergy told SC, "lets hackers avoid the higher costs and labour of maintaining the infrastructure of persistent attacks."

Often, according to Daniel Miessler, director of advisory services for IOActive, these criminals will employ a build-once-deploy-often model to "leverage the modular nature of the cyber-crime ecosystem, while other groups continue to develop exploits based on new vulnerabilities to get their ransomware onto victims' machines."

It's made the servicing of the crime a very modular affair.

Then there's the anonymity factor to consider. Ransomware is popular because the malware can be monetised anonymously and quickly. "Through the use of bitcoin payment systems," explains Gunter Ollmann, CSO at Vectra Networks, "the criminal can force the victim to pay the ransom in a monetary unit that facilitates complete anonymity and can be trivially converted to cash." Gone are the days of requiring different and specialist criminal hands to both launder the data and anonymously monetise it.

Indeed, as Javvad Malik, security advocate at AlienVault, points out, the business model "assigns value to data where none previously existed". Your holiday pictures from a decade ago have no value on the dark market, but they are worth paying a ransom for if encrypted by an attacker.

"As an attacker," Malik says, "even if the variant I'm using is going to be cracked in 30 days and 80 percent of victims won't pay up, I'll probably still make a tidy return and go on to the next ransomware variant."

As Ilia Kolochenko, CEO of High-Tech Bridge, concludes, "Ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing."