FBI 'alerts world' on cryptographic ransomware spread

News by Adrian Bridgwater

Criminal gangs, and in some cases state-linked actors, can be behind ransomware, and the problem is growing, so ensure it's factored into your information security plans.

The FBI's own Internet Crime Complaint Center (known as IC3) has highlighted what it calls the “continued spread” of cryptographic ransomware around the world.

As a strain of malware or ‘scareware', cryptographic ransomware works by delivering a ‘payload' (often carried via an innocuous-looking email attachment or website advertisement) that encrypts a user's data files to render them useless.

The encryption is governed by a ‘key', which is held and managed by criminals on a remote server. After infecting a victim's device, the perpetrators typically look to extort money from the user in exchange for recovering the files.

CryptoWall of death

The FBI's alert points logically to the CryptoWall ransomware family that emerged in April 2014. Although this FBI-originated alert highlights threats to US individuals and businesses, the threats here are global in nature.

The FBI warning reminds users that the impact of ransomware goes beyond the ransom fee itself, i.e. many victims incur additional costs associated with network mitigation, network counter-measures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.

Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totalling over £11.5 million.

Ransom demands vary, often ranging from £100 or less to more than £6,000, or the bitcoin equivalent.

According to Trend Micro's threat definition pages, it is important to note, however, that paying the ransom does not guarantee that users can eventually access the infected system.

“Once executed in the system, a ransomware can either (1) lock the computer screen or (2) encrypt predetermined files with a password. In the first scenario, a ransomware shows a full-screen image or notification, which prevents victims from using their system. This also shows the instructions on how users can pay for the ransom. The second type of ransomware locks files like documents, spreadsheets and other important files,” reads Trend Micro's advice.

“Be under no illusion that state sponsored resources can be linked to these ransomware labs… and these are actual teams, where many of these threats are created. Whilst nation state agencies can examine and look to exploit or prosecute these organisations (these aren't script kiddies) the lack of jurisdictional power disables their ability to react and to take any form of immediate action,” said Richard Morrell, senior cloud security architect and evangelist at Red Hat and head of social media for the Cloud Security Alliance.

Stephen Newman, CTO at Damballa agrees, telling SC: “Once a device is infected, cyber-criminals engage in activity analogous to the stock exchange – buying and trading infected devices to future monetise them with new infections. Damballa's State of Infections report details this intricate malware lifecycle, demonstrating how a click-fraud infection morphed into CryptoWall within two hours – necessitating the need for continuous network security monitoring and profiling of device behaviour.”

Co-author and founder of web filtering and firewall company SmoothWall, Morrell spoke directly to SCMagazineUK.com today adding, “Windows clients are always going to be a massive fruitful playground for these coders, hence the ever increasing use of Chromebooks whose encrypted desktop and threat aware user-space built entirely protects the user from threats and blackmail.”

What if it happens to you?

The FBI's advice, if you receive a ransomware popup or message on your device alerting you to an infection, is to immediately disconnect from the Internet to avoid any additional infections or data losses.

Gavin Reid, VP of threat intelligence at Lancope also spoke to SCMagazineUK.com to say, “Cryptographic malware like Cryptolocker and CryptoWall are the latest in a long line of programs forced on to individuals' PCs in order to monetise takeovers. They often include a social engineering aspect to further convince users to pay (like warnings about illegitimate web surfing or software use) as well as real consequences for non-payment.”

Troy Gill, manager of security research at AppRiver adds: “There have been multiple attempts to stop cyber-crime groups responsible for sending this malware but the technique, being successful as it is, has continued to be adopted by scammers on the internet. We have blocked millions of these infections that were attempting to be delivered via email over the past few years. Recently we saw the Cryptowall 3.0 malware being distributed through emails posing as a resume. They were very simple messages stating to please find the attached resume. These attachments contained an infected .svg file that would launch the malware. After the victim's files were encrypted, the victim would then receive the following pop-ups:”

He continues: “I do not anticipate this method of cyber-crime to subside any time soon since the technique has proven quite effective. One way businesses and individuals can minimise the impact is to keep multiple layers of security in place to block these threats in the first place and also keeping a robust back-up system that would minimise the fallout if an infection actually does occur”.
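The mechanism described earlier in this article (readable documents replaced by ciphertext under a key the victim does not hold) and the monitoring and back-up advice from Newman and Gill suggest a simple defensive check. The following is an added example, not code from the article or from any vendor quoted in it: a Python heuristic that snapshots the byte entropy of files on a share, then alerts when a large fraction of previously readable files have suddenly become near-random, or when a planted canary file has been touched. The canary filename, the thresholds and the sample documents are all assumptions constructed for the example; the "incident" is simulated by overwriting files with random bytes, which stands in for ciphertext without performing any encryption.

```python
"""Added example: heuristic detection of a mass-encryption event on a file share.

Ciphertext is statistically close to random bytes (about 8 bits of entropy per
byte), while plain-text documents sit far lower. Comparing each file against a
baseline snapshot, rather than against a fixed threshold alone, avoids false
positives from formats that are already compressed (docx, pdf, zip).
"""
import math
import os
import tempfile
from collections import Counter

CANARY_NAME = "zz_canary_do_not_edit.txt"          # hypothetical canary filename
CANARY_CONTENT = b"canary file - never modified in normal use\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def snapshot(root: str) -> dict:
    """Entropy of the first 64 KiB of every regular file under root, keyed by relative path."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = shannon_entropy(fh.read(65536))
    return result


def canary_intact(root: str) -> bool:
    """True only if the canary still exists with exactly its original content."""
    try:
        with open(os.path.join(root, CANARY_NAME), "rb") as fh:
            return fh.read() == CANARY_CONTENT
    except FileNotFoundError:
        return False


def assess(baseline: dict, current: dict, canary_ok: bool,
           jump: float = 1.5, high: float = 7.5, fraction: float = 0.5) -> dict:
    """Flag files whose entropy rose by `jump` bits to at least `high` bits/byte.

    Alert when such files make up `fraction` of the share, or when the canary
    was modified. The thresholds are assumptions; tune them per environment.
    """
    suspicious = []
    for rel, entropy in current.items():
        before = baseline.get(rel)
        if before is not None and entropy >= high and entropy - before >= jump:
            suspicious.append(rel)
    total = len(current)
    ratio = len(suspicious) / total if total else 0.0
    return {
        "suspicious": sorted(suspicious),
        "ratio": ratio,
        "canary_ok": canary_ok,
        "alert": (not canary_ok) or ratio >= fraction,
    }


def demo() -> dict:
    """Constructed scenario: five plain-text reports plus the canary, baselined,
    then four reports and the canary overwritten with random bytes (a stand-in
    for ciphertext; no encryption is performed). Returns the assessment."""
    with tempfile.TemporaryDirectory() as share:
        docs = [f"report_{i}.txt" for i in range(5)]
        for name in docs:
            with open(os.path.join(share, name), "wb") as fh:
                fh.write(("Quarterly report: revenue up, costs flat.\n" * 100).encode())
        with open(os.path.join(share, CANARY_NAME), "wb") as fh:
            fh.write(CANARY_CONTENT)
        baseline = snapshot(share)

        # Simulated incident: most documents and the canary become random-looking.
        for name in docs[:4] + [CANARY_NAME]:
            with open(os.path.join(share, name), "wb") as fh:
                fh.write(os.urandom(4096))

        return assess(baseline, snapshot(share), canary_intact(share))


if __name__ == "__main__":
    findings = demo()
    print("alert:", findings["alert"], "ratio: %.2f" % findings["ratio"])
    print("suspicious:", findings["suspicious"])
```

In the constructed scenario `report_4.txt` is untouched and is the only file not flagged, while the canary check fails independently of the entropy ratio. A real deployment would run `snapshot` on a schedule against backup or share mounts and feed the `alert` flag into the monitoring pipeline, so that the disconnect-and-restore response the FBI advises can begin before every file on the share has been rewritten; it does not replace off-line backups, which remain the only way to recover files once they are encrypted.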

At the time of writing, the FBI's IC3 department confirms that it has been contacted by 992 victims of CryptoWall.
