Blackhat EU: Vicious circles of ransomware

News by Max Metzger

Federico Maggi told audience members at Blackhat that ransomware presents a new intervention in cyber-criminality

Federico Maggi addressed BlackHat Europe 2016 this morning with a few thoughts about ransomware. Formerly an assistant professor at Milan Polytechnic and now a researcher for Trend Micro, Maggi has been working on the relatively new phenomenon of mobile ransomware.

That said, ransomware in and of itself is quite new, only really becoming the looming threat it is today a few years ago.

Mobile ransomware now makes up around 10 to 25 percent of all malware in certain areas like Australia and Singapore, according to Trend Micro's studies.

Maggi produced several examples of this burgeoning ransomware field. Some don't require any encryption at all. SLocker, for example, the first Android ransomware family, doesn't encrypt but hides files and locks the screen, hijacking the soft buttons on the phone.

Koler, another piece of mobile ransomware, pretends to be law enforcement. For a piece of ransomware that uses less than 0.05 percent encryption, it's had a lot of work on it too. The malware is localised in 60 languages, meaning that depending on where you are, the ransomware will masquerade as that country's local law enforcement. Its authors have apparently gone to great lengths to tailor the ransomware to tell the victim, disguised as their own country's law enforcement, and under the pretext of breaking that specific country's laws, that they owe money.

"What you want to have from the bad guys perspective is something clear and threatening," said Maggi, "and of course, you want to have detailed payment instructions."

Ransomware marks a stark difference from other kinds of malware for many reasons. Chief in Maggi's mind is the economic point.

Trend Micro surveyed 300 companies, asking them their posture on ransomware. Before infection, roughly three quarters said they wouldn't pay. After infection, that number dropped dramatically. In fact, 65 percent paid - "once you experience it, it changes everything" said Maggi.

Maggi gave three primary reasons why ransomware was such a stark intervention in cyber-crime.

First, the point is loud destruction. "If you think about malware simply five years ago, we didn't know that a malware could come in and break everything", said Maggi. Other types of malware do their best not to be noticed, but that is exactly what ransomware is there for: "if that noisy behaviour doesn't show up, then the ransomware has failed."

Second, the ransomware market is pure profit - it's very cheap to get into it, and very expensive for your 'customers'.

Finally, it's a business model backed up by honesty. That is to say, if people don't get their data back after paying, then it's less likely that other victims will pay up: "the bad guys have to be honest in the majority of cases, otherwise their dishonesty will ruin the business."

These characteristics, said Maggi, have "created a vicious circle", in which expectations of payment have gotten so high that ransoms have grown with them.

Even security companies are starting to play the game. He cited, but did not name, one security company that advertised a guarantee that if a customer has to pay a ransom, the security company will cover that cost. A line taken from the advertising of that particular company reads "it's time for security companies to back their technology and provide users with the financial assurance they deserve against ransomware attacks". This kind of behaviour, and these kinds of offerings, merely serve as an "amplifier of these vicious circles".
