Cryptolocker successors evolving rapidly

News by Steve Gold

Ransomware evolving onto the Android platform - and using TOR to hide its communications.

The Cryptolocker family of ransomware may be a fading (and nasty) memory in the many thousands of companies worldwide whose files have been lost, but now there are several new kids on the block, including Cryptowall and Cryptodefence.

According to Anand Ajjan, a threat researcher with Sophos, both new pieces of ransomware have been popping up since April of this year.

Whilst Cryptowall has the same code structure as Cryptolocker, Ajjan says that cybercriminals are also now trying out new variations on the ransomware theme, including moving from Windows to mobile devices.

One file-encrypting piece of Android ransomware he has spotted is Simplelocker, which encrypts files and demands a ransom, while another 'police locker' piece of Android malware called Koler threatens victims with arrest if they don't pay up.

Over at ESET, malware researcher Robert Lipovsky has also been looking into Simplelocker, which he says uses the TOR (The Onion Router) network to obfuscate communications with the malware's command-and-control server.

Simplelocker also has a range of different 'nag screens' which exhort the victim to pay money as a ransom, as well as displaying an image from the victim's digital cam to reinforce the personalisation aspect of the malware.

"We have, however, noticed a different dissemination trick that's worth mentioning – the use of a trojan-downloader component. Using trojan-downloaders to dynamically download additional malware into an infected system is common practice in the Windows malware world – and while this is not the first case we've seen – it is still noteworthy on Android," he says.

Lipovsky adds that using a trojan-downloader is a different strategy for smuggling malware into an Android device, compared to traditional social engineering.

"The reason why the trojan-downloader strategy has a greater chance of slipping under the radar of Android market application scanning (such as Bouncer on the official Google Play, for example) or even escaping the notice of a more careful Android user," he says, is that the application merely opens a URL outside the app, an action that does not, in itself, qualify as malicious behaviour.

According to Kevin O'Reilly, a senior consultant with Context Information Security, the evolution of ransomware beyond Cryptolocker - and over to the Android platform as well - is both interesting and concerning at the same time.

"But this is to be expected for anything that actually succeeds in making cybercriminals money. It's sobering to think that cash has been extracted from not only companies and individuals, but also police forces and other public serving institutions," he said.

O'Reilly went on to say that this evolution demonstrates the power of encryption when it is turned to malevolent purposes.

"However, one thing that is not evolving is the attack vector - this kind of crippling infection can only occur if the victim is duped into opening an infected attachment in an email," he said.

"And in that regard people should take comfort as long as they are employing due caution. Not to mention that another defence that will render this malware moot is the oldest rule in the IT book: backup your files, then no ransomware can ever steal them from you," he explained.

Troy Gill, a senior security analyst with AppRiver, meanwhile, said that Cryptowall is being distributed via exploit kit, email and malvertising.

"The email campaigns in particular are especially interesting since the malware distributors have been utilising free cloud storage sites such as Dropbox and Cubby to host the Cryptowall malware for over two weeks now. We do not know what (if anything) these services - Dropbox and Cubby - are doing to combat this abuse of their services," he said.

"As far as the prevalence of this type of ransomware goes, I think we are just in the infancy of this sort of threat. Cryptolocker proved that this type of attack could be successful and the Cryptowall has picked up the ball and ran with it. Unfortunately, I think we will only see more and more cybercriminals embracing this approach in the future," he added.

Fraser Kyne, a principal systems engineer with Bromium, was equally gloomy with his predictions, saying that ransomware will continue to cause significant problems for many organisations simply because their IT security mechanisms fail to protect them.

"Modern threats need modern and innovative solutions. It's not enough to go through a continual 'pay-up or wipe' loop as these attacks become ever more popular. We also need to ask ourselves this question: 'If we have ransomware that is telling us we've been hit because it wants our money, what does that reveal about our vulnerability to more covert attacks too?'"
