Extortion on the cards

Feature by Tom Reeve

Ransomware is an attack unlike any other. Chances are you know about it pretty quickly after you've been infected but there is little you can do once you've been hit if you aren't prepared. Tom Reeve reports

The internet has created the perfect ecosystem for one of the oldest crimes in the book – extortion. 

In the classic extortion scenario, the attacker takes something of value to the victim, which could be private or embarrassing information, or a person close to the victim, and demands money for it. 

Whether it's blackmail or kidnap, the weaknesses in the classic extortion scenario are that the victim may already know who the attacker is or may find out their identity and location in the course of negotiating the ransom payment. Thus, the rewards had to be balanced against the risks of intervention by law enforcement and the criminal justice system or more personal – and painful – forms of retribution. 

On the internet, extortion has evolved into an office job through the science of ransomware, malicious software designed to lock you out of valuable information for the purpose of extorting money.

Striking back is nearly impossible because of the problem of identifying the attacker, and even if you do finger them, you may discover they are beyond your reach. 

A problem for you, a benefit for the crooks: given the evidence, why would a rational criminal engage in kidnapping or blackmail when they can run riot on the wild, wild web? 

Rapid growth 

Ransomware is almost as old as the world wide web itself. In 1996, just five years after the launch of the web, Adam Young at Columbia University presented a paper called “Cryptovirology: Extortion-based security threats and countermeasures” at the IEEE's Security and Privacy symposium. In the paper, he described the first ransomware prototype using asymmetric encryption, painting a picture of what was to come. 

For years it remained just a concept because of the number of different elements which had to come together to create the ecosystem in which ransomware could operate. 

Despite the rapid growth of the internet and development of web technologies, it still took eight years for the first confirmed ransomware, Gpcode.ak, to appear in the wild. 

First identified in Russia in late 2004, it used a custom-made encryption algorithm which, according to Kaspersky Lab, was easy to crack. 

However, things soon moved up a gear with the appearance of a new variant that used a 56-bit RSA key followed by ever-stronger keys. As security researchers continued to crack the keys, the ransomware authors upped the ante. In 2006, Kaspersky proudly announced it had cracked a 660-bit key but it was clear that in the encryption/decryption arms race, the good guys were not going to win.

Today, it's standard for crypto malware to use 1024- and 2048-bit RSA encryption.


A key element of any ransomware attack is providing the victim with a method by which to pay the ransom and GPCode used the best methods available at the time, e-gold and Liberty Reserve. 

However, the subsequent shutdown of Liberty Reserve in 2013 following legal action by the US government revealed a fundamental flaw in these centralised payment systems, prompting a switch to a novel and relatively obscure type of online transaction known as crypto-currency. 

Bitcoin is the most widely known of these currencies – there are more than 20 – and it holds the title of the first decentralised digital currency. 

The emergence of crypto-currencies like Bitcoin, where every transaction is public but the ownership cloaked, provided the extortionists with another required tool in the ransomer's arsenal: true anonymity. The exponential growth in Bitcoin transactions since late 2012, which continues today, has created an underground currency market in which the criminals can collect ransom money. Not only that, they can redeem it for real world currencies and even buy goods and services from many mainstream brands including Overstock.com, Expedia, Dell and Microsoft. 

“These key features of Bitcoin and other similar crypto-currencies read like a wish list for a criminal transaction,” says Ryan Merritt, malware research lead at Trustwave. 

While there are techniques for breaking the anonymity of the service, the savvy criminal can get around these by creating separate Bitcoin wallets for each transaction and using a tumbler service to mix and further anonymise their ownership. 

In the back of every victim's mind has to be the question, if I pay the ransom, will I get my files back? A second question for the less tech savvy victims – and let's face it, ransomware tends to favour the naive – is, how on earth do I buy Bitcoins? 

In an irony that won't be lost on the IT industry, the criminals have set up their own tech support service, providing websites, videos and even Skype telephone support to guide their victims through the process. 

Three elements – unbreakable encryption, untraceable transactions and silky smooth “customer” support – have created a business model that is simple to follow and, for its ensnared victims, impossible to escape. 

Given this dangerous ecosystem in which we find ourselves, what can be done about ransomware? 

If you have been ensnared, you can either pay up or accept the loss of your data. The keys to avoiding that stark binary choice are preparation, remediation and education. 

The simplest and most common advice from the security community for dealing with ransomware is to back up your data. Given that this is the solution to many internet problems, it's something you should be doing anyway. However, modern ransomware will encrypt everything it has access to, including external hard drives and mounted network shares, says Stephen Newman, CTO at Damballa. “If the infected user/machine has write access to those areas, it's very possible that the backups can get encrypted along with the original files,” he says. 

Security experts will tell you that education is the key to avoiding ransomware infections. Despite all the technical advances in the malware, it still relies on phishing, malvertising and other social-engineering attacks to implant itself on the victim's computer. Training users to question every attachment, no matter how plausible it appears, is the standard advice, but despite years of education about the dangers of malware, people continue to fall for phishing attacks at an alarming rate. 

Solutions more sophisticated than backups and user education rely on an understanding of how modern ransomware works. 

The epitome of ransomware is CTB-Locker. According to McAfee Labs, part of Intel Security, it uses persistent cryptography based on elliptic curves to encrypt files with a unique RSA key. That's the “C” part of the name. It uses C&C servers on the Tor network to hide its location and uses Bitcoin for ransom payments. That's the “T” and the “B”. And “Locker” – that's what the ransomware game is all about. 

Its success comes down to the evasive techniques it uses to get around security technology and the quality of the phishing emails it uses as bait. Unlike many phishing campaigns, the antagonists behind CTB-Locker appear to use writers who are literate and clever enough to create convincing copies of emails that people would actually expect to receive. 

What the experts say

In a further evolution of the ransomware model, the creators of CTB-Locker have created an affiliate programme in which they license the use of the malware in exchange for 20 percent of the ransom. Using their army of affiliates, they can quickly spread CTB-Locker as soon as an exploitable vulnerability is discovered.

McAfee Labs reports that one affiliate claims to make £10k to £12k per month, with a net profit of £5k to £6k depending on how many victims pay and how much he had to pay for the exploit kit, custom cryptors and traffic re-routers. According to the affiliate, the typical proportion of victims who choose to pay is seven percent. The price of exploits can vary. 

With the malware growing in sophistication and the routes to exploitation getting more clever by the day, it might appear that getting ensnared in this quicksand trap is almost inevitable. What can you do? 

Firstly, ransomware is unique among malware because you cannot fix your computer simply by removing the executable. In fact, if you remove the malware, you may find yourself reinstalling it so you can pay the ransom and decrypt the files. 

That is, if you choose to pay – with 93 percent of victims apparently not paying, the public appears to be heeding the official police advice. 

McAfee Labs recommends blocking unwanted and unnecessary traffic. Given that CTB-Locker needs Tor to communicate with its C&C servers, blocking Tor will prevent it getting the public RSA key. 

Another preventative measure is blocking executables running from the Temp folder, which can also help protect against other malware infections. 

Tim Stiller, an analytic response consultant at Rapid7, says organisations must take a layered approach to security – using proxies, firewalls, sandboxing and proper patch management will subvert many of these attacks. Additional layers of protection include keeping anti-virus up to date, using virtual machines and limiting permissions on non-admin accounts. 

In July, researchers from several universities and companies jointly published a paper called “Cutting the Gordian Knot: A look under the hood of ransomware attacks”. 

Controversially, they claimed that most ransomware is not as harmful as it's made out to be, amounting to little more than scareware. 

Researchers Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge and Engin Kirda claim that in 95 percent of cases, ransomware only attempts to lock the victim's computer or use superficial file encryption techniques.

Cyber-security experts were quick to refute this. Adam Tyler, chief innovation officer at CSID, criticised the research, saying that most of the samples they cited were obsolete. “As with most parts of the underground world, there is a huge focus on implementing new functionality on an ongoing basis, to both bypass the increasing growth of security applications as well as increase its ease of use and accessibility to new markets,” Tyler says. 

The researchers proposed a method for detecting the activity of ransomware by monitoring Windows API calls. “Unlike recent discussions in the security community about ransomware attacks, our analysis suggests that implementing practical defence mechanisms is still possible, if we effectively monitor the file system activity, for example the changes in Master File Table (MFT) or the types of I/O Request Packets (IRP) generated on behalf of processes to access the file system. We propose a general methodology that allows us to detect a significant number of ransomware attacks without making any assumptions on how samples attack users' files,” the researchers write in their paper.
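The detection idea the researchers describe can be sketched in user space over a stream of file-system events. The following is an added example written for this article, not the paper's own implementation (which worked at the MFT and IRP level); the events, process names, entropy threshold and file-count threshold are constructed assumptions. It addresses the false-positive concern raised below by requiring two independent indicators before flagging a process: many distinct files overwritten with high-entropy content and many renames that change the file extension, so a backup tool writing one compressed archive is not flagged.

```python
import math
from collections import defaultdict

# Constructed file-system event stream: (pid, process name, op, path, payload).
# For RENAME events, path is an (old, new) tuple and payload is None.
CIPHERTEXT = bytes((i * 7919 + 13) % 256 for i in range(1024))  # every byte value 4 times: entropy 8.0
PLAINTEXT = b"Quarterly report: revenue grew 4% on stable costs. " * 20

SAMPLE_EVENTS = [(1001, "winword.exe", "WRITE", r"C:\Users\alice\Documents\notes.docx", PLAINTEXT),
                 (2002, "backup.exe", "WRITE", r"D:\backup\weekly.zip", CIPHERTEXT)]
for i in range(6):  # hypothetical ransomware-like process: overwrite, then rename with a new extension
    doc = rf"C:\Users\alice\Documents\report{i}.docx"
    SAMPLE_EVENTS.append((4242, "invoice.exe", "WRITE", doc, CIPHERTEXT))
    SAMPLE_EVENTS.append((4242, "invoice.exe", "RENAME", (doc, doc + ".ctbl"), None))

def shannon_entropy(data):
    """Bits per byte of the payload: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def process_stats(events, entropy_threshold=7.0):
    """Per-process indicators: distinct files overwritten with high-entropy content,
    and renames that change the file extension (the 'locker' signature)."""
    stats = defaultdict(lambda: {"name": "", "high_entropy_files": set(), "ext_changes": 0})
    for pid, name, op, path, payload in events:
        s = stats[pid]
        s["name"] = name
        if op == "WRITE" and shannon_entropy(payload) >= entropy_threshold:
            s["high_entropy_files"].add(path)
        elif op == "RENAME":
            old, new = path
            if old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]:
                s["ext_changes"] += 1
    return stats

def flag_suspicious(events, min_files=5):
    """Require BOTH indicators across at least min_files files, so a backup or
    compression tool that writes a single high-entropy archive is not flagged."""
    return sorted(pid for pid, s in process_stats(events).items()
                  if len(s["high_entropy_files"]) >= min_files and s["ext_changes"] >= min_files)
```

On the constructed events only pid 4242 is flagged; the backup tool's high-entropy archive alone does not cross the bar, which is exactly the tuning question a real product has to answer.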

However, as further evidence of the state of the ransomware debate, Kevin O'Reilly, senior consultant at Context Information Security said the focus on monitoring the file system to detect attacks wasn't novel or useful. “The reason this idea hasn't made it into actual security products is that it is too vague, intrusive and prone to false-positives,” he said. “Of course, security products have room to improve on their ability to detect and prevent such malware, but the way in which they will do so will be far more involved and nuanced than this paper might suggest.”

In a further sign that ransomware is harder to control and more pervasive than we might hope, a new attack methodology has been uncovered. Targeting websites, it subverts even the most careful planning by encrypting the site and its backup at the same time. 

Dubbed Ransomweb by High-Tech Bridge, the malware sits on the web server and encrypts a select set of data as it's written to the database. 

Discovered on the website of a small financial services company, the malware had been added to the server-side code. It had sat undetected for six months, encrypting only a few fields to ensure the load on the server was kept low. 

Ilia Kolochenko at High-Tech Bridge told us that it was only discovered when the encryption key, which had been stored on the server, was removed and the database started throwing errors. At the same time, the owners received an email demanding a ransom. 

By sitting on the server for such a long time, the attackers ensured that the malware not only encrypted the key fields in the database but that the backups had all been overwritten with corrupt data as well. The malware acted as a go-between, translating the encrypted data so the owners were none the wiser until it was too late.
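Because the implant translated the data on its way to the application, the only check that would have caught this is one that reads the raw backup dumps directly and verifies that fields which must be plaintext still look like plaintext. The following is an added example, not High-Tech Bridge's or the victim's code; the field formats, the tolerance and the eight monthly dumps are constructed assumptions. It reports, newest first, which backups are restorable and which silently carry ciphertext.

```python
import re
from datetime import date

# Format rules for fields the application always stores as plaintext (assumed); a field
# that stops matching its rule across a whole backup is the signal we are after.
FIELD_RULES = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "account_no": re.compile(r"^\d{8}$"),
}

def invalid_fraction(rows, rules=FIELD_RULES):
    """Share of checked field values that violate their plaintext format."""
    bad = total = 0
    for row in rows:
        for field, pattern in rules.items():
            total += 1
            if not pattern.match(str(row.get(field, ""))):
                bad += 1
    return bad / total if total else 0.0

def last_known_good(backups, tolerance=0.01):
    """Walk backups newest-first; return the newest backup whose invalid fraction is
    within tolerance, plus a per-backup report for the operator."""
    report = []
    good = None
    for taken, rows in sorted(backups, key=lambda b: b[0], reverse=True):
        frac = invalid_fraction(rows)
        report.append((taken, round(frac, 3)))
        if good is None and frac <= tolerance:
            good = taken
    return good, report

# Constructed data: eight monthly dumps of a customers table. The two oldest predate the
# implant; in the later six the email column holds opaque ciphertext while account_no is intact.
def _rows(encrypted):
    emails = ["k3Yx9Qm2bL0vP7nZtRw=" if encrypted else f"user{i}@example.com" for i in range(50)]
    return [{"email": e, "account_no": f"{10000000 + i:08d}"} for i, e in enumerate(emails)]

SAMPLE_BACKUPS = [(date(2015, m, 28), _rows(encrypted=m >= 3)) for m in range(1, 9)]
```

Run against a real restore, the rows would come from the dump file rather than from the application's query layer; any value that is meant to be decrypted on read must be listed separately, not in FIELD_RULES.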
