Ease of Bitcoin payments driving growth in ransomware

Ransomware variants are up 122 percent and represent a growing threat, as ransomware continues to offer cyber-criminals a high return on investment, according to a new report published by Secureworks.

The report, titled State of Cybercrime 2017, said that in 2016 alone, the Counter Threat Unit at Secureworks saw 200 new ransomware variants, up 122 percent on the year before.

It said that ransomware variants generally fall into three categories. First, there are well-designed ones where hackers establish reliable distribution methods, for example spam or exploit kits and/or vibrant affiliate programmes. Much like legitimate software, this ransomware typically goes through multiple release iterations.

Second are poorly-designed ones from under-resourced and/or low-skilled hackers that attempt but are unable to establish long-term distribution.

Third are rebranded ransomware that hackers generate from kits they acquire through underground vendors or open source offerings. Each variant may have its own name or encrypted file extension, but it will function exactly like other variants developed from the same kit.

Mobile devices have not been immune to the growing threat of ransomware. In fact, Secureworks CTU researchers have identified several instances of malware for sale that are advertised as being capable of spying on all functions of an Android phone, encrypting data on the device and demanding payment.

The firm said that when coupled with the rise of SMS phishing and advanced exploit kits, researchers predicted “a spate of attacks focused on encrypting Android phones and tablets, leaving users with no access to contacts, photos or the myriad of important “personal” functions provided by these ubiquitous devices”.

The report said that one reason ransomware activity has increased across the world is the ease with which ransom payments can be made in Bitcoin.

“By accepting victim payments in Bitcoin, criminals can reduce the need for money mules, lowering overhead and risk, particularly when the Bitcoin is “cleaned” through services like “tumbling,” “mixing” and “coin laundering,”” said the report.

“These services have given criminal users of Bitcoin an additional layer of protection from identification, mixing funds obtained from crime with “clean” funds in order to obfuscate the source and break the trail to the end user. Numerous third parties advertise these services, and they are often only accessible through TOR.”

Mobiles are also under attack from banking malware. Researchers highlighted one such piece of malware called “Marcher,” or “Exobot,” which is a banking malware and spyware combination targeting Android.

“This malware is being distributed through SMS spam messages purporting to be from the recipient's telephone company. Victims are lured into following a link that then downloads a malicious Android application file,” said the report.

Once installed, Marcher has full access to the victim's Android device, stealing mobile banking credentials and harvesting credit card numbers where possible. Cyber-criminals can control Marcher through SMS messages sent to the handset and hidden from the victim's view.

Researchers said that Marcher is being used by an organised, experienced threat actor or organised cyber-criminal group due to its level of sophistication, the rapid, sustained distribution of the malware, and the increasing financial losses that victims are experiencing.

“The team expects to see an increase in the use of mobile malware, thanks to the success of Marcher and the increasing ease of obtaining and using such tools,” said the report.

Craig Parkin, associate partner at Citihub Consulting, told SC Media that Bitcoin (and other crypto currencies) are held in digital wallets on the devices targeted and with the recent resurgence of interest (and price) of crypto currencies, these are now much more attractive.

“Effective backup strategies exist for cryptocurrency wallets that protect against ransomware - these include cold storage and even paper based backups,” said Parkin.

Andrew Stuart, managing director, EMEA at Datto, told SC Media UK that Bitcoin is popular in lots of illicit applications because it offers a degree of anonymity. “We're likely to see increasing debate about regulating crypto-currencies for this reason,” he said.

Stuart added that organisations of all sizes need to educate users about the dangers of phishing emails – “which is the typical ransomware infection method – helping them to spot and contain malicious emails before outbreaks can spread.”

The report's focus was on the current situation, so it did not cover potential future threats such as the likelihood of ransomware-of-things attacks and the ransom of cloud services.