While on-line ransoms are not necessarily a new phenomenon, the latest generation of “ransomware” to evolve over the past 12 months may signify an alteration in the landscape of cyber crime. To understand how the evolution of ransomware may alter the digital underground, its mechanics must first be understood.
In essence, ransomware is typically a Trojan dropper that surreptitiously installs malware onto the victim’s computer. The installed malware either encrypts or obfuscates the data on the victim’s machine and leaves behind a set of instructions detailing how the victim can decrypt or otherwise recover his hijacked files. The malware typically demands some form of electronic payment in return for the release of the ransomed files.
In the case of the Cryzip Trojan, the malware demanded that the victim pay $300 to any one of a handful of E-Gold on-line currency accounts. Specifically, the ransom note states, “If you really care about documents and information in encrypted files you can pay using electonic [sic] currency $300. Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours [sic] files back.”
In contrast, the Ransom.A Trojan demands the victim wire $10.99 to the attacker’s Western Union account or a file will be destroyed every 30 minutes. However, unlike the Cryzip Trojan, Ransom.A does not actually encrypt, obfuscate, or destroy the victim’s files. Rather, the attacker appears to rely on the victim’s sense of panic and ignorance of computer security in order to extort money.
Interestingly, the Archiveus Trojan obfuscates the victim’s files rather than encrypting them, and in an odd twist, the attacker demands the victims purchase pharmaceuticals from a Russian web site for $75 a bottle.
Finally, the GpCode.ac virus is a more sophisticated iteration of the malware mentioned above. The GpCode.ac virus is more sophisticated because it partially uses the RSA algorithm to encrypt the victim’s files. While the author of the GpCode.ac ransomware uses a less powerful 56-bit encryption key that Kaspersky Virus Lab was ultimately able to crack, the use of an industry-leading encryption scheme for ransomware signals an increased aggressiveness on behalf of cyber criminals.
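The variants above leave two different artifacts on disk: files whose contents have been replaced by encrypted or obfuscated data (Cryzip, Archiveus, GpCode.ac), and a ransom note, which Ransom.A drops without touching any files at all. The following added example, written for this article and not taken from any of the malware families or vendors it names, shows a defender-side scan that distinguishes the two cases: it flags files whose byte entropy is close to that of random data and separately flags text files that read like a ransom note, then reports whether both indicators occur together. The keyword list, the 7.0 bits-per-byte threshold and the sample directory it builds are all constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Thresholds chosen for this example (assumptions, not values from the article).
# Ordinary documents usually sit well below 7 bits/byte; ciphertext and random
# data approach 8.
HIGH_ENTROPY_THRESHOLD = 7.0
MIN_FILE_BYTES = 64          # ignore tiny files; their entropy estimate is noisy
# Phrases typical of ransom notes; the scan needs at least 3 hits to raise a flag.
RANSOM_NOTE_KEYWORDS = ("pay", "decrypt", "restore", "files", "e-gold", "western union")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(text: str) -> bool:
    """Crude keyword match: three or more ransom-note phrases in one text file."""
    lowered = text.lower()
    return sum(1 for kw in RANSOM_NOTE_KEYWORDS if kw in lowered) >= 3


def scan_directory(root: Path) -> dict:
    """Walk a directory and report high-entropy files, ransom notes and a verdict."""
    high_entropy, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if len(data) >= MIN_FILE_BYTES and shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
            high_entropy.append(path.name)
            continue
        try:
            if looks_like_ransom_note(data.decode("utf-8")):
                notes.append(path.name)
        except UnicodeDecodeError:
            pass  # binary file that is not high-entropy (e.g. a small image)
    if high_entropy and notes:
        verdict = "encrypted_files_and_note"   # Cryzip / GpCode-style
    elif notes:
        verdict = "note_only"                  # Ransom.A-style bluff
    else:
        verdict = "clean"
    return {"high_entropy": sorted(high_entropy),
            "ransom_notes": sorted(notes),
            "verdict": verdict}


def build_sample_tree(with_encrypted_files: bool = True) -> Path:
    """Constructed sample directory: one plain document, an optional pair of
    'encrypted' files simulated with random bytes, and a ransom note."""
    root = Path(tempfile.mkdtemp())
    (root / "report.doc").write_bytes(b"Quarterly report. " * 50)
    if with_encrypted_files:
        (root / "budget.xls.enc").write_bytes(os.urandom(4096))
        (root / "photo.jpg.enc").write_bytes(os.urandom(4096))
    (root / "HOW_TO_RESTORE.txt").write_text(
        "Your files are encrypted. Pay $300 by e-gold to restore your files. "
        "Reporting to police will not help you.")
    return root


if __name__ == "__main__":
    print(scan_directory(build_sample_tree(True)))    # encrypted_files_and_note
    print(scan_directory(build_sample_tree(False)))   # note_only
```

Run on a real file share the entropy check alone produces false positives on already-compressed or encrypted content (archives, JPEGs, encrypted backups), which is why the verdict requires the note as a second indicator; a production detector would additionally watch for a burst of file writes from one process and, given the backup point made later in the article, confirm that recent backups are intact before anyone considers paying.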
The evolution and proliferation of ransomware is not a widespread danger to the average home user because a massive attack of ransomware would immediately draw the attention and cooperation of international law enforcement and antivirus vendors. Law enforcement would shut down the attacker’s on-line payment mechanism while the antivirus vendors would develop remedies and defenses to staunch the proliferation of the ransomware. Therefore, attackers would lose their revenue stream and be forced to create a strain of ransomware resistant to the defenses created by the antivirus vendors. However, ransomware still has its place in the cyber criminal’s arsenal as a tool used to carry out a targeted attack.
Interestingly, the goals of ransomware appear to be in contrast to the goals of a bot infection. The goal of a bot herder is to infect a network of vulnerable PCs and use that compromised network for a panoply of criminal misdeeds such as spamming, phishing, pharming, and launching denial of service (DoS) attacks. The infection and administration of a successful botnet is necessarily a low-profile operation. If a botnet draws too much attention from system administrators, ISPs, or law enforcement, it will likely be shut down, disrupting the bot herder’s revenue stream. Therefore, the bot herder typically attempts to infect silently and administer his bots so as not to draw the attention of the PC owner, ISP, system administrator, or law enforcement.
In contrast, the ransomware attacker immediately notifies the victim that his PC has been infected and seeks to extort revenue almost immediately. This evolution of cyber crime highlights an important trend. First, the increased use of ransomware suggests that cyber criminals are seeking to diversify their criminal portfolios. Quite simply, ransomware can be viewed as a tool that may reap short-term but unpredictable profits, as some victims may routinely back up their data and, therefore, not respond to the threat of data destruction. Conversely, botnets can be viewed as a long-term and potentially more steady revenue stream.