A major threat to computer security is
malicious code. In fact, over the years, it has become one of the main causes
of security incidents, from the first viruses in 1986 to the most sophisticated
malware of today. Ransomware in particular, although it is not new,
has become increasingly troublesome for both businesses and home users.
Varieties of ransomware
Over the past year, cases of ransomware have gained
prominence in the field of computer security due to a notable growth in the
number of victims. This is, in turn, due to the significant profits that
cybercriminals can obtain from this type of malicious campaign.
This form of attack may seem innovative, but it is
not. In fact, the first widely-known case of ransomware goes back 25 years: the ‘AIDS trojan’ (also known as PC Cyborg) was malware that hid
directories and encrypted the names of all the files on the C drive, thus
making the system unusable. The victims were then requested to “renew their
license” with a payment of $189.
Since then, new programs seeking to extort money
from users have been identified which, unlike PC Cyborg’s symmetric encryption,
used asymmetric encryption algorithms with larger keys. In 2005, GPCoder and
its subsequent variants requested a payment ranging from $100 to $200 to
recover files with specific extensions that had been encrypted.
However, this type of malicious code goes further
and, in fact, there are groups of cybercriminals offering this kind of malware
as a service. Ransomware as a Service (RaaS) has emerged in the form of
tools that generate ransomware automatically, allowing criminals to produce
this type of malware regardless of their technical expertise.
Similarly, with the recent news of the publication
of Hidden Tear, the first open source ransomware, a new
window has opened for the development of such malware and its variants, so we
predict the creation of increasingly sophisticated and massively prevalent
malware.
The increase in the number of variants
One of the highlights of ransomware evolution is
the growth in the number of variants seen in recent years, targeting various
platforms and technologies. The following chart shows that, as you might
expect, Windows-related families are the ones that have been showing
a year-on-year growth in terms of the number of detections.
But, in addition to Windows, variants have also
been designed for other operating systems. Such is the case with OS X: during
2015, Filecoder families unique to that system were detected. Other
technologies such as VBS, Python, BAT and PowerShell are also used by
cybercriminals to compromise users’ systems for profit.
Evolution of threats
Although only desktop and laptop operating systems have been discussed so
far, these are not the only platforms exposed to this threat. Cases of
ransomware have also been found to affect mobile devices, particularly those
running Android (which is the mobile operating system with the most users
worldwide).
The first Android-targeting families included fake
antivirus with the ability to lock the screens of the devices. In 2014, ESET
discovered Simplocker, the first Tor-enabled ransomware for Android that
encrypts user files directly. The number of Android malware families detected
during 2015 is 4% higher than the number detected during 2014, and a small
percentage increase in malware families can represent a huge increase in
individual samples.
During 2015, ESET researchers discovered the first Android ransomware to
lock the screen by modifying the device’s unlock PIN, preventing the owner
from accessing his own device. This is a significant difference from the
first Android screen-locking trojans, which constantly put up windows
displaying the ransom demand in an infinite loop in the foreground.
As this mechanism was not technically very complex,
some informed users easily bypassed it. As a result, cybercriminals stepped up
their efforts and created new ransomware families intended to block access to
the device. These new families, such as the one detected by ESET as LockerPIN,
deprive users of an effective way to regain access to their devices without
root privileges or an already-installed security management solution.
However, Android is not the only platform on which
ransomware has evolved. In 2013, Cryptolocker rose to prominence due to the number of
infections generated in various countries. Among its key features are encryption
using a 2048-bit RSA public key, targeting only files with certain
filename extensions, and communication with a command and control
(C&C) server over the Tor anonymity network.
In 2015, a new wave of ransomware was identified
with the appearance of CTB-Locker, downloaded to the victim’s computer by
a trojan downloader, as witnessed in January 2015 with Win32/TrojanDownloader.Elenoocka.
Among its various versions, there was one with
messages and payment instructions targeting Spanish-speaking countries.
These developments lead us to believe that
ransomware has not yet found a limit as to the number of victims that
could be reached, or as to the complexity that its code and forms of attack
could attain. It seems that this type of malicious code is here to stay and
will surely continue mutating in the coming years.
From the computer to the TV
So far, the evolution of this threat is evident from
its large number of variants, with increasingly complex mechanisms that make it
almost impossible to retrieve the information unless payment is made to the
attacker, a practice that fosters criminality. It’s even possible that
the victim might pay without receiving a recovery key, or that even legitimate
technical support would be unable to recover the files, since the encryption
is not susceptible to a brute-force attack.
The threat has also diversified in terms of
approach and vector. In the last months of 2015, for example, there was
a significant growth in ransomware that focuses on equipment associated
with the Internet of Things (IoT). Various devices, such as smart watches or
smart televisions, are likely to be compromised by malicious software of this
type, mainly those that operate on Android.
But IoT encompasses more than watches and
televisions. Products ranging from automobiles to refrigerators already have
the ability to connect to the internet and all their operations are controlled
by some form of CPU.
In other words, they are computerized. While there
are many devices for which no threats have yet been found, their operation
involves a software or firmware component and an internet connection.
Attackers may therefore be attracted to them and may be able to misuse them in
order to obtain valuable information.
Proof-of-concept tests have already been performed
where, for example, control of an automobile has been successfully taken from a
remote location. For this reason, if the necessary precautions are not taken by
manufacturers and users, there is nothing to prevent an attacker from seizing
control of a device’s functionality and demanding money to return it.
Perhaps this is not a threat that we expect to see much of in the near
future, but we shouldn’t lose sight of it if we are to avoid serious problems
later.
Conclusion: The same goal for another threat
In recent years, the seizure of information stored
by users and companies on various platforms has become one of the most notable
trends. The impact it can have on users, by preventing them from accessing all
their information due to the action of malicious code, is of growing concern.
It is one of the most concerning types of security
incident for two reasons: first, it takes full advantage of a company’s
lack of an effective backup strategy, and second, the success of this
type of attack has led cybercriminals to extend it beyond Windows
systems and mobile devices. Its increasing impact has made it one of the
greatest current concerns of consumers and companies alike.
During 2015, we have seen large ransomware
campaigns in multiple languages, as was the case with CTB-Locker in January
2015, which must not be viewed as an isolated event.
Cybercriminals seek to convince users to accede to
their threats by encrypting their files and seizing their information, and this
is something that is likely to continue happening. As technology has evolved,
the protection mechanisms to counter threats such as ransomware have improved
based on experience, and they must be accompanied by user management and
education.
However, not all devices can be protected with a
security solution, and this threatens to become a future risk for consumers and
companies. Based on these points, by 2016, we expect to see more ransomware
campaigns trying to exploit new attack surfaces by preventing users from
accessing their information or services. The increasing trend toward more and
more devices being supplied with an internet connection provides cybercriminals
with a greater variety of devices that might be attacked.
From the security side, the challenge is not only
to detect and block or remove such attacks, but also to ensure the continuing
availability of information. In the near future, network security, the
prevention of exploits and the appropriate configuration of devices will take on
greater importance to prevent such attacks, so that users can enjoy the
technology.
We are on our way towards a fivefold increase
in the number of devices connected to the internet over the next five years, thus
reaching 25 billion online devices, so the challenge is to protect them
properly against this type of attack.