Ransomware authors streamline attacks, infections rise

Security researchers spotted improved versions of ransomware programs for both Windows and Android

Ransomware authors continue improving file-encrypting programs and infection methods for Windows and Android, making these nightmarish attacks harder to avoid.

The biggest ransomware threat for Windows users is CryptoWall, a sophisticated malware program that encrypts a wide range of files and demands that victims pay a ransom in Bitcoin cryptocurrency to recover them.

CryptoWall uses uncrackable encryption algorithms and hides its control servers on the Tor and I2P anonymity networks, making it harder for security researchers and law enforcement to shut them down.

CryptoWall 3.0, the malicious program's latest version, was launched in January after a two-month break by its creators. One notable change: it no longer bundles local privilege escalation exploits, according to Cisco Systems.

Privilege escalation exploits allow attackers to execute malware programs with administrator or system-level privileges instead of using the victim's local user account, which might be restricted. CryptoWall needs this level of access to disable security features on the compromised systems, so the lack of privilege escalation exploits in its installer -- or dropper -- might be surprising at first.

In fact, this suggests that the CryptoWall authors plan to rely more on Web-based drive-by download attacks to infect systems, Cisco researchers said Monday in a blog post that includes a technical analysis of the new version.

Drive-by download attacks are launched from compromised websites or through malicious ads and usually exploit vulnerabilities in browser plug-ins like Flash Player, Java, Adobe Reader or Silverlight. The tools used for such attacks are known as exploit kits and they already have the functionality to achieve privilege escalation, according to the researchers.

Exploit kits can affect many users and can be hard to defend against, as highlighted by the recent malvertising attacks that exploited zero-day -- previously unknown -- vulnerabilities in Flash Player. They likely have a much higher success rate than other methods of malware distribution such as malicious email attachments.

That doesn't mean that ransomware pushers have abandoned email-based infection methods. Researchers from antivirus firm F-Secure reported Monday that they've observed a significant increase this month in infections with another file-encrypting ransomware program called CTB-Locker.

CTB-Locker is most commonly spread through emails with a malicious zip file attachment. The rogue zip file contains another zip file, which in turn houses a .scr or .cab executable file, the F-Secure researchers said in a blog post. Running either of those executable files results in a CTB-Locker infection.
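The nested-archive attachment pattern described above is easy to check for at a mail gateway or in an incident triage script. The following is an added example, not code from the article or from F-Secure: it unpacks zip attachments in memory, recurses into inner zips up to a fixed depth, and reports any member whose name ends in an extension Windows executes directly (the .scr and .cab types named in the article plus a few others). The sample attachment it builds is a constructed stand-in with a harmless byte string, not a real payload.

```python
import io
import zipfile
from typing import List

# Extensions that Windows will run directly. The article names .scr and .cab as the
# payload types found inside CTB-Locker's double-zipped attachments; the rest are
# other common executable/script types worth flagging in the same check.
EXECUTABLE_EXTENSIONS = {".scr", ".cab", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 4                         # stop recursing into inner archives beyond this depth
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # do not inflate an inner archive larger than this


def _suspicious_name(name: str) -> bool:
    """True when the member name ends in an executable extension (case-insensitive)."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def scan_zip_bytes(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return 'outer.zip/inner.zip/member' style paths of every executable member
    found at any nesting level of the zip archive held in `data`."""
    findings: List[str] = []
    if depth > MAX_DEPTH:
        findings.append(f"{prefix}<nesting deeper than {MAX_DEPTH}, aborted>")
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip at all; nothing to unpack
    with archive:
        for info in archive.infolist():
            path = f"{prefix}{info.filename}"
            if _suspicious_name(info.filename):
                findings.append(path)
            if info.filename.lower().endswith(".zip"):
                # file_size is the uncompressed size, so this guards against zip bombs
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{path}<oversized inner archive, skipped>")
                    continue
                findings.extend(scan_zip_bytes(archive.read(info), depth + 1, path + "/"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip holding a zip holding a .scr, mirroring the article's description."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_2015.scr", b"MZ" + b"\x00" * 64)   # placeholder bytes, not real malware
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed sample: a zip with only a document inside, which should produce no findings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print("suspicious attachment:", scan_zip_bytes(build_sample_attachment()))
    print("benign attachment:   ", scan_zip_bytes(build_benign_attachment()))
```

Flagging on the member name alone is deliberately cheap; a gateway would normally combine it with a content-type check on the member bytes, since a renamed executable still carries its own header regardless of extension.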

Like CryptoWall, CTB-Locker uses strong cryptography that makes it impossible for victims to recover their files without paying the ransom, unless they have unaffected backups. The CTB-Locker ransom is 3 Bitcoins, or around US$650, higher than the $500 ransom asked by the CryptoWall gang.

Android users are not immune to such threats either. After producing the first file-encrypting ransomware program for Android, the creators of Simplocker became the laughingstock of the anti-malware industry when it was discovered that they used the same hardcoded encryption key on all infected devices, making it easy to recover the affected files.

But they're now back, researchers from antivirus firm Avast Software warn. And they've unfortunately corrected their error, with a new, more sophisticated variant of Simplocker that infected more than 5,000 unique users within days of being discovered.

"The reason why this variant is more dangerous than its predecessor is that it generates unique keys for each infected device, making it harder to decrypt infected devices," Avast researcher Nikolaos Chrysaidos said in a blog post Tuesday.

Simplocker is distributed through rogue ads on shady websites that tell users they need Flash Player to watch videos. The Flash Player app served by those ads is actually Simplocker.

By default, Android blocks the installation of apps that are not downloaded from Google Play. However, attackers often use social engineering to convince users to disable this protection and allow the installation of apps from unknown sources.

Once Simplocker is installed, it displays a fake message that claims to be from the FBI and alerts victims that illegal pornographic material was detected on their devices. The message demands that victims pay $200 to have their phones unlocked.

Security researchers advise against paying such ransoms to cybercriminals, because there's no guarantee of getting the decryption key and because it encourages them to continue their scheme. However, there are many publicly reported cases of users, companies and even government organizations who gave in to the extortion and paid to recover their critical files.

Because of this, it's important to establish a backup routine. Files should be backed up to drives or network shares that are only temporarily connected to the computer or that require a username and password to be accessed. That's because ransomware programs will also encrypt files from folders accessible over the network if they can write to them.
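Two checks follow directly from the backup advice above: whether the backup destination can be written to from the everyday user account (if it can, ransomware running as that user can write to it too), and whether the files in a backup still match what was stored. The script below is an added example, not code from the article; it probes a directory for write access and keeps a SHA-256 manifest of a backup set so that later verification reports modified, missing or unexpected files. The demo runs entirely inside a temporary directory with constructed files and simulates the tampering a verifier would see after a ransomware pass over a writable share.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def is_writable_by_current_user(directory: Path) -> bool:
    """Try to create and remove a file in `directory`. Success means any program
    running under this account, ransomware included, could overwrite backups there."""
    try:
        with tempfile.NamedTemporaryFile(dir=str(directory), prefix=".write-probe-", delete=True):
            pass
        return True
    except OSError:
        return False


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare the current contents of `root` against a manifest taken when the
    backup was made. Returns a list of problems; an empty list means intact."""
    problems: List[str] = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def run_demo() -> Dict[str, object]:
    """Create a throwaway backup set, record its manifest, tamper with it, and re-verify.
    Everything lives in a temporary directory; no real backups are touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "a.txt").write_bytes(b"quarterly report")       # constructed content
        (root / "docs" / "b.txt").write_bytes(b"customer list")          # constructed content
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Constructed tampering: one file overwritten in place, one renamed to a new
        # extension. This is how an encrypted share looks to a manifest check.
        (root / "docs" / "a.txt").write_bytes(b"\x00\x11garbage")
        (root / "docs" / "b.txt").rename(root / "docs" / "b.txt.locked")
        after = verify_backup(root, manifest)
        return {
            "writable": is_writable_by_current_user(root),
            "clean": clean,
            "after": sorted(after),
        }


if __name__ == "__main__":
    result = run_demo()
    print("backup dir writable from this account:", result["writable"])
    print("problems before tampering:", result["clean"])
    print("problems after tampering: ", result["after"])
```

The manifest itself must be stored somewhere the backup job cannot overwrite (a separate credential or an offline copy), otherwise a compromise that rewrites the files can rewrite the manifest to match; the writability probe is the quick test for whether the current account is the one with that power.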

Stories by Lucian Constantin