The rise of ransomware
Ransomware as a service (RaaS), a flavor of ransomware, has contributed to this phenomenal growth. Designed to be user-friendly, RaaS makes cybercrime more accessible. Advanced cybercriminals create malicious code and make it available to download for free or for a small charge, opting to take a cut of each ransom. Novice cybercriminals, using inexpensive do-it-yourself ransomware construction kits and the free code, can generate thousands in ransom payouts for a few dollars and virtually no coding skills.
“With recent, highly publicized ransomware attacks on several hospitals and health networks resulting in large payouts to retrieve critical files, cybercriminals are clearly beginning to recognize that holding the data hostage is often more lucrative than simply stealing the data and selling it on the black market," according to a Flashpoint report about the inner workings of a typical Russian ransomware-based crime ring. "Ransomware is clearly paying for Russian cybercriminals.”
Ransomware trends to watch
Researchers have identified several new ransomware techniques and why they stand out. Those include:
Fatboy. This malware, posted on a Russian cybercriminal forum earlier this summer, allows thieves to change the amount of money they charge victims based on where the victim lives. Those in areas with a higher cost of living—according to built-in geolocation reference tables based on the relative cost of a Big Mac across different countries—are charged more for their data to be decrypted.
Fatboy also offers customer support over the instant messaging service Jabber. This feature is part of a growing trend in ransomware toward improved customer service as another way to attract victims. In its first few months of operation, the author of the Fatboy RaaS has purportedly earned at least $5,321 for his efforts. As with many RaaS tools, attackers are paid their share of the collected ransoms immediately, too.
Ovidiy Stealer. This tool is designed to steal user credentials. Ovidiy Stealer primarily targets web browsers and is being marketed on Russian-speaking web forums for as little as $7. While most RaaS tools are more general-purpose, this one seems to be designed for a Russian-speaking audience, which is its innovation. Other features include "testimonials" from satisfied criminal customers and a variety of payment options for purchasing the tool.
Hackshit. This phishing-as-a-service platform can help initiate a ransomware infection. It attracts new subscribers by offering free trial accounts for reviewing its limited set of hacking tutorials and tricks for making easy money. The website contains inline manuals, free tutorials, chat support, a comments section, a link generator, logs, and a marketplace. The price starts at a mere $40 a week.
Cerber. This RaaS accounted for 25 percent of overall ransomware activity in December 2016 and January 2017, generating millions of dollars for criminals. The owners take 40 percent of the ransom payouts. Its main feature is that it works offline, without needing to contact a server to encrypt files, so by the time an infected machine is disconnected from the network, it is already too late.
Philadelphia. This tool adds a "no database" feature, so criminals don’t have to administer a dedicated server to collect keys and victims’ information. Its users can also select from a wide variety of infected file types to deploy.
Satan. This tool provides additional services, such as tracking the progress of each individual user in terms of collecting their ransom cash. The tool also encrypts its code and contains a lot of anti-debugging and anti-analysis techniques to make dynamic and static analysis more difficult. The malware owner takes a 30 percent cut of any ransoms collected too. “Script kiddies with limited technical capabilities can easily begin spreading malware for profit,” according to Cylance analysts who have examined its operations. Its major innovation was adding a web-based graphical interface.
Satan’s web dashboard
Hostman. Some RaaS tools charge up front rather than use a percentage of the payouts, such as Hostman—which costs $50. It introduced auto-encryption, so the criminal doesn’t have to worry about providing a decryption key once the ransom is paid out.
Karmen. This RaaS variation is similar to Satan in that it uses a web-based control panel hosted on the Dark Web with a user-friendly graphical dashboard that allows buyers to configure a personalized version. It is based on the abandoned open source ransomware building toolkit dubbed Hidden Tear. Like Satan, it has anti-detection techniques built in and automatically deletes its decryptor if a sandbox environment or analysis software is detected on the victim's computer. It also comes with a dashboard that lets buyers keep a running tally of the number of infections and their profit in real time. It is being sold on Dark Web forums by a Russian-speaking hacker named DevBitox for $175. If buyers have any doubts about how to use it, Karmen comes with its own YouTube instructional video, too. Because the tool is bought outright, buyers keep 100 percent of the ransoms.
Typically, the criminals using the tools (as opposed to the original malware authors) receive about two-thirds of the ransoms collected. Among the tools listed above, that split is common with Fatboy, Cerber, and Philadelphia.
Ransomware lessons learned
RaaS continues to be a moving target, technologically. New features are added to make the tools easier to use, more difficult to detect, and more infectious. All of that spells bad news for enterprise IT managers, but there are ways to reduce the chances of infection. Key suggestions include:
Improve phishing awareness training programs. Many ransomware infections start with a phishing email used to gain entry to your corporate network. The more you can educate users to recognize phishing attempts, the less likely you are to have to deal with an attack. A number of vendors offer automated training tools that send test emails to keep users on their toes.
Do better backups. Test your backups and make sure you can recover critical files. Many PCs held hostage by ransomware contained data that was poorly or never backed up. Also, turn on versioning controls for critical content in cloud services, so you can recover files that might be overwritten after an attack.
Enforce data loss prevention policies to control how files and data move around your network or leave your corporate domain. While this won’t prevent an attack, you will be able to respond to one more quickly.
Enable the "view known file extensions" option on Windows systems. Many ransomware attacks try to hide their payloads behind unusual extensions that remain hidden unless this option is turned on.
Use better threat defenses that deploy behavioral-based tools that go beyond signature detection. While most of the advanced anti-malware vendors claim this, some do a better job at detecting infections than others.
Deploy multifactor authentication and single-sign-on tools to protect sensitive internal data account logins. Many RaaS tools are designed to steal login credentials. Additional authentication factors or better password hygiene are both helpful here.
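As an added example that is not part of the original article, the PowerShell below audits and remediates the Windows Explorer setting behind the "view known file extensions" suggestion above. It assumes it runs as the user whose profile is being checked (the HideFileExt value is stored per user), and the function names are this example's own.

```powershell
# Added example: audit and remediate Explorer's "Hide extensions for known
# file types" setting. HideFileExt = 1 hides extensions (the Windows default),
# HideFileExt = 0 shows them. The value lives in the current user's hive.
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExtensionVisibility {
    # Returns $true when known file extensions are displayed for this user.
    $prop = Get-ItemProperty -Path $advancedKey -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }   # value absent: Windows hides extensions by default
    return ($prop.HideFileExt -eq 0)
}

function Enable-ExtensionVisibility {
    # Sets HideFileExt to 0 so a file named like "invoice.pdf.exe" (constructed
    # example) is listed with its real .exe extension instead of as "invoice.pdf".
    # Explorer reads the value at start-up, so an optional restart applies it now.
    param([switch]$RestartExplorer)
    if (-not (Test-Path $advancedKey)) { New-Item -Path $advancedKey -Force | Out-Null }
    Set-ItemProperty -Path $advancedKey -Name HideFileExt -Value 0 -Type DWord
    if ($RestartExplorer) {
        Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
        Start-Sleep -Seconds 2
        # Newer Windows builds relaunch the shell on their own; start it only if they did not.
        if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
            Start-Process explorer.exe
        }
    }
    return Get-ExtensionVisibility
}

# Usage: report the current state, then remediate if needed.
if (Get-ExtensionVisibility) {
    Write-Output 'Known file extensions are already visible for this user.'
} else {
    Write-Output 'Extensions are hidden; enabling visibility.'
    Enable-ExtensionVisibility -RestartExplorer | Out-Null
}
```

In a managed environment the same value is normally set for all users through Group Policy rather than per profile; the script above is useful for spot-checking a single machine.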
RaaS is very much a cat-and-mouse game, with escalations on both the criminal and protection sides as both improve their technologies. “We see an important growth in the RaaS model in the near future,” says Ilia Kolochenko, CEO for security vendor High-Tech Bridge. “Many cybercriminals don’t want or simply don’t have enough skills to do all the administrative work involved in ransomware: billing, support, and money laundering. With the RaaS model, even a kid can successfully receive payments from the victims without bothering about anything but hacking user machines.”