Ransomware That Went Straight for Victims Money

Ransomware That Went Straight for Victims Money
By Rik Ferguson

With all the media and security research attention in 2013 being focused on the targeted attack phenomenon and the growth in the numbers and type of organizations falling victim to these attacks, you could be thinking that traditional end-user level attack campaigns are on the wane. You’d be wrong, very wrong.

Cyber criminals are still following the money and they care very little whether they get to it through a targeted attack on a business or a more widespread spam campaign, seeding financial malware wherever they find fertile soil.

2013 saw the levels of banking malware in particular rise to levels not seen since 2002. Trend Micro intercepted almost 1 million instances of banking malware infections on our customer’s computers over the course of the year. That breaks down to between 113,000 and 220,000 for the first three quarters of 2013 and a whopping 537,000 in the final quarter. Criminals are not only increasing this barrage, they are also widening their firing range as we see sharp increases in countries such as Japan and Brazil among the top four, and the inclusion of newer national targets including Australia, France and Germany. Japan is not a country traditionally affected by large quantities of banking malware, nevertheless we saw large and widespread ZeuS campaigns there in the third and fourth quarters of 2013.

As well as exploring new “markets,” banking malware is also exploring new techniques. Brazil, in particular, saw a significant rise in the number of malicious .CPL files (Control Panel files for Microsoft Windows) embedded in .RTF documents, a departure from the more traditional delivery mechanisms of attached ZIP and RAR files with which we have become familiar.

It’s not all banking malware though and one area that did receive a lot of coverage last year was ransomware, and in particular Cryptolocker. The total volume of ransomware detections among our Trend Micro customers doubled year-on-year, averaging almost 22,000 detections every quarter. When you consider that each victim may have to pay as much as $300USD, or equivalent, to regain access to their data, this clearly represents a considerable potential income stream for online hostage-takers.

Cryptolocker itself represents an evolution of existing ransomware, refined with higher quality levels of encryption and more effective seek-and-encrypt routines. As well as rendering files on the local machine illegible, Cryptolocker also sought out files in network drives for encryption badness. No longer relying on a simple shared secret password to decrypt those files or systems held to ransom, Cryptolocker uses public key based encryption and very effective key-lengths to make recovery of encrypted files almost impossible. This is prompting far more victims to hand over their hard-won cash when faced with the loss of all that is digitally precious to them. Having an effective and regular backup solution, that takes these tactics into account, has never been more important.

It’s important to remember, amongst all the talk of the shift to mobile and the cloud; the headlines generated by targeted attacks and database hacks, that the average user on their home computer still represents a valid and attractive target for the online criminal of today. More users, in more countries than ever before are being targeted by criminal tools and techniques that have been refined over many years.

Keep your guard up and keep your backup.

Rik Ferguson, Vice President of Security Research at Trend Micro, is a Special Advisor to Europol EC3, project leader with the International Cyber Security Prevention Alliance (ICSPA), Vice Chair of the Centre for Strategic Cyberspace & Security Science and advisor to various UK government technology forums. In April 2011 Rik was inducted into the Infosecurity Hall of Fame.