Cyber Extortion through Malware Remains a Major Security Risk

By David Balaban
Contributor, InCyberDefense

Encryption-for-ransom cases proliferate. They are the most viable use for malware, harnessing the most advanced technologies while evolving and acquiring new properties.

Recent instances include NSA leaks used as an infection vector for news-making ransomware such as WannaCry and Petya. Obviously, the sums claimed by ransomware tend to increase as the sophistication of the encryption attack grows.

The First Steps of Cyber Extortion

The complexity of contemporary attacks originated in the simplicity of the first hacks. At its beginning, ransomware generated scary popups that pretended to lock the attacked devices. The first hacks date back to the release of the distributed by the BlackHole-based infection vector.

This ransomware prevented a user from opening any app on a hacked PC. Instead, the user saw a fake notification allegedly from the International Conference on Parallel Processing (ICPP), an organization that works to combat piracy. The notification claimed the user had to pay a fine of $100 for the copyright infringement.

The next stage in ransomware’s evolution engaged governmental bodies as hackers issued fraud reports in their names. Ransomware of this type even fooled the FBI and the Metropolitan British Police.

The hackers accused their victims of every possible data misuse, from child pornography distribution to unauthorized downloads of copyrighted content. The general message was pay the penalty or a court proceeding would be inevitable. The average amount demanded was $100 or its equivalent, depending on the victim’s location.

Early ransomware attacks did not pose a great challenge. Removal was easy. Victims had a choice of payment methods, including Ukash, PaySafeCard or MoneyPak. A victim would buy a prepaid code via the Internet or the nearest shop, and enter it over a ransom screen until after the hacker’s deadline expired.

Encryption to Attack, Cryptocurrency to Pay

The malware known as CryptoLocker has brought cyber extortion to a new level and simultaneously changed two pillars of the scam. CryptoLocker was the first ransomware to permanently encrypt the target’s data.

In addition, CryptoLocker demanded and processed ransom payments in digital currency. CryptoLocker still accepted ransom payments ranging from $200 to $400 from MoneyPak, Ukash and CashU.

The ransom could also be paid with two Bitcoins. However, Bitcoin prices increased drastically this year from $997.69 on January 1, 2017, to $6,750 as of November 1.

Bitcoin is the coin of the realm for all current ransom transactions. But there are exceptions, such as Kirk ransomware. This Star Trek-themed encryption Trojan demands a ransom of 50 XMR, an abbreviation which stands for Monero, another cryptocurrency. Converted to a common currency, 50 XMR amounts to $2,000.

The hackers behind encryption-for-ransom distinguish between private and corporate victims. Predictably, business and public users on average are ready to pay more than ordinary citizens because they have more data to protect than private individuals.

For example, L.A. Valley College paid hackers $28,000 in Bitcoins to decrypt the college’s network in January 2017. The biggest ransom ever paid was about $1 million (397.6 in Bitcoin) by the South Korean hosting provider Nayana.

Bargaining to Decrypt Ransomware

There is no evidence of a victim successfully beating a ransomware hacker. On the other hand, hackers have come up with a couple of tricks. The Spora encryption plague at the beginning of 2017 offered victims a weird deal: In exchange for rating the ransomware’s decryption service positively, victims would have their ransom reduced or its deadline extended.

In another trick, the Popcorn Time encryption-for-ransom hackers offered victims a chance to become their partners in crime. An infected victim was invited to compromise other users, presumably friends, and send proof to the hackers. As a reward, the ransomware holders would give the victim the decryptor for free.

Malware Encryption: Preventing, Avoiding, Withstanding, Recovering

A good way to thwart malicious ransomware is to have a reliable data backup. If you cannot afford the cost of, say, cloud backups of your bulk data, make sure to back up the essentials on an external hard drive with due frequency and security.

Malware researchers do not remain idle. They explore emerging ransomware and often publish a ransom-free solution for the strains they have examined.

To avoid a ransomware invasion, handle all content delivery with proper caution. Keep all devices guarded by trusted security software and update that software at the earliest opportunity to prevent malware from installing itself via unpatched flaws.

About the Author

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com website, which presents expert opinions on information security matters, social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.