Cybercriminals have fully embraced ransomware. This specific form of malware encrypts files and extorts money from victims, and is a favorite among criminals. Ransomware is easy to develop, simple to execute, and does a very good job of compelling victims to pay to regain access to their precious files or systems. Almost anyone and every business is a potential target. More important, people are paying. Even law enforcement organizations have fallen victim, only to concede defeat and pay the criminals to restore access to their digital files or computers.
In just the first half of 2015, the number of ransomware samples has exploded—with an almost 190% gain. Compare that to the 127% growth for the whole of 2014. We predicted a spike in such personal attacks for this year, but I am shocked at how fast code development has been accelerated by the criminals.
Total ransomware has quickly exceeded four million unique samples in the wild. If the trend continues, by the end of the year we will have more than five million types of this malware to deal with.
Cybercriminals have found a spectacular method of fleecing a broad community of potential victims. Ransomware uses proven technology to undermine security. Encryption, the long-time friend of cybersecurity professionals, can also be used by nefarious elements to cause harm. Encryption is just a tool. How it is wielded determines if it is beneficial or damaging. In this case, ransomware uses encryption to scramble selected data or critical systems files in a way recoverable only by a key the attacker possesses. The locked files never leave the system, but are unusable until decrypted. Attackers then offer to provide the key or an unlocking service for a fee. Normally in the hundreds of dollars, the fee is typically requested in the form of a cryptocurrency such as Bitcoin. This makes the payment transaction unrevocable and almost impossibly difficult to track attribution and know who is on the receiving end.
This type of an attack is very personal in nature and specific in its targets. It may lock treasured pictures, game accounts, financial records, legal documents, or work files. These are important to us personally or professionally and their loss provides a strong motivator to pay the criminals.
Payment simply encourages attackers to reuse this method and adds resources for their continued investment in new tools and techniques. The technical bar for entry into this criminal activity has fallen as malware writers are making this type of attack easier for anyone to attempt. In June, the author of the Tox variant offered ransomware as a service for other criminals to distribute. The variant handles all the back-end transactions and provides the author a 20% skim of ransoms being paid. Fortunately, the author was influenced to a better path after being exposed by McAfee. More recently, an open-source kit, Hidden Tear, was developed for novices to create their own fully functioning ransomware code. Although not too sophisticated, Hidden Tear marks a watershed moment—showing just how accessible this type of malware has become. I expect future open-source and software-as-a-service efforts to rapidly improve in quality, features, and availability.
Ransomware will continue to be a major problem. More sophisticated cybercriminals will begin to integrate with other exploitation techniques such as malvertizing ad services, malicious websites, bot uploads, fake software updates, waterhole attacks, spoofed emails, personalized phishing, signed Trojan downloads, etc. Ransomware will grow, more people and businesses will be affected, and it will become more difficult to recover without paying the ransom. The growth in new ransomware samples is an indication of things to come.