CyberLocker's success will fuel future copycats
- 05 March, 2014 20:50
Nothing spurs malware development like success and that's likely to be the case in the coming months with ransomware.
Ransomware has been around for around a decade, but it wasn't until last fall, with the introduction of CryptoLocker, that the malevolent potential of the bad app category was realized. In the last four months of 2013 alone, the malicious software raked in some $5 million, according to Dell SecureWorks. Previously, it took ransomware purveyors an entire year to haul in that kind of money.
So is it any wonder that the latest iteration of this form of digital extortion has attracted the attention of cyber criminals? A compromised personal computer for a botnet or Distributed Denial of Service attack is worth about a buck to a byte bandit, explained Johannes B. Ullrich, chief research officer at the SANS Institute. "With ransomware, the attacker can easily make $100 and more," he said.
What distinguishes CryptoLocker from past ransomware efforts is its use of strong encryption. Document and image files on machines infected with the Trojan are scrambled using AES 256-bit encryption, and the only way for a keyboard jockey to regain use of the files is to pay a ransom for a digital key to decrypt the data.
Nevertheless, the bad app is the result of an evolutionary process that can be traced back to the rogue anti-virus campaigns during the 2000s. Those campaigns used persistent pop-up windows alerting a user that their computer was infected. To clear up the infection, the user needed to buy the pop-up perpetrator's anti-virus software. "Of course, the people selling the software were the same people who infected your machine," explained Garth Bruen, a fellow with the Digital Citizens Alliance, a consumer safety group focused on online crime. "That became known as scareware."
Most of the time, users were just paying to make the pop-up windows go away. On some occasions, though, the "anti-virus" software was more malicious. "It would infect your machine, use it to relay spam and spread infections," Bruen said.
Eventually, through a combination of education, better distribution of legitimate anti-virus software and law-enforcement raids, scareware's popularity began to decline, and ransomware started gaining traction. "Instead of trying to deceive a consumer that their computer is infected, the attacker is telling them, 'We've locked your PC, and we won't unlock it until you pay us X number of dollars,'" Bruen noted.
Although the predators started demanding ransoms, they also continued their scare tactics. For example, the lockscreen for some forms of the malware would display an official warning -- similar to those shown at the beginning of DVD movies -- from a law enforcement agency accusing the user of some crime for which a fine must be paid before the computer is unlocked. "They'll scare you in some way," said Keith Jarvis, a security researcher at Dell SecureWorks. "They'll say you've downloaded pornography or pirated music files and you have to pay this ransom by this date or face prosecution."
"Some will stoop to a very low level," he continued, "where they'll display child pornography and other nasty images on a person's computer."
Ransomware, like Reveton, frightened consumers, but measures could be taken to foil them. "A lot of it was easy to get around," said Adam Kujawa, a malware intelligent analyst at Malwarebytes. "You could boot in Safe Mode or from a CD and remove it that way."
Removing malware like CryptoLocker doesn't solve the problem, he added. "Even if you remove the infection, the files are still encrypted," he said. "It's no longer about removing the actual infection. It's about getting those files back."
Ransomware writers experimented with encryption before CryptoLocker. In 2007, a strain of bad app called GPCode, or Sinowal, encrypted files on the machines it infected, but the encryption was weak and easily broken by crypto pros. Encryption was also part of the repertoire of a strain of Reveton that appeared early in 2013, but since the malware's author provided no way to decrypt the files, there was little incentive to pay the ransom after the infection was removed from a machine.
Those kinds of mistakes weren't made by CryptoLocker's crew. Moreover, they have managed to strike just the right balance for success. "They figured out the balance of money to charge, malware protection and spread," said Lysa Myers, a security researcher with Eset.
"If you spread too much, your malware is too easy to find and you can be shut down," she explained.
The CryptoLocker crew also know the value of maintaining good customer relations. "They're honoring people who do pay the ransom," said Jarvis, of SecureWorks.
"In most cases they're sending the decryption keys back to the computer once they receive payment successfully," he explained. "We don't know what the percentage of people who successfully do that is, but we know it's part of their business model not to lie to people and not do it."
Moreover, in November, they began offering support to victims who, for whatever reason, fail to meet the hijackers' ransom deadlines. By submitting a portion of an encrypted file to the bad actors at a black website and paying the ransom, a victim can receive a key to decrypt their files. "You have to reinfect yourself with the malware but once you do that, you can get a successful decryption," Jarvis explained.
CryptoLocker's perpetrators have also benefited from improvements intended to better protect data. Encryption has long been challenging for many organizations, but as cyber attacks increased, the security industry strived to change that. "Over the last few years, file encryption has become easier to do," said Kujawa, of Malwarebytes.
In the past using encryption involved higher level skills that were more than most malware writers were capable of handling. "Now it's just a matter of doing a few system calls and you're good to go," Kujawa explained. "That has played a role in making things like CryptoLocker possible."
Another contributor to CryptoLocker's growth may be the coming of age of digital money. "One of the key ingredients that has factored into CryptoLocker has been Bitcoin because it provides the people involved with a way to quickly cash out with the money they're collecting without being caught," said Tom Cross, director of security research at Lancope, a network security company.
Up to now, the CryptoLocker gang has been able to keep their brand under tight wraps, but security experts see that changing in the future. One malware author has already started to gain notoriety with a ransom app called PowerLocker. While still a work in progress, PowerLocker promises to be even nastier than CryptoLocker.
What's more, the author is intent on selling PowerLocker's code to anyone with the deep pockets to buy it. If history is any indicator, that could result in a ransomware epidemic. "When the makers of Zeus" -- a very malicious banking Trojan -- "began selling it on the market, anyone with $10,000 could buy it and infections with Zeus exploded," said Bitdefender Senior E-Threat Analyst Bogdan Botezatu. "It's one of the top ten infections we see every day."
Kevin Bocek, vice president of product marketing, for Venafi, maker of a platform to protect digital keys and certificates, added, "Just like ZeuS and SpyEye, PowerLocker will give thousands of cybercriminals the ransomware tools available today to only a select group of criminals."
Those criminals have proven their acumen in software design, but that won't be the case in the next generation of ransomware artists. "You're not going to have to understand cryptography very well or implement malware that works well in order to engage in this kind of crime," explained Cross, of Lancope. "All you'll have to do is buy this software from somebody, set it up and run it."
"The barrier to entry will be very low," he continued, "and that's one of the reasons why I think we're going to see a lot of activity like this over the next couple of years."
PowerLocker's potential for malignancy, however, is just that: potential -- potential that's still unproven. "We got an early copy of PowerLockeer, and it's a very primitive piece of malware," said Jarvis, of Secureworks. "If it shows up in the wild as it is, it would take a considerable amount of work to get it up to speed and even more work to get it up to the level of CryptoLocker."
Whether PowerLocker pioneers the next generation of ransomware or not, experts agree that a next generation of the malware with a broader base of perpetrators is inevitable. "If it isn't PowerLocker, someone else will put out a toolkit to do this," Cross noted. "Successful malware ends up becoming a toolkit. That's how the business functions today."
"It is inevitable that we will see a cryptographic ransomware toolkit," he added, "maybe even multiple toolkits because it's clear that there's a business opportunity here for criminals."
Moreover, that opportunity is likely to reach beyond the consumer realm and into the greener pastures of business. "Going after consumers is small fish," said Bruen, of the Digital Citizens Alliance. "The next step is to conduct ransom operations on major companies. This has already happened," he said.
"From an attacker's perspective, there's definitely a higher risk in getting caught because companies are going to throw more money at the problem than an ordinary consumer can," he continued, "but the payoff from one of these companies -- a Target or a Nieman Marcus -- will be much larger."
Current ransomware attacks involve encrypting select file types on a hard drive, but a business attack will likely choose a higher value target. "Cryptographic keys and digital certificates are ripe for ransom," Venafi's Bocek said.
"Whether it's taking out the key and certificate that secures all communications for a bank or the SSH keys that connect to cloud services for an online retailer, keys and certificates are a very attractive target," he observed.
"Criminals are ramping up their attacks on keys and certificates, and it's likely the purveyors of ransomware will do the same," he added.