“Your money or your data” seems to be the favored mantra these days as cybercriminals look for safer, more effective ways to fool victims into parting with their money.
It’s called ransomware. And it is on the rise, according to security experts interviewed by TECHtonics.
In some scenarios, victims are locked out of their cellphone or computer files. A message warns them that they need to pay ransom before their files are unlocked.
“It’s easier to kind of kidnap and hold hostage files than a person,” said Kevin Haley, Director of Product Management for Symantec Security Response. “You’re a lot less likely to be caught. You’ve got a lot better way to pay the ransom, a lot safer way and you don’t have to get somebody to stuff bills into a suitcase and throw it off a bridge or … leave it in a locker. So it’s got a lot of appeal to the bad guys.”
Part of the appeal is the prevalence of important data online. Australia-based cybersecurity expert Troy Hunt said as more important data become available online, there are “more and more attack vectors for online criminals to take advantage of.”
Criminals profit in cases where people, or even IT departments, have not implemented backup procedures correctly and are reluctant to report the attack, said Kaspersky Lab’s Argentina-based security researcher Santiago Pontiroli. “So … some people [decide] to pay the cybercriminals.”
According to Pontiroli, ransomware attacks spiked in 2013 as cybercriminals adopted Bitcoin and other types of electronic payments to cover their tracks as they carry out criminal extortion.
Cryptocurrencies allow “a high degree of anonymity,” said Hunt, which “makes it easier for cybercriminals to receive money without compromising their identity.”
And they have perfected their payoff methods, said Haley.
“That was always the hang-up before,” he explained. “They could get on your machine and they could encrypt your files, but they didn’t have a good way for you to pay the ransom. So that’s changed and so we’re seeing this explosion.”
What hasn’t changed is that ransomware is ultimately a type of malicious software. “They usually disguise it as a Trojan,” said Pontiroli. “And when it gets to your system, it encrypts everything.”
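The behaviour Pontiroli describes, one process rewriting many files with ciphertext in a short time, is also what a defender can look for. The Python script below is an added example and is not code from the article or from any vendor quoted in it: it scores file contents by Shannon entropy (ciphertext is statistically random, documents are not) and raises an alert when a burst of high-entropy rewrites lands inside a short window. The thresholds, the write-log event format (timestamp, path, bytes written) and the sample events are assumptions constructed for the illustration; a real deployment would feed it file-system or EDR telemetry.

```python
import math
import os
import random
from collections import Counter

# Heuristic thresholds; assumptions for this example, tune them per environment.
HIGH_ENTROPY = 7.2        # bits per byte; ciphertext and compressed data sit near 8.0
MIN_SIZE = 64             # entropy estimates on tiny files are unreliable
WINDOW_SECONDS = 60       # many ciphertext writes inside one window look like bulk encryption
MASS_THRESHOLD = 20


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the content is large enough to judge and statistically random."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= HIGH_ENTROPY


def detect_bulk_encryption(events, window=WINDOW_SECONDS, threshold=MASS_THRESHOLD):
    """Scan a write log for a burst of ciphertext-like writes.

    events: iterable of (timestamp_seconds, path, bytes_written).
    Returns a dict describing the busiest window: its start time, the number
    of high-entropy writes in it, the extensions they were written under, and
    whether that count reaches the alert threshold.
    """
    hits = sorted((ts, path) for ts, path, data in events if looks_encrypted(data))
    best = {"start": None, "count": 0, "extensions": Counter(), "alert": False}
    start = 0
    for end, (ts, _) in enumerate(hits):
        while ts - hits[start][0] > window:   # slide the window forward
            start += 1
        count = end - start + 1
        if count > best["count"]:
            best["start"] = hits[start][0]
            best["count"] = count
            best["extensions"] = Counter(os.path.splitext(p)[1] for _, p in hits[start:end + 1])
    best["alert"] = best["count"] >= threshold
    return best


# Constructed sample data (not real telemetry). Five ordinary document saves,
# followed by thirty files rewritten as random bytes under a new extension,
# which is the trace a file-encrypting Trojan leaves behind.
SAMPLE_TEXT = b"Quarterly report: revenue grew 4% on flat costs. " * 20
_rng = random.Random(20141212)
SAMPLE_EVENTS = [(1000 + i, f"/home/alice/docs/notes{i}.txt", SAMPLE_TEXT) for i in range(5)]
SAMPLE_EVENTS += [
    (1100 + i, f"/home/alice/docs/report{i}.docx.locked",
     bytes(_rng.getrandbits(8) for _ in range(2048)))
    for i in range(30)
]

if __name__ == "__main__":
    verdict = detect_bulk_encryption(SAMPLE_EVENTS)
    print(f"alert={verdict['alert']} writes={verdict['count']} "
          f"from t={verdict['start']} extensions={dict(verdict['extensions'])}")
```

Entropy alone is a weak signal (a user saving a ZIP or a JPEG also writes high-entropy data), which is why the alert keys on volume inside a window plus a common new extension rather than on any single write. The same logic is the reason the article's backup advice matters: the detector buys minutes, and only a tested offline backup turns those minutes into a recovery.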
When some Apple iOS users were locked out of their devices earlier this year in an attack billed as ransomware, victims who had no sensitive data to worry about simply reset their phones or formatted their computer hard drives.
In that instance, Haley said, attackers used the Find My iPhone app to put up a screen on the device claiming they had encrypted it.
“They had simply phished the Apple ID and password from users and then used the Apple Find My iPhone app to put a PIN on and then pop up the little message,” he said.
Not all ransomware attacks use this method. Others exploit websites with poor security practices to plant their malware, waiting to prey on visitors.
“First they have to find a website that they can break into to plant the malware,” said Haley. “And then they wait for people to visit and then try to make them vulnerable, try to exploit them when they get there.”
Together, website insecurity and unpatched vulnerabilities on users’ PCs are an open invitation for trouble.
“In other words,” says Haley, “you just visit the site and only by visiting the site, the bad guys are able to load or download malware onto your computer. And that is taking advantage of a vulnerability that you haven’t patched on your computer.”
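Haley’s description of a compromised site that serves an exploit to whoever visits matches what a site owner can check for on their own pages: injected hidden iframes pointing off-site and decode-then-execute script stubs are the usual loader for the exploit. The Python scanner below is an added example, not code from the article or from any vendor quoted in it; the hostnames, the sample page markup and the obfuscation patterns are constructed for the illustration. It spots only the common loader patterns and says nothing about the exploit the iframe ultimately delivers, which is why the unpatched-browser half of Haley’s point still matters.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Decode-then-execute chains typical of injected loaders (assumed pattern list).
OBFUSCATION = re.compile(
    r"(eval|document\.write)\s*\(\s*(unescape|atob|String\.fromCharCode)\b", re.I)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for a page served by site_host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script = []

    def _foreign(self, url):
        """True when the URL points at a host other than the site's own."""
        host = (urlparse(url).hostname or "").lower()
        return host != "" and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            # An invisible frame that loads another site is the classic drive-by hook.
            if hidden and self._foreign(a.get("src", "")):
                self.findings.append(("hidden_iframe", a["src"]))
        elif tag == "script":
            self._in_script = True
            self._script = []
            # Third-party scripts are not proof of compromise, but each one is a
            # place an attacker could load from, so list them for review.
            if a.get("src") and self._foreign(a["src"]):
                self.findings.append(("external_script", a["src"]))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script)
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated_script", body.strip()[:60]))


def scan_page(html, site_host):
    """Return the list of (kind, detail) findings for one page's HTML."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with one first-party script, one CDN
# script, one visible first-party iframe, and two injected items appended by
# an attacker (the hidden off-site iframe and the eval(unescape(...)) stub).
SITE_HOST = "www.acme-widgets.example"
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Acme Widgets</title>
<script src="https://www.acme-widgets.example/js/app.js"></script>
<script src="https://cdn.example/lib/jquery.min.js"></script>
</head><body>
<h1>Catalog</h1>
<iframe src="https://www.acme-widgets.example/embed/map" width="400" height="300"></iframe>
<iframe src="http://landing.badhost.example/x.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, SITE_HOST):
        print(f"{kind:18} {detail}")
```

Run it against a saved copy of each page on a schedule and diff the findings against the previous run: a first-party site that suddenly gains a hidden off-site iframe has almost certainly been broken into, whereas a long-standing CDN script is just a dependency worth pinning by hash.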
Haley says attack patterns are varied and random: spam, email attachments, or links that trick individuals into installing malware. With corporations, he said, attackers often look for ways to break in, either using spam or specific knowledge about their target.
Cybercriminals also often resort to manipulation and social engineering, as with Koler, an Android ransomware spread through pornography sites. Koler flashes a message and imagery purporting to come from the police, telling victims they did something illegal that will be reported to authorities unless they pay a certain amount of money.
“They try to scare you in order for you to pay quickly,” said Pontiroli. “And because … it’s kind of shameful, not many people report it.”
He says cybercriminals know that people respond if they scare them or offer them good deals or even prey on the kindness of those willing to lend a hand to a stranger in need.
Companies like Sony Pictures, which is struggling to recover from a recent attack, are frequently attacked successfully because of shortcomings within their own organizations, says Hunt. He said there are a lot of things that should have happened before an attacker could succeed.
“If they have been infected by malware inside their internal organization, the question I’ll be asking is, ‘What was their position on things like anti-virus?’” he said. “Did they have a good process there? Did they have good processes in terms of checking their inbound email for phishing attacks or malicious attachments?”
Some companies have paid hefty sums of money in ransom. In 2007, Nokia paid extortionists millions of euros to stop the distribution of a stolen encryption key, only to lose track of the money and the criminals. The case remains open today.
Hunt said victims who pay the ransom might get their kidnapped data back, but nothing is for certain.
“There is absolutely no guarantee that you will get anything back,” says Haley. “In some cases, you do because the ransomers want to have a good reputation so that other people will pay them as well. And in others, they just don’t care. They’re just ripping you off. And in fact in some cases, you may pay the ransom and they’ll try to extort even more money from you.”
Paying the ransom is not an option, said Pontiroli, because it means that you have to “trust the word of someone that is holding your files ransom.”
It also keeps the extortion business going.
Haley predicts that ransomware attacks will continue as long as there are people who are fooled, scared or cajoled into paying ransom.
“This is a scheme that is working well for cybercriminals,” added Pontiroli. “You learn about ransomware when you are a victim of it.”
Prevention is the best cure, he advised, both in terms of having the necessary security measures and the knowledge that this type of threat exists.