These attacks involve two-part schemes. First, a device is infected with malware that locks the user out or encrypts files so that the user can no longer access them. Then a ransom is demanded through an automated message that appears on the device’s screen. The user is told he has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased.
In recent weeks, three reports from security firms and researchers have noted new ransomware scheme trends that are making these attacks more difficult to thwart and detect.
As a result, experts say businesses need to focus more attention on employee education about how to avoid falling victim to these attacks and other socially engineered schemes.
On March 2, security firm FireEye warned that hundreds of websites may have been exposed to “malvertisements” – ads containing ransomware – via criminals’ abuse of ad networks that use real-time bidding.
“Real-time bidding is an ad sale and delivery system that allows for instant, autonomous ad auctions at the time the ads are served,” FireEye says. “A number of buyers set up bids ahead of time for a certain amount of ad impressions (i.e., page loads) on pre-selected sites and certain target demographic characteristics. When a user requests an ad, the ad exchange awards the highest bidder who has an active bid on advertising matching the incoming user’s demographic profile. As a result, the auction winner’s ad is displayed.”
In another recently released report, anti-virus provider Bitdefender noted that cybercriminals were using help files as a way of infecting devices with a variant of the ransomware known as CryptoWall. Attackers sent malicious emails with the subject “Incoming Fax Report” that contained help files with a compiled HTML extension, Bitdefender noted. When users opened the files, they were presented with a help window that automatically downloaded CryptoWall in the background.
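A mail gateway can screen for the delivery method Bitdefender describes. The Python below is an added example, not code from Bitdefender or from this article: it flags attachments that carry the compiled HTML help extension (.chm) or begin with that format's `ITSF` file signature, including ones renamed to look like another file type. The sample messages, addresses and function names are constructed for illustration.

```python
# Added example: flag e-mail attachments that are compiled HTML help (CHM) files.
from email import message_from_bytes, policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # signature at offset 0 of a compiled HTML help file


def build_sample(filename, payload):
    """Constructed sample message; only the subject line comes from the report."""
    msg = EmailMessage()
    msg["Subject"] = "Incoming Fax Report"
    msg["From"] = "fax@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"    # constructed address
    msg.set_content("Please see the attached fax.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def find_chm_attachments(raw):
    """Return (filename, reason) for every attachment that looks like CHM."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trailing dots/spaces are ignored by Windows, so strip them first.
        by_name = name.lower().rstrip(". ").endswith(".chm")
        by_magic = data.startswith(CHM_MAGIC)
        if by_magic and not by_name:
            hits.append((name, "CHM content under a different extension"))
        elif by_magic or by_name:
            hits.append((name, "CHM attachment"))
    return hits


if __name__ == "__main__":
    samples = [
        build_sample("fax_report.chm", CHM_MAGIC + b"\x00" * 32),
        build_sample("fax_report.pdf", CHM_MAGIC + b"\x00" * 32),
        build_sample("invoice.pdf", b"%PDF-1.4\n"),
    ]
    for raw in samples:
        print(find_chm_attachments(raw))
```

Checking the file signature as well as the name matters because a filter that looks only at the extension misses a renamed help file.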
In a third report, released March 6, a French malware researcher known as Kafeine said he discovered what at first appeared to be a new version of the ransomware known as TorrentLocker, but was later determined to be new malware. This is concerning, researchers say, because it proves how quickly hackers are adapting by developing entirely new malware strains that evade current detection mechanisms.
The Evolution of Ransomware
“Ransomware is flourishing as the criminal community appreciates its viability and the ease by which ransomware can be shared,” says Tom Kellermann, chief cybersecurity officer at security firm Trend Micro. “The most troubling evolution is the migration to mobile ransomware.”
In May 2014, security researchers warned of a new type of ransomware attack taking aim at employees and customers of banking institutions in Europe. The attack was being spread to mobile devices through the banking Trojan known as Svpeng (see New Ransomware Targets Mobile).
Today, attacks waged against Windows and Android operating systems have continued to spread.
“There is a lot of momentum behind ransomware and we do expect it to be a continuing issue throughout the rest of this year and beyond,” says John Miller, manager of the Cyber Crime Threat Scape at cyber-intelligence firm iSIGHT Partners. “Law enforcement in different countries can help educate residents about the threats,” which are designed for targeted global markets based on language and payment habits, he explains.
But it’s up to individual companies to educate their own employees about how to identify a ransomware attack before becoming victimized, Miller adds.
Why Ransomware Is So Dangerous
Rather than targeting home users’ files, as was common in 2012 and 2013, attacks emerging in late 2014 started targeting business assets by encrypting enterprise database files and shared storage systems, says Jeff Horne, vice president of the security firm Accuvant.