IET Networks Review Article
Evolution of ransomware
ISSN 2047-4954. Received on 20th September 2017, revised 3rd February 2018, accepted on 3rd May 2018. doi: 10.1049/iet-net.2017.0207, www.ietdl.org
Philip O'Kane1, Sakir Sezer1, Domhnall Carlin1
1Centre for Secure Information Technologies, Queen's University Belfast, Queen's Road, Queen's Island, Belfast BT3 9DT, UK
E-mail: p.okane@qub.ac.uk

Abstract: Cybercrime has long since transformed from a world of maverick attackers into a criminal business. Ransomware is malware that renders a victim's computer or data unusable and is increasingly used by criminals to generate revenue through extortion. This study explores the transition from the early-day scams to the extortion implemented by current ransomware, tracing the pathway from the first clumsy ransomware attempts to the present-day sophisticated attack campaigns. This crypto-warfare now accounts for estimated damages of $1 billion. Considering that many Internet users appear to be unaware of ransomware and do little to protect themselves, the authors argue that this low-impact extortion, using highly automated methods, has proven very rewarding for the criminals. As criminals have been early adopters (or abusers) of Internet technology, the authors expect that ransomware will continue to evolve beyond the capability of present-day defence solutions.

1 Introduction

In the relatively short history of the Internet, a relationship has developed between crime and technology [1]. The benefits of technological development are all too apparent to both legitimate and illegitimate (criminal) users. While the technology has evolved, many of the underlying crime schemes remain familiar. Traditional crimes such as blackmail, extortion and theft are not new, but in a highly automated environment (the Internet) criminals can automate their attacks.
They are no longer limited to single large targets with deep pockets, such as banks or corporations, but now target millions of online users. This paradigm, brought about by the automation of the attack process, has made Internet crime ubiquitous.

Ransomware is designed to disable the victim's computer or access to their data. The criminals then blackmail the victim for the recovery of the equipment or data. Ransomware displays a message stating the terms of the ransom (the ransom note), and in the early days the criminals attempted to scare the victim by claiming to be law enforcement. Some ransomware went to the extent of displaying child abuse images and highlighting the devastation to the victim's life if prosecuted in open court. These scare techniques, designed to encourage victims to pay, on occasion drove individuals to take their own lives.

Joseph Popp, the creator of the first ransomware, wrote the 'AIDS' (PC Cyborg) program in 1989 and deployed it as a Trojan. The AIDS Trojan was spread using floppy discs (state of the art in 1989). Once installed from the floppy disc, the AIDS program counted reboots and, after a set number, encrypted (scrambled) the names of the files on the C: drive, then demanded a payment of $189 to a PO Box in Panama. The AIDS ransomware ultimately failed due to:
(i) The low number of reachable victims.
(ii) The infection method (5¼″ floppy disc).
(iii) The encryption, which was weak (symmetric, with the key shipped inside the program) and easily reversed.
(iv) The payment method.
(v) The value of the asset (data).

Recent years have seen an explosion in ransomware, which now spans the globe, indiscriminately infecting victims and quickly encrypting data, leaving organisations and individuals locked out of their computers. The growth of ransomware has seen a 600% increase in the number of ransomware families [2], such as Cerber, Locky and CryptoWall. The evolution of the Internet and cloud computing has provided a fertile breeding ground for ransomware, because each of the five failure points above has since been removed:
(i) The Internet is a highly connected network serving billions of users, creating a target-rich environment.
(ii) Infection: The Internet is, in essence, a collection of communication protocols that support the propagation and delivery of software, including ransomware.
(iii) Encryption: Once the preserve of specialists, many tools and encryption libraries now exist that lower the skill level required to carry out an encryption attack.
(iv) Payment: The launch of digital currencies (such as Bitcoin) has enabled criminals to monetise their activities through a payment method that is pseudonymous rather than tied to a bank account. With more than 30 ransomware families using Bitcoin, victims can easily pay the ransom pseudo-anonymously via a digital currency.
(v) Asset: We now store important business and personal data electronically.

2 Attack landscape

A complex infrastructure has grown to support ransomware, as portrayed in Fig. 1. The sequence numbers annotated in Fig. 1 are not an exact narrative for all forms of ransomware; however, the progression is typical of many ransomware families and attack campaigns:
(i) The attack includes social engineering tactics to increase engagement with the victims. In our laboratories, we have seen evidence of enhanced reconnaissance used to tailor phishing emails to lure the victim into engaging with the attack.
(ii) Emails are often the initial attack vector and are a major weakness, as many users lack the necessary knowledge to identify social engineering.
(iii) After the user succumbs to the initial phase of the attack, they are either directed to a booby-trapped website (landing page) or an attachment downloads the ransomware automatically.
(iv) The booby-trapped landing page hosts an 'Exploit Kit': malicious code that probes the victim's browser and plug-ins for vulnerabilities and attempts to install (infect) ransomware on the victim's computer.
(v) At this point, the payload (ransomware) is delivered to the victim over an abused network protocol.
(vi) After the infection, the ransomware calls out to its command and control (C&C) server to establish a link and retrieve or register the encryption keys needed to perform the data encryption.
(vii) Over the years, ransomware creators have attempted different encryption methods, but have mostly settled on public-key (RSA) encryption, typically used to protect a symmetric (AES) key that encrypts the data on the victim's computer, attached devices and local network shares.
(viii) At this point, the user is truly a victim and is rudely awakened to the fact that their data is encrypted by a threatening pop-up demanding a ransom to regain access. Many ransomware families also apply additional pressure on the victim to encourage payment, such as accusing the victim of a crime or setting a time limit by which the victim can recover their data.
(ix) Bitcoin is the dominant method of ransom payment, and the proceeds are usually 'laundered' to improve the anonymity of the attacker.
(x) Ransomware is no longer a one-man business; it has grown into an underground industry that requires many different criminal skills, which have to be purchased.

3 Infection methods

Today, the Internet serves 3.7 billion users worldwide. In Europe, 73.9% of the population use networked computers, and in North America 89% of the population use the Internet, creating a target-rich environment for criminals seeking to take advantage of unsuspecting users [3]. However, in 1989, with the Internet in its infancy and few interconnected computers, the only viable infection method available was a floppy disc, which Joseph Popp handed out or posted to his victims. He dispatched 20,000 discs to 90 countries in December 1989, masquerading as AIDS education software. Shipping 20,000 discs must have been a logistical nightmare involving copying, packaging and posting. In today's interconnected world, a physical medium is no longer required to deliver malware. In the main, criminals deliver their malware using Internet communication protocols, which provide an efficient and cost-effective delivery method. As researchers strive to improve the security of software, attack campaigns increasingly use social engineering to snare a victim and are frequently tailored to users, organisations or related topics. That said, they often take one of the following forms:

Emails: The victim receives an email with either an embedded uniform resource locator (URL) or an attachment that contains a downloader. When the attachment or link is opened, the downloader connects to a malicious website that hosts the ransomware and retrieves it. According to a recent survey by McAfee Labs, 23% of recipients open phishing emails and 11% click on the email attachment [3]. In 2016, anti-phishing vendors reported large increases in phishing emails (6.3 million), coupled with a switch in attack strategy from targeting victims' bank and credit card details to ransomware deployment [4]. At its peak (March 2016), ransomware accounted for 51% of phishing emails.

Watering-hole attacks: The criminals compromise popular websites and implant their malicious code (often JavaScript redirection code). When the user clicks on the desirable object, they are redirected to malicious or hacked servers and are prompted to install new software or an update (the malware). Familiar examples are a fake Adobe Flash Player update, an offer of free anti-virus software or fake competition giveaways.
The choice of website or desirable object can be used to tailor the attack to specific individuals or organisations (spear phishing without the email).

Trojans are malicious programs that disguise themselves as useful tools, applications or games. Many users seek them out assuming they are harmless applications (apps). These apps contain two payloads: first, some functionality to distract the user (the app works), and second, a payload such as a dropper, which opens a connection to a malicious website and downloads more malware.

Vulnerabilities (drive-by downloads): security holes in the user's Internet-facing client software (browser, plug-ins, document viewers) are exploited by the criminal to download ransomware. This type of attack performs a stealthy download and does not require the user to click or confirm the download. The compromised websites use obfuscated script/code that redirects users to another server hosting Exploit Kit software such as Nuclear, Angler etc. Nuclear can identify and exploit vulnerabilities in the user's browser, and if a vulnerability is found, ransomware is installed on the victim's computer. WordPress sites (along with others) have been compromised and identified as a principal source of Nuclear and similar Exploit Kits [5].

Social engineering is a key part of the criminal's attack strategy and is typically combined with technology (malware/Exploit Kits) to form a blended attack. Social engineering is nothing new; it is a psychological technique (confidence trick) used to manipulate victims into performing unsafe actions by exploiting human emotions such as fear, urgency, curiosity, sympathy etc. Blended attacks are on the increase, with criminals using increasingly aggressive social engineering tactics to persuade the victim to pay. During the initial infection, social engineering is used to lure users to compromised websites or into opening untrusted email attachments. Criminals often use 'your invoice', 'package delivery details' or topical events (news) to lure victims into visiting malicious websites or downloading dubious applications. In the final stage, they use scare tactics and deadlines to pressure users into paying the ransom. Some ransomware authors have gone beyond simply encrypting the victim's files to force payment. They have employed scare tactics by impersonating law enforcement and claiming that the user (victim) is guilty of a crime, while others have gone further, downloading and displaying child abuse images on the victim's computer and highlighting the devastation to the victim's life if prosecuted in open court.

Phishing email (spamming) is a widespread distribution method, with spear phishing used to target wealthy individuals and large organisations. Coupled with social engineering, spamming is a highly effective approach despite the deployment of spam filters. Phishing (email and watering-hole) campaigns can be tuned to specific regions and timed to calendar events. These tricks are used to increase the likelihood of a user clicking on the malicious link; examples are an email about a package delivery at Christmas or a request for relief after a major crisis such as an earthquake.

Exploit Kits are malicious software applications that scan for and identify software vulnerabilities on client machines, with the intention of exploiting those vulnerabilities to upload malware to the victim's computer. Exploit Kits are a key part of the attack infrastructure and provide an effective means of delivering a myriad of threats, including ransomware. They require less user action, as they take advantage of unpatched vulnerabilities in common operating systems and software. At any given time, systems will have vulnerabilities, especially if they run legacy systems or software. Add to the mix the inherent latency in the patch process (identify the vulnerability, develop a fix, test the fix and deploy the patch) and the result is a critical race against the criminals' Exploit Kits. On average, enterprises need 30 days to test and deploy a patch. Exploit Kits are becoming increasingly sophisticated, gathering victim statistics and data on the effectiveness of attack methods. They also provide a graphical user interface that lets criminals with little programming skill (script kiddies) configure an attack with little or no understanding of the vulnerability or exploit. Some Exploit Kits come with product support and updates, like commercial software. Exploit Kits are commonplace and are an integral part of the ransomware as a service (RaaS) paradigm: to establish an attack infrastructure, the would-be attacker simply rents an Exploit Kit through an underground criminal community. An Exploit Kit takes the form of a managed control panel, where the attacker can upload their payload (ransomware), manage the attack and track infection rates. While there are numerous Exploit Kits (Nuclear, Neutrino and Magnitude), the most popular kit is Angler [5], which first appeared in 2013 and is now a valuable tool in the criminal's arsenal. Its success is due in part to its ability to evade detection by recognising analysis environments and using customised communication protocols. Angler comes with the added benefit of an integrated Tor-based payment method. Angler sits like a flytrap on servers (websites) waiting for victims. When a user accesses the website, Angler scans the user's computer for vulnerabilities and attempts to upload (infect) ransomware to the user's computer. Often a phishing campaign is used to drive the victim to the booby-trapped website (landing page).

Fig. 1 Attack landscape

4 Ransomware names

Encryption is used to ensure the privacy of data during transmission and storage. Unfortunately, the criminals have adopted encryption for blackmail, encrypting the victim's data and releasing it only after the victim has paid a ransom. The first demonstration of ransomware by Joseph Popp in 1989 used symmetric-key encryption to hijack victims' hard drives and demand payment. Symmetric-key encryption is a single-key system that uses the same key for both encryption and decryption, which has an inherent weakness in this setting: the encryption/decryption key is deployed with the ransomware. Therefore, Popp's ransomware (AIDS) could be analysed to extract the key and produce a countermeasure to its encryption.

Fig. 2 shows the evolution of ransomware. The following description is not a comprehensive chronological narrative, but rather seeks to highlight key aspects of ransomware evolution. In 2005, criminals launched a ransomware attack (Gpcoder) that used symmetric encryption, which again was quickly mitigated by analysing the Gpcoder binary and producing a countermeasure. Then in 2006, criminals adopted a more robust method, asymmetric (public-key) encryption. Asymmetric encryption employs two mathematically linked keys, a public key and a private key. The public key is used to encrypt the data and cannot be used to decrypt it, so the public key can be shipped with the ransomware or transmitted without leaking any knowledge of the private key. The private key is used solely for decryption and is kept by the attacker until the ransom is paid. Archiveus was the first ransomware to use asymmetric encryption, which in principle makes it impossible to derive the decryption key from the ransomware itself (in practice, Archiveus's decryption password was later found embedded in its own code). Archiveus encrypted the victim's 'My Documents' directory and demanded that the victim purchase an item from specific websites to obtain the decryption key.

Around 2012 to 2013, police-themed scareware arrived in the form of Reveton, which locked the infected device and prevented access to it (a 'locker'). After locking the computer, the ransomware falsely alleged that the computer (and user) had engaged in unlawful activities and that a fine had to be paid to unlock the computer. Reveton demanded payment via an anonymous prepaid voucher service. To encourage payment, Reveton displayed police warnings and, in some strains, webcam footage to reinforce the illusion that the victim was the criminal. Reveton was followed by a spate of copycat ransomware (Urausy and Tohfy) claiming to be police enforcement and that a fine had to be paid to prevent further legal action.

CryptoLocker (encryption based) arrived in 2013 and spread using multiple infection methods, such as email attachments and compromised websites, and in 2014 used the GameOver Zeus botnet infrastructure for distribution. CryptoLocker encrypted files with Advanced Encryption Standard (AES)-256 and protected the file keys with a 2048-bit RSA key pair whose private half stayed on the attackers' C&C server. 2014 heralded a new revolution in ransomware with the adoption of Tor-hosted payment sites accepting Bitcoin, to ensure improved anonymity. In February 2014, CryptoDefense used Windows' built-in encryption library (CryptoAPI) to perform RSA-2048 file encryption. However, this method had a weakness: the RSA key pair was generated on the victim's machine by the Windows API, which by default persisted the private key in the local key store. The private key was transmitted back to the attacker's C&C server, but a copy remained recoverable from the infected machine. CryptoDefense's creators went on to develop an enhanced ransomware known as CryptoWall. CTB-Locker, CryptorBit, SimplLocker and CryptoWall have numerous similarities, but they are not believed to be related. CTB-Locker incorporated direct C&C to a Tor server rather than the proxy-based and botnet infrastructures. In 2016, CTB-Locker changed tactics and started targeting websites. TeslaCrypt appeared in 2015, encrypted files with AES-256 and used RSA-4096 to encrypt the AES-256 key. TeslaCrypt used a Tor-based C&C proxy server. In 2016, TeslaCrypt's creators unexpectedly wound down the TeslaCrypt infrastructure and made their master decryption key public, putting an end to TeslaCrypt ransomware.

Chimaera broke from the standard Tor-based C&C and implemented its own peer-to-peer (P2P) C&C messaging system (Bitmessage), based on public-key and private-key encryption: messages are broadcast to all clients, and only the intended client can decrypt a message using its private key. Chimaera came with a bogus threat of 'doxing'. Doxing is a blackmail technique that threatens to release the victim's identity along with personal data. 7ev3n ransomware performed both file encryption and computer locking and threatened to release sensitive information if payment was not received. 7ev3n used a proprietary method of file encryption, referred to as R4A and R5A, named after the file extensions appended to the encrypted files.
The R4A encryption algorithm was a simple 'exclusive OR' (XOR) function with a hard-coded key. R5A was a more advanced XOR-based scheme that obfuscated the XOR key to impede reverse engineering. However, this type of encryption is breakable because it relies on a fixed XOR key: the key can be pulled from the binary, or recovered from any encrypted file whose original leading bytes are known. CryptXXX uses RSA encryption and a proprietary P2P communication protocol along with a Tor-based payment system. CryptXXX also comes with an additional surprise in the form of dynamic-link libraries (Stiller.dll, StillerX.dll and StillerZZZ.dll) that steal account credentials. Early versions of CryptXXX used weak encryption and were reversed by security experts; however, the latest version of CryptXXX employs robust encryption that is immune to cracking. Locky appeared in 2016, with speculation that it was derived from the proof-of-concept source code 'Hidden Tear' and its successor EDA2, made public by a researcher [6]. The availability of the 'Hidden Tear' source code led to a spate of copycat ransomware, the most infamous being, if that speculation is correct, Locky. Locky uses RSA-2048 and AES-128, almost the standard for ransomware, and stores the private key on remote servers. Again, Locky uses custom encrypted communication over Tor and Bitcoin for payment. Samas was first reported in early 2016 and adopted what has become the default configuration of AES file encryption, Tor C&C and payment via Bitcoin. Samas's creators did not carry out widespread campaigns but instead targeted companies. Samas included a real-time communication channel so the criminals could contact their victims. KeRanger arrived in 2016 with the usual combination of AES encryption and payment via Bitcoin. However, KeRanger heralded a revolution: it targeted Apple OS X, which had been considered to have high immunity to malware. The criminals had created a Trojanised copy of a legitimate application, signed with a valid (misappropriated) Apple developer certificate. This valid signature made the Trojan appear as an authorised update, which installed without any warning.
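The two ends of the spectrum described in this section, the symmetric-key designs that were reversed (AIDS, Gpcoder, 7ev3n's R4A) and the hybrid RSA-plus-AES design used by CryptoLocker and its successors, as an added example. This is not code from the paper or from any of the families it describes. The first half recovers a repeating XOR key from an encrypted file's known header bytes, the known-plaintext attack that makes XOR-based ransomware reversible without touching the binary; the second half shows why a per-file AES key wrapped with the attacker's RSA public key cannot be recovered on the victim's machine. AES-256-GCM and RSA-OAEP are our choice of modern primitives (the paper only states AES-256 and RSA-2048), the PNG header, the 4-byte key and the file body are constructed sample data, and all function names are ours.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// xorCrypt is the repeating-key XOR of 7ev3n's R4A; encryption and decryption
// are the same operation, so the key shipped in the binary is the decryption key.
func xorCrypt(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// recoverXORKey recovers a repeating XOR key from a ciphertext whose leading
// plaintext bytes are known (a file-format magic header). It tries key lengths
// up to half the known prefix and returns the shortest that explains every byte.
func recoverXORKey(ciphertext, knownPrefix []byte) ([]byte, error) {
	n := len(knownPrefix)
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext shorter than known plaintext")
	}
	for keyLen := 1; keyLen <= n/2; keyLen++ {
		key := xorCrypt(ciphertext[:keyLen], knownPrefix[:keyLen]) // c XOR p = k
		if bytes.Equal(xorCrypt(ciphertext[:n], key), knownPrefix) {
			return key, nil
		}
	}
	return nil, errors.New("no repeating key of length <= len(prefix)/2 fits")
}

// EncryptedFile is what a CryptoLocker-style family leaves on disk: the file
// ciphertext plus the per-file key encrypted to the attacker's RSA public key.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(attackerPub, fileKey); private key never on the victim
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(fileKey, nonce, plaintext)
}

func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	buf := make([]byte, 44) // fresh 32-byte AES-256 file key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// hybridDecrypt succeeds only with the private key matching the wrapping public
// key; with any other key the OAEP unwrap fails and the data stays locked.
func hybridDecrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample file: the 8-byte PNG signature is public knowledge.
	plain := append([]byte("\x89PNG\r\n\x1a\n"), "constructed image body"...)
	key := []byte{0x5a, 0x13, 0xc4, 0x77} // the hard-coded key a 7ev3n-style binary carries
	recovered, err := recoverXORKey(xorCrypt(plain, key), plain[:8])
	fmt.Printf("XOR key recovered from the PNG header: %x (err=%v)\n", recovered, err)
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // private half stays on the C&C side
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := hybridEncrypt(&attacker.PublicKey, plain)
	_, err = hybridDecrypt(other, ef)
	fmt.Println("decryption without the attacker's private key fails:", err != nil)
}
```

The known-plaintext step is exactly why decryptors for XOR families could be published within days: every office document, image or archive starts with a predictable header, so a victim's own files give away the key. The hybrid half has no such shortcut; recovering the data requires either the attacker's private key or a key-management mistake of the CryptoDefense kind, which is the distinction Section 8 relies on.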
Petya (popular in 2016) was a departure from the standard encryption configuration. Petya chose to attack the low-level memory configuration of the computer by overwriting the master boot record with a malicious executable and then encrypting the master file table. Petya did not use any sophisticated privilege escalation techniques, and therefore Windows would prompt the user to grant administrator rights. Jigsaw used AES encryption similar to other ransomware. While previous ransomware attacks made false threats to delete files, Jigsaw was the first ransomware that deleted files during the attack to encourage payment and would delete 1000 files each time Jigsaw is restarted. ZCryptor (May 2016) is the first of its kind; a self-propagating ransomware that copies itself to other network devices. While ZCryptor initial distributed was via a spamming campaign, ZCryptor stealth propagation behaviour increases the infection penetration beyond that of the original attack campaign. Cerber (February 2016) uses AES encryption similar to other ransomware attacks. Cerber is geographically aware and does not carry out attacks in former Soviet Union countries and deletes itself without encrypting any files. Also, Cerber is traded as a service on an underground Russian forum (RaaS). Criminals have seised on the opportunity to maximise a ‘return on investment’, i.e. monetise their nefarious activities. Not surprisingly, many criminals have jumped on the bandwagon by adopting and evolving previous ransomware incarnations. Early ransomware was rudimentary, and their threats were greatly exaggerated as the data and device could often be easily recovered. Over the years, there have seen considerable advancements in ransomware with families such as Cerber, TeslaCrypt, CTB-Locker and CryptoWall proliferating the Internet. There have been numerous decryption tools deployed to undo the effects of ransomware, thanks to poor coding implementation, IET Netw. 
© The Institution of Engineering and Technology 2018 20474962, 2018, 5, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/iet-net.2017.0207 by Morocco Hinari NPL, Wiley Online Library on [25/03/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License Fig. 2 Evolution time line 5 Payment methods Ransomware is a profit-driven business that rewards online criminal activities. The criminals seek to generate income, and therefore a payment method (monetisation) is essential. As already mentioned, Joseph Popp's first ransom demand was via a PO Box, which is not anonymous as the police can monitor the physical location and act when collections occur. Over the years, criminals have adopted many payment techniques such as: • Short message service to premium rate numbers, which is a favourite of mobile phone lockers. • Gift vouchers: These gift vouchers are then resold on auction sites such as eBay, and the unfortunate buyer must deal with the consequences. • Payment services: YandexMoney (Russian website similar to PayPal) was among the first online payment service, where the victim deposited their payment into a Yandex account specified in the ransom note. Other popular services included payment to a Liberty Reserve account (Costa Rica) and the now failed EGold account (Canada). The criminals switched to more widely accessible methods such as Western Union and PayPal for payment. From a criminal's perspective, these services are not ideal as they are tied to bank accounts, and can be traced and possibly used to identify the perpetrators. • Prepaid services once were the predominant ransom payment method and used online payment systems such as Ukash, Paysafecard and Moneypak. These online payment methods are not directly tied to a bank account, and therefore limit the possibility to trace the ransom payment. 
The criminals have taken advantage of these systems in much the same way as gift vouchers by reselling the prepaid voucher online. • Digital currency (cryptocurrency) allows users to exchange credits for goods and services. Bitcoin has been adopted by the criminal to fuel their criminal ecosystem regarding ‘ransom payment’ and ‘paying fellow criminals for services’. Bitcoin has soared in popularity with an estimated 12 million bitcoins in circulation, despite not being affiliated with a bank and being perceived as a dubious currency by some. Bitcoin is a P2P payment system that operates without affiliations to financial institutions (banks) or centralised payment systems (such as PayPal). Therefore, to prevent duplicated transactions, all Bitcoin transactions (Blockchain) are held in a public ledger that links the sender and receiver addresses. However, Bitcoin does provide some anonymity as the sending and receiving addresses are generated by hashing the output of publickey encryption algorithms, which are linked to pseudonyms rather than a traditional account [7]. Bitcoin's reputation for anonymity (pseudonymous) is enticing for criminals and has become a key component of the ransomware ecosystem with many ransomware campaigns now demanding payment via Bitcoin. Bitcoin facilitates the immediate transfer of illicit funds, whereas other types of online crimes (such as data stealing), do not offer the advantage of direct fund transfer, as the stolen data needs to be monetised by selling the data on or using the information to launch another attack before the criminal can retrieve funds. 6 Market model Figures will research on the evolution of ransomware strongly supports the notion that ransomware has become a valuable business for criminals with an ecosystem that can extract substantial money from victims. A key advantage for the criminals IET Netw. 
© The Institution of Engineering and Technology 2018 is that once the victim is ensnared, they can demand payment within a few days, whereas other forms of online crime require the resale of stolen data or use the information to launch another attack. This constantly evolving criminal ecosystem consists of: • The creators of the ransomware who may not wish to get involved directly with the attack campaign and rather choose to sell their products as toolkits. These toolkits allow criminals with limited programming skills to build bespoke ransomware attack campaigns. • Distribution of ransomware takes the forms of Exploit Kits, Spam Emailing campaigns, malicious or compromised servers; all of which contain some aspects of social engineering to improve the infiltration rate. • RaaS has a very clear monetisation model through cryptocurrencies. In 2016, Kaspersky reported that 1.4 million users were attacked. While broad scope attack campaigns are still widespread, criminals have adopted new strategies that target organisations with a high reliance on data. Ransomware is a lucrative business, particularly when a wellchosen price point is coupled with robust encryption. Ransomware is no longer a one-man business; the attacker faces operating costs to support their attack campaigns. Ransomware is traded as a service on an underground Russian forum (RaaS). Both criminals enter into an agreement ‘ransomware developers’ and ‘attackers’. The developers supply the ransomware and the attackers execute the attack campaign. On each successful ransom payment, the developers may receive up to 70% of the ransom. Also, moneylaundering services are available (Mixers or Tumblers) that mix illegal payments with legitimate funds through the same Bitcoin wallet to hide the transaction. Hernandez-Castro et al. [8] estimate the fee for this service is typically 2.5% of the payment. 
7 Market value In December 2013, ZDNet analysed four Bitcoin addresses relating to CryptoLocker ransom payments. ZDNet findings showed transactions of 41,928 Bitcoins over the period, 15 October to 18 December, which equates to $27 million [9]. In the USA, the Federal Bureau of Investigation (FBI) estimated the market worth of ransomware to be $200 m per annum [10], while in the UK an estimated £24 million in ransom was paid [11]. From April 2014 to June 2015, the FBI's Internet Crime Complaint Centre [9] recorded significant increases in ransomware infections, with CryptoWall being the most reported (1000 reported attacks). Over this period, the total losses (ransom and damages) amounting to $18 m. A report published by the Cyber Threat Alliance in 2015, claimed that CryptoWall was a global epidemic and was potentially netting criminals a yearly income of $325 m. Symantec quote an average ransom demand of $679 in 2016. However, with Bitcoin being the most widely used, results vary considerably due to fluctuation in the Bitcoin exchange rate. Individual strains and families demand different rates, for example, Bucbi demanded five Bitcoins ($6285) as of March 2017. CryptoWall has chosen to tailor their ransom demand based on a victim's country of origin and hence their ability to pay [10]. The amount of ransom demand varied between ransomware families with top six ransomware families demanding between 150 and $250. Popcorn Time malware offered to unlock files for one bitcoin ($772.67). Popcorn Time offered the victim a second option, to become part of the attack campaign by passing the infectious link to others, ‘If two or more people install this file and pay, we will decrypt your files for free’ [12]. A report by Symantec estimated that 2.9% of victims paid the ransom [13]. In another report in 2013, Dell SecureWorks estimated that 0.4% of victims had paid the ransom [14]. 
Following the takedown of the CryptoLocker distribution infrastructure, it was concluded that 1.3% of victims had paid the ransom. Nevertheless, the criminals extorted an estimated $3 m [15].

20474962, 2018, 5, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/iet-net.2017.0207 by Morocco Hinari NPL, Wiley Online Library on [25/03/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License

weak randomisation and various other mistakes by the creators. However, recent ransomware has evolved into a robust encryption application that is resistant to analysis. With more than 60 ransomware families in existence, the last 12 months have seen an ever-increasing number of sophisticated attack campaigns. Ransomware is now a robust encryption application with a hidden C&C, coupled with increasingly sophisticated social engineering.

8 Data recovery

2017 saw ransomware continuing to wreak havoc on businesses and individuals alike. With this onslaught of extortion, users need to take action to prevent or mitigate the loss of private and commercially sensitive data. These criminals have shown a great deal of persistence, and users need to look beyond prevention to identify a strategy to recover their data after an attack.

Paying the ransom: The general advice is ‘Don't pay the ransom’. However, when all else fails, some victims see a ransom of 200 or £300 as the most straightforward option to retrieve their irreplaceable data. Owing to the covert nature of ransomware, it is hard to verify the number of victims that pay the ransom, but a Twitter account set up to track the WannaCry Bitcoin wallets showed that many victims paid the ransom [16]. That said, when dealing with criminals, the victim has no guarantee of recovering all their data.
Ransomware targets a wide range of users, many with a low technical skill level, and therefore the ransomware creators have gone to great lengths to ensure that even the novice can pay the ransom via Bitcoin [17, 18].

Decrypting tools and services: When a robust encryption algorithm is implemented in ransomware, data retrieval is intractable unless the victim has a backup system. That said, these ransomware creators are not infallible, and poor decryption-key management has led to investigations that recovered these keys, which were then used to develop decrypting tools to reverse the ransomware. Users should not rely on weaknesses in the criminals' approach to key management, but need to establish a backup system that has been verified. A notable success in this battle against the criminals was the ‘Shade Ransomware Decryption Tool’ developed by McAfee and Kaspersky [19], working collaboratively with other security vendors and law enforcement, who were able to extract the decryption keys for the Shade ransomware [20]. Companies offering ‘expert services’ [21] offer data decryption solutions (often based on publicly available keys), but again their ability to decrypt data is limited to encryption keys that have been obtained and made available. AVG [22] provides free decryption tools for a limited set of ransomware variants, but the ransomware creators are fighting back by improving their key-management approach. These recovery methods are limited to a few ransomware attacks, and victims should not rely on them as a robust method of recovery.

Backup strategy: A backup system is the best approach against ransomware attacks. As with any malware infection, user awareness and training have their limits, and systems do eventually get compromised. Without a backup system in place, the victim is reliant on the criminals returning the data (after ransom payment) or on a bespoke/specialist tool to decrypt the data.
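The verification the text asks for, as an added example in Python (not the paper's or any vendor's code): a SHA-256 manifest taken while the data was known-good is checked against the backup copy, and a Shannon-entropy test separates a legitimately edited file from one that an automatic, continuous backup has silently replaced with ciphertext. The file names, contents and the 7.5 bits/byte threshold are assumptions constructed for the demo.

```python
"""Added example (not the paper's code): verify a backup set against a manifest taken
while the data was known-good and flag files that now look encrypted. Constructed demo."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or compressed data sits near 8.0

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input); text ~4-5, ciphertext ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root (known-good state)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(manifest: dict, backup_root: Path,
                  threshold: float = ENTROPY_THRESHOLD) -> dict:
    """ok: hash matches; missing: gone; modified: changed but low entropy (a legitimate
    edit); suspicious: changed AND high entropy, i.e. a restore would return ciphertext."""
    result = {"ok": [], "missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) == expected:
            result["ok"].append(rel)
        elif shannon_entropy(p.read_bytes()) >= threshold:
            result["suspicious"].append(rel)  # sync copied ciphertext over the good file
        else:
            result["modified"].append(rel)
    return result

def demo() -> dict:
    """Constructed scenario: report.docx overwritten by an encrypted copy after the manifest
    was taken, notes.txt deleted, readme.md given a legitimate edit."""
    with tempfile.TemporaryDirectory() as tmp:
        good, backup = Path(tmp) / "good", Path(tmp) / "backup"
        files = {"report.docx": b"Quarterly figures: revenue up 4%, costs flat.\n" * 40,
                 "notes.txt": b"Meeting notes, nothing unusual.\n" * 20,
                 "readme.md": b"# Project\nBuild with make.\n" * 10}
        for d in (good, backup):
            d.mkdir()
            for name, body in files.items():
                (d / name).write_bytes(body)
        manifest = build_manifest(good)
        (backup / "report.docx").write_bytes(os.urandom(4096))  # stand-in for ciphertext
        (backup / "notes.txt").unlink()
        (backup / "readme.md").write_bytes(files["readme.md"] + b"minor edit\n")
        return verify_backup(manifest, backup)
```

A backup that reports any 'suspicious' entry has already captured the attack; only a copy taken before the infection, or one kept offline so the sync cannot overwrite it, is worth restoring from.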
A comprehensive data backup plan, especially one that includes automatic and continuous backups of data across servers, laptops and cloud applications, will enable victims to easily recover their data after the initial ransomware infection is removed, and thereby neutralise the impact of ransomware.

9 Summary

In recent years, ransomware has evolved into one of the biggest cyber-security threats. From the criminal's perspective, the Internet is an enormous gift, not only for ransomware but for malware in general. The Internet has created a criminal ecosystem that supports the development, deployment and financial mechanisms needed by malware. The popularity of electronic currencies such as Bitcoin has grown significantly, and the existence of these anonymised payment mechanisms plays into the hands of cyber criminals and provides a more direct method of monetising their nefarious activities. Bitcoin is only the latest in a long line of technologies that have boosted the criminal underground. Ransomware has widely adopted the use of Bitcoin for ransom payments. As the criminals have strived to bulletproof their anonymity, they have used money-laundering services that have popped up as part of the criminal ecosystem. These money-laundering services are also known as ‘mixing services’, where the ransom payment is passed through multiple Bitcoin wallets to further cover the criminals' tracks. Owing to ransomware's covert nature, the profitability of these criminal endeavours is unclear, but what is certain is that ransomware is booming. This Crypto-warfare now accounts for £ billions in losses and damages and is growing in both penetration and sophistication. This is coupled with the shocking truth that most Internet users are not aware that threats such as ransomware even exist, and so they do little to protect themselves.
Originally, cyber criminals profited by stealing data and selling it on underground markets, but the price for stolen data has fallen significantly. The criminals have sought out new revenue sources in the form of ransomware, which is allegedly returning higher income. They have expanded this source of revenue by developing RaaS, which has lowered the technology entry level into the ransomware criminal world. RaaS has enabled criminals with little programming skill (script kiddies) to participate and earn money from ransomware. As the criminal underworld strives to widen its grip on automated extortion, we expect to see advancements such as:

(i) Increased stability and flexible configuration of attack vectors, as many of the attackers will be novices (script kiddies) and will not have the skills to tweak and configure the ransomware.
(ii) Improved refinement/tailoring of the ransom demand to maximise revenue, as the ransomware will target a broad range of victims from individuals to large companies with valuable data.
(iii) Sophisticated tailoring of second-wave attacks, including trading of ransomware ‘suckers lists’ of vulnerable and gullible Internet users.
(iv) Sophisticated evasion and anti-analysis techniques are already in use, but new mechanisms will appear that ensure novice criminals do not mistakenly render the ransomware open to analysis by anti-virus vendors.
(v) As part of RaaS, Exploit Kits are extensively used. However, they will become more sophisticated, adapting data-mining techniques to improve the social-engineering aspect and circumvent malware detection.

At the time of writing this paper, WannaCry crashed onto the ‘World Stage’ with a fanfare of devastation. The WannaCry payload was nothing new, using RSA public–private-key encryption as so many before it. WannaCry used the Windows API encryption routines to generate the encryption keys and conceal the private key.
It is still early days, with many researchers analysing WannaCry for weaknesses, but it appears there is little opportunity to recover the private key needed to decrypt the encrypted files. WannaCry uses two sets of keys, one for a small selection of files (the ‘demo decrypt’ files) and a second for the main ransomed files, thereby ensuring that releasing the ‘demo decrypt’ key will not enable the victim to decrypt the main encrypted files. However, the most effective aspect of the WannaCry campaign is probably the Exploit Kit that targeted the Windows vulnerability. It is widely believed that this exploit was derived from a toolset leaked from the National Security Agency, named EternalBlue. EternalBlue targeted a known vulnerability that had already been patched. Unfortunately, many users failed to apply this patch and were left at the mercy of WannaCry. As seen with EternalBlue, Exploit Kits play a key role in ransomware deployment and, along with RaaS, are central to the Crypto-war as the criminals develop their underground ecosystem. Electronic currencies (Bitcoin wallets) will remain the key to managing the division of funds between creators, distributors and the criminals that engage in the final stages of the ransomware attacks. As Web browsers and anti-virus companies sink-hole malicious URLs, criminals will phase out ‘carpet bombing’ approaches and opt for more targeted malware deployment. Just as the explosion of ransomware occurred with the first Internet revolution, we may see a second tidal wave of ransomware with the Cloud. As the Cloud emerges, the myriad of communication protocols may advance the spread of ransomware. We have already seen the early stages of cloud penetration, with ransomware targeting cloud-based technologies such as Dropbox, Office 365 and Google Apps. Also, the Cloud's dynamic nature of resource management would support an increasingly flexible malware C&C infrastructure that would be difficult to monitor and in which kill switches (such as a sink hole) would be hard to implement.

Owing to ransomware's covert nature, it is difficult to determine how lucrative ransomware is, but the criminals have shown no sign of slowing their attacks. Presently, ransomware uses unintelligent pricing models with fixed pricing per infection. In an attempt to encourage victims to pay, one possible approach by the criminals will be to introduce intelligent pricing (ransom demands) that applies pricing models based on the victim's willingness or ability to pay. A 1 BTC ransom may be substantial for an individual that has lost little data. On the other hand, for a company that has lost valuable data and has high IT costs, 1 BTC is insignificant.

10 References

[1] Fitzpatrick, D., Griffin, D.: ‘Cyber-extortion losses skyrocket, says FBI’, CNNMoney, 15 April 2016. Available at http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/, accessed 15 April 2017
[2] Tuttle, H.: ‘Ransomware attacks pose growing threat’, Risk Manage., New York, 2016, 63, (4), p. 4. Available at http://search.proquest.com/docview/1792354247?pq-origsite=gscholar/, accessed 17 May 2017
[3] McAfee Labs: ‘Understanding ransomware and strategies to defeat it’ (white paper), 2017. Available at https://www.mcafee.com/us/resources/white-papers/wp-understanding-ransomware-strategies-defeat.pdf, accessed 17 May 2017
[4] Richardson, R., North, M.: ‘Ransomware: evolution, mitigation and prevention’, Int. Manage. Rev., 2017, 13, (1), p. 10
[5] Sato, Y., Nakamura, Y., Inamura, H., et al.: ‘A proposal of malicious URLs detection based on features generated by exploit kits’, 2016
[6] Milena, D.: ‘Open-source ransomware based on hidden tear and EDA2 on the loose’, 25 August 2016. Available at https://sensorstechforum.com/open-source-ransomware-based-hidden-tear-eda2-loose/, accessed 17 May 2017
[7] Reid, F., Harrigan, M.: ‘An analysis of anonymity in the Bitcoin system’, in Altshuler, Y., Elovici, Y., Cremers, A., et al. (Eds.): ‘Security and privacy in social networks’ (Springer, New York, NY, 2013), pp. 197–223
[8] Hernandez-Castro, J., Cartwright, E., Stepanova, A.: ‘Economic analysis of ransomware’, 21 March 2017. Available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2937641, accessed 21 June 2017
[9] FBI: ‘Criminals continue to defraud and extort funds from victims using CryptoWall ransomware schemes’, Alert Number I-062315PSA, 23 June 2015. Available at https://www.ic3.gov/media/2015/150623.aspx, accessed 21 June 2017
[10] Imperva: ‘The secret behind CryptoWall's success’, 2016. Available at www.imperva.com/docs/IMPERVA_HII_CryptoWall_report.pdf, accessed 21 June 2017
[11] Turkel, D.: ‘Victims paid more than $24 million to ransomware criminals in 2015 — and that's just the beginning’, Business Insider, 7 April 2016. Available at http://uk.businessinsider.com/doj-and-dhs-ransomware-attacks-government-2016-4, accessed 21 June 2017
[12] Hern, A.: ‘New nasty ransomware encourages victims to attack other computers’, The Guardian, 12 December 2016. Available at https://www.theguardian.com/technology/2016/dec/12/new-ransomware-victims-popcorn-time-malware, accessed 15 March 2017
[13] McDonald, G., O'Gorman, G.: ‘Ransomware: a growing menace’, Symantec, 2016. Available at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf, accessed 17 May 2017
[14] Jarvis, K.: ‘Cryptolocker ransomware’, SecureWorks, 18 December 2013. Available at https://www.secureworks.com/research/cryptolocker-ransomware, accessed 21 June 2017
[15] Ward, M.: ‘Cryptolocker victims to get files back for free’, BBC News, 6 August 2014. Available at http://www.bbc.co.uk/news/technology-28661463, accessed 21 June 2017
[16] ‘Actual ransom’, @collinskeith, May 2017. Available at https://twitter.com/actual_ransom?lang=en, accessed 2 February 2018
[17] ‘Bitcoin’. Available at https://bitcoin.org/en/choose-your-wallet, accessed February 2018
[18] Coinify: ‘How to pay with bitcoin guide’, 30 November 2016. Available at https://support.coinify.com/Knowledgebase/Article/View/165/5/how-to-pay-with-bitcoin-guide, accessed 2 February 2018
[19] McAfee: ‘Shade ransomware decryption tool’. Available at https://www.mcafee.com/hk/downloads/free-tools/shadedecrypt.aspx, accessed 2 February 2018
[20] ‘NO MORE RANSOM!’. Available at https://www.nomoreransom.org/en/index.html, accessed 2 February 2018
[21] RedMosquito. Available at http://www.rm-ransomwarerecovery.com/?gclid=CjwKCAiAtdDTBRArEiwAPT4y-1v-5y_TzrPU0XRP788GO4IaxdcK2-AdSEemOeS98e_8HHV5U8E69BoCv2cQAvD_BwE, accessed 2 February 2018
[22] AVG: ‘Free ransomware decryption tools’. Available at https://www.avg.com/en-gb/ransomware-decryption-tools, accessed 2 February 2018