
IET Networks - 2018 - O Kane - Evolution of ransomware

IET Networks
Review Article
Evolution of ransomware
ISSN 2047-4954
Received on 20th September 2017
Revised 3rd February 2018
Accepted on 3rd May 2018
doi: 10.1049/iet-net.2017.0207
www.ietdl.org
Philip O'Kane1, Sakir Sezer1, Domhnall Carlin1
1 Centre for Secure Information Technologies, Queen's University Belfast, Queen's Road, Queen's Island, Belfast BT3 9DT, UK
E-mail: p.okane@qub.ac.uk
Abstract: Cybercrime has long since transformed from a world of maverick attackers to a criminal business. Ransomware is
malware that renders a victim's computer or data unusable and is increasingly being used by criminals to generate revenue
through extortion. This study contributes to the authors' knowledge by exploring the transition from the early-day scams to
the extortion implemented by current ransomware. They examine the pathway from the first clumsy ransomware attempts to the
present-day sophisticated ransomware attack campaigns. This crypto-warfare now accounts for estimated damages of $1
billion. Considering the fact that many Internet users appear to be unaware of ransomware and do little to protect themselves,
they argue that this low-impact extortion, using highly automated methods, has proven very rewarding for the criminals. As
criminals have been early adopters (or abusers) of Internet technology, they expect that ransomware will continue to evolve
beyond the capability of present-day defence solutions.
1 Introduction
In the relatively short history of the Internet, a relationship has
developed between crime and technology [1]. The benefits of
technology development are all too apparent to both legitimate and
illegitimate (criminal) users. While technology has evolved, many
of the underlying crime schemes remain familiar. Traditional
crimes such as blackmail, extortion and theft are not new, but with
a highly automated environment (Internet), criminals can automate
their attacks. They are no longer limited to single large targets with
deep pockets such as banks or corporations, but now target millions
of online users. This paradigm brought about by the automation of
the attack process has made Internet crime ubiquitous.
Ransomware is designed to disable the victim's computer or access
to their data. The criminals then blackmail the victim for the
recovery of the equipment or data. Ransomware displays a
message setting out the terms of the ransom (the ransom note), and in the
early days, the criminals attempted to scare the victim by claiming
to be law enforcement. Some ransomware went to the
extent of displaying illicit child abuse images and
highlighting the devastation to the victim's life if prosecuted in open
court. These scare techniques, designed to encourage the victims to
pay, on occasion drove individuals to take their own lives.
Joseph Popp, the originator of ransomware, created the
first ransomware program in 1989, called ‘AIDS’ (PC Cyborg), which
was deployed as a Trojan. The AIDS Trojan was spread using
floppy discs (state of the art in 1989). Once installed from the floppy disc,
the AIDS program encrypted the files on the C: drive and then
demanded a payment of $189 to a PO Box in Panama. The AIDS
ransomware ultimately failed due to:
(i) The low number of reachable victims.
(ii) The infection method (5¼″ floppy disc).
(iii) The encryption functionality, which was weak and easily reversed.
(iv) The payment method.
(v) The value of the asset (data).
Recent years have seen an explosion in ransomware which now
spans the globe, indiscriminately infecting victims, where it
quickly encrypts data, leaving organisations and individuals locked
out of their computers. The growth of ransomware has seen a 600%
increase in the number of ransomware families [2] such as Cerber,
Locky and CryptoWall. Evolution of the Internet and cloud
computing has provided a fertile breeding ground for ransomware,
in that:
(i) The Internet is a highly connected network, serving millions of
users and thereby creating a target-rich environment.
(ii) Infection: The Internet is, in essence, a collection of
communication protocols that support the propagation and
delivery of software, which includes ransomware.
(iii) Encryption: Once the preserve of the intellectual few, many
tools and encryption libraries now exist that lower the skill level
required to carry out an encryption attack.
(iv) Payment: The launch of electronic currencies (such as Bitcoin)
has enabled criminals to monetise their activities through a
pseudo-anonymous payment method. With more than 30 ransomware
families using Bitcoin, victims can easily pay the ransom
pseudo-anonymously via a digital currency.
(v) Asset: We now store important business and personal details
electronically.
IET Netw.
© The Institution of Engineering and Technology 2018
2 Attack landscape
A complex infrastructure has grown to support ransomware, as
portrayed in Fig. 1. The sequence numbers annotated in Fig. 1 are
not an exact narrative for all forms of ransomware. However, the
progression is typical of many ransomware families and attack
campaigns:
(i) The attack includes social engineering tactics to increase
engagement with the victims. In our laboratories, we have seen
evidence of enhanced reconnaissance used to tailor phishing emails
to lure the victim into engaging with the attack.
(ii) Emails are often the initial attack vector and are a major
weakness as many users lack the necessary knowledge to identify
social engineering.
(iii) After the user succumbs to the initial phase of the attack, they
are either directed to a booby-trapped website (landing page) or an
attachment downloads the ransomware automatically.
(iv) The booby-trapped landing page contains malicious software
known as an ‘Exploit Kit’ that scans the victim's computer looking
for vulnerabilities and attempts to install (infect) the victim's
computer with ransomware.
(v) At this point, the payload (ransomware) is delivered to the
victim over the same web protocols that carry legitimate content, so
the download itself looks like routine traffic.
(vi) After the infection, the ransomware calls out to its command
and control (C&C) server to establish a link and retrieve the
encryption keys necessary to perform the data encryption.
(vii) Over the years, the ransomware creators have attempted
different encryption methods, but have mostly settled on a hybrid
scheme: a symmetric cipher (typically AES) encrypts the data on the
victim's computer, attached devices and local network shares, and
the symmetric key is in turn encrypted with the attacker's RSA
public key, so that only the holder of the RSA private key can
release it.
(viii) At this point, the user is truly a victim and is rudely
awakened to the fact that their data is encrypted by a threatening
pop-up demanding a ransom to regain access to their data. Many
ransomware families also apply additional pressure on the victim
to encourage payment, such as accusing the victim of a crime or setting a
time limit by which the victim can recover their data.
(ix) Bitcoin is the dominant method of ransom payments and is
usually ‘laundered’ to improve the anonymity of the attacker.
(x) Ransomware is no longer a one-man business; it has grown into
an underground business that requires the use of many different
crime skills that have to be purchased.
3 Infection methods
Today, the Internet serves 3.7 billion users worldwide. In Europe,
73.9% of the population use networked computers, and in North
America, 89% of the population use the Internet, creating a target-rich environment for those criminals seeking to take advantage of
unsuspecting users [3]. However, in 1989, with the Internet in its
infancy and few interconnected computers, the only viable
infection method available was a floppy disc, which Joseph Popp
handed out or posted to his victims. He dispatched 20,000 discs to
90 countries in December of 1989 masquerading as AIDS
education software. Shipping 20,000 discs must have been a
logistical nightmare involving copying, packaging and posting. In
today's interconnected world, a physical medium is no longer
required to deliver malware. In the main, criminals opt to deliver
their malware using the Internet communication protocols, which
provide an efficient and cost-effective method of malware delivery.
As researchers strive to improve the security of software, attack
campaigns are increasingly using social engineering to snare a
victim and are frequently tailored to users, organisations or related
topics. That said, they often follow one of the following forms:
Emails: The victim receives an email with either an embedded
uniform resource locator (URL) or an attachment that contains a
downloader. When the malicious link or attachment is opened, the
downloader connects to a malicious website that hosts the
ransomware and retrieves it. According to a recent survey by McAfee
Labs, 23% of recipients open phishing emails and 11% click on
the email attachment [3].
In 2016, anti-phishing vendors reported large increases in
phishing emails (6.3 million), coupled with a switch in attack
strategy, from previously targeting victim's bank and credit card
details to ransomware deployment [4]. At its peak, ransomware
accounted for 51% (March 2016) of phishing emails.
Waterhole attacks: The criminals hack popular websites and
implant their malicious code (often JavaScript redirection code).
When the user clicks on the desirable object, they are redirected to
malicious or hacked servers and are prompted to install new
software or an update (malware). Familiar lures are a fake Adobe
Flash Player update, an offer of free anti-virus software or fake
competition giveaways. The choice of website or desirable object
can be used to tailor the attack to specific individuals or
organisations (spear phishing without the email).
Trojans are malicious software programs that disguise
themselves as useful tools, applications or games. Many users seek
them out assuming they are harmless applications (apps). These
apps contain two payloads: first some functionality to distract the
user (the app works) and second a payload such as a Dropper,
which opens a connection to a malicious website and downloads
more malware.
Vulnerabilities are security holes in the applications on a user's
computer that access the Internet (the browser and its plug-ins, for
example), which are exploited by the criminal to download
ransomware. This type of attack performs a stealthy (drive-by)
download and does not require the user to click or confirm the
download action. The websites involved use obfuscated script/code,
which redirects users to another server that hosts Exploit Kit
software such as Nuclear, Angler etc. Nuclear can identify and
exploit vulnerabilities in the user's browser, and if a vulnerability is
discovered, ransomware is installed on the victim's computer.
WordPress sites (along with others) have been compromised and
identified as a principal source of Nuclear and similar Exploit Kits
[5].
Social engineering is a key part of the criminal's attack strategy
and is typically combined with technology (malware/Exploit Kits)
to form a blended attack. Social engineering is nothing new; it is a
psychological technique (confidence trick) used to manipulate
victims into performing unsafe actions by exploiting human
emotions such as fear, urgency, curiosity, sympathy etc. Blended
attacks are on the increase, with criminals using increasingly
aggressive social engineering tactics to persuade the victim to pay.
During the initial infection, social engineering is used to lure
users to compromised websites or into opening untrusted email
attachments. Often criminals use ‘your invoice’, ‘package delivery
details’ or topical events (news) to lure victims into visiting
malicious websites or downloading dubious applications. In the
final stage, they use scare tactics and deadlines to pressurise users
into paying the ransom. Some ransomware authors have gone
beyond simply encrypting the victim's files to force payment. They
have employed scare tactics by impersonating law enforcement and
claiming that the user (victim) is guilty of a crime, while others
have gone further and downloaded and displayed child abuse
images on the victim's computer, highlighting the devastation to
the victim's life if prosecuted in open court. Phishing email
(spamming) is a widespread distribution method, with spear
phishing used to target wealthy individuals and large organisations.
Coupled with social engineering, spamming is a highly effective
approach, despite the deployment of spam filters. Phishing (email
and waterhole) campaigns can be tuned to specific regions and
timed to calendar events. These tricks are used to increase the
likelihood of a user clicking on the malicious link. Examples
are an email about a package delivery at Christmas
or a request for relief after a major crisis such as an earthquake.
Exploit Kits are malicious software applications that scan for and
identify software vulnerabilities on client machines, with the
intention of exploiting those vulnerabilities to upload malware onto the
victim's computer. These Exploit Kits are a key part of the attack
infrastructure and provide an effective means of delivering a
myriad of threats including ransomware. They require less user
action than email lures, as they take advantage of unpatched vulnerabilities
in common operating systems and software. At any given time,
systems will have vulnerabilities, especially if they use legacy
systems or software. Add to the mix the inherent latency in the
patch process (identify the vulnerability, develop a fix, test the
fix and deploy the patch) and the result is a critical race against the
criminals' Exploit Kits. On average, enterprises need 30 days to
test and deploy a patch. These Exploit Kits are becoming
increasingly sophisticated, gathering victim statistics and data on
the effectiveness of attack methods. They also provide a graphical
user interface that assists criminals with little programming skill
(script kiddies) to configure an attack with little or no
understanding of the vulnerability or exploit. Some Exploit Kits
come with product support and updates, similar to commercial
software.
Exploit Kits are commonplace and are an integral part of the
ransomware as a service (RaaS) paradigm. For the would-be
attacker to establish an attack infrastructure, they simply rent an
Exploit Kit through an underground criminal community. An
Exploit Kit takes the form of a managed control panel, where the
attacker can upload their payload (ransomware), manage the
attack and track the infection rates. While there are numerous
Exploit Kits (Nuclear, Neutrino and Magnitude), the most popular
kit is Angler [5], which first appeared in 2013 and is now a
valuable tool in the criminal's arsenal. Its success is due in part to
its ability to evade detection by recognising analysis
environments and by using customised communication protocols. Angler
comes with the added benefit of an integrated TOR payment
method. Angler sits like a flytrap on servers (websites) waiting
for victims. When a user accesses the website, Angler scans the
user's computer for vulnerabilities and attempts to upload (infect)
ransomware to the user's computer. Often a phishing campaign is
used to drive the victim to the booby-trapped website (landing
page).
Fig. 1 Attack landscape
4 Ransomware names
Encryption is used to ensure the privacy of data during
transmission and storage. Unfortunately, the criminals have
adopted encryption for blackmail by encrypting the victim's data
and only releasing their data after the victim has paid a ransom.
The first demonstration of ransomware by Joseph Popp in 1989
used symmetric-key encryption to hijack victims' hard drives and
demand payment. Symmetric-key encryption is a single-key system
that uses the same key for both encryption and decryption, which
has an inherent weakness when used for extortion: the
encryption/decryption key must be deployed with the ransomware.
Therefore, Popp's ransomware (AIDS) could be analysed to
determine the decryption key and produce a countermeasure to the
encryption used by the AIDS ransomware.
Fig. 2 shows the evolution of ransomware. The following
description is not a comprehensive chronological narrative, but
rather seeks to highlight key aspects of ransomware evolution. In
2005, criminals launched a ransomware attack (Gpcoder) that used
symmetric encryption, which again was quickly mitigated by
analysing the Gpcoder ransomware and producing a countermeasure.
Then in 2006, criminals adopted a more robust encryption method
called asymmetric encryption. Asymmetric encryption employs
two keys (a public key and a private key) that are
mathematically linked. The public key is used to encrypt the data
and cannot be used to decrypt it, and therefore the public key
can be transmitted or shared without leaking any knowledge about
the private key. The private key is used solely for data decryption
and is kept by the attacker until the ransom is paid. Archiveus was
the first ransomware to use asymmetric encryption, which in
principle makes it impossible to determine the decryption key from
the ransomware alone (in practice, Archiveus's implementation was
flawed and analysts recovered its decryption password from the
binary, an early reminder that the scheme is only as strong as its
implementation). Archiveus encrypted the victim's ‘My Documents’
directory and demanded that the victim purchase an item from
specific websites to obtain the decryption key.
In 2013, scareware arrived in the form of Reveton, which
locked and prevented access to the infected device (known as a
Locker). After locking the computer, the ransomware falsely
alleged that the computer (and user) had engaged in unlawful
activities and that a fine had to be paid to unlock the computer. Reveton
demanded payment via an anonymous prepaid voucher service. To
encourage payment, Reveton displayed police enforcement
warnings and, in some strains, displayed webcam footage to reinforce
the illusion that the victim is the criminal. Reveton was followed
by a spate of copycat ransomware (Urausy and Tohfy) claiming to
be police enforcement and that a fine had to be paid to prevent
further legal action.
CryptoLocker (encryption based) arrived in 2013 and spread
using multiple infection methods such as email attachments and
compromised websites, and in 2014 used the GameOver Zeus
botnet infrastructure for distribution. CryptoLocker encrypted files
with Advanced Encryption Standard (AES)-256 and protected the
per-victim file-encryption key with a 2048-bit RSA public key
obtained from its C&C servers, so the RSA private key never left
the attackers' infrastructure; its payment site was also reachable
over the TOR network.
2014 heralded a new revolution in ransomware with the
adoption of ransom payment in Bitcoin through TOR-hosted payment
sites, to ensure improved anonymity. In February, CryptoDefense
used Windows' built-in encryption libraries (CryptoAPI) to perform
RSA-2048 file encryption. However, using this method has a weakness:
the Windows API generates the key pair on the victim's machine, and
although the private key was transmitted back to the attacker's C&C
server, CryptoAPI also left a copy of it in the victim's local key
store, from which the files could be decrypted. CryptoDefense's
creators went on to develop an enhanced ransomware known as CryptoWall.
CTB-Locker, CryptorBit, SimplLocker and CryptoWall have
numerous similarities, but they are not believed to be related.
However, CTB-Locker incorporated a direct C&C connection to a TOR server
rather than the proxy-based and botnet infrastructures. In 2016,
CTB-Locker changed tactic and started targeting websites.
TeslaCrypt appeared in 2015 and encrypted files with AES-256
and used RSA-4096 to encrypt the AES-256 key. TeslaCrypt used a
TOR-based C&C proxy server. In 2016, TeslaCrypt's creators
unexpectedly wound down the TeslaCrypt infrastructure and made
their master decryption key public, putting an end to TeslaCrypt
ransomware.
Chimaera broke from the standard TOR-based C&C and
implemented its own peer-to-peer (P2P) C&C messaging system
(Bitmessage), based on public-key and private-key encryption. The
messages are broadcast to all clients, and only the intended client
can decrypt the message using its private key. Chimaera comes with
a bogus threat of ‘doxing’. Doxing is a blackmail technique that
threatens to release the victim's identity along with personal data.
7ev3n ransomware performed both file encryption and
computer locking and threatened to release sensitive information if
payment was not received. 7ev3n used a proprietary method of file
encryption, referred to as R4A and R5A, named after the file
extensions appended to the encrypted files. The R4A encryption
algorithm was a simple ‘Exclusive OR’ function (XOR) with a
hardcoded key. R5A was a more advanced XOR-based encryption
that obfuscated the XOR key to impede reverse engineering.
However, both variants are breakable: a fixed XOR key can be
recovered from the ciphertext alone by XORing an encrypted file
against a known plaintext prefix (e.g. a standard file-format header),
so hiding the key in the binary does not help.
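The recovery just described, which is also why the symmetric-key schemes of AIDS and Gpcoder discussed at the start of this section could be reversed, can be shown with a known-plaintext attack. The following Python is an added example written for this page; it is not code from the paper or from any 7ev3n analysis. The 8-byte key and the sample file are constructed here for illustration, and the only assumption is that the encrypted file began with a standard PNG header (the 8-byte signature followed by the fixed IHDR chunk length and type), which an analyst knows without having the original file.

```python
from itertools import cycle
from typing import Optional

# Every PNG file begins with the 8-byte signature followed by the IHDR chunk
# header (length 13, type "IHDR"): 16 bytes of plaintext known in advance.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key (the R4A-style 'cipher'). XOR is its own
    inverse, so the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext: bytes, known_prefix: bytes,
                    max_key_len: int = 64) -> Optional[bytes]:
    """Known-plaintext attack on a repeating XOR key.

    ciphertext XOR plaintext yields the keystream over the known prefix. The
    keystream of a fixed key is periodic, and the shortest period that holds
    across the whole known prefix is the key. A period is only accepted when
    it is strictly shorter than the known prefix, so the check is never
    vacuous; None is returned when the key cannot be confirmed.
    """
    n = min(len(ciphertext), len(known_prefix))
    keystream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix[:n]))
    for klen in range(1, min(max_key_len, n - 1) + 1):
        candidate = keystream[:klen]
        if all(keystream[i] == candidate[i % klen] for i in range(n)):
            return candidate
    return None


def recover_file(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Restore the whole file once the key is confirmed; None otherwise."""
    key = recover_xor_key(ciphertext, known_prefix)
    return None if key is None else xor_bytes(ciphertext, key)


# Constructed sample: a hypothetical 8-byte hardcoded key and a small PNG-like
# file (known header plus made-up IHDR data and body bytes). Neither comes
# from a real 7ev3n sample.
SAMPLE_KEY = b"7ev3nKEY"
SAMPLE_PLAINTEXT = (PNG_KNOWN_PREFIX
                    + bytes([0, 0, 0, 16, 0, 0, 0, 16, 8, 6, 0, 0, 0])
                    + b"\x1f\x15\xc4\x89" + b"IDAT" + bytes(range(32)))
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_xor_key(SAMPLE_CIPHERTEXT, PNG_KNOWN_PREFIX))
    print("file restored:",
          recover_file(SAMPLE_CIPHERTEXT, PNG_KNOWN_PREFIX) == SAMPLE_PLAINTEXT)
```

The attack never looks at the binary, so R5A's obfuscation of the key makes no difference: the effective keystream is recovered from one encrypted file and a header the analyst already knows. Two limits are worth noting. If the key is longer than the known prefix, only its first bytes can be confirmed and more known plaintext is needed (a file type with a longer fixed header, or several files encrypted under the same key). And the contrast with the hybrid scheme used by later families is exactly the point of this section: there the per-victim AES key is random and only an RSA public key ships in the sample, so there is no fixed keystream to recover.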
CryptXXX uses RSA encryption and a proprietary P2P
communication protocol along with a TOR-based payment system.
Also, CryptXXX comes with an additional surprise in the form of
dynamic-link libraries (Stiller.dll, StillerX.dll and StillerZZZ.dll)
that steal account credentials. Early versions of CryptXXX used
weak encryption and were reversed by security experts. However,
the latest version of CryptXXX employs robust encryption that
has so far withstood attempts to break it.
Locky appeared in 2016, with speculation that it was derived
from the proof-of-concept source code ‘Hidden Tear’ and its
successor EDA2, which were made public [6]. The availability of
‘Hidden Tear’ source code led to a spate of copycat ransomware,
the most infamous being Locky. Locky's ransom note advertises
RSA-2048 and AES-128 (the ‘AES-1024’ sometimes quoted does not
exist; AES is defined only for 128-, 192- and 256-bit keys), which
has become almost the standard combination for ransomware, and
it stores the private key on remote servers. Again, Locky uses
custom encrypted C&C communication, a TOR-hosted payment site
and Bitcoin for payment.
Samas was first reported in early 2016 and has adopted what
has become the default configuration of AES file encryption, TOR
C&C and payment via Bitcoin. Samas's creators did not carry out
widespread campaigns, but instead, they targeted companies.
Samas included a real-time communication channel so the
criminals could contact their victims.
KeRanger arrived in 2016 with the usual combination of AES
encryption and payment via Bitcoin. However, KeRanger heralded a
revolution: it targeted Apple OS X, which had been considered
to have a high immunity to malware. The criminals had created a
legitimately signed Trojan using a stolen developer certificate. This
valid certificate made the Trojan appear to be an authorised update
which installed without any warning.
Petya (popular in 2016) was a departure from the standard
encryption configuration. Rather than encrypting individual files,
Petya attacked the low-level disk structures of the computer: it
overwrote the master boot record with its own malicious boot code,
forced a reboot, and then encrypted the master file table, which
leaves every file on the volume unreachable even though the file
contents themselves are untouched. Petya did not use any
sophisticated privilege escalation techniques, and therefore Windows
would prompt the user (via User Account Control) to grant
administrator rights, which the attack needs in order to write to the
boot sector.
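The first stage of a Petya-style attack leaves a responder a checkable artefact: the first sector of the disk. The following Python is an added example written for this page, not code from the paper or from any Petya analysis. It parses the classic 512-byte MBR layout (440 bytes of boot code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries and the 0x55AA boot signature) and compares the boot code against an allow-list of known-good hashes. The two sectors and the allow-list are constructed here for the demonstration; a real deployment would baseline the hash of the bootloader actually installed.

```python
import hashlib
import struct
from typing import Dict, List, Set, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict:
    """Parse the classic MBR layout into the boot-code hash, disk signature
    and the non-empty partition entries (CHS fields are ignored; LBA is used)."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype != 0:                      # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, known_good_hashes: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code hash not in allow-list")
    if not info["partitions"]:
        findings.append("empty partition table")
    return findings


def build_mbr(boot_code: bytes, partitions: List[Tuple[bool, int, int, int]],
              disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR for the demonstration (CHS fields left zero)."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples. The "good" boot code stands in for the vendor bootstrap
# an organisation would baseline; the "tampered" sector keeps the partition
# table and the 0x55AA signature (a replacement bootloader must still boot)
# but carries different code, as an MBR overwrite would.
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 60
TAMPERED_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c\xeb" + b"\xcc" * 60
NTFS_PARTITION = [(True, 0x07, 2048, 1_000_000)]   # bootable NTFS at LBA 2048

GOOD_MBR = build_mbr(GOOD_BOOT_CODE, NTFS_PARTITION)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, NTFS_PARTITION)
KNOWN_GOOD_HASHES = {parse_mbr(GOOD_MBR)["boot_code_sha256"]}

if __name__ == "__main__":
    print("good sector:", check_mbr(GOOD_MBR, KNOWN_GOOD_HASHES) or "no findings")
    print("tampered sector:", check_mbr(TAMPERED_MBR, KNOWN_GOOD_HASHES))
```

The check catches only the first stage: once the malicious boot code has run and the master file table is encrypted, the partition entries still parse cleanly, so the sector should be read from outside the compromised system (a boot disk, or a disk image) rather than trusting the running OS. A legitimate bootloader update will also raise the hash finding and must be re-baselined.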
Jigsaw used AES encryption similar to other ransomware.
While previous ransomware attacks made false threats to delete
files, Jigsaw was the first ransomware that actually deleted files
during the attack to encourage payment, and it deleted 1000 files
each time it was restarted.
ZCryptor (May 2016) was the first of its kind: a self-propagating
ransomware that copies itself to other network devices. While
ZCryptor's initial distribution was via a spam campaign, its
stealthy propagation behaviour increases the infection
penetration beyond that of the original attack campaign.
Cerber (February 2016) uses AES encryption similar to other
ransomware attacks. Cerber is geographically aware: it does not
carry out attacks in former Soviet Union countries, and on a
computer located there it deletes itself without encrypting any
files. Also, Cerber is traded as a service on an underground
Russian forum (RaaS).
Criminals have seized on the opportunity to maximise their ‘return
on investment’, i.e. to monetise their nefarious activities. Not
surprisingly, many criminals have jumped on the bandwagon by
adopting and evolving previous ransomware incarnations.
Early ransomware was rudimentary, and their threats were
greatly exaggerated as the data and device could often be easily
recovered. Over the years, there have seen considerable
advancements in ransomware with families such as Cerber,
TeslaCrypt, CTB-Locker and CryptoWall proliferating the Internet.
There have been numerous decryption tools deployed to undo the
effects of ransomware, thanks to poor coding implementation,
IET Netw.
© The Institution of Engineering and Technology 2018
20474962, 2018, 5, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/iet-net.2017.0207 by Morocco Hinari NPL, Wiley Online Library on [25/03/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Fig. 2 Evolution time line
5 Payment methods
Ransomware is a profit-driven business that rewards online
criminal activities. The criminals seek to generate income, and
therefore a payment method (monetisation) is essential. As already
mentioned, Joseph Popp's first ransom demand was via a PO Box,
which is not anonymous as the police can monitor the physical
location and act when collections occur. Over the years, criminals
have adopted many payment techniques such as:
• Short message service to premium rate numbers, which is a
favourite of mobile phone lockers.
• Gift vouchers: These gift vouchers are then resold on auction
sites such as eBay, and the unfortunate buyer must deal with the
consequences.
• Payment services: YandexMoney (Russian website similar to
PayPal) was among the first online payment service, where the
victim deposited their payment into a Yandex account specified
in the ransom note. Other popular services included payment to
a Liberty Reserve account (Costa Rica) and the now failed EGold account (Canada). The criminals switched to more widely
accessible methods such as Western Union and PayPal for
payment. From a criminal's perspective, these services are not
ideal as they are tied to bank accounts, and can be traced and
possibly used to identify the perpetrators.
• Prepaid services once were the predominant ransom payment
method and used online payment systems such as Ukash,
Paysafecard and Moneypak. These online payment methods are
not directly tied to a bank account, and therefore limit the
possibility to trace the ransom payment. The criminals have
taken advantage of these systems in much the same way as gift
vouchers by reselling the prepaid voucher online.
• Digital currency (cryptocurrency) allows users to exchange
credits for goods and services. Bitcoin has been adopted by the
criminal to fuel their criminal ecosystem regarding ‘ransom
payment’ and ‘paying fellow criminals for services’.
Bitcoin has soared in popularity with an estimated 12 million
bitcoins in circulation, despite not being affiliated with a bank and
being perceived as a dubious currency by some.
Bitcoin is a P2P payment system that operates without
affiliations to financial institutions (banks) or centralised payment
systems (such as PayPal). Therefore, to prevent duplicated
transactions, all Bitcoin transactions (Blockchain) are held in a
public ledger that links the sender and receiver addresses.
However, Bitcoin does provide some anonymity as the sending and
receiving addresses are generated by hashing the output of publickey encryption algorithms, which are linked to pseudonyms rather
than a traditional account [7].
Bitcoin's reputation for anonymity (pseudonymous) is enticing
for criminals and has become a key component of the ransomware
ecosystem with many ransomware campaigns now demanding
payment via Bitcoin. Bitcoin facilitates the immediate transfer of
illicit funds, whereas other types of online crimes (such as data
stealing), do not offer the advantage of direct fund transfer, as the
stolen data needs to be monetised by selling the data on or using
the information to launch another attack before the criminal can
retrieve funds.
6 Market model
Figures will research on the evolution of ransomware strongly
supports the notion that ransomware has become a valuable
business for criminals with an ecosystem that can extract
substantial money from victims. A key advantage for the criminals
IET Netw.
© The Institution of Engineering and Technology 2018
is that once the victim is ensnared, they can demand payment
within a few days, whereas other forms of online crime require the
resale of stolen data or use the information to launch another
attack. This constantly evolving criminal ecosystem consists of:
• The creators of the ransomware who may not wish to get
involved directly with the attack campaign and rather choose to
sell their products as toolkits. These toolkits allow criminals
with limited programming skills to build bespoke ransomware
attack campaigns.
• Distribution of ransomware takes the forms of Exploit Kits,
Spam Emailing campaigns, malicious or compromised servers;
all of which contain some aspects of social engineering to
improve the infiltration rate.
• RaaS has a very clear monetisation model through
cryptocurrencies.
In 2016, Kaspersky reported that 1.4 million users were
attacked. While broad scope attack campaigns are still widespread,
criminals have adopted new strategies that target organisations with
a high reliance on data.
Ransomware is a lucrative business, particularly when a wellchosen price point is coupled with robust encryption. Ransomware
is no longer a one-man business; the attacker faces operating costs
to support their attack campaigns. Ransomware is traded as a
service on an underground Russian forum (RaaS). Both criminals
enter into an agreement ‘ransomware developers’ and ‘attackers’.
The developers supply the ransomware and the attackers execute
the attack campaign. On each successful ransom payment, the
developers may receive up to 70% of the ransom. Also, moneylaundering services are available (Mixers or Tumblers) that mix
illegal payments with legitimate funds through the same Bitcoin
wallet to hide the transaction. Hernandez-Castro et al. [8] estimate
the fee for this service is typically 2.5% of the payment.
7
Market value
In December 2013, ZDNet analysed four Bitcoin addresses relating
to CryptoLocker ransom payments. ZDNet findings showed
transactions of 41,928 Bitcoins over the period, 15 October to 18
December, which equates to $27 million [9].
In the USA, the Federal Bureau of Investigation (FBI)
estimated the market worth of ransomware to be $200 m per
annum [10], while in the UK an estimated £24 million in ransom
was paid [11]. From April 2014 to June 2015, the FBI's Internet
Crime Complaint Centre [9] recorded significant increases in
ransomware infections, with CryptoWall being the most reported
(1000 reported attacks). Over this period, the total losses (ransom
and damages) amounting to $18 m. A report published by the
Cyber Threat Alliance in 2015, claimed that CryptoWall was a
global epidemic and was potentially netting criminals a yearly
income of $325 m.
Symantec quote an average ransom demand of $679 in 2016.
However, with Bitcoin being the most widely used, results vary
considerably due to fluctuation in the Bitcoin exchange rate.
Individual strains and families demand different rates, for example,
Bucbi demanded five Bitcoins ($6285) as of March 2017.
CryptoWall has chosen to tailor their ransom demand based on a
victim's country of origin and hence their ability to pay [10]. The
amount of ransom demand varied between ransomware families
with top six ransomware families demanding between 150 and
$250. Popcorn Time malware offered to unlock files for one bitcoin
($772.67). Popcorn Time offered the victim a second option, to
become part of the attack campaign by passing the infectious link
to others, ‘If two or more people install this file and pay, we will
decrypt your files for free’ [12].
A report by Symantec estimated that 2.9% of victims paid the
ransom [13]. In another report in 2013, Dell SecureWorks
estimated that 0.4% of victims had paid the ransom [14]. Following
the takedown of the CryptoLocker distribution infrastructure, it
was concluded that 1.3% of victims had paid the ransom.
Nevertheless, the criminals extorted an estimated $3 m [15].
20474962, 2018, 5, Downloaded from https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/iet-net.2017.0207 by Morocco Hinari NPL, Wiley Online Library on [25/03/2023]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
weak randomisation and various other mistakes by the creators.
However, recent ransomware has evolved into a robust encryption
application that is resistant to analysis. With more than 60
ransomware families in existence, the last 12 months have seen an
ever-increasing number of sophisticated attack campaigns.
Ransomware is now a robust encryption application with a hidden
C&C, coupled with increasingly sophisticated social engineering.
8 Data recovery
2017 saw ransomware continuing to wreak havoc on businesses
and individuals alike. With this onslaught of extortion, users need
to take action to prevent or mitigate the loss of private and
commercially sensitive data. These criminals have shown a great
deal of persistence and users need to look beyond prevention to
identify a strategy to recover their data after an attack.
Paying the Ransom: The general advice is ‘Don't pay the
ransom’. However, when all else fails, some victims see a ransom
of 200 or £300 as the most straightforward option to retrieve their
irreplaceable data. Owing to the covert nature of ransomware, it is
hard to verify the number of victims that pay the ransom, but a
Twitter account set up to track the WannaCry Bitcoin wallets
showed that many victims paid the ransom [16]. That said, when
dealing with criminals, the victim has no guarantee of recovering
all their data. Ransomware targets a wide range of users, many
with a low-technical skill level, and therefore the ransomware
creators have gone to great lengths to ensure that even the novice
can pay the ransomware via Bitcoin [17, 18].
Decrypting tools and services: When a robust encryption
algorithm is implemented in ransomware, data retrieval is
intractable unless the victim has a backup system. That said, these
ransomware creators are not infallible and poor decryption key
management has led to investigations that have found these keys,
which were then used to develop decrypting tools to reverse the
ransomware. Users should not be relying on the weaknesses in the
criminal's approach to ransomware key management, but need to
establish a backup system that has been verified.
A notable success in this battle against the criminals was the
‘Shade Ransomware Decryption Tool’ developed by McAfee and
Kaspersky [19], working collaboratively with other security
vendors and law enforcement, who were able to extract the
decryption keys for the Shade ransomware [20].
Companies offering ‘Expert Services’ [21] offer data decryption
solutions (often based on publicly available keys), but again their
ability to decrypt data is limited to encryption keys that have been
obtained and are made available.
AVG [22] provides free decrypt tools for a limited number of ransomware variants,
ransomware, but the ransomware creators are fighting back by
improving their key-management approach. These recovery
methods are limited to a few ransomware attacks, and victims
should not rely on this as a robust method of recovery.
Backup strategy: A backup system is the best approach against
ransomware attacks. As with any malware infection, user
awareness and training have their limits and systems do eventually
get compromised. Without a backup system in place, the victim is
reliant on the criminals returning the data (after ransom payment)
or relying on a bespoke/specialist tool to decrypt the data. A
comprehensive data backup plan, especially one that
includes automatic and continuous backups of data across servers,
laptops and cloud applications, will enable victims to easily recover
their data after the initial ransomware infection is removed, and
thereby neutralise the impact of ransomware.
9 Summary
In recent years, ransomware has evolved into one of the biggest
cyber security threats. From the criminal's perspective, the Internet
is an enormous gift, not only for ransomware, but also for malware,
in general. The Internet has created a criminal ecosystem that
supports the development, deployment and financial mechanisms
to support malware. The popularity of electronic currencies such as
Bitcoin has grown significantly and the existence of these
anonymised payment mechanisms plays into the hands of cyber
criminals and provides a more direct method of monetising their
nefarious activities. Bitcoin is only the latest in a long line of
technologies that have boosted the criminal underground.
Ransomware has widely adopted the use of Bitcoin for ransom
payments. As the criminals have strived to bulletproof their
anonymity, they have used money-laundering services that have
popped up as part of the criminal ecosystem. These money-laundering services are also known as ‘mixing services’, where the
ransom payment is passed through multiple Bitcoin wallets,
performing money laundering, to further cover the criminals’
tracks.
Owing to ransomware's covert nature, the profitability of the
criminal endeavours is unclear, but what is certain, is that
ransomware is booming. This Crypto-warfare now accounts for £
billions in losses and damages and is growing in both penetration
and sophistication. This is coupled with the shocking truth that most
Internet users are not aware that threats such as ransomware even
exist, and so they do little to protect themselves.
Originally, cyber criminals profited by stealing data and selling
it on underground markets, but the price for stolen data has fallen
significantly. The criminals have sought out new revenue sources
in the form of ransomware, which is allegedly returning higher
income. The criminals have expanded this source of revenue by
developing RaaS, which has lowered the technology entry level
into the ransomware criminal world. RaaS has enabled criminals
with little programming skill (script kiddies) to participate and earn
money from ransomware.
As the criminal underworld strives to widen its grip on
automated extortion, we expect to see advancements such as:
(i) Increased stability and flexible configuration of attack vectors as
many of the attackers will be novices (script kiddies) and will not
have the skills to tweak and configure the ransomware.
(ii) Improved refinement/tailoring of the ransom demand to
maximise revenue as the ransomware will target a broad range of
victims from individuals to large companies with valuable data.
(iii) Sophisticated tailoring of second-wave attacks including
trading of ransomware ‘suckers lists’ of vulnerable and gullible
Internet users.
(iv) Sophisticated evasion and anti-analysis techniques are already
in use, but new mechanisms will appear that ensure novice
criminals do not mistakenly render the ransomware open to
analysis by anti-virus vendors.
(v) As part of the RaaS, Exploit Kits are extensively used.
However, they will become more sophisticated adapting data
mining techniques to improve the social engineering aspect to
circumvent malware detection.
At the time of writing this paper, WannaCry crashed onto the
‘World Stage’ with a fanfare of devastation. WannaCry's payload
was nothing new, using RSA public–private-key encryption as so
many before it. WannaCry used the Windows API encryption
routines to generate the encryption keys and conceal the private
key. It is still early days, with many researchers analysing
WannaCry for weaknesses, but it appears there is little opportunity
to recover the private key needed to decrypt the encrypted files.
WannaCry uses two sets of keys, one for a small selection of files
‘demo decrypt files’ and a second for the main ransom files,
thereby ensuring that releasing the ‘demo decrypt’ key will not
enable the victim to decrypt the main encrypted files. However, the
most effective aspect of the WannaCry campaign is probably the
Exploit Kit that targeted the Windows vulnerability. It is widely
believed that this exploit was derived from a toolset leaked from
the National Security Agency named EternalBlue. EternalBlue
targeted a known vulnerability that had already been patched.
Unfortunately, many users failed to pick up this patch and were left
at the mercy of WannaCry.
As seen with EternalBlue, Exploit Kits play a key role in
ransomware deployment, and along with RaaS are central to the
Crypto-war as the criminals develop their underground ecosystem.
Electronic currencies (Bitcoin wallets) will remain the key to
IET Netw.
© The Institution of Engineering and Technology 2018
Owing to ransomware's covert nature, it is difficult to determine
how lucrative ransomware is, but the criminals have shown no sign
of slowing their attacks. Presently, ransomware uses unintelligent
pricing models with fixed-pricing per-infection. In an attempt to
encourage victims to pay, one possible approach by the criminals
will be to introduce intelligent pricing (ransom demands) that
applies pricing models based on the victim's willingness or ability
to pay. A 1 BTC ransom may be substantial for an individual that
has lost little data. On the other hand, for a company that has lost
valuable data and has high IT costs, 1 BTC is insignificant.
10 References
[1] Fitzpatrick, D., Griffin, D.: ‘Cyber-extortion losses skyrocket, says FBI’, CNNMoney, (15 April 2016). Available at http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/, 2016, accessed 15 April 2017
[2] Tuttle, H.: ‘Ransomware attacks pose growing threat. Risk management’, Risk Manage., New York, 2016, 63, (4), p. 4. Available at http://search.proquest.com/docview/1792354247?pq-origsite=gscholar/, 2016, accessed 17 May 2017
[3] McAfee Labs: ‘Understanding ransomware and strategies to defeat it (white paper)’. Available at https://www.mcafee.com/us/resources/white-papers/wp-understanding-ransomware-strategies-defeat.pdf, 2017, accessed 17 May 2017
[4] Richardson, R., North, M.: ‘Ransomware: evolution, mitigation and prevention’, Int. Manage. Rev., 2017, 13, (1), p. 10
[5] Sato, Y., Nakamura, Y., Inamura, H., et al.: ‘A proposal of malicious URLs detection based on features generated by exploit kits’, 2016
[6] Milena, D.: ‘Open-source ransomware based on hidden tear and EDA2 on the loose’, (25 August 2016). Available at https://sensorstechforum.com/open-source-ransomware-based-hidden-tear-eda2-loose/, 2016, accessed 17 May 2017
[7] Reid, F., Harrigan, M.: ‘An analysis of anonymity in the Bitcoin system’, in Altshuler, Y., Elovici, Y., Cremers, A., et al. (Eds.): ‘Security and privacy in social networks’ (Springer, New York, NY, 2013), pp. 197–223
[8] Hernandez-Castro, J., Cartwright, E., Stepanova, A.: ‘Economic analysis of ransomware’, (21 March 2017). Available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2937641, 2017, accessed 21 June 2017
[9] FBI: ‘Criminals continue to defraud and extort funds from victims using CryptoWall ransomware schemes’, (23 June 2015), Alert Number: I-062315-PSA. Available at https://www.ic3.gov/media/2015/150623.aspx, 2015, accessed 21 June 2017
[10] ‘The secret behind CryptoWall's success’, Imperva. Available at www.imperva.com/docs/IMPERVA_HII_CryptoWall_report.pdf, 2016, accessed 21 June 2017
[11] Turkel, D.: ‘Victims paid more than $24 million to ransomware criminals in 2015 — and that's just the beginning’, Business Insider (7 April 2016). Available at http://uk.businessinsider.com/doj-and-dhs-ransomware-attacks-government-2016-4, 2016, accessed 21 June 2017
[12] Hern, A.: ‘New nasty ransomware encourages victims to attack other computers’, The Guardian (12 December 2016). Available at https://www.theguardian.com/technology/2016/dec/12/new-ransomware-victims-popcorn-time-malware, 2016, accessed 15 Mar 2017
[13] McDonald, G., O'Gorman, G.: ‘Ransomware: a growing menace’. Available at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf, 2016, accessed 17 May 2017
[14] Jarvis, K.: ‘Cryptolocker ransomware’, SecureWorks, (18 December 2013). Available at https://www.secureworks.com/research/cryptolocker-ransomware, Dec 2013, accessed 21 June 2017
[15] Ward, M.: ‘Cryptolocker victims to get files back for free’, BBC News, (6 August 2014). Available at http://www.bbc.co.uk/news/technology-28661463, 2014, accessed 21 June 2017
[16] ‘Actual ransom’, @collinskeith, (May 2017). Available at https://twitter.com/actual_ransom?lang=en, May 2017, accessed 2 February 2018
[17] ‘Bitcoin’. Available at https://bitcoin.org/en/choose-your-wallet, accessed February 2018
[18] ‘How to pay with bitcoin guide’, Coinify. Available at https://support.coinify.com/Knowledgebase/Article/View/165/5/how-to-pay-with-bitcoin-guide, 30 Nov 2016, accessed 2 February 2018
[19] ‘Shade ransomware decryption tool’, McAfee. Available at https://www.mcafee.com/hk/downloads/free-tools/shadedecrypt.aspx, accessed 2 February 2018
[20] ‘NO MORE RANSOM!’. Available at https://www.nomoreransom.org/en/index.html, accessed 2 February 2018
[21] RedMosquito. Available at http://www.rm-ransomwarerecovery.com/?gclid=CjwKCAiAtdDTBRArEiwAPT4y-1v-5y_TzrPU0XRP788GO4IaxdcK2-AdSEemOeS98e_8HHV5U8E69BoCv2cQAvD_BwE, accessed 2 February 2018
[22] ‘Free ransomware decryption tools’, AVG. Available at https://www.avg.com/en-gb/ransomware-decryption-tools, accessed 2 February 2018
manage the division of funds between creators, distributors and the
criminals that engage in the final stages of the ransomware attacks.
As Web browsers and anti-virus companies sink-hole malicious
URLs, criminals will phase out ‘carpet bombing’ approaches and
opt for more targeted malware deployment.
Just as the explosion of ransomware occurred with the first
Internet revolution, we may see a second tidal wave of ransomware
with the Cloud. As the Cloud emerges, the myriad of
communication protocols may advance the spread of ransomware.
We have already seen the early stages of cloud penetration with
ransomware targeting cloud-based technologies such as Dropbox,
Office 365 and Google Apps. Also, the Cloud's dynamic nature of
resource management would support an increasingly flexible
malware C&C infrastructure that would be difficult to monitor and
implement kill switches (such as a sink hole).