Fighting ransomware: 13 new ways to compromise your dataThursday, December 22, 2016
Ransomware has been a concerning feature of 2016, and this breakdown of just one strain (Locky) reveals just how intensively criminals have been working to compromise their victims.
Ransomware has been one of the standout security threats of 2016, by anyone’s measure. There’s been plenty of media chatter, plenty of Fear, Uncertainty and Doubt around, and some pretty big figures to boot. One analysis based on ransomware payments made by businesses reckons that the total cost to businesses will have hit $1 billion for all of 2016.
As we’ve mentioned before, the Locky strain of ransomware has been central to this uptick, first spotted in Feb 2016, then hitting such high volumes that it graced the top three list of malware by volume in September.
In a separate study, it was discovered that of all the email-disseminated malicious documents in Q3 2016, Locky was in 97 per cent of them - a 64 per cent from Q1. In short, the criminals behind Locky have had a very busy - if profitable year. However, new research into their updates has unveiled just how busy, with at least 13 major updates to the malware being made in 10 months.
According to Forcepoint the timeline of adaptations throughout the year has included enhanced anti-analysis trickery (unsurprisingly), wider language support, and also a range of encryption upgrades, such as ‘support’ for offline encryption using embedded RSA keys, and payload encryption: “The payloads were now encrypted with unique keys which were decrypted and run by the JS downloaders. The payloads themselves also began to require a command line argument in order to execute properly. Both of these tricks were designed to trip up automated security tools,” explained the security researchers.
An interesting feature released in June was the ability to detect the presence of a virtual machine (VM), by calculating how long it takes to perform two Windows API calls, GetProcessHeap() and CloseHandle(). “This is then compared to a known ratio of at least 1:10 that is more likely to indicate a real machine rather than a VM. On a real system, CloseHandle() should be at least 10 times quicker on average to execute when compared with GetProcessHeap()”, said the researchers.
Another strategy used by Locky in the last month to infect social media users involves the so-called "ImageGate" attack vector, which exploits a misconfiguration in social media sites, allowing attackers to embed the ransomware code into image files that they then post. By clicking on and downloading these image files, the malware is triggered. Full details are not yet available, as the CheckPoint researchers are awaiting fixes from LinkedIn and Facebook before disclosing the technical details.
Clearly a fair chunk of that potential $1bn Ransomware revenue in 2016 has gone Locky’s way, given the sheer prevalence of the malware, and the level of sophistication evident in these updates. Whether the same rate of adaptation will continue in 2017 is anyone’s guess, but one thing is certain, and that is that ransomware as a whole will continue to pose a serious issue.
Ilia Kolochenko, CEO of High-Tech Bridge said: "Ransomware is a very serious problem actually. Unlike other exaggerated trends, such as APT or IoT, ransomware is a fundamental economic problem. Cybercriminals understood that they can easily and safely make quick-money on extortion, and started leveraging this approach everywhere: from hard drives to websites and even smart TVs.
“I wouldn't be surprised if, in the future, attackers particularly target voting systems, hospitals or nuclear plants, and that governments will come to accept paying them any amount to get back access to life-critical systems. Ransomware phenomena will appear everywhere. Therefore, we cannot just solve a "problem of ransomware", we need instead to solve the global problem of cyber insecurity, such as vulnerable systems and missing backups.”