Ransomware payments: Funding the business of cybercrime

Source: Veeam

If you were considering becoming a cybercriminal or were perhaps a traditional villain looking to upgrade your skills for the 21st century, I’m sure your business model of choice would be running a ransomware operation. You would, thanks to the simplicity of platforms like Ransomware as a Service and the willingness of victims to pay ransomware fees, be running a very successful business — albeit an illegal business — in a matter of days or weeks. Such is the ongoing success of ransomware as a means of extorting money from victims.

The main reason for the runaway success of ransomware as a malware attack vector is its effectiveness and ability to generate money for cybercriminals. Anonymous payment services like Bitcoin make ransomware payment simple for victims and risk-free for the ransomware’s owners. Companies are even starting to keep a Bitcoin ransom ready in the event that they are affected and cannot recover from the attack.

Bitcoin isn’t the only ransomware payment method available. Cybercriminals offer flexibility when it comes to settling your bill. Early ransomware and Lockerware (the old screen-locking style of malware) were primitive in terms of demanding payment: premium-rate SMS message extortion was common, as was the use of the now-defunct Ukash voucher scheme. Today, Bitcoin remains the most popular payment method, but other cryptocurrencies like the more sophisticated Ethereum and the less well-known Litecoin and Dogecoin are also options. The latter two currencies trail behind Bitcoin in terms of transactions, but all of these cryptocurrencies can be easily laundered through the darknet, allowing funds to be cashed out easily and anonymously.

Recent research carried out by Google, Chainalysis, UC San Diego and the NYU Tandon School of Engineering found that ransomware has generated an income of more than $25 million over the last two years. Looking at 34 different types of ransomware and then tracking their ransomware payment methods through blockchain ledger entries, they were able to track and analyze the flow of Bitcoin ransom paid by victims. One of the most successful variants of ransomware is Locky, which is said to have earned its owners over $7 million.

If you’ve ever been affected by ransomware, you know the ransom demanded to regain access to your data is generally quite small. On average, the ransom is around $700, although it peaks at about $1,500. This low-pricing strategy is designed to make sure you can afford to pay the ransom rather than seeking likely more expensive recovery alternatives. The malware authors deliberately make paying the ransom the easiest option for you, so they can maximize their profits. There is solid economic theory here: price elasticity of demand for one, but also the notion that low price, low input and high volume will be an easier payday for the ransomware owner than the higher-priced and potentially higher-risk alternative.

Reports of ransomware being able to alter its price based on the geographic location of the victim’s computer back up the economics of ransomware too. The Fatboy Ransomware as a Service platform is said to use The Economist’s Big Mac index to offer its victims an affordable way out of their predicament. The Big Mac index measures the differences in purchasing-power parity between global currencies to adjust the price of a burger. It is now utilized by ransomware authors to ensure that wherever their malware strikes, the price you see to regain access to your data is within your means relative to your location and currency.

It is important to note that we also see the price of ransomware set deliberately high in certain market segments, usually where there is a significant risk of not acting on the outcome of the attack. Hospitals, for example, have noted higher ransom payment demands when key or life-critical medical systems are affected. The morals of these ransomware attackers are clearly non-existent.

Paying the ransom, whether it’s by Bitcoin or another method, is always going to appear to be the easiest way out of the problem, but it’s never a guarantee that you’ll be able to resume normal operations. Firstly, the ransomware is unlikely to decrypt all of your data. You should expect about 80% of it back at most. Secondly, the ransomware is still resident on your system and could lead to further breaches or problems. And thirdly, understand that by paying the ransom, you are effectively negotiating with terrorists and helping to fund the darkest, most sinister parts of human nature, such as terrorism, human trafficking, money laundering, drug running, prostitution and every type of criminal activity.

Of course, I understand that there may be times when you have no backup or no means of recovery from a ransomware attack, so you may have no choice but to pay the ransom. In enterprise environments, however, you have a choice and, therefore, no excuse. DO NOT PAY the ransom. Instead, rely on your protection and preparedness.

Stay safe out there.


5 Top ransomware exploits that you should know

Source: Veeam

We used to call the Internet the “information super-highway” back in the day, when connections were slow, bulletin boards and gopher were about as techie as it got. Those days are long gone, but something of the ‘highway’ has remained, like a bad smell, one that has come back to haunt us in 2017… The highway robber!

The person who went about their villainy on the trade routes and highways of the world, extorting money and valuables from unsuspecting travellers with a simple threat, “your money or your life”, reinforced of course with the trademark flintlock pistol and sabre.

Today’s highway robber is a lot more sophisticated and savvy. They take far less risk and turn to the latest technology to extort you out of your money by threatening your valuables. In this case your data, your technology and most probably your computing ability.

Of course, I’m talking now about ransomware, the threat that’s been in the news almost every day for the past couple of months. The tool of choice for the modern highway robber has become headline news around the world with variants such as WannaCry and the more recent Popcorn Time. Organizations around the world have been affected by this ransomware, from the UK National Health Service, through to the Russian Postal Service in the last few weeks.

Interestingly, WannaCry leverages a previously known vulnerability in the Windows operating system, which is alleged to have been hoarded by a national security agency of the USA. In this case it is a vulnerability in the inbuilt SMB networking functionality of Windows, which allowed the ransomware to be especially successful against both current and older versions of Windows, such as XP and Windows 7. Even though it is out of support, there are still organisations using Windows XP and putting themselves at risk.

Luckily, however, an enterprising security researcher managed to find a kill switch written into some variants of WannaCry, in the form of a phone-home domain which hadn’t been registered by the malware’s author. Registering the domain seemed to give these variants of the malware the dead letter box they were looking for in order to shut down, thus halting the attack.

After intense examination of WannaCry’s tactics by the security community, we now know the infection spread within organizations by leveraging SMB connections. And, while patching the known vulnerability (the patch had been out for over a month) helps squelch WannaCry’s ability to spread, there is a broad range of ransomware sources through which you can get infected, such as:

  • Trojans – Perhaps the most common ransomware attack source, and the one we read the most about. Email attachments containing malicious macros are the chosen method here.
  • Removable media – Perhaps the most likely source of infection for the majority of malware in an enterprise, whether it’s ransomware or something more nefarious, especially for those organisations that don’t lock down their USB ports. USB sticks and removable media are a very simple way to infect a PC, as users generally trust those devices. A study by Google and two US universities showed that dropping USB sticks in public places was a simple and effective way to trigger human curiosity, with a full 49% of the ‘bait USBs’ being plugged into a computer by people who found them. Imagine if those had been malicious.
  • Malvertising – Malver-what-now? A portmanteau of malicious advertising, where attackers compromise the weak infrastructure of an online ad network that serves adverts to legitimate websites. When users view those ads, usually on well-known news websites, the ads can be used to trick browsers into downloading malware through the page’s display advertising. Exploit kits such as Angler and Neutrino are often used as the initial dropper of the malware, which often then gives cyber criminals complete control of the infected endpoint. Ransomware is just one of the common outcomes of these watering-hole or drive-by attacks.
  • Social media and SMS – The prevalence of shortened links used on social media platforms and in SMS text messages gives attackers a superb mechanism to deliver ransomware and malware. Users rarely, if ever, check the destination of shortened links in social media, SMS or even email and attackers know this. Security solutions that ‘link-follow’ are increasing in popularity, but not fast enough. Ransomware delivered through shortened links is also often JavaScript based and requires little action on the users’ part, other than to click the link.
  • Ransomware-as-a-Service – RaaS? Yes, it does exist, as one of the many ‘Crime-as-a-Service’ networks. (Yes, those exist too.) RaaS allows criminals of any variety to become instant cyber criminals, to the extent that we’re seeing a drop-off in classic crime like burglary, as RaaS is a far less risky ransomware source for them. RaaS and CraaS have given rise to vast affiliate networks too, where ransomware is easy to deploy and manage for almost anyone and where the earning potential is significant. I use this example to demonstrate the sophistication and motivation of the cybercriminals behind ransomware. Ignore them at your peril.

Of course, we’re used to thinking of ransomware as an email-specific or Trojan-based attack, and that’s certainly the most common route it takes, but we should note that once ransomware makes its way into your business, its creators will attempt to take as many routes as possible to ensure as widespread an infection as possible.

What all of these attacks and the breadth of ransomware sources show us is that it’s a live and hostile environment on the information super-highway and that for all the good we do, there are still people intent on exploiting, stealing, violating and pillaging our assets. Don’t be under any illusion they’re not motivated either; ransomware is a great money earner for them so don’t expect the attacks to die down anytime soon. Technologically not doing your best is not an option either. Sitting back hoping Windows XP or 7 will “struggle on for a little longer” or that those patches you didn’t deploy don’t matter is not a sensible strategy. Remember there are books written about hope not being a strategy, so don’t fall into that trap.

Patch your stuff, back up your valuables and keep an eye out for the highway robbers.

Stay safe out there.

What can you do with Veeam to stay resilient against ransomware? Check out our ransomware series content.
