Have you heard of BadBlock, Bart and Booyah? What about VenusLocker, WonderCrypter and Zyklon?
Those are just some of the many different ransomware families that have been cataloged by the ID Ransomware service, launched in March by the security researchers known as MalwareHunterTeam. The researchers’ site allows victims to upload ransom notes or encrypted files to help them identify the ransomware that’s encrypted their data.
“Sad such a milestone was hit so quickly”
This week, in an unfortunate cybercrime milestone, the number of ransomware families counted by the service reached 200.
The increasing number of ransomware families – and their virulence – shows attackers are continuing to refine their art. Similarly, the emergence of what almost seem like joke strains of ransomware – named after horror films or given the Pokémon treatment, for example – demonstrates the increasing commoditization of crypto-locking attack tools and the need for developers to attempt to differentiate their wares in what’s become an increasingly crowded marketplace.
Whew! ID #Ransomware can now identify 200 ransomware families. Sad such a milestone was hit so quickly… pic.twitter.com/c4jynvMbpI
— Michael Gillespie (@demonslay335) October 17, 2016
Disruption Efforts Continue
The increasing number of ransomware families – to say nothing of what can be many different variants or strains of each, evolving over time – also complicates attempts to disrupt these attacks. Indeed, security firm Kaspersky Lab estimates that between April 2015 and March 2016, there were more than 715,000 ransomware victims worldwide, or an increase of 5.5 times over the preceding 12-month period.
Disruption efforts, however, are ongoing. The public-private No More Ransom project, which launched in July, reports this week that at least 2,500 ransomware victims were able to download the portal’s free decryptor tools – mainly for CoinVault, WildFire and Shade – and recover their data, avoiding paying more than $1 million in ransoms, project organizers say. But that amounts to just 0.35 percent of the total number of ransomware victims seen from April 2015 to March of this year.
No More Ransom launched as a joint venture between the Dutch National Police and Europol, as well as security firms Kaspersky Lab and Intel Security, a.k.a. McAfee. Since then, law enforcement agencies from these 13 countries have also signed up: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.
From a law enforcement standpoint, more is more, says Steven Wilson, head of Europol’s European Cybercrime Center. “Europol is fully committed to supporting the enlargement of the No More Ransom project within the EU and internationally to respond to ransomware in an effective and concerted manner,” Wilson says in a statement. “Despite the increasing challenges, the initiative has demonstrated that a coordinated approach by EU law enforcement that includes all relevant partners can result in significant successes in fighting this type of crime, focusing on the important areas of prevention and awareness.”
https://t.co/3HIV2MNttQ was launched by @Europol +Dutch @politie+@IntelSecurity+@kaspersky to help victims of #ransomware in July 2016 pic.twitter.com/sTf2rhB2XG
— Europol (@Europol) October 17, 2016
Focus: Prevention, Awareness
The focus on prevention and awareness is also the strategy that’s been adopted by the FBI, which urges organizations to create “a solid business continuity plan” that includes the ability to restore backups in the event that systems get infected by crypto-locking malware.
That’s because neither technology nor law enforcement – and arrests – will stop ransomware. The malware is easy to create and distribute, and it succeeds whenever it encounters a PC that a user has failed to prepare. The “skyrocketing” of ransomware attacks, as Kaspersky Lab CEO Eugene Kaspersky puts it, illustrates attackers’ success.
Furthermore, criminals continue to refine their campaigns. Some attacks – often utilizing Locky – are being highly targeted, and they crypto-lock time-sensitive records inside organizations, leaving them with little choice but to pay.
In other cases – such as with the widespread CTB-Locker ransomware – attackers are tapping affiliate programs to distribute the malware. CTB-Locker is also part of an emerging trend; the ransomware can crypto-lock not just PCs but also web servers. Petya ransomware, meanwhile, now includes full-disk encryption – not just encrypting files – and encrypts the file system table, thus disabling a victim’s ability to even boot their PC.
Prepare or Pay
Occasionally, ransomware developers feel guilty and spill their crypto schemes, or law enforcement agencies gain access to their malicious infrastructure, allowing them to crack attackers’ crypto. Other times, developers fumble their crypto implementation, enabling security experts to build decryptors for victims.
No More Ransom, for example, was recently updated with a decryptor for Polyglot ransomware, a.k.a. MarsJoke, which has been designed to mimic CTB-Locker ransomware – apparently to make victims believe they were infected with an especially virulent type of ransomware, Kaspersky Lab says. But unlike CTB-Locker, Polyglot used “a weak encryption key generator,” allowing its crypto to be cracked, using a standard PC, in less than 60 seconds, the security firm says.
So far, however, being able to decrypt ransomware for free remains the exception. For most ransomware victims, the paradigm remains depressingly familiar: Prepare, or be prepared to pay the consequences.
October 18, 2016