• Posted on 24 Mar 11:15
  • By Nicholas Carlton

Nick FitzGerald, Senior Research Fellow, ESET Asia Pacific | March 16, 2016

Over the past year, cybersecurity professionals have been facing more and more cases of ransomware. This type of attack has rapidly gained ground and it seems that there is no end in sight to its growth.

So what is ransomware? Put simply, it is a type of malware that prevents or limits users' access to their systems or data, then demands a monetary ransom, usually paid through anonymous online payment methods, to restore that access. Paying is no guarantee of recovery: there have been cases where victims paid up without receiving a recovery key, or were otherwise unable to recover their files.

This type of malware is not new. The first widely known case of ransomware, the 'AIDS Trojan', dates back over 25 years! However, like most cyber threats we see today, ransomware is fast becoming more sophisticated and therefore, more troublesome for both businesses and consumers.

Ransomware has caught the attention of cybersecurity professionals recently due to growth in both the number of victims, as well as the profits that cybercriminals have obtained from this type of malicious campaign. High profile news has similarly made ransomware a larger topic of conversation, including the recent case of the Hollywood Presbyterian Medical Centre in Los Angeles, which was made to pay a ransom of US$17,000 by hackers in order to regain access to its computer systems.

According to recent ESET research, crypto-ransomware detections have been concentrated in regions such as Latin America and Europe, but recently there has been a spike in incidents outside these territories. According to the Internet Organised Crime Threat Assessment 2015 report by Europol, Japan has the second highest global detection rate for ransomware. The country is also one of the top three countries in Asia where European Union law enforcement investigations have identified perpetrators or criminal infrastructure. The same report identifies Japan, South Korea and the Philippines as the most prominent countries in East and South East Asia from which commercial extortion campaigns originate.

Rapidly mutating threat

Ransomware has evolved over the years: its authors have steadily upgraded the malware, and the number of attacks worldwide has grown with it. In fact, today we are even seeing some cybercriminals offering this kind of malware as a service.

'Ransomware as a Service' (RaaS) is a worrying trend: more and more tools are being discovered that are specifically designed to let even an unsophisticated criminal build this type of malware, regardless of technical expertise. Ransomware has also evolved to target not only desktop operating systems but mobile ones as well. Cases have been found affecting mobile devices, especially those running Android, the most popular mobile operating system worldwide. The group behind the Reveton ransomware, for example, has ported the malware to Android, distributing it through pornography sites where it is disguised as a video player.

The threat of ransomware has also diversified in terms of approach and vector. Initially, only the Windows families of such malware were showing year-on-year growth in the number of detections. Now the malware has extended to other operating systems such as OS X and even Linux. The technologies used to deliver ransomware are evolving too. In the early days, drive-by downloads and spammed links or executables were the common delivery mechanisms. Now spam also carries attachments such as Office documents with macros, and BAT, CHM, JavaScript and LNK files, and the payloads these downloader components fetch are no longer just binary executables but include scripts for various platforms, PowerShell among them.
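As an added illustration of the attachment vectors listed above (this is example code written for this page, not code from the article or from ESET), the following Python sketch shows how a mail gateway might triage attachments by both file name and file signature, so that a LNK or CHM loader renamed to look like a document is still caught, and an OOXML document is held only if it actually carries a vbaProject.bin macro part. It goes one step beyond the text by also looking inside zip archives for the same file types. The extension lists, the block/quarantine/allow policy and the sample files are this example's own assumptions; the magic-number constants are the documented OLE, zip, CHM and shell-link headers. The samples are constructed in memory and contain no real malware.

```python
import io
import zipfile
from dataclasses import dataclass

# Attachment types the article names as current ransomware delivery vectors
# (Office macros, BAT, CHM, JavaScript, LNK) plus PowerShell scripts, which it
# names as a payload. Which extensions to list is an assumption of this example.
SCRIPT_EXTENSIONS = {"bat", "cmd", "chm", "js", "jse", "lnk", "ps1", "vbs", "wsf"}

# File signatures, so the decision does not rest on the file name alone.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary Office (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) and .zip
CHM_MAGIC = b"ITSF"                                # compiled HTML help
# Shell link: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


@dataclass
class Verdict:
    filename: str
    action: str   # "block", "quarantine" or "allow"
    reason: str


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML files store VBA in a vbaProject.bin part inside the zip container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes, depth: int = 0) -> Verdict:
    """Return a gateway verdict for one attachment (hypothetical policy)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # 1. Content that is a loader, whatever the name claims.
    if data.startswith(LNK_MAGIC):
        return Verdict(filename, "block", "Windows shortcut (LNK) content")
    if data.startswith(CHM_MAGIC):
        return Verdict(filename, "block", "compiled HTML help (CHM) content")
    if ext in SCRIPT_EXTENSIONS:
        return Verdict(filename, "block", f"script/loader extension .{ext}")

    # 2. Zip container: an OOXML document, or a plain archive wrapping the above.
    if data.startswith(ZIP_MAGIC):
        if ooxml_has_macros(data):
            return Verdict(filename, "quarantine", "macro-enabled Office document")
        if ext == "zip" and depth < 2:          # look up to two levels into archives
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_attachment(member, zf.read(member), depth + 1)
                    if inner.action != "allow":
                        return Verdict(filename, inner.action, f"{member}: {inner.reason}")
        return Verdict(filename, "allow", "zip container without macros or scripts")

    # 3. Legacy binary Office: VBA sits in OLE streams that need a compound-file
    #    parser (e.g. oletools) to read, so hold it for a macro scan rather than guess.
    if data.startswith(OLE_MAGIC):
        return Verdict(filename, "quarantine", "legacy OLE Office document, macro scan needed")

    return Verdict(filename, "allow", "no ransomware-vector indicators")


# ---- Constructed samples (not real malware) to exercise the policy ----------

def make_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)   # placeholder VBA part
    return buf.getvalue()


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLES = {
    "invoice.docm": make_ooxml(with_macros=True),
    "report.docx": make_ooxml(with_macros=False),
    "resume.docx": LNK_MAGIC + b"\x00" * 56,       # LNK disguised as a Word file
    "order.js": b"var s = new ActiveXObject('WScript.Shell');",
    "manual.chm": CHM_MAGIC + b"\x00" * 28,
    "quote.doc": OLE_MAGIC + b"\x00" * 504,
    "photos.zip": make_zip({"IMG_0001.jpg": b"\xff\xd8", "view.bat": b"@echo off"}),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = classify_attachment(name, blob)
        print(f"{v.action:10s} {name:14s} {v.reason}")
```

Checking the signature before the extension is the point: the "resume.docx" sample is blocked because its bytes are a shell link, while the macro-free "report.docx" is allowed even though it shares the extension with the held "invoice.docm". Legacy .doc files are quarantined rather than allowed because their macro presence cannot be read without a compound-file parser.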

Will the Internet of Things (IoT) be next?

Throughout 2015 there was significant interest in the possibility of malware focusing on equipment associated with the Internet of Things (IoT). The increasing number of devices connected to the internet, and their often woeful security stance, provide cybercriminals with a greater number of points-of-attack. This puts devices such as smartwatches, smart televisions, wearables, driverless cars and a whole host of other devices at risk.

An early example of such an attack is the Linux/Moose worm that has commandeered SOHO routers for social media fraud. Other security researchers have considered the possibilities of wearables, smart televisions and so on being targeted by malware, and in some cases they have even provided proof-of-concept demonstrations. Given ransomware's apparent profitability, it seems likely that some e-criminals must be thinking along the same lines.

These key developments lead us to believe that ransomware is here to stay and will surely continue mutating in the coming years. From the security side, the challenge is not only to detect and block or remove such attacks, but also to ensure the continuing availability of information for enterprises and consumers.

So, what can we do to protect ourselves?

As technology has evolved, the protective mechanisms to counter threats such as ransomware have improved with experience. However, they must be accompanied by user management and education. Prevention is better than cure, and this applies to end users of technology today. Keeping devices patched and well protected is the single most effective step against ransomware. In addition, keeping data adequately backed up, with copies held offline or otherwise out of reach of an infected machine so that they cannot be encrypted along with the originals, is key to ensuring that if an attack does take place the victim is not strong-armed into paying up.

According to Gartner, we are gearing up towards a fivefold increase in the number of devices connected to the Internet over the next five years, reaching 25 billion online devices. The challenge we are going to face is protecting more of these devices against ever more sophisticated malicious code. Network security, the prevention of exploits and the appropriate configuration of devices will take on greater importance to prevent such attacks, helping users enjoy safer technology.