As a malware type, ransomware has proven to be exceptionally effective.

It is targeted, it has purpose and it has potency. Working covertly and using polymorphic approaches, it was the first truly problematic piece of malware to tackle, at least of the malware types whose presence becomes immediately apparent.

When the original Cryptolocker infrastructure was removed last year, we projected that the next logical step for cyber criminals would be smaller, more agile attacks, which would better elude a takedown.

That presumption was correct, but cyber criminals improved ransomware to achieve much more than just that.

Source: The evolution of ransomware, Symantec

Ransomware creators have recently advanced their product to its latest version, Cryptowall 4.0, which features Tor infrastructure, improved exploit targeting as an attack vector, more extensive spam messaging campaigns and shrewder antivirus avoidance mechanisms.

Since ransomware is now effectively an industry of its own, we would not expect the development to stop here. Cyber criminals are smart and they want to develop their business as any company would.

Figure: New ransomware. Source: McAfee Labs Threats Report, May 2015

Ransomware, when it comes to the nuts and bolts, is just like marketing and sales:

1. First, a good product is required.
2. Then you need a customer base.
3. Afterwards you will have to reach the audience.
4. You need to convey an interesting message and include a call to action.
5. And last, but not least, you need the ability to monetize the product.

1. The “good” product will be improved

If we look at the list above, we have to give ransomware makers credit for engineering a very good product. Encryption is so strong that it’s virtually impossible to break – unless you have the algorithm itself. This is why law enforcement has put effort into intercepting the infrastructure itself, so that those codes can be reverse engineered.

With that in mind, we can definitely expect that ransomware makers will go to further lengths to ensure that their operations remain untouched.

A good guess about their future strategies is that they’d include a more “mobile” and diversified infrastructure, with keys spread across the Internet on RAID-like storage platforms, so that keys are only partially stored at each location.

Another guess is that they’ll improve the infrastructure, so that, if intercepted, keys will be more difficult to break at each storage location. This could be done by running encryption from the encryption key servers and even from the botnets participating in the delivery network, which we will touch on later.

Figure: New samples of prominent ransomware families. Source: McAfee Labs Threats Report, May 2015

2. The customer base

There is no doubt that there is a very large customer base for ransomware on the Windows platform. And, with recent Android evolutions, the ransomware market is large enough to “accommodate” even more.

The natural evolution here is that the customer base will be further extended to target iOS and Mac OS X devices. But this is a smaller market than Windows and Android – and much more difficult to attack, so less commercially viable for cyber criminals.

Figure: Mobile malware. Source: McAfee Labs Threats Report, May 2015

3. Reaching the audience

Reaching the audience has never been a problem for ransomware makers so far. Two methods proved to be especially effective: the distribution of spam emails and using hacked websites to deliver payloads.

Going beyond spam campaigns, ransomware creators are now using large companies as malware-delivery fronts.

Figure: Anatomy of a CryptoWall 3.0 attack. Source: CryptoWall Version 3 Threat, Cyber Threat Alliance

The latest development in spam campaigns, outside the ransomware scope, has been to use large companies as fronts to deliver malware. Cyber criminals find companies that have weaker protection on their email service and exploit their lack of DMARC implementation to target customers. They do so by using a persuasive and trustworthy message that appears to come from global companies people know.

A logical development for ransomware would be to replicate these steps into their “message delivery” process to get a broader audience reach. That’s because sending spam from trustworthy domains means fewer emails are considered malicious by spam filters, so more potential victims are reached.

Also going forward, this would allow attackers to scale down from multinational companies to more local, more targeted campaigns. They can do so by compromising local companies and using them to target local user groups.
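A defensive check for the DMARC gap described above, as an added example that is not part of the original article: it audits DMARC TXT record values for missing or non-enforcing policies. The domains and records are constructed samples and the function names are hypothetical; fetching the `_dmarc.<domain>` TXT record is left to your own DNS tooling.

```python
# Added example: audit DMARC TXT values for gaps that let a domain be spoofed.
# Constructed sample records for hypothetical domains (not real data).
SAMPLE_RECORDS = {
    "shop.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop.example",
    "hotel.example": "v=DMARC1; p=none; rua=mailto:dmarc@hotel.example",
    "bank.example": "v=DMARC1; p=quarantine; sp=none; pct=25",
    "local.example": None,                # no _dmarc TXT record published
    "typo.example": "v=DMARC1 p=reject",  # missing ';' separator
}
ENFORCING = ("quarantine", "reject")


def parse_tags(txt):
    """Split a DMARC TXT value into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def audit(txt):
    """Return a list of findings; an empty list means the policy is enforcing."""
    if not txt:
        return ["no DMARC record: receivers have no policy to apply"]
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["malformed record: v=DMARC1 tag did not parse, record is ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append("p=%s: receivers are asked to take no action"
                        % (policy or "<missing>"))
    if "sp" in tags and tags["sp"].lower() not in ENFORCING:
        findings.append("sp=%s: subdomains are not protected" % tags["sp"])
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct=%s is invalid" % pct)
    elif int(pct) < 100:
        findings.append("pct=%s: policy covers only part of failing mail" % pct)
    return findings


def weak_domains(records):
    """Domains whose DMARC posture leaves room for spoofed mail."""
    return sorted(d for d, txt in records.items() if audit(txt))


if __name__ == "__main__":
    for domain in weak_domains(SAMPLE_RECORDS):
        print(domain, audit(SAMPLE_RECORDS[domain]))
```
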

Another very logical development will be the automation of payload delivery via malvertising. In this case, compromised websites are used to deliver marketing banners which contain exploit code to make payload dropping easier.

Figure: Top countries hosting spam domains. Source: McAfee Labs Threats Report, May 2015

Today, the malvertising approach is a bit manual for cyber criminals, just like building a spam campaign. Scanning websites for vulnerabilities and feeding those security holes with revised content in an automated way will therefore be a good, quick enhancement to deliver a credible image.

Just as with the initial Cryptolocker, this will be, no doubt, a challenge in the beginning – but it is technically doable. With a scanner, attackers would be able to see what type of service is used to host website content. This is just one of the many targetable services, and, from there, cyber criminals would just need to acquire the capability to replace or take over that service.

4. The message and call to action

The delivery of the spam campaigns can be a critical part of the trust-building process, as we just covered. Receiving a credible mail from a big, international hotel booking website that we all use is more trustworthy than Paul Robinson having sent you an email.

But other factors play into that email or banner message delivery process.

Spelling is a very practical part of the message delivery that cyber criminals have already improved over the last year. The wording, spelling and grammar as a whole are often close to perfect.

The next level of logical evolution here is going to be the graphic aspect, including the use of plausible urgent messages and a well-thought-out call to action.

5. Monetization

Harvesting finances from existing ransomware campaigns is already proving very efficient for cyber criminals. Using the Bitcoin infrastructure to extract funds is a good way of digitally obtaining funds and converting them into real cash – in a covert manner.

One of the things that legal agencies target today is the extraction point for the digital cash, or, to be more precise, the Bitcoin account owner. So a logical improvement for cyber criminals would be to have a diversified account structure built into the ransomware itself.

Conclusion – Are Cryptowall 5 and 6 right around the corner?

I would personally be afraid that the answer to this question is “yes”, and that they will be vastly enhanced with every release. As we just covered in a recent article, ransomware makers are now turning their business into a software company.

To pre-empt these moves, cyber security companies will need to try and enhance products to make sure that they stack up against the listed possible routes to improvement. But large website owners or large email sending companies have pre-emptive responsibilities as well, as they also need to make it more difficult for cyber criminals to deliver these campaigns.
