Extortion through crypto ransomware is the most prolific cybercrime model to date. Even though the epidemic seems to have peaked in terms of attack sophistication, these programs keep evolving and ransom Trojans keep taking on new characteristics. The recent WannaCry outbreak, a worm built on leaked NSA exploits, is a clear demonstration of this despicable progress. Meanwhile, ransom amounts have fluctuated in step with the state of this malicious ecosystem.
Ransoms at the Dawn of the Plague
Screen-locking ransomware was the prototype of today's crypto ransomware. These threats took root in 2010 with a locker that impersonated the ICPP Foundation, a fictitious anti-piracy association. The infection blocked access to the computer, accused the victim of copyright violations, and instructed them to pay a $100 "pre-trial settlement".
The scheme morphed into a new type of fraud in 2012 with the Reveton Trojan, which propagated via the BlackHole exploit kit. A slew of screen lockers allegedly emanating from local law enforcement agencies went on a rampage; the most notorious were the FBI Locker and the UK Metropolitan Police ransomware. While blaming victims for various cyber felonies, such as storing and disseminating prohibited adult content, these lockers instructed them to pay a fine so that the fictional case wouldn't go to court. The fine was 100 USD or EUR, with the currency and the impersonated agency chosen from the victim's location as derived from their IP address.
Fortunately, early screen lockers were easy to remove, and their payment channels were primitive. They used commonplace prepaid voucher systems such as MoneyPak, PaySafeCard or Ukash: victims were supposed to buy a prepaid card online or at a nearby retail location and enter its code into the payment form on the lock screen. Because the vouchers had to be redeemed through a regulated provider, this way of handling ransoms was comparatively traceable, and it is almost extinct today.
Cryptocurrency as a Game Changer
Cybercrooks broke new ground with the emergence of file-encrypting ransomware called CryptoLocker in 2013. This strain was the first to actually encrypt victims' data and to demand the ransom in Bitcoin. The use of Bitcoin was a significant enhancement of the extortionists' OPSEC: transactions are public on the blockchain, but the addresses are pseudonymous, and tracing funds that are scattered across many wallets back to a person is laborious, which complicates attribution. CryptoLocker also accepted payments via prepaid services, including MoneyPak, Ukash, and CashU. The ransom was $200-400, or alternatively 2 BTC; for the record, 1 BTC was worth about $200 back then.
Most modern ransom Trojans follow suit, but not all. The Star Trek themed Kirk ransomware, which surfaced in late March 2017, uses a different cryptocurrency, Monero. It asks for 50 XMR for data recovery, worth about $2,000 at the time of writing.
Incidentally, the value of Bitcoin has increased substantially over the past four years. Some researchers attribute part of that rise to the steadily growing ransomware market, which creates constant demand for the currency. The price of 1 Bitcoin has gone from about $200 to about $2,400 since CryptoLocker appeared in 2013. A typical ransom of 0.5-1 BTC therefore now equals $1,200-2,400, a much heftier amount than at the onset of the epidemic, even where the crooks have not raised the Bitcoin figure at all.
Biggest Ransoms Paid to Date
Predictably enough, online extortionists treat home users and enterprises differently when it comes to ransoms. The biggest reported payouts to date were made by organizations, including educational establishments, hotels and healthcare institutions. For instance, Los Angeles Valley College paid the equivalent of $28,000 in Bitcoin in a ransomware incident in January this year. The government of Madison County, Indiana, paid $21,000 in November 2016 to restore its records. The Hollywood Presbyterian Medical Center in Los Angeles was forced to cough up $17,000 in February 2016. The University of Calgary in Canada lost $14,700 in yet another newsmaking ransomware attack in June 2016.
Negotiating with the Criminals
The Spora ransomware outbreak in early 2017 introduced unprecedented "customer support". The crooks offered victims a bizarre deal: leave good feedback about the decryption service and get a ransom discount or an extended payment deadline in return. Another strain, the Popcorn Time ransomware, went a much more cynical route. It offered victims the decryption key for free if they agreed to infect other people by passing on a booby-trapped referral hyperlink. Either way, a lower or waived ransom is cold comfort.
How to Stay Safe against Ransomware?
The rule of thumb is to maintain data backups. At the very least, prioritize your files and back up the ones you cannot afford to lose, and keep at least one copy offline or versioned so that a ransom Trojan with access to your drives cannot encrypt the backup along with the originals. If infected, never pay up right away. Security researchers are constantly releasing free decryptors for different ransomware families, so first identify the strain (the ransom note and the extension appended to encrypted files are the usual clues) and look for a fix online. To steer clear of file-encrypting malware, refrain from opening dubious email attachments, use a reliable antivirus suite, and apply software patches as soon as they are rolled out: the SMB flaw that WannaCry exploited had been patched by Microsoft about two months before the outbreak, and the worm only hit machines that were still missing the update.
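The backup advice above has a practical catch: a backup job that blindly syncs a folder after a crypto-ransomware run will overwrite the only clean copy with ciphertext. The following Python script is an added example, not code from the original article, showing one way to guard against that. It keeps a SHA-256 manifest of the last known-good backup, flags changed files whose contents now look like random data (high Shannon entropy, which is what encrypted files look like), and verifies a restore against the manifest. The directory layout, file names and the "encrypt a file with random bytes" step in `demo()` are constructed for the example; any real backup tool can be used instead, as long as a manifest of the known-good copy is kept.

```python
"""Backup manifest check: hash files before backup, verify after restore.

Added example, not from the original article. Assumes a plain
directory-to-directory backup; the demo() scenario is constructed.
"""
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(known_good: dict, current: dict) -> dict:
    """Classify files relative to the last known-good manifest.

    A burst of 'changed' files is what a crypto-ransomware run looks like;
    syncing them over the good backup destroys the only clean copy.
    """
    return {
        "changed": sorted(k for k in known_good if k in current and current[k] != known_good[k]),
        "missing": sorted(k for k in known_good if k not in current),
        "new": sorted(k for k in current if k not in known_good),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits close to 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_changes(root: Path, report: dict, threshold: float = 7.5) -> list:
    """Changed files whose first 64 KiB now looks like random data."""
    flagged = []
    for rel in report["changed"]:
        with (root / rel).open("rb") as f:
            head = f.read(64 * 1024)
        if shannon_entropy(head) >= threshold:
            flagged.append(rel)
    return flagged


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return files that are missing or differ from the manifest after a restore."""
    return [
        rel for rel, digest in manifest.items()
        if not (restored / rel).is_file() or sha256_file(restored / rel) != digest
    ]


def demo() -> dict:
    """Constructed scenario: back up, 'encrypt' one file, detect it, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "thesis.txt").write_text("chapter one " * 500)
        (live / "notes.txt").write_text("call the bank on monday\n")
        shutil.copytree(live, backup)
        known_good = build_manifest(backup)
        # Simulate a crypto-ransomware run: the file is replaced by random bytes.
        (live / "docs" / "thesis.txt").write_bytes(os.urandom(6000))
        report = diff_manifests(known_good, build_manifest(live))
        flagged = suspicious_changes(live, report)
        # Flagged files mean: do not sync; restore from the verified backup.
        shutil.rmtree(live)
        shutil.copytree(backup, live)
        return {"flagged": flagged, "restore_errors": verify_restore(known_good, live)}


if __name__ == "__main__":
    print(demo())
```

Run the manifest diff before every backup job and abort the sync when `suspicious_changes` returns anything; the entropy threshold of 7.5 bits per byte is a heuristic that also flags legitimately compressed or encrypted archives, so treat a hit as a prompt to investigate rather than as proof of infection.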
From time to time, SensorsTechForum features guest articles by cyber security and infosec leaders and enthusiasts such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author, and may not reflect those of SensorsTechForum.