Malware-makers are broadening their horizons. Beyond the basic traits of sneaking onto victim systems, locking all files and demanding payment for decryption, cybercriminals are now getting creative and adding their own unique spin on otherwise unremarkable code.
That’s the case with new ransomware variant Smrss32. It’s not the catchiest name, but according to Softpedia, the creator is swinging for the fences by targeting more than 6,600 file extensions. With most ransomware opting for 50 to 500 file types, this is a big increase — but is this malware really that much of a risk?
An Expanding Market
Historically, ransomware existed as a niche category of malware at large, but the recent uptick of always-connected devices and cryptocurrency adoption has led to an ideal market for cybercriminals: Users store entire virtual lives on their laptops and smartphones, and many are willing to fork over bitcoin if their files are threatened.
Now, ransomware-makers need little more than the drive to commit cybercrime and access to the Dark Web to obtain the basic code they need. This expanding market has led to some interesting developments: As noted by Bank Info Security, for example, threats such as Hitler and El Gato ransomware display pictures of the Nazi leader and cute cats, respectively, while users are prompted to pay up if they want their files back.
Geek.com, meanwhile, described a ransomware variant that allows actors to take control of connected thermostats and then crank up the heat or freeze out victims until they agree to pay. The attack requires physical access and isn’t the most practical application of ransom code, but remains a worrying proof of concept.
Not the Sharpest Tool
While the number of files targeted by Smrss32 is staggering, Softpedia noted that the code itself isn’t particularly sophisticated. Experts pointed out that it would have been “easier to whitelist what not to encrypt than using this approach,” while others noted that the attackers didn’t seem to understand that file types are case insensitive — meaning they didn’t need to duplicate .PNG and .png and could have saved a significant amount of time.
Still, there’s some reason for concern, since the ransomware variant won’t ruin core Windows files and leverages unsecured RDP connections to manually infect machines. So far, at least 15 victims have paid the 1 bitcoin ($590) ransom, but security researchers are working on a decryption tool that should finish off this file encryptor once and for all.
Ramsomware Variant Targets Big Companies
On its own, the Smrss32 ransomware isn’t a substantial threat. Just like malware filled with kitten pictures or 20th-century villains, it’s more a nuisance than unnerving.
As noted by Business Insider, however, the widening market for ransomware is driving a shift toward corporate rather than personal attacks. That’s prompting big banks to stock up on cryptocurrency in case they’re targeted and their files are compromised.
According to a recent Malwarebytes survey, 54 percent of companies came under threat of ransomware in the last year. Unlike individuals who may not have access to bitcoin or deem it worth the cost to recover photos or personal documents, financial institutions or health care agencies can’t risk the reputational damage of a data breach or the recovery costs of deleted files. As a result, they’re much more likely to pay up immediately, and malware targeting more than 6,600 file types would spur most businesses to reach for their wallets rather than wait for a fix.
Smrss32 isn’t the sharpest malware tool in the box, but it represents a sea change in the ransomware market at large: Unique characteristics layered over common base code to create quick-and-dirty attacks that may spook individuals but prompt bigger companies to shell out in hopes of keeping data secure.