May 24, 2016 By Larry Loeb 4 min read

It’s been a tough year so far for security professionals: A malware outbreak led to a record high for ransomware in the first quarter of 2016.

Eldon Sprickerhoff, founder and chief security strategist at eSentire, told Security Intelligence in an email that “malware evolution seems to be as rapid and cutthroat as any jungle environment, where survival and propagation go hand in hand. Authors have frequently co-opted functionality from different malware strains into the next generation of code — regularly sampling the efficacy and profitability of each generation.”

Security vendor Kaspersky Lab noted a 30 percent increase in ransomware victims this quarter compared to the one before. It even said the number of attacks may be higher than these statistics reflect, since they only include signature-based and heuristic detections. Some ransomware samples are blocked on their profile and behavior alone, and as a result never appear in the reported statistics.

Why Ransomware?

Why this growth in ransomware specifically? What is it that makes it so attractive to cybercriminals? The simple answer, of course, is the money that it can produce and the direct path to profit it provides.

Let’s say a cyberattacker infiltrates a system and exfiltrates some sort of sensitive information, such as credit card numbers. The attacker is still faced with the task of monetizing that information. This involves identifying a market for it, gaining entry and then possibly offering information to unknown parties — some of whom may well be white-hat security workers. Sellers are possibly exposing themselves to authorities by the very act of participating in such a marketplace.

A ransomware attack is a more direct route to payment. The victim pays the ransom in a relatively anonymous digital currency and typically reaches the criminal through the less conspicuous Tor browser.

That is not to say this is a foolproof scheme by any means. Tor is not an anonymity panacea; it can be defeated by countermeasures, which can lead to the unveiling of the criminal’s identity.

The bitcoin payment avenue is also open to law enforcement efforts. For example, on May 7, the founder of an online underworld bank that had allegedly laundered billions of dollars for criminals from 2005 to 2013 was sentenced to 20 years in prison, SecurityWeek reported. Such banks may work for a time, but their continued operation often leads to prosecution.

How Big Is the Problem?

While the current statistics show a rise in ransomware, it may be a surprise to learn that it is not yet the most common form of malware.

Enigma Software reported that after staying steady for the last six months of 2015, ransomware detection began to climb: February saw a 19 percent increase over January, while March had almost a 10 percent increase over February.

Then, in April, infections more than doubled — so the future Q2 report may not be much better than Q1. To add insult to injury, the percentage of overall infections attributed to ransomware was the highest of any month in the last three years.

I spoke with Ryan Gerding of Enigma Software about this. “It’s still infinitesimal compared to the other infections out there. Good old-fashioned adware — the kind that messes with your toolbar — as well as rogue anti-spyware are by far more prevalent than ransomware with about a 40 percent detection rate,” he said.

“Ransomware makes up less than one percent — 0.75 [percent], actually — of all of the infections that were detected on our customers’ computers. Nuisance infections — the kind that make your computer run more slowly — are far more prevalent at a 20 percent detection. But because they don’t steal and extort, they get a lot less attention.”

Gerding also offered advice on dealing with the malware: “Don’t ever pay the ransom, for a couple of reasons: First, it proves to the bad guys that this mode of tricking you works. Second, there is no guarantee that you will get your files back. The best defense is to regularly back up your data. The other advice we offer to anyone — individual users or businesses — is to think about that link before you click on it. It’s the main way that criminals are getting these infections onto your computer.”

Avoiding Another Record High for Ransomware

Another characteristic of ransomware, as Gerding alluded to, is that it depends on the victim not having an effective backup strategy. Having one means the entire ransomware strategy can be easily defeated. Cybercriminals assume that the discipline needed for such a strategy is not there, and too many times they are right.

The crisis that is a ransomware attack is but one reason a backup and restoration policy has to be in place. Computers are machines, and therefore are subject to the hardware mishaps that inevitably occur. Without a way to respond to failure and protect against threats, data will be lost — regardless of whether the cause is ransomware or a hard disk crash. Ransomware just highlights the perils of not having this effort in place.

Ransomware is a dramatic attack, replete with splash screens flaunting the skull-and-crossbones and ransom notes. But it can be defeated by any user who does what should be done in any case: keep a reliable backup and restore method active and tested.
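A backup only defeats ransomware if it can actually be restored and has not itself been overwritten. The following Python script is an added example, not code from the article or from IBM Security: it copies a source tree, records a SHA-256 manifest of the copy, and later checks any tree against that manifest so that files that were silently overwritten (as an encrypting payload would do) or dropped in are reported before a restore is trusted. All file names, contents and the simulated damage are constructed inside a temporary directory.

```python
"""Verified-backup example (added; not the article's or IBM's own code).

backup()        copies a directory and writes a SHA-256 manifest beside it
verify()        compares a directory against a manifest and reports
                changed / missing / extra files
demo()          constructed scenario: back up two files, simulate the live
                copy being overwritten, then check both trees
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(src: Path, dest: Path) -> dict:
    """Copy src to dest and persist the manifest next to (not inside) dest."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)
    manifest = build_manifest(dest)
    manifest_path = dest.parent / (dest.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def verify(tree: Path, manifest: dict) -> dict:
    """Report how a tree differs from the manifest it was backed up with."""
    current = build_manifest(tree)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario run entirely inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        live.mkdir()
        (live / "invoice.txt").write_text("invoice 0001: 42.00")   # constructed sample
        (live / "notes.txt").write_text("meeting notes")           # constructed sample

        bak = base / "backup"
        manifest = backup(live, bak)

        # Simulated damage on the live copy (constructed): one file's contents
        # replaced with random bytes and an unexpected file dropped in.
        (live / "invoice.txt").write_bytes(os.urandom(32))
        (live / "ransom_note.txt").write_text("simulated note")

        return {
            "live": verify(live, manifest),     # should flag the damage
            "backup": verify(bak, manifest),    # should be clean
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints the live tree with `invoice.txt` under `changed` and `ransom_note.txt` under `extra`, while the backup tree reports nothing, which is the condition a restore should require. The manifest deliberately lives outside the backed-up directory, and in practice both the copy and the manifest need to sit somewhere the affected machine cannot write to (offline media or a separate account), otherwise the same payload that overwrote the live files can overwrite the backup as well.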
