By Byron Acohido
In a ransomware attack, victims are prevented or limited from accessing their systems. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer and then extracting a ransom in exchange for decrypting the data and allowing the victim to regain access.
Until now, most attacks have targeted consumers, and to a lesser extent businesses, working on Windows platforms.
That’s about to change. Small- and medium-size business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools, security experts caution.
Upcoming webinar: Navigating Identity Theft: How to Educate and Protect Your Employees and Clients
Many of the malicious campaigns likely will be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets, experts say.
Estimates about the cost to victims from the more widely used ransomware tools like CryptoWall and CryptoLocker range from tens of millions to hundreds of millions of dollars.
Now analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Earlier this month, researchers at security vendor Emsisoft analyzed a malware tool dubbed Ransom32 that many believe is a harbinger of things to come on the ransomware front.
Fewer are immune to attack
Ransom32 is the first ransomware tool written entirely in Javascript. That makes it easily portable to other platforms like Linux and Mac OS X.
Kowsik Guruswamy, Menlo Security chief technology officer
Kowsik Guruswamy, Menlo Security chief technology officer
Unlike the JavaScript in a browser that is sandboxed to prevent access to the file system and other local resources, Ransom32 also is designed to have unfettered access to the system, says Kowsik Guruswamy, chief technology officer at Menlo Security.
“Ransom32 is one of a kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.”
Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account.
The malware does not require any specific skills to operate and comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and to take a 25 percent cut from the total.
DIY kit for bad guys
Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was a malware tool dubbed Tox, discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack.
“Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.”
Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug it immediately, Wosar says.
Going forward, expect to see the emergence of tools like Ransom32 and trends like ransomware-as-a-service pose a bigger threat for businesses, especially the small and medium ones, which generally don’t have the same resources that large companies have to defend themselves, the experts say.
Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems.
SMBs have limited defenses
“Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].”
One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interface to gain access to internal systems and data. In such situations, it is just a matter of time before an attacker stumbles upon a critical server and hijacks it for ransom, Wosar says.
Since the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and become virtually undetectable in the process. “All that is left behind is usually a note that informs the admin about the hack with a means of communication to negotiate the price.”
There already has been an increased interest from cyber criminals in specifically targeting companies, because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany.
“A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.”
Byron Acohido is editor-in-chief of ThirdCertainty.com, where this article originally appeared.