“I saw it was CryptoLocker and I knew we were hosed. Our critical stuff was locked up and I just told the boss to pay up and pay now.”
The system administrator for one of Australia’s biggest hotel chains had little choice but to pay the ransom when financial data and operationally critical files were encrypted last year by the most dangerous variant of ransomware.
“It cost the company $8,000 – chickenfeed in terms of its cash flow and probably less than the hit to daily operations, but it shook the executives to their core.” The administrator, speaking to CRN under the condition of anonymity, says the attackers got lucky and phished the company’s human resources manager, who had access to the most sensitive data.
Soon after the Bitcoin ransom was paid, the company received the decryption key to unscramble their critical data. “They were relieved,” says the sysadmin.
They always are relieved. The victims of high-end CryptoLocker attacks are more akin to unwilling clients of this well-oiled, ultra-sophisticated sprawling criminal enterprise, which took the world by storm and in just five short years has become an industry worth tens of millions of dollars.
What’s helping ransomware spread so voraciously is something CRN readers hold dear: a channel model. The authors who write the malicious code are often not the same criminals who deploy the malware; instead developers make money from licence payments or clipping the ticket on subscriptions. By doing so, they distance themselves from the crime, while also creating a scalable model.
Rise of the colossus
The concept of ransomware was first hatched in 1989 when the trojan known as AIDS began locking up users’ files. The ancestor to the modern-day menaces was spread via a floppy disk posted out to subscribers of an online mailing list. It used weak symmetric encryption to lock up the subscribers’ files before demanding they send US$189 to a post office box in Panama. Once the cash was received, a decryption key was sent back.
The author, Dr Joseph Popp – who was identified by the antivirus industry and later arrested – says he intended the cash to go to AIDS research. Dr Popp was associated with medical organisations including the Flying Doctors and the World Health Organization. He was soon released without standing trial and his ransomware was cracked with the antidote program CLEARAID, which removed the encryption.
The unknown authors of CryptoLocker have no such misplaced goodwill. The FBI puts the damages from victims – who have paid after being unable to crack CryptoLocker’s watertight encryption – at some US$18 million in the States alone. That number is certain to blow out, considering that estimates, which vary by time and type, suggest North America represents between 40 and 60 percent of the global victim base. But Americans are not alone; Aussies are also in the crosshairs.
“Australia is disproportionately represented in ransomware,” says Bradley Marden, coordinator of Interpol’s Digital Crime Centre. “Australia is actually disproportionately represented in almost every financially motivated cyber crime.”
The near-30-year veteran of the Australian Federal Police moved to Interpol’s Singapore office in January to take his cyber crime fighting efforts to the global stage. He has seen the carnage of ransomware first hand and has the criminals firmly in his sights.
Marden says CryptoLocker stands out as the most damaging among the variants of ransomware. It belongs to his category of ‘strong ransomware’, sharing podium space with the likes of Cryptowall and Torrentlocker.
Oh Sieng Chye, threat researcher at infosec vendor ESET, finds similar damage down under. “There were some 8,000 infections in Australia in the first half of this year of various forms of ransomware,” the Singapore security bod says. “We receive calls from infected customers on a weekly basis.”
Oh says ransomware should be considered in the top three online threats to organisations and individuals.
Android-based ransomware is also enjoying a rise in sophistication and profits. BitDefender’s most recent statistics from July say infection rates rocketed this year from a paltry 6 percent to 25 percent of all reported mobile malware in April and May.
“Android ransomware has drastically changed from being a small benign application that used to trick and scare users into thinking they have been infected, to actively seizing control over their devices and preventing users from uninstalling the malicious application,” says Bogdan Botezatu, senior threat researcher at BitDefender. “While at first ransomware could have been removed by simply uninstalling the app, today’s versions require a bit more technical expertise to ‘flush’ the application from a user’s Android device.”