Four Leaders in the Ransomware Game
by Kenneth May-Swift Chip
You’ve heard of CryptoLocker, right? Sure, it’s the media favorite, but there are a lot of other players these days that are worth more than an honorable mention. As an MSP, you know how important it is to stay current on the sheer breadth and depth of these types of threats—not to mention their individual characteristics—in order to keep clients protected. Let’s take a look at the lineup.
1. CryptoWall 4.0
The CryptoWall family seems to turn out a winner with every generation. Like its predecessor, the 4.0 version of CryptoWall uses phishing emails to distribute. This should come as no surprise, since phishing remains the single most effective way to deliver a payload. But this latest iteration doesn’t play by the old rules; not only are the victim’s files encrypted, the names of the files are randomized so the victim no longer knows which file is which. By creating so much confusion about how much file damage there really is, the new CryptoWall increases the chances that victims will pay out.
CryptoWall 4.0 also includes a free decrypt demo, which convinces victims that the decryption routine they need to get their files back is easy, and that paying the ransom will actually get their files back.
- Phishing email attachment is source of payload
- Randomizes victim’s filenames to create confusion
- Offers free decrypt demo to add credibility
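One defender-side use of the filename randomization described above: a heuristic that flags a directory listing in which most names look random, something ordinary user files rarely share. This is an added example, not code from the original post or from any product; the sample listings, the thresholds and the ransom-note filename are constructed for illustration.

```python
import math
import os
import re
from collections import Counter

# Extensions a user directory normally contains; a random stem with one of
# these is more likely a cache or hash-named file than a ransomware artefact.
COMMON_EXT = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "md", "html"}
RANDOM_STEM = re.compile(r"[a-z0-9]{8,}")  # no spaces, dots, hyphens or underscores
MIN_ENTROPY = 3.0                           # bits per character of the stem

def name_entropy(stem):
    """Shannon entropy (bits/char) of a filename stem; 0.0 for empty or uniform."""
    if not stem:
        return 0.0
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in Counter(stem).values())

def looks_randomized(filename):
    """True if the name resembles a machine-generated random string."""
    stem, ext = os.path.splitext(filename.lower())
    if ext.lstrip(".") in COMMON_EXT or not RANDOM_STEM.fullmatch(stem):
        return False
    if not (any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)):
        return False
    return name_entropy(stem) >= MIN_ENTROPY

def assess_listing(names, min_files=5, threshold=0.5):
    """Alert when at least min_files exist and a large share have random names."""
    flagged = [n for n in names if looks_randomized(n)]
    ratio = len(flagged) / len(names) if names else 0.0
    return {"total": len(names), "randomized": len(flagged),
            "ratio": ratio, "alert": len(names) >= min_files and ratio >= threshold}

# Constructed listings: a healthy user folder and the same folder after
# CryptoWall-style renaming (random stems and extensions plus a drop note).
NORMAL = ["budget_2016.xlsx", "vacation.jpg", "thesis_draft.docx", "notes.txt", "README.md"]
ENCRYPTED = ["7k2m9x1qz4.a3b", "p8v3n0hw6y.z9q", "x4c7j1r5ta.k2d",
             "b6y9e2u0qn.m8f", "r1t5o8z3wv.g4h", "DECRYPT_INSTRUCTIONS.html"]

if __name__ == "__main__":
    for label, listing in (("normal", NORMAL), ("encrypted", ENCRYPTED)):
        print(label, assess_listing(listing))
```

Run against a real share, the check is most useful as a rate: a folder that goes from 0% to 80% random names in minutes is a stronger signal than any single name.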
2. PadCrypt
What sets this new ransomware apart from the pack is its willingness to interact with the public; PadCrypt includes a chat interface embedded into the product. The process of getting a Bitcoin wallet address, filling it with coins, and sending payment securely can be complicated, so this chat feature adds a more human support element, helping the perpetrators ensure that their victims remit ransom payments promptly. (Isn’t that nice?)
- First ransomware with chat support
- Communicates via Darknet to avoid being traced
- “Helps” even less savvy victims pay up
3. TeslaCrypt
TeslaCrypt was something of an up-and-comer, specifically targeting gamers by encrypting the files they need for their games. This included save games, mods, and player profiles for titles such as DayZ. Because TeslaCrypt was being sold on the Darknet by people other than its authors, the original authors chose to release its master key to the public to permanently defuse the threat. As diverse and competitive as the ransomware sphere seems to be, however, we might end up seeing this player again next season.
- Accounted for ~11% of distributed ransomware
- Attacked over 200 extensions on newer variants
- Specifically targeted gamers (Valve, Bethesda, Unreal Engine files)
- Got around third-party defenses to deliver polymorphic payloads at root level
4. RaaS (Ransomware-as-a-Service)
RaaS isn’t really a player, per se, but it was created for criminals by criminals to open the playing field to hackers of all skill levels. With RaaS, almost anyone can design encrypting ransomware payloads and then distribute them from their existing botnets. Hackers pay for this service by handing off a cut of their spoils to the RaaS author.
- Enables almost anyone to make ransomware
- Portal for malware generation is exclusively in Darknet (typically invite-only)
- Intended for less-skilled cybercriminals who rent botnets
- The malware author who created the portal takes a commission
Although the number of players keeps growing, and their skills and strategies keep getting more advanced, there are steps that we can take to maximize defense and help clients win hands down. Educating yourself and your customers about the various offensive strategies and types of exploits favored by today’s ransomware is key—as well as setting up a winning defense with next-generation endpoint protection that utilizes collective threat intelligence to hit hard and proactively protect against constantly-evolving malware.