The rise of 'crimeware as a service': Ransomware, 1989 to now

Dr Malcolm Murphy of Infoblox discusses the rise of ransomware

This is a contributed piece by Dr Malcolm Murphy, Technology Director of Western Europe at Infoblox


Over the past few months, barely a week has gone by without news of a high profile ransomware attack, a new campaign, or new string of this particularly debilitating malware.

Healthcare organisations in particular, with the wealth of essential and sensitive information that they hold, have become prime targets for ransomware attacks. In February this year, Hollywood Presbyterian Medical Center paid over $17,000 to the “data kidnappers” who took control of its systems, with similar cases also reported in two other Californian hospitals, as well as in Kentucky and Maryland.

But ransomware isn’t limited to large-scale, high profile operations. Earlier this summer, millions of Microsoft Office 365 users were exposed to a colossal zero-day ransomware attack, which not only issued a ransom note but also gave an audio warning to victims informing them that their files had been encrypted.

Indeed, there has been a massive rise in the creation of malicious domains worldwide during the first three months of 2016, reported by the Infoblox DNS Threat Index. While a 3,500 per cent increase in domains that either hosted or communicated with malicious ransomware downloads was recorded in the first quarter of the year.


The risk to reward ratio

Independent researchers have indicated that there are now more than 120 families of ransomware which, like many forms of malware, gain access to networks using phishing or spear phishing attacks, which lead the user to download an email attachment or click through to a malicious domain. Malvertising, where malware is spread across online advertising networks, is also growing in popularity, enabling cybercriminals to target users of “clean” websites.

Ransomware is no new technique, having been first documented in 1989 when users were forced to pay $189 to obtain a repair tool for “PC Cyborg”. However, there has been a massive boom in popularity in recent years, as ever-more areas of our work and personal lives are dependent on access to the digital world.

And this trend isn’t subsiding: a further spike was documented at the beginning of this year, with the 35-fold increase in ransomware-related domains recorded in the first quarter of 2016 accounting for 60 per cent of all observed malware.

The size of reward has undoubtedly been another factor in the growth of ransomware. Whereas previously it had been used to scam consumers out of small amounts of money, it is now increasingly used to carry out larger, more lucrative attacks on businesses.

The ubiquitous nature of crypto currencies, such as Bitcoin, has also enabled cybercriminals to reduce the risk of exposure when receiving payment from their victims. The real-world transfer mechanisms which were previously relied upon, such as PayPal, were largely straightforward for the authorities to track, whereas complete anonymity can now be assured when amassing the ransom.


The commoditisation of cybercrime

If the reduced risk and increased profitability weren’t making ransomware attractive enough, it has now become far easier for people to launch ransomware attacks. Cybercrime toolkits, for example, offer the novice criminal services including spamming, hosting and targeting, and have spurred the creation of the industrial-scale market for “crimeware as a service”.

Scaling up these attacks has been facilitated further by the great wealth of data which is readily available on many potential targets, enabling cybercriminals to simultaneously target potential victims. In some cases, the crypto malware itself can provide some sort of information on a criminal’s potential victim, enabling them to pick and choose who to target. This supports cybercriminals in targeting high-value victims, such as hospitals, accountants, or SMBs, where the data which is being held on the targeted computer and/or network is of such a significant value that attackers can demand a higher ransom.  

As such a high reward and well-facilitated attack vector, ransomware attacks are likely to continue in the foreseeable future, especially as they become easier to carry out at scale. And with the relatively low cost of malicious infrastructure, from a criminal’s perspective, scaling up these activities is likely to produce a sizeable return on investment.


Putting up defences

As with much of the malware family, a relatively straightforward defensive strategy can help businesses protect themselves against ransomware. Ensuring that security measures are as tight as possible is key: from having all software patched and up to date, and deploying DNS effectively as an enforcement point to block ransomware, to making sure users observe best practice. It is also essential to check that all data is clean, secured and regularly backed-up. Without a clean, back-up copy, an organisation’s data is perpetually at risk.

Low risk, lucrative and easy to use – it is unlikely that the ransomware threat will be going away any time soon and we’re sure to see further instances of successful ransomware attacks in the headlines in the coming months, which will undoubtedly, in turn, fan the flames of its popularity.

Only when organisations universally take the necessary steps to secure and back-up their data, reducing the impact of encrypting the primary network, will we see a decrease in ransomware. Taking these essential defensive steps will not only help businesses prevent attacks against their own organisation, but also reduce the potential reward for attackers and stem the growth of this vicious trend.


Also read:
Love your mobile? It can hold you to ransom