ransomware reasonable risk

2016 has proven to be a banner year for ransomware.  The year kicked off with a series of ransomware attacks on a trio of hospitals, including the well-publicized incident at Hollywood Presbyterian Medical Center, which forced its IT staff to shut down the network while administration officials, under duress, agreed to pay a $17,000 bitcoin ransom.  The year is culminating in dramatic fashion as well: thousands of San Francisco commuters got to ride for free as a result of a ransomware attack on the San Francisco Municipal Transportation Agency, which infected 2,112 computers and took its light rail transit system offline for more than 24 hours.

The idea of altering the files of a computer system through some sort of malware is nothing new.  It was not uncommon back in the 90’s to get infected with a virus that would delete your files.  It was hard to understand the motivation for such attacks other than mere nefarious behavior by obnoxious individuals with coding skills.  Today, however, the alteration of files is big business, and as the saying goes, money changes everything.

The statistics say it all:

  • There has been a 172% increase in new ransomware families discovered in the first half of 2016 alone
  • Nearly 50% of U.S. companies have reported some type of ransomware attack over the past year
  • Ransomware will cost enterprises an estimated $209K in the latter half of 2016
  • Marcin Kleczynski, CEO at Malwarebytes, stated that the threat to financial institutions is so serious that banks are stockpiling bitcoins to be prepared in case of a ransomware attack

The exponential growth of ransomware is fueled by more than just the allure of money.  It is being stimulated through prepackaged distribution models that allow any cyber criminal wannabe to become a malware entrepreneur.  It is called Ransomware as a Service, or RaaS, and the premise behind it is simple: make its implementation so user-friendly that just about anyone can do it.  Anyone brave enough to venture out onto the Dark Web can simply download the complete package.  Yes, for a nominal investment as low as $39, you can ring the bitcoin cash register by starting your own cyber extortion business, all without having any coding skills at all.

So why would the creators of these malware packages charge so little?  It’s simple: they get a cut of every ransom that is paid.  Purchasers are the “downline,” the essential aspect of every multi-level marketing (MLM) organization.  Distribution channels are organized by a boss or kingpin, and the structure is then arranged in a tiered hierarchy of 10-15 affiliates per boss.  Current estimates are that bosses can earn about $90K on an average annual basis, while affiliates take in an average of $7,200 annually.  Yes, the Internet affiliate model that initially worked so well for companies such as Amazon is now helping to encourage the proliferation of ransomware conglomerates.

This business-style approach to ransomware is becoming evident in other aspects as well.  Just as simplifying the implementation of ransomware has lined the pockets of its creators with easy money, cyber criminals are learning that it pays to make the payment process simpler as well.  The fact is that many people have no idea what a bitcoin is or how to obtain one if they wanted to.  Recently, hackers have been adding support pages to their sites for victims of the CryptoLocker and CryptoWall variants.  The underlying purpose is to guide the customer, or victim, through the confusing payment process, which also makes things very businesslike.  This is highly important because ransomware masterminds who take a long-term approach want to promote the idea and build the reputation that if the individual or organization does pay, they will get the decryption key and be on their way to retrieving their data intact.  A recent businessinsider.com article quoted one ransomware developer as stating, “I try to be as much of a gentleman thief as my position allows me to be.”  It has even been reported that at least one ransomware developer runs a call center where victims can phone in and get guidance on how to get their files back.  One can only imagine being on hold after a large malware attack wave and hearing, “Please hold, a customer service representative will be with you momentarily.  Your call is appreciated.”

Another example of the normalization of ransomware is Ransoc, another extortion-based malware scam which, once downloaded, scans your local drives and shares for items such as pirated music, movies or pornographic material.  At the same time, Ransoc searches for social media accounts such as Facebook, LinkedIn and Skype.  Ransoc then creates a blackmail message informing the victim that the discovered materials will be published on their social media accounts unless payment is made.  What makes this scheme so unusual is the fact that the Ransoc criminals are willing to accept ransom payment through bank or credit card transfers.

However fascinating all of this is, it is evident that the threat of ransomware is only going to grow more daunting.  Let’s face it: ransomware is the new Amway.

Are you prepared for a cyber security incident? Assess your incident response readiness. If you have a security incident, we can help minimize the impact.

Incident Response Hotline: 800-925-0559

By Erik Leach