Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files until a ransom is paid. More modern ransomware families, collectively categorized as cryptoransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.
Ransom prices vary depending on the ransomware variant and the price or exchange rates of digital currencies. Thanks to the perceived anonymity offered by cryptocurrencies, ransomware operators commonly specify ransom payments in bitcoin. Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system or hostaged files.
Users might encounter this threat through a variety of means. Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload that is either dropped or downloaded by other malware. Some ransomware are delivered as attachments from spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.
Once executed in the system, ransomware can either lock the computer screen or, in the case of cryptoransomware, encrypt predetermined files. In the first scenario, a full-screen image or notification is displayed on an infected system's screen, which prevents a victim from using their system. This notification also details instructions on how a user can pay the ransom. In the second scenario, ransomware prevents access to potentially critical or valuable files like documents and spreadsheets.
Ransomware is considered "scareware" as it forces users to pay a fee (or ransom) by scaring or intimidating them. In this sense, it is similar to FakeAV malware, but instead of capturing the infected system or encrypting files, FakeAV shows fake antimalware scanning results to coax users into purchasing bogus antimalware software.
Cases of ransomware infection were first seen in Russia between 2005 and 2006. Trend Micro published a report on a case in 2006 that involved a ransomware variant (detected as TROJ_CRYZIP.A) that zipped certain file types before overwriting the original files, leaving only the password-protected zip files in the user’s system. It also created a text file that acted as the ransom note informing users that the files can be retrieved in exchange for US$300.
In its earlier years, ransomware typically encrypted particular file types such as .doc, .xls, .jpg, .zip, .pdf, and other commonly used file extensions.
In 2011, Trend Micro published a report on an SMS ransomware threat that asked users of infected systems to dial a premium SMS number. Detected as TROJ_RANSOM.QOWA, this variant repeatedly displayed a ransomware page to users until they paid the ransom by dialing a certain premium number.
Another notable report involved a ransomware type that infects the Master Boot Record (MBR) of a vulnerable system, preventing the operating system from loading. To do this, the malware copies the original MBR and overwrites it with malicious code. It then forces the system to restart so that the infection takes effect and displays the notification (in Russian) once the system restarts.
Ransomware infections were initially limited to Russia, but due to ransomware’s popularity and profitable business model, it soon found its way to other countries across Europe. By March 2012, Trend Micro observed a continuous spread of ransomware infections across Europe and North America. Similar to TROJ_RANSOM.BOV, this new wave of ransomware displayed a notification page (supposedly from the victim’s local police agency) instead of the typical ransom note (discussed more thoroughly in the section titled “The Rise of Reveton and Police Ransomware”).
During this period, different tactics were used to spread ransomware. A case in 2012 involved the website of a popular French confectionary that was compromised to serve TROJ_RANSOM.BOV. This watering hole tactic resulted in widespread infections both in France and Japan, where the shop also had significant fan bases. It is also worth noting that instead of the usual ransom note, TROJ_RANSOM.BOV displayed a fake notice from the French police agency, Gendarmerie Nationale.
Reveton is a ransomware type that impersonates law enforcement agencies. Known as “police ransomware” or “police trojans,” these malware are notable for showing a notification page purportedly from the victim’s local law enforcement agency. This page informs them that they were caught doing an illegal or malicious activity online.
To know which local enforcement agency is applicable to users, Reveton variants track the geographical location of their victims. Thus, affected users living in the US receive a notification from the FBI, while those located in France are shown a notice from the Gendarmerie Nationale.
Reveton variants also employ a different payment method compared to early ransomware attacks. Once a system is infected with a Reveton variant, users are prompted to pay through UKash, PaySafeCard, or MoneyPak. These payment methods afford ransomware perpetrators their anonymity, as both Ukash and PaySafeCard have a faint money trail.
In 2012, different types of Reveton variants were seen exhibiting new techniques. In the latter part of the same year, Trend Micro reported on variants that played an audio recording using the victim’s native language, as well as another variant that used a fake digital certificate.
In late 2013, a new type of ransomware that encrypted files aside from locking a system emerged. The encrypted files ensured that victims were forced to still pay the ransom even if the malware itself was deleted. Due to its new behavior, it was dubbed as “CryptoLocker.” Like previous ransomware types, cryptoransomware demands payment from affected users in exchange, this time, for a decryption key to unlock the encrypted files.
Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption method used, analysis shows that the malware uses AES + RSA encryption.
RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data (one key, called the public key, is made available to any outside party; the other is kept by the user and is called the private key.) AES uses symmetric keys, which means that it uses the same key to encrypt and decrypt information.
The malware uses an AES key to encrypt files. The AES key for decryption is written in the files that are encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it.
Further research revealed that a spam campaign was behind the CryptoLocker infections. The spammed messages contained malicious attachments that belonged to TROJ_UPATRE, a malware family characterized by its small file size and simple downloading function — it downloads a ZBOT variant, which then downloads the CryptoLocker malware.
Near the end of 2013, a new variant of CryptoLocker emerged — this time, with propagation routines. This variant, detected as WORM_CRILOCK.A, can spread via removable drives, a routine unheard of in other CRILOCK variants. This means that the malware can easily spread compared to other variants. Additionally, it does not rely on downloader malware like CRILOCK to infect systems; rather, it pretends to be an activator for software used on peer-to-peer (P2P) file-sharing sites. Technical differences have led some researchers to believe that this malware was produced by a copycat.
Afterward, another file-encrypting ransomware type soon came into the picture. The cryptoransomware known as CryptoDefense or CryptorBit (detected as TROJ_CRYPTRBIT.H) encrypts database, web, office, video, image, script, text, and other non-binary files. It also deletes backup files to prevent the restoration of encrypted files and demands payment for a decryption key for the locked files.
Ransomware soon began to incorporate yet another element: cryptocurrency (such as bitcoin) theft. In 2014, Trend Micro saw two variants of a new malware called BitCrypt. The first variant, TROJ_CRIBIT.A, appends “.bitcrypt” to any encrypted files and displays a ransom note in English. The second variant, TROJ_CRIBIT.B, appends the file name with “.bitcrypt 2″ and uses a multilingual ransom note in 10 languages. CRIBIT variants use the encryption algorithms RSA(426)-AES and RSA(1024)-AES to encrypt the files and specifies that the payment for unlocking files be made in bitcoins.
It was also discovered that a variant of the Fareit information stealing malware, TSPY_FAREIT.BB, downloads TROJ_CRIBIT.B. This Fareit variant can steal information from various cryptocurrency wallets, including wallet.dat (Bitcoin), electrum.dat (Electrum), and .wallet (MultiBit). These files contain important information such as transaction records, user preferences, and accounts.
In 2015, the Angler exploit kit was one of the more popular exploit kits used to spread ransomware, and it was notably used in a series of malvertisment attacks through popular media such as news websites and localized sites. Angler was constantly updated to include a number of Flash exploits and was known for being used in notable campaigns such as the Hacking Team leak and Pawn Storm. Because of its easy integration, Angler remains a prevalent choice as a means to spread ransomware.
A new variant of ransomware and CryptoLocker threats that surfaced leverages the Windows PowerShell feature to encrypt files. Trend Micro detects this as TROJ_POSHCODER.A. Windows PowerShell is a built-in feature in Windows 7 and higher. Cybercriminals often abuse this feature to make threats that are undetectable on the system and/or network.
POSHCODER uses AES encryption and an RSA 4096 public key to encrypt the said AES key. Once all files on the infected system are encrypted, it displays the following image:
While cryptoransomware might have become popular with cybercriminals, this doesn’t mean that other types of ransomware have disappeared from the threat landscape. For instance, police ransomware has still been observed locking the screens of infected computers:
Notably, what makes this particular ransomware different from other police ransomware is that it rides on patched malware to infect systems. Patched malware is any legitimate file that has been modified (via addition or injection) with malicious code. Modifying a legitimate file can be advantageous to cybercriminals as the rate of execution of malicious code will depend on the infected file’s frequency of use.
This ransomware is also notable for infecting user32.dll, a known critical file. Infecting a critical file can be considered as an evasion technique since it can help prevent detection through behavioral monitoring tools due to safelisting. Additionally, cleaning critical files such as user32.dll requires extra care as one misstep can crash a system, which could be seen as a possible obstacle for cleaning tools.
The infected user32.dll performs a chain of routines that ends with the ransomware being loaded. It also locks the infected computer's screen and projects a “ransom” image, similar to previous police ransomware messages.
Within a couple of years, ransomware has evolved from a threat that targeted only Russian users to an attack that spread to several European and North American countries as well. With a profitable business model and a payment scheme that affords anonymity for its operators, ransomware development is expected to accelerate over the coming years. Thus, it is crucial for users to know how ransomware works and how to best protect themselves from this threat.
Earlier cryptoransomware types targeted .doc, .xls, .jpg, .zip, .pdf, and other commonly used files to encrypt them. Cybercriminals have since included a number of other file types that are critical to businesses, like database files, website files, SQL files, tax-related files, CAD files, and virtual desktop files.
When the ransomware as a service (RaaS) model entered the picture, it made it easier for a variety of attackers, even those who have little technical knowledge, to wield ransomware against targets. RaaS involves selling or renting ransomware to buyers who are called affiliates, and this model can be credited as one of the primary reasons why ransomware attacks have been proliferating rapidly.
Comparison of direct ransomware operations (left) and RaaS operators (right)
The RaaS-operating criminal group first needs to develop or acquire the ransomware software and infrastructure. They then proceed to recruit affiliates through online forums, Telegram channels, or personal connections, with some operators investing as much as US$1 billion for recruitment efforts. Once enlisted, affiliates can then launch their own attacks. RaaS provides a win-win situation and a high payout for both operators and affiliates. Affiliates can earn payouts without having to develop the ransomware themselves, while operators can directly make a profit from their affiliates. The payouts are normally organized using a revenue model for RaaS subscriptions. The possible revenue models besides subscription are one-time payments, profit sharing, and affiliate marketing.
After the shift to cryptoransomware, extortion malware has continued to evolve, adding features such as countdown timers, ransom amounts that increase over time, and infection routines that enable them to spread across networks and servers. Threat actors continue experimenting with new features, such as offering alternative payment platforms to make ransom payments easier, routines that threaten to cause potentially crippling damage to non-paying victims, or new distribution methods.
Targeted Ransomware and Double Extortion
These developments eventually lead to the appearance of targeted ransomware. Targeted ransomware is also known as big-game hunting and human-operated attacks. By taking a targeted approach, threat actors have found a new way of revitalizing ransomware variants. As with targeted attacks, modern ransomware variants are tailored for specific victims and take more preparation and research. This means that threat actors have had to narrow down their targets to entities that are more likely to lead to bigger payoffs if attacked.
Present iterations of targeted ransomware have the added challenge of double extortion. Through their targeted approach, threat actors come to know which data is most valuable to their targets. By adding double extortion to their attacks, they coerce their victims into complying with their demands. Threat actors force victims into compliance not only by encrypting files but also by threatening to publicize stolen sensitive data if their demands are not met.
The following are some of the most notable targeted ransomware families seen in 2020.
Ryuk (Ransom.Win32.RYUK.SMTH). Ryuk was among the first ransomware to take a targeted approach. First encountered in 2018, it created a new standard for future ransomware variants. Ryuk is notable for its choice in high-profile targets, which included the fatigued healthcare industry in 2020.
Sodinokibi (Ransom.Win32.SODINOKIBI.AUWTL). Sodinokibi is a notable ransomware in 2020 that first appeared in 2019. It has been linked to the now-defunct GandCrab family. Sodinokibi is an example of a ransomware type that uses double extortion in its campaigns. It also has data exfiltration capabilities for stealing information used for coercing its targets into paying their demanded ransom
Nefilim (Ransom.Win32.NEFILIM.A). Nefilim was discovered early into 2020. Like many ransomware variants of that year, it used double extortion tactics and had data exfiltration capabilities. What’s notable about Nefilim is its use of living-of-the-land techniques to stay hidden in its victims’ systems.
RansomExx (Ransom.Linux.EXX.YAAK-A). RansomExx was linked to the cybercriminal group Gold Dupont and was behind several high-profile attacks in 2020. Notably, it used an arsenal of trojanized tools. RansomEXX saw considerable development in 2020, with a Linux variant discovered in November of that year.
Though ransomware routines are not altogether new, they still work and so are still used by operators. Case in point: The ransomware variant WannaCry (aka WCry), which originally spread via malicious Dropbox URLs embedded in spam, took an unexpected turn in May 2017, when it began exploiting a recently patched vulnerability in the Server Message Block (SMB). In turn, this has led to the biggest ransomware attack to date and, in 2020, WannaCry remained one of the most detected ransomware families across the globe.
Even before WannaCry reared its ugly head, companies and individuals worldwide had already been suffering the dire consequences of such threats. We document all of this in our report titled, “Ransomware: Past, Present, and Future.”
Were ransomware to change in a few years, it would not be surprising. In terms of potential, they can evolve into malware that disable entire infrastructures until a ransom is paid. It is worth emphasizing that these infrastructures could be critical not only to a business’s operation, but also to that of a city or even a nation. Cybercriminals might also soon further develop attacks on industrial control systems (ICSs) and other critical infrastructures to paralyze not just networks but also ecosystems. At present, ransomware campaigns are already taking on high-profile and critical targets in the healthcare, transportation, and government sectors.
Organizations need to be prepared for the possibility of more threat actors or groups shifting to and joining the ransomware bandwagon. The theme of double extortion seems to indicate how ransomware operators will continue to find new ways of increasing the stakes for their victims and cornering them into meeting their demands instead of just walking away. Legitimate tools or living-of-the-land components will likely continue to be part of attacks in the future, with threat actors choosing key components based on the profile of their targets.
With enough preparation and by using the techniques of targeted attacks, cybercriminals might aim for even bigger targets, like the industrial robots that are widely used in the manufacturing sector, or the infrastructures that connect and run today’s smart cities. Online extortion is bound to develop from taking computers and servers hostage to eventually doing the same to any type of insufficiently protected connected device, including smart devices and critical infrastructures. The return on investment (ROI) and opportunities for development that the targeted approach has opened will ensure that it continues in the future.
With the exception of some ransomware families that demand high amounts, ransomware variants typically ask for 0.5 to 5 bitcoins (as of 2016) in exchange for a decryption key. This is important to note for two reasons: First, some variants increase the ransom the more time lapses that it remains unpaid. Secondly, the Bitcoin exchange rate is on the rise. In January 2016, one bitcoin was worth US$431. Bitcoin's value has risen dramatically since then, topping out at US$1,082.55 at the end of March 2017.
Although there is no silver bullet with regard to stopping ransomware, a multilayered approach that prevents it from reaching networks and systems is the best way to minimize the risk.
For enterprises, email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and Trend Micro™ InterScan™ Web Security prevent ransomware from reaching end users. At the endpoint level, Trend Micro Smart Protection Suites features behavior monitoring and application control, as well as vulnerability shielding to minimize the risk of getting infected by ransomware threats. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro™ Deep Security stops ransomware from reaching enterprise servers — whether physical, virtual, or in the cloud.
Organizations can also consider Trend Micro Cloud One™ – Workload Security, which has a virtual patching feature that can protect the system from exploits. Since some of the malware’s techniques can bypass signature-based security agents, technologies like Trend Micro Behavior Monitoring and Machine Learning (ML) can be used to prevent and block those threats.
Enterprises can also take advantage of Trend Micro XDR, which collects and correlates data across endpoints, emails, cloud workloads, and networks, providing better context and enabling investigation in one place. This, in turn, allows teams to respond to similar threats faster and detect advanced and targeted threats earlier.
For small and medium-sized businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Trend Micro™ Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and a real-time web reputation service that detects and blocks ransomware.
For home users, Trend Micro Security 10 provides robust protection from ransomware by blocking malicious websites, emails, and files associated with this threat.
To protect yourself and your system from ransomware, follow these recommended steps:
Organizations can also mitigate the effects of public shaming dealt by the conditions of ransomware’s double extortion scheme by being responsible and taking the following steps:
Trend Micro offers free tools such as the Machine Learning Assessment Tool that provides endpoint security preventing threats from entering the network and the Anti-Threat Toolkit (ATTK) that scans potentially compromised machines for ransomware and other forms of malware.
|Family Name||Notable Features|
|Ryuk||Distributed via banking Trojan variants, malspam, and exploits. Notable for its choice of high-profile targets.|
|Sodinokibi||Infects machines by exploiting the Oracle WebLogic Server vulnerability CVE-2019-2725, using a malicious spam campaign, or through exposed Remote desktop endpoints (RDPs).RDPs. It is capable of stealing computer data.|
|Babuk Locker||Utilizes a ChaCha8 stream cipher for encryption and Elliptic-curve Diffie-Hellman (ECDH) for key generation, making the recovery of files without gaining access to the private key highly unlikely.|
|Nefilim||Its code shares many notable similarities to that of the Nemty 2.5 ransomware. It uses several legitimate tools and has data exfiltration capabilities used for its double extortion tactics.|
|RansomExx||Expanded to infect Linux servers. It is highly targeted and is capable of stealing data as part of its double extortion tactics.|
|Petya||First seen in March 2016, PETYA overwrites the affected system's MBR and is known to be delivered through legitimate cloud storage services such as Dropbox.|
|WCry||Originally spread via malicious Dropbox URLs embedded in spam. In May 2017, it began exploiting the patched CVE-2017-0144 an SMB Server vulnerability Microrosft Windows.|
|SamSam||Discovered in March 2016, SAMSAM is installed after the attackers exploit vulnerabilities on unpatched servers — instead of the usual malicious URLs and spam emails — and uses these to compromise other machines.|