Ransom malware shows sudden surge as pace of evolution quickens

As defences improve, ransomware criminals are coming up with nastier malware, says McAfee


The notorious CryptoLocker might have faded from view, but ransomware itself is alive and well and may actually be getting worse, at least in terms of the volume of threats, McAfee’s first-quarter threat report suggests.

The firm’s figures show that this type of malware reached over 700,000 samples during the period, the highest detection level ever recorded, beating the previous high of around 350,000 in the second quarter of 2013. The figure for Q4 2014 was around 250,000.

Since it first hit a largely undefended Internet user base in 2012, ransomware has rapidly morphed into an increasingly complex phenomenon that probably beats any previous malware type for speed of development, aggressiveness and relative sophistication.

CryptoLocker was the gorilla on the block, but its spectacular demise a year ago, after the takedown of its distribution system, Gameover Zeus, stopped that particular family in its tracks for a while. Others have since moved into the vacuum and taken up its mantle, and the ransomware world continues to grow ever more crowded.

According to McAfee, the single biggest contribution to the spike in ransomware volume is a program called CTB-Locker (‘Curve-Tor-Bitcoin’), which McAfee reckons first appeared last December, although reports from others trace its origins back to July.

By McAfee’s reckoning, CTB-Locker samples spiked from almost nothing in Q4 2014 to 14,000 new samples in the most recent three months, beating even residual versions of CryptoLocker. Other families spotted during the quarter include CryptoWall, TorrentLocker, BandarChor and a new form called TeslaCrypt, whose innovation is to target saved data from 50 popular online games.

What is noticeable with CTB-Locker, and indeed with all current ransomware families, is their increasing sophistication. At first this sounds like an obvious point: doesn’t malware always get more rather than less sophisticated? The answer is that the specific ways in which ransom malware is evolving have consequences in the real world.

These programs are now being distributed in a bewildering number of ways, including better-designed phishing emails, IRC chat, malvertising, newsgroup posts, P2P networks and drive-by downloads, the last of these occasionally exploiting known but unpatched software flaws. They are also much more effective at bypassing the defences and detection mechanisms put up to stop earlier generations of ransomware.

What can’t be known is the extent to which the rise in ransomware volume is also a response to a lower conversion rate, that is, fewer infected users paying to retrieve their files. Almost certainly, though, Internet users are putting up better defences against ransom attacks, notably secure backups, and the attackers are having to boost the number of infections to keep the money rolling in at the same rate.

As well as attacking mobile devices, ransom criminals are even attacking web applications.

“Early this year, for example, Swiss researchers discovered a new technique using ransom and encryption that they dubbed ‘Ransomweb’,” notes McAfee.

“The attackers infect web server scripts and database fields. They wait until these values are stored for a few weeks or months in backups and then remove the key from the server or remote location. The web application and database begin to malfunction, but the backups are also infected. Then the attackers send the demand for ransom.”
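A check that catches the pattern McAfee describes, added here as an illustration and not code from the report, the Swiss researchers or the article: because the injected script decrypts fields on the fly with a key held off-server, the live site looks healthy while every backup quietly fills up with ciphertext. Restoring a backup into a scratch database and confirming that columns which should hold text still decode as text surfaces the problem long before the key is withdrawn. The table schema, column names, sample rows and the ciphertext stand-in below are all constructed for the example.

```python
"""
Restore-time check for transparently encrypted database fields (the
"Ransomweb" pattern).  Added example; the schema, rows and ciphertext
stand-in are constructed and hypothetical.
"""
import base64
import binascii
import re

# Columns the application is expected to store human-readable text in
# (hypothetical schema; token/hash columns must NOT be listed here, since
# they legitimately look like opaque blobs).
TEXT_COLUMNS = ("title", "body", "author_email")

B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
PRINTABLE_FLOOR = 0.7   # decoded text should be mostly printable ASCII
FLAG_FRACTION = 0.5     # flag a column once half its sampled values are blobs


def is_opaque_blob(value: str) -> bool:
    """True when a text field holds base64 that decodes to non-text bytes.

    Encrypted fields have to be armoured (base64 or hex) to survive in a
    VARCHAR column, so a text column full of well-formed base64 whose decoded
    bytes are not printable is the tell-tale of transparent field encryption.
    """
    if not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return printable / len(raw) < PRINTABLE_FLOOR


def audit_restored_rows(rows, text_columns=TEXT_COLUMNS):
    """Return {column: fraction_of_opaque_values} for columns that look encrypted.

    `rows` is what a SELECT over the table restored from the backup yields,
    as a list of dicts.  An empty result means the backup still holds text.
    """
    suspect = {}
    for col in text_columns:
        values = [r[col] for r in rows if r.get(col)]
        if not values:
            continue
        fraction = sum(is_opaque_blob(v) for v in values) / len(values)
        if fraction >= FLAG_FRACTION:
            suspect[col] = fraction
    return suspect


def _fake_ciphertext(n: int) -> str:
    """Constructed stand-in for an encrypted field: base64 of n high bytes.

    Real ciphertext would be pseudorandom; a fixed range of non-printable
    bytes keeps the example deterministic while still failing the text test.
    """
    return base64.b64encode(bytes(128 + (i % 128) for i in range(n))).decode()


# Constructed sample: a healthy backup, and one taken after the attackers
# began encrypting `body` and `author_email` in place.
HEALTHY_ROWS = [
    {"title": "Welcome to the shop",
     "body": "We have opened our new store on the high street.",
     "author_email": "editor@example.com"},
    {"title": "Spring sale",
     "body": "Twenty percent off all garden furniture until Sunday.",
     "author_email": "sales@example.com"},
]

POISONED_ROWS = [
    {"title": "Welcome to the shop",
     "body": _fake_ciphertext(48), "author_email": _fake_ciphertext(36)},
    {"title": "Spring sale",
     "body": _fake_ciphertext(60), "author_email": _fake_ciphertext(36)},
]


if __name__ == "__main__":
    for label, rows in (("healthy backup", HEALTHY_ROWS),
                        ("poisoned backup", POISONED_ROWS)):
        verdict = audit_restored_rows(rows)
        print(f"{label}: {'OK' if not verdict else 'SUSPECT ' + str(verdict)}")
```

Run against a scratch restore of the most recent backup (and of one a few weeks old, since the attackers wait for the encrypted values to age into the backup set); a column that comes back flagged while the live site still renders normally is exactly the signature the quote describes, and at that point the key is still on the server and can be recovered from the injected script.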

In short, ransomware is spreading its tentacles, and future attacks might take in almost any form of data held far beyond PC hard drives. CryptoLocker was the pioneer that proved this type of malware could find and exploit victims. As victims become harder to find, expect ransom malware to continue its evolution.
