Ransomware Is Getting Sophisticated

Some of the tricks that ransomware is using to get victims to pay up.

Posted on November 11, 2015 at 6:44 AM • 13 Comments


Christian • November 11, 2015 6:52 AM

What I once read as an option for ransomware and higher pressure:

Two companies getting infected... Both get the message:
The first one to pay gets his files back, the other one gets the decryption key destroyed/deleted.

Patriot • November 11, 2015 8:29 AM

We have seen these kinds of attacks in Thailand. After some investigation we concluded that they came from nearby.

We have seen the file extensions changed, pseudo-random names generated, and 2048 bit RSA keys used.

As a solution we call it a loss, replace the HDD, flash the BIOS, and use TAILS over TOR from a USB with a heavily encrypted persistent volume, Windows 8 masquerading, and MAC address spoofing. That works.

Folks in this corner of the world usually operate a pirated version of Windows. This creates a security nightmare across networks. Moreover, the ISPs are doing security on the cheap. It's cyber crime paradise.

Clive Robinson • November 11, 2015 9:21 AM

A word of caution...

At the bottom of the article, the author indicates the company he works for was hit and simply wiped the machines and re-installed.

Well there are a couple of problems,

1, You need backups that you can use.
2, You can not wipe everything and reload these days.

That is, you need backups you can reliably check, otherwise you may find that the backups have been malware encrypted as well. The problem is how do you reliably check... Think about it for a few minutes and you might end up feeling like you have "followed the White Rabbit" (if you don't then your capacity to "think hinky" is not well developed).

And you have to start making assumptions about any "mutable memory" on the infected machine. It's not just a wipe of the HD, it's the BIOS and all that hidden flash memory in the SoC chips on the motherboard and IO devices. Remember those machines that GCHQ's "tweedle dee and dum twins" wiped in the UK's Guardian Newspaper's basement with Dremels and angle grinders? If not go look the pictures up on the internet.

The real problem is not the malware scammers, they are just cashing in on the opportunity made by the ICT industry and its woeful shortsighted "race for the bottom" which means security does not get a back seat, it never gets near the vehicle in the first place.

It is also this ICT industry behaviour that allows the NSA, GCHQ etc to do what they do, but also allows the likes of the DOJ to ask for fifty year sentence tariffs, for what would be no more than a minor violation like jaywalking in the real world.

To fix the malware problem, you need to go to the real source of the problem, and that folks is an unregulated market where we the consumer get fobbed off with goods that are in reality "Not fit for purpose".
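The "how do you reliably check" question above has a concrete, if partial, answer: record a hash manifest of the backup set at the time it is made, keep that manifest off the machine being backed up, and verify against it before trusting a restore. The script below is an added example written for this thread (not code from the post, the commenters, or any product); the directory layout, file names and the 7.5 bits/byte entropy threshold are constructed for the demonstration, and the tampering it simulates is a file overwritten with random bytes and one renamed with an extra extension, the two symptoms Patriot mentions.

```python
"""Verify a backup set against a hash manifest and flag the signs of
ransomware tampering that a plain "is the backup there" check misses.
Added example for the discussion above; all sample data is constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def walk_files(root):
    """Yield (relative path with '/' separators, absolute path) for every file."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root):
    """Record path -> sha256 at backup time. Store the result OFF the host
    (a write-once medium or a separate account) so malware cannot rewrite it."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare the backup tree with the manifest. Returns sorted findings:
    missing   - listed in the manifest but no longer present (renamed/deleted)
    modified  - present but its hash changed (overwritten in place)
    unexpected- not in the manifest at all (e.g. new '.locked' files)
    high_entropy - content looks encrypted (heuristic, assumed threshold)"""
    findings = {"missing": [], "modified": [], "unexpected": [], "high_entropy": []}
    seen = set()
    for rel, full in walk_files(root):
        seen.add(rel)
        if rel in manifest:
            if sha256_file(full) != manifest[rel]:
                findings["modified"].append(rel)
        else:
            findings["unexpected"].append(rel)
        with open(full, "rb") as f:
            sample = f.read(1024 * 1024)  # first MiB is enough for the heuristic
        if shannon_entropy(sample) > entropy_threshold:
            findings["high_entropy"].append(rel)
    findings["missing"] = [rel for rel in manifest if rel not in seen]
    return {k: sorted(v) for k, v in findings.items()}


def demo():
    """Build a small backup, verify it clean, then simulate ransomware damage."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for i in range(3):  # constructed plain-text "reports"
            with open(os.path.join(docs, f"report{i}.txt"), "w") as f:
                f.write(("Quarterly figures, line %d\n" % i) * 50)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated damage 1: file encrypted and renamed with a new extension.
        os.remove(os.path.join(docs, "report1.txt"))
        with open(os.path.join(docs, "report1.txt.locked"), "wb") as f:
            f.write(os.urandom(4096))
        # Simulated damage 2: file encrypted in place, name unchanged.
        with open(os.path.join(docs, "report2.txt"), "wb") as f:
            f.write(os.urandom(4096))
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("after tampering:", after)
```

The hash comparison is the reliable part: it answers exactly the question of whether the bytes you are about to restore are the bytes you saved. The entropy check is a heuristic for files the manifest cannot vouch for (anything new or renamed), and it will also fire on legitimately compressed or encrypted archives, so it is a prompt to look, not a verdict.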

blake • November 11, 2015 10:53 AM

@Clive Robinson

> the real source of the problem ... is an unregulated market

The big players already know about Regulatory Capture and how lucrative it can be: there's no guarantee that any regulation would benefit the end user at all - DMCA, Snoopers Charter, etc.

You also can't legislate that all software ship without 0-days, any more than you can legislate that pi=3.

Bottom line is though: we can't let these problems be dealbreakers. If the market isn't going to value security (see previous discussion with Linus) then something is going to have to step in, similar to regulation in the automotive / oil drilling / pharmaceuticals / food industries. I'd prefer it if customers started to care more though.

CallMeLateForSupper • November 11, 2015 11:00 AM

"...FBI estimates earlier this year that CryptoWall alone generated losses of more than $18 million. A separate report estimated US damages of $325 million from CryptoWall 3.0. That translates into huge profits, especially when considering the revenue is tax-free."

Objection, your honor: "loss" or "damage" does not - not - necessarily result in "revenue" to the damager. If Boris & Natasha's stomping through your servers causes you to burn $$$ IT hours by way of recovery, said B&N don't see an equal bump in their bank account.

Quantifying a loss is an educated guess, at best. Besides, it's a dirty little non-secret secret that loss figures are inflated by every hook and crook at hand. "Then there is the cost of hiring a janitorial company to freshen the War Room upholstery and otherwise tidy up after each of the fourteen meetings of our IT staff who were charged with remediating the breach that they should have prevented. And the cost of coffee and pastries. And bottled water."

AJWM • November 11, 2015 2:36 PM

> You also can't legislate that all software ship without 0-days, any more than you can legislate that pi=3.

Sure you can. The latter is a physical impossibility (well, not the legislating, but it actually having useful effect), the former is not (although it may be very hard). Impose sufficient penalties and software and hardware companies will get with the program (although many of them may decide to get out of the business).

Although I suppose it's always possible that a hacker will find an exploit through thinking sufficiently out of the box. I once came up with a privilege escalation for Burroughs mainframes (e.g. B6700) that involved a tape drive and an IBM 360. Dumpster-diving (that term was coined much later) to get the equivalent of the root password from an unshredded OS source listing was much easier, but with an element of luck involved.

blake • November 11, 2015 5:21 PM

> Although I suppose it's always possible that a hacker will find an exploit through thinking sufficiently out of the box.

This is the point. Even Rumsfeld chuckles when someone tries to claim they've addressed all the "unknown knowns".

Ransom This • November 11, 2015 9:40 PM

The risk is not only to business, but home users who are increasingly targeted.

All home computer users should have nothing in their drives when plugged in to the Matrix - empty folders for your hacker friends.

Meanwhile, your valuable data sits on a LUKS encrypted, air-gapped drive (backed up), which is only opened on a computer (all networking removed) that never connects to the web.

As Bruce has outlined, all of this relates to our government hacker friends selling (or leaking) their programs on the side, for millions no doubt, leading to these attack tools being commonly available to scum everywhere within a few years.

Security can't be undermined to increase our virtual safety. This is doublethink of the worst kind.

The government is either on the side of rogue hackers / asswipes everywhere (current situation) or they are on the side of trusted computing platforms, solid e-business, and protection of the citizenry.

Right now they have made their choice, and made us all less safe as a result.

That is what happens when you progress to a post-democratic, quasi-police state that does not respect the rule of law.

DF • November 12, 2015 7:30 AM

Maybe I missed it in the article but what is the attack vector they are using? Is it phishing emails or something else? Knowing that would make it easier to help educate users on how to avoid this particular attack. And yes I know there could be multiple ways this is happening.

metaschima • November 14, 2015 10:36 AM

Attack vectors that I have found:
1) browser plugin exploits: BlackHole exploit kit to deploy the malware, these are kits that are stitched into hacked or malicious Web sites, so that all visiting browsers are checked for a variety of insecure, outdated plugins, from Flash to Java to Adobe Reader.
2) payloads may be signed with digital signatures (attempt to appear legitimate)
3) payload written in JavaScript as part of an email attachment, which downloads executables disguised as JPG images
4) fraudulent e-mails claiming to be failed parcel delivery notices that require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded, preventing automatic e-mail scanners from detecting them
5) via an existing botnet

So, basically, either e-mail, insecure plugins, or existing botnet.

One concern I have is that politicians and LEAs will use this as an argument for backdooring encryption.
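Three of the delivery tricks in the list above (a JavaScript attachment, an executable disguised as a JPG, and a decoy document name with a trailing executable extension) can be caught at the mail gateway or in a triage script before a user ever sees the attachment. The script below is an added example written for this thread, not code from the post or any commenter; the e-mail it inspects is constructed inline with the `email` standard library, and the extension lists and the `findings`/`triage` names are this example's own choices.

```python
"""Triage e-mail attachments for the delivery tricks listed above:
script attachments, decoy double extensions, and image attachments whose
bytes are not an image. Added example; the sample message is constructed."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
               ".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Harmless-looking inner extensions used as decoys, e.g. invoice.pdf.exe.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}
# Leading bytes a file of the declared type must start with.
MAGIC = {"image/jpeg": b"\xff\xd8\xff",
         "image/png": b"\x89PNG\r\n\x1a\n",
         "image/gif": b"GIF8"}
MZ = b"MZ"  # DOS/PE executable header


def attachment_findings(name, content_type, payload):
    """Return the list of reasons an attachment deserves a closer look."""
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]
    if ext in SCRIPT_EXTS:
        reasons.append(f"script or executable extension {ext}")
        if inner_ext in DECOY_EXTS:
            reasons.append(f"double extension {inner_ext}{ext} (decoy document/image name)")
    expected = MAGIC.get(content_type)
    if expected and not payload.startswith(expected):
        reasons.append(f"declared {content_type} but bytes do not match")
    if payload.startswith(MZ) and ext not in SCRIPT_EXTS:
        reasons.append("Windows executable header (MZ) under a non-executable name")
    return reasons


def triage(raw_message):
    """Parse a raw RFC 822 message and map each attachment name to its findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        report[name] = attachment_findings(name, part.get_content_type(), payload)
    return report


def build_sample_message():
    """Constructed 'failed parcel delivery' mail with four attachments:
    one honest JPEG and three of the tricks from the list above."""
    msg = EmailMessage()
    msg["From"] = "delivery@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Parcel delivery failed"
    msg.set_content("Your parcel could not be delivered. See the attached notice.")
    msg.add_attachment(b"var notice = 1;", maintype="application",
                       subtype="javascript", filename="notice.js")
    msg.add_attachment(MZ + b"\x90\x00" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(MZ + b"\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in triage(build_sample_message()).items():
        status = "SUSPECT" if reasons else "ok"
        print(f"{status:8} {filename}: {'; '.join(reasons) or 'no findings'}")
```

The name-based checks are cheap and catch the bulk of mass-mailed payloads, but the magic-byte comparison is the one that survives renaming: a file called `photo.jpg` that begins with `MZ` is an executable whatever the icon says. The CAPTCHA-gated download from item 4 is outside what attachment scanning can see, which is exactly why it is used; that case needs web proxy or endpoint controls rather than mail filtering.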

Shy guy • November 16, 2015 8:45 AM

I fear ransomware that uses 0-day exploits to spread from client->client, client->server and server->server, so that in the end all data accessible from the normal employee up to the domain administrator will be encrypted.

Until now I haven't heard of ransomware that is able to do this, but I think it would be no problem to do it, and if the current victims pay their bill there is enough money to buy good exploits for bugs that aren't closed for a while.
