Over the last few years, technologies and infrastructure, in the form of crypto-currencies, the dark web and well-organized criminal affiliate programs, have aligned to create the perfect storm. And from that storm, the crypto-ransomware beast has arisen.
There’s a reason why crypto-ransomware is making the news almost daily: it’s unique among the threats we’ve seen in the last few years in that it offers a tangible service to the victim. Pay the ransom and you get your files back. And, as we’ve seen in an increasing number of high-profile cases, this is exactly what people are doing. We hardly need to remind you of the recent case in which a hospital shelled out a considerable sum in Bitcoin to recover its infrastructure. It has been estimated that the crypto-ransomware industry makes as much as 100,000,000 EUR per year.
Crypto-ransomware continues to be a lucrative money-making vehicle for criminals, and it may well continue to displace alternative malware models, such as banking trojans, as time goes on. As with any business, focus must invariably shift to models that optimize and improve return on investment. We liken the business models of today’s ransomware campaigns to those of the early Internet era: still very simple in nature and largely unfocused. The bottom line is that there’s still a great deal of room for creativity and innovation. The business models behind crypto-ransomware are slowly maturing, and recently we’ve started to notice some attempts at innovation.
Select crypto-ransomware campaigns have specifically targeted “tier 1” countries such as the US, UK, Australia, and Canada. This targeting makes sense from a bang-for-the-buck perspective. The ransomware itself doesn’t need to be localized, the target demographic is relatively affluent, and some studies have shown a willingness for victims in these regions to actually pay the ransom.
Phishing campaigns carefully tuned for specific regions, and sometimes timed to calendar events, are another trick we’ve seen. In one recent example we observed a spam campaign run in Sweden, in which victims received a convincing message, purportedly from their local post office, about the arrival of a parcel. Although this sort of targeted, regional spam campaign is nothing new, some malware actors are turning to it for superior uptake rates.
Some crypto-ransomware families have been working on improving their support interfaces in the hope of making it easier for the victim to pay. Support sites are becoming more intuitive and, in some cases (such as PadCrypt), even include live chat interfaces. Instructions on how to obtain Bitcoin, how to connect to the support site through Tor and how to get your files back are becoming clearer and better presented. Perhaps unsurprisingly, given that the whole business depends on the victim completing the payment, crypto-ransomware support services are in many cases better than those run by legitimate companies. As an interesting aside, we’ve also seen independent IT support people getting into the business of brokering Bitcoin for their customers in order to facilitate decryption of victims’ files.
The TrueCrypter family allows payments to be made using Amazon gift cards, and we’ve also seen crypto-ransomware families accepting iTunes cards for payment. You might think that this is a risky move on the part of the criminals, since Amazon or Apple could easily go after whoever redeems those cards. As it turns out, the criminals are likely to immediately flip the gift cards on sites such as eBay, leaving the buyer to deal with the consequences. Given the richer set of content on the US iTunes store, there’s a demand in Europe for US-based iTunes gift cards.
In another surprising direction, we’ve seen one crypto-ransomware family attempt to force payment by applying pressure on the victim. We recently encountered the Jigsaw family, which deletes an increasing number of files every hour for as long as the ransom hasn’t been paid, and presents the victim with a 72-hour deadline after which all files will be deleted. Rebooting the machine or forcibly killing the agent causes 1,000 files to be deleted instantly. These tactics are not unlike the hostage situations you might have seen in TV shows or movies. Unfortunately, at this moment we don’t have data to determine whether this particular tactic makes people more or less likely to pay up.
The above examples show how the actors behind crypto-ransomware are starting to experiment with different business models in an effort to gain a better return on investment. Criminals have learned that large crypto-ransomware campaigns get you noticed and taken down; at least, that’s what happened to the guys behind CryptoLocker a few years back. So they’re all running smaller campaigns nowadays. But smaller campaigns aren’t just important for staying under the radar of major law enforcement agencies; they’re also important for maximizing profits in a world where you must pay for each infected computer or each spam message sent.
We recently ran a poll asking users how much they’d be willing to pay to decrypt their files, should they fall victim to crypto-ransomware.
At the time we ran the poll, many ransoms were around 1 BTC, or just north of $400. After doing some simple math, we came to the conclusion that, by halving the price, these guys could almost triple their money. Conducting that research and coming to that conclusion didn’t take much effort, and it would take even fewer lines of code to implement. We aren’t sure whether we tipped off some malware authors with those tweets, but we have recently seen a trend towards cheaper ransoms.
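To make the “simple math” behind that conclusion concrete, here is an added example; it is not from the original post and it does not use the poll’s actual answers. It feeds a constructed set of willingness-to-pay responses into a toy model in which a victim pays whenever the ransom is at or below their stated maximum, and computes the expected take per infected machine at each candidate price. The optional per-infection cost models the per-install or per-spam fees mentioned above; the distribution itself is invented purely to show the shape of the effect.

```python
# Added example (not from the original post): a toy revenue model for a
# fixed-price ransom, fed with CONSTRUCTED willingness-to-pay answers.
# The numbers below are invented for illustration; they are not the poll's data.

# Each entry is the most one respondent said they would pay, in USD.
# 0 means "I would not pay anything". 100 respondents in total.
CONSTRUCTED_POLL = (
    [0] * 40 + [50] * 12 + [100] * 20 + [200] * 23 + [400] * 4 + [800] * 1
)


def share_paying(responses, price):
    """Fraction of respondents whose stated maximum is at least `price`.

    Assumes a victim pays whenever the ransom is at or below their maximum.
    """
    return sum(1 for r in responses if r >= price) / len(responses)


def expected_profit(responses, price, cost_per_infection=0.0):
    """Expected profit per infected machine at a given fixed ransom.

    cost_per_infection models the per-install or per-spam price the operator
    pays for every victim, whether or not that victim ends up paying.
    """
    return price * share_paying(responses, price) - cost_per_infection


def profit_table(responses, cost_per_infection=0.0):
    """Expected profit per infection for every price that appears in the poll."""
    candidates = sorted({r for r in responses if r > 0})
    return {p: expected_profit(responses, p, cost_per_infection) for p in candidates}


def best_price(responses, cost_per_infection=0.0):
    """The candidate price that maximizes expected profit per infection."""
    table = profit_table(responses, cost_per_infection)
    return max(table, key=table.get)


if __name__ == "__main__":
    for price, profit in profit_table(CONSTRUCTED_POLL).items():
        print(f"ransom ${price:>4}: {share_paying(CONSTRUCTED_POLL, price):>5.0%} pay, "
              f"expected ${profit:.0f} per infection")
    print("best fixed price:", best_price(CONSTRUCTED_POLL))
```

With this constructed distribution, dropping the ransom from $400 to $200 moves the paying share from 5% to 28%, so the expected take per infection goes from $20 to $56, which is the “halve the price, almost triple the money” shape of the argument. With real poll data the optimum depends entirely on the distribution, and a non-zero per-infection cost simply shifts every row down by the same amount, so it changes the optimum only when it pushes a cheaper price below the cost.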
It seems that not all ransomware authors got that memo, though. Just a few days ago, a new strain of crypto-ransomware appeared that claims to donate the ransom to charity. However, at 5 BTC, or about $2,200 at the time of writing, we don’t expect many people to be so generous.
Down the road, we’re expecting to see more intelligence and sophistication applied to the pricing models used by crypto-ransomware. Right now, the software is rather unintelligent, setting a fixed-price ransom for any and every infected machine. We expect variable pricing schemes to show up at some point, perhaps based on the number or type of files encrypted, or on whether the software detected the machine to be a personal computer rather than one used by a corporate employee. A 1 BTC ransom is a fairly hefty fee for most individuals, but peanuts for many companies.
Many crypto-ransomware families already attempt to encrypt files on network shares, but none do it in an intelligent way: a single payment would, in theory, allow a victim to get back all files, including those on the share. For this reason, we’re also expecting to see developers build some intelligence into their software in order to propagate more efficiently throughout a network, upping the number of infected machines, or, again, pricing the ransom based on the environment.
The folks behind crimeware affiliate networks and malware campaigns are already showing a fair amount of business savvy. It is not hard to imagine that these individuals, when given the task of maximizing profits or return on investment, will devise more creative software and process models based on pricing, ease of use, network propagation or smart targeting. We fully expect to see progress in the sophistication of both the business and the monetization models used by crypto-ransomware in the near future.