Welcome to the world of franchising – not fast food, convenience store, or the likes. No, we are talking about ransomware. The ‘new kid on the block’ so to speak. Cybercriminals have jumped on the bandwagon and are resorting to following the same business model as franchisors.
Let’s look at the franchise model – based on a good business idea with low risk. Have a good product. Develop training; put them together in a repeatable formula and you are good to go. And you can start collecting royalties from your franchisees.
Now translate that same business model for ransomware and what do you have? A successful business model that is cause of nightmare for individuals and corporations alike.
Though cybercriminals have been making their tools available to others, to show-off or to generate healthy profits for themselves, ransomware as a service model is relatively new. This in turn as resulted in a massive increase of ransomware attacks. Two such successful business examples are CTB-Locker and Tox, both use different business models to flood the internet with attacks, catch victims unaware before threats notices, signature updates, and other defensive measures are available.
Last year saw the takedown of CrytoLocker servers, but since then, CTB-Locker has become one of the most common sources of ransomware attacks.
CTB-Locker uses an affiliate program to drive growth and revenue. An affiliate program is basically an automated marketing program, where two or more parties work to provide a certain level of benefit to each other, in return for referral fees or commission. It is a very lucrative business for the cybercriminals. Criminals who sign up as an affiliate will receive tools to distribute this ransomware to their own selection of targets. Profit-wise, they earn 70% per cent of the revenue. The ransomware is distributed typically via phishing (see Definition) emails such as delivery notifications and fake software updates.
When your files are encrypted, you are left with .bmp, .txt and.html files that contain instructions on how to get you files back, meaning that you have to pay a ransom first. Bitcoins (see Definition) are the preferred currency for payment, which ensures that it is not traced and the criminals remain anonymous. Decrypting the encrypted files is virtually impossible as the files are encrypted with RSA 2048 bit private-key encryption.
Tox is another ransomware that is growing in popularity. The authors of this ransomware provide a kit that requires very little technical skills. All one has to do is to provide the ransom amount and the “cause” for which you are fundraising and you get your own executable file. You may then install or distribute it as you see fit for only 20% of the gross ransoms, paid in Bitcoins for obvious reasons. Tox and CTB-Locker use the TOR (see Definition) network to get encryption keys and hide their IP addresses of their servers.
Many cybercriminals favour virtual currencies like Bitcoins to evade detection and being caught. Attacks seem to be shifting from consumer systems to business systems, where the big money is.
Unfortunately, many organizations seem to be paying ransoms to get their data back, thus validating the ransomware model which in turn leads to more attacks.
As ransowmare grows and spread, experts believed that it can be stopped. Frequent backups and user awareness remain the best protection against this menace.
Recommendation
1. Frequent backup of critical data / information and keep it offline.
2. Multipoint defenses.
3. Anti-spam systems are a good protection for phishing emails. It should be configured to block compressed files and executables.
4. Consider blocking TOR network connections to prevent ransomware from getting encryption keys.
5. Keep system patches up-to-date. Advanced security features to be configured and enabled at endpoints.
Definition
1. Phishing – is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites.
2. Bitcoin – digital currency, created and held electronically. It is an online payment system developed by a Japanese, Satoshi Nakamoto.
3. TOR (The Onion Router) – free software for enabling anonymous communication. The original software project was named The Onion Router. It directs traffic through a free, worldwide, volunteer network to conceal users’ location and usage from anyone conducting network surveillance or traffic analysis.
Source
1. Information Week (Dark Reading).
2. Bleeping Computer (image, CTB-Locker & Tox).
The Week That Was
1. The kid who attacked Spamhaus, given second chance. Spamhaus is a project that tracks internet spam senders. One of the hackers (16yrs old at that time) who took down Spamhaus momentarily with a massive DDoS (Distributed Denial of Service) attack was recently sentenced to 240 hrs of community service rather than prison.
2. Google Photo App uploads your images even after uninstalling app. Oops! Android phones continue to upload your photos stored on your phones without your knowledge, after uninstalling the app. Google responded that “the backup was intended”. This is because the Google Photos settings are interconnected with the phone’s Google Play Services. To avoid pics from being uploaded automatically, disable the sync option from either Google Photos app or from your phone’s Google Settings.
3. Bitcoin Cloud Mining Service Hacked; Database On Sale for 1 Bitcoin. Cloudminr.io, a bitcoin cloud mining service was hacked and its database of 80,000 users has been put up for sale. About 1,000 usernames and unencrypted passwords were found on its defaced homepage. Such a cloud service with unencrypted passwords? Definitely, not the best security practice.
4. WhatsApp, Facebook Messenger and Snapchat could be banned in the UK. These popular messaging apps may be banned if the UK government gets its way. If the Investigatory Power Bill is passed, service providers to hand over details of web searches, WhatsApp group messages, Facebook conversations, SanpChat videos and other communications data to the authorities when required. Service providers will also have to remove encryption from their apps or be banned.
5. Microsoft Shuts Down Antimalware Support for Windows XP. Microsoft has officially ended support of its antimalware solutions for Windows XP users, namely the Malicious Software Removal Tool and updates for Microsoft Security Essentials. This would leave hundreds of millions users exposed to malware attacks. As of April 2015, around 250 million users were still using Windows XP. Figures provided for June-July 2015, about 12% of users (180 million) chose to stick to Windows XP.