When reviewing the past year, anti-malware companies usually give supporting data such as the number of incidents, top threats, and the amount of money lost to malware. This year, unfortunately, we’re starting a new section in malware reports that counts the number of people who have paid the ultimate toll to malware: their lives.
It began in March last year when a Romanian citizen ended his life and his son’s after he was informed that he had to pay a fine in excess of $21,000 for watching pornographic content; the fine was bogus. Because there was no way for the single father to produce the money, he felt under pressure, killed his son, and committed suicide.
The story repeated earlier this year, when a 17-year-old college student took his own life after seeing a ransom message impersonating the UK police. At this point it has become clear that malware has moved well beyond our financial welfare; it is now claiming lives.
The number of crypto-ransomware families is growing at an alarming pace, fueled by the success of crypto-ransomware such as CryptoLocker and CryptoWall. But, unlike the authors of CryptoLocker, the developers of next-generation CryptoWall learned their lessons: The new malware delivery and key management infrastructures of CryptoWall are so well developed and scaled that they could put a significant chunk of legitimate businesses to shame. These developers also learned that the weakest link in this ecosystem is now the command and control infrastructure, because it can be taken down by law enforcement.
If there were a natural evolution in malware development, CryptoWall would be to CryptoLocker what Homo sapiens are to the Neanderthal. Evolution has trimmed out shortcomings that could make CryptoWall vulnerable: For example, paid ransom money is now split among individual, ad-hoc generated Bitcoin wallets so anti-malware companies and law enforcement can’t just look into one wallet and see the immense profit the operators have made.
The command and control infrastructure has also been migrated to the Darknet via Web-to-TOR gateways. This not only prevents the sink-holing attempts that were once possible by reverse-engineering the DGA, but also makes it impossible for law enforcement to estimate the magnitude of the botnet.
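Web-to-Tor gateways expose a hidden service as an ordinary hostname of the form `<onion-label>.<gateway-domain>`, so the traffic leaves the network as plain HTTP(S) to a clearnet domain and shows up in proxy logs like any other request. The following script is an added illustration, not part of the original article or Bitdefender’s tooling, of how a defender can flag that pattern in proxy logs. The gateway suffix list, the log format (`timestamp client host status`) and the log lines themselves are constructed assumptions for the example; a v2 onion label is 16 base32 characters and a v3 label is 56.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative list of public Web-to-Tor gateway suffixes.
# In production this would come from a maintained feed, not a hard-coded tuple.
GATEWAY_SUFFIXES = ("onion.to", "onion.cab", "tor2web.org", "onion.link")

# An onion label is base32 (a-z, 2-7): 16 chars for v2 services, 56 for v3.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    onion: str
    gateway: str


def gateway_onion(host: str):
    """Return (onion_label, gateway_suffix) when host is a hidden service
    reached through a known Web-to-Tor gateway, otherwise None."""
    host = host.lower().rstrip(".")
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1]
            # Gateways accept extra prefixes (www.<label>.onion.to); keep the
            # right-most label, which is the one that must be a valid onion name.
            label = label.split(".")[-1]
            if ONION_LABEL.match(label):
                return label, suffix
    return None


def scan_proxy_log(lines):
    """Parse constructed 'ts client host status' proxy log lines and return
    one Hit per request that went to an onion service via a gateway."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the sweep
        ts, client, host = parts[0], parts[1], parts[2]
        match = gateway_onion(host)
        if match:
            hits.append(Hit(ts, client, host, match[0], match[1]))
    return hits


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2014-11-15T09:00:01 10.1.2.3 www.example.com 200",
    "2014-11-15T09:00:05 10.1.2.3 abcdefghijklmnop.onion.to 200",
    "2014-11-15T09:00:09 10.1.2.7 cdn.example.net 304",
    "2014-11-15T09:01:12 10.1.2.9 www.abcdefghijklmnop.tor2web.org 200",
    "2014-11-15T09:01:30 10.1.2.9 mail.onion.to 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} -> {hit.onion} via {hit.gateway}")
```

The fifth line (`mail.onion.to`) is deliberately not flagged: the label is not a valid onion name, so the rule keys on the structure of the hostname rather than on the gateway domain alone, which keeps false positives from people browsing the gateway’s own front page low.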
Nobody Is Safe
CryptoWall comes with a variety of features that make it more difficult to detect or put out of business, but a particularly important one is the polymorphic builder used to create a new sample for every potential victim. Over the weekend, we received more than 1,200 unique CryptoWall samples, and this is only a fraction of what happens on a global scale. Another tactic we spotted over the weekend is calibration: Hackers upload thousands of ransomware samples to antivirus engine aggregators such as VirusTotal, but these samples never show up in malware telemetry, which means they have never been sent into the wild. They are used only to test how many antivirus engines detect them. It takes just one missed sample for your data to be completely owned, without any chance of recovery.
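The calibration pattern described above has a useful signature from the defender’s side: a burst of submissions to an aggregator that share a family label but never appear in endpoint telemetry. The script below is an added example, not code from the article or from Bitdefender, of a hunting rule that correlates the two feeds. The feed formats, the 24-hour window, the threshold of three samples and all hashes are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _h(n: int) -> str:
    """Constructed placeholder SHA-256 strings for the example, not real hashes."""
    return "%064x" % n


# Constructed aggregator feed: (sha256, detection label, submission time, ISO 8601).
AGGREGATOR = [
    (_h(1), "CryptoWall", "2014-11-15T09:00:00"),
    (_h(2), "CryptoWall", "2014-11-15T09:10:00"),
    (_h(3), "CryptoWall", "2014-11-15T09:20:00"),
    (_h(4), "CryptoWall", "2014-11-15T09:30:00"),  # also seen in telemetry
    (_h(5), "Zbot", "2014-11-15T10:00:00"),
    (_h(6), "Zbot", "2014-11-17T10:00:00"),         # 48h later, outside window
]

# Constructed endpoint telemetry: hashes actually observed on customer machines.
TELEMETRY = {_h(4), _h(7)}


def calibration_candidates(aggregator, telemetry,
                           window=timedelta(hours=24), min_count=3):
    """Return {label: sorted list of hashes} for families where at least
    min_count samples were submitted to the aggregator inside one window
    without any of them ever showing up in endpoint telemetry."""
    # Keep only aggregator-only samples, grouped per family label.
    by_label = defaultdict(list)
    for sha, label, ts in aggregator:
        if sha in telemetry:
            continue  # a sample that reached a victim is not a calibration build
        by_label[label].append((datetime.fromisoformat(ts), sha))

    flagged = {}
    for label, samples in by_label.items():
        samples.sort()
        burst = set()
        # Sliding window: for each start time, count submissions inside the window.
        for i, (start, _) in enumerate(samples):
            in_window = [s for t, s in samples[i:] if t - start <= window]
            if len(in_window) >= min_count:
                burst.update(in_window)
        if burst:
            flagged[label] = sorted(burst)
    return flagged


if __name__ == "__main__":
    for label, hashes in calibration_candidates(AGGREGATOR, TELEMETRY).items():
        print(f"{label}: {len(hashes)} aggregator-only samples in a burst")
        for sha in hashes:
            print("  ", sha)
```

Samples that do surface in telemetry are excluded before counting, so a family with real infections in the same period is only flagged for the builds that stayed in the lab. Raising `min_count` or shrinking `window` tightens the rule; the constructed data flags CryptoWall (three aggregator-only samples inside 20 minutes) and leaves Zbot alone (two samples, two days apart).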
It has already been proven that ransomware can inflict huge financial damage on companies and users. It’s also a fact that ransomware has killed people in its wielders’ quest for money, although the incidents mentioned above are only collateral damage and not the hackers’ end goal.
One question still needs answering: How long will it take ransomware to target the more sensitive devices we use, including cars and medical implants?
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild ...