Put 'Em Up! The Scourge of Ransomware

21/05/2015 16:37 BST | Updated 20/05/2016 10:59 BST

Ransomware, or encryption malware, is a growing problem. These programs encrypt important data on infected computers and then demand a ransom to decrypt it. Just this month, the security industry found a new variant in Australia, with a Breaking Bad theme, that demanded that infected victims pay AU $1000 (around £500) to decrypt their images, videos and documents. Such campaigns can reap big rewards for the attackers: it's estimated that CryptoLocker, a ransomware worm that surfaced in late 2013, procured US$3 million for its creators.

Ransomware is evolving, with cybercriminals continually developing the techniques they use, including cryptographic methods, code obfuscation techniques, executable file formats and infection vectors. It is usually distributed via spam emails, and the persistence of this form of extortion is easily explained: whereas bank-based phishing scams only generate an 'income' if the victim uses the particular bank referred to in the e-mail, a piece of encryption malware will almost always find something to encrypt and hold to ransom.

Whilst it is common for attackers to specify their rates in real-world currencies, such as US dollars, euros or rubles, cybercriminals usually prefer to be paid in Bitcoin, or via online payment services, as they offer a high level of anonymity.

What makes ransomware so dangerous is that there is no safety net once you're infected. Unless you have a backup copy of your data, there is little chance of getting it back. It would take a mistake by the attacker in the design or implementation of the encryption scheme for anyone to be able to decrypt the files without the key - and, apart from rare exceptions, this does not happen.

Some ransomware programs even try to circumvent security software that tries to detect and remove them. The Scraper malware, for example, encrypts the victim's documents and demands a ransom ($300 or more) to decrypt them. If it is deleted by a security product after the files have been encrypted, the Trojan displays a bright red wallpaper on the desktop containing a link to its executable file - in the hope that the victim will re-install the malware.

It's not just your computer or laptop that could be in danger from ransomware. Cybercriminals are increasingly turning their attention to mobile devices. Svpeng, for example, discovered early in 2014, blocks the phone, claiming that the victim was viewing child pornography and demanding a 'fine' of $500 to unlock it. A subsequent modification of this malware, discovered in June 2014, completely blocks the device, so that it can only be turned off by holding down the 'Off' button for a long time - and the Trojan loads again as soon as the device has been switched back on. This version was aimed mainly at victims in the US, but we also saw victims in the UK, Switzerland, Germany, India and Russia. It demands a payment of $200 to unblock the phone, to be made using MoneyPak vouchers. The ransom demand screen displays a photograph of the victim, taken using the front camera.

To combat the full impact of ransomware, it is imperative to regularly back up important data and store the backup copies separately from your computer or device - whether in a cloud-based storage repository such as Dropbox or on an external hard drive or memory stick (if these remain connected to your computer, the malware can encrypt them too). It is also important to use the latest version of your preferred security solution to block such programs. Kaspersky Lab's System Watcher module, included in all current products, not only scans the processes launched in the system and identifies any malicious activity, but also backs up your files if a suspicious program attempts to access them: if the analysis of a program indicates that it is malicious, your data is automatically recovered.
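The snapshot-and-restore idea described above, as an added illustration (my own example code, not Kaspersky's System Watcher or any product's implementation): a file is copied aside before a watched process writes to it, and if the written result looks like ciphertext (readable data turned high-entropy) the copy is put back. It assumes some file-system hook supplies the before/after write events; the document contents and the random bytes standing in for ciphertext are constructed for the demo.

```python
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.0  # bits per byte; documents sit well below this, ciphertext close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class RollbackGuard:
    """Copy a file aside before a watched process writes it; restore it if the result looks encrypted."""

    def __init__(self, backup_dir: str):
        os.makedirs(backup_dir, exist_ok=True)
        self.backup_dir = backup_dir
        self.snapshots = {}  # original path -> backup copy

    def before_write(self, path: str) -> None:
        # Assumption: a file-system hook calls this when a monitored process opens the file for writing.
        self.snapshots[path] = shutil.copy2(path, os.path.join(self.backup_dir, os.path.basename(path) + ".bak"))

    def after_write(self, path: str) -> bool:
        """Return True if the write turned readable data opaque, in which case the snapshot is restored."""
        old, new = Path(self.snapshots[path]).read_bytes(), Path(path).read_bytes()
        looks_encrypted = shannon_entropy(new) >= ENTROPY_THRESHOLD > shannon_entropy(old)
        if looks_encrypted:
            shutil.copy2(self.snapshots[path], path)  # roll the file back from the snapshot
        return looks_encrypted

def demo() -> tuple:
    """Constructed scenario: a benign edit, then an encryption-like overwrite of the same document."""
    workdir = tempfile.mkdtemp()
    doc = os.path.join(workdir, "notes.txt")
    Path(doc).write_bytes(b"Quarterly report draft. Revenue grew in every region.\n" * 20)
    guard = RollbackGuard(os.path.join(workdir, "backup"))
    guard.before_write(doc)
    with open(doc, "ab") as f:
        f.write(b"Added a closing paragraph.\n")  # ordinary edit: still low entropy, left alone
    benign_rolled_back = guard.after_write(doc)
    guard.before_write(doc)
    Path(doc).write_bytes(os.urandom(4096))  # stands in for ciphertext written by ransomware
    malicious_rolled_back = guard.after_write(doc)
    intact = Path(doc).read_bytes().endswith(b"Added a closing paragraph.\n")
    return benign_rolled_back, malicious_rolled_back, intact
```

An entropy check alone is a crude heuristic (compressed archives and images are also high-entropy), which is why a real product combines it with the behavioural analysis of the process that made the write, as the paragraph above describes.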

I believe it's unwise ever to pay the ransom. For one thing, there's no guarantee that the cybercriminals will restore your data, even if you pay up. For another, it simply validates their business model and makes the creation of further ransomware programs inevitable.