Ransomware extortionists not as trustworthy as they’d have you believe

There are a variety of different ransomware variants that encrypt your data with no intention of ever decrypting it. There are also ransomware distributors who are happy to collect ransom payments but have no interest in returning anyone’s data.

Innocent victims often fall prey to ransomware hoaxes or find problems with ransomware decryptors. They all end up in the same place they started, without their valuable data.

Some of the groups behind the most prevalent ransomware viruses are working to build up confidence that victims will receive their data if they simply pay the ransom, but victims have learned the hard way that paying the ransom comes with no guarantee.

Purely destructive ransomware
There have been a number of ransomware viruses that infect systems only to delete victims’ files and then demand a ransom payment. One version—dubbed Ranscam because it is a ransomware scam—does exactly this. Similarly, AnonPop also pretends to be ransomware, deleting victim files rather than encrypting them.

The good news is that neither Ranscam nor AnonPop wipes the data from the disk. Wiping writes over data multiple times so that it cannot be recovered. That means if your files are deleted by Ranscam or AnonPop, you may be able to get them back using a file recovery program. Victims of AnonPop can also use the “system restore” feature to restore files and settings.

Ransomware hoaxes
Citrix did a study of 200 UK companies who had received fake ransom demands and found that 63% of them still paid the ransom. Why? Because they were unsure whether the demand was real or fake. Victims sometimes received demands for ransom in email, through browser popups, or in messages on their mobile devices.

Sometimes victims are unable to obtain decryption keys because ransomware authors stop supporting a particular version of a ransomware virus. But this doesn’t stop them from spreading those versions around and demanding ransom, even though there is no way to recover the data.

In some cases, new versions of ransomware are released because anti-malware researchers have released decryptors for a previous version. However, in other cases, ransomware authors upgrade their software proactively before a flaw has been discovered. For example, the creators of JIGSAW made updates to their code that changed encryption packages, but versions in the wild still contained the old code and could not be decrypted.

Occasionally, there are bugs in ransomware code that prevent extortionists from generating decryption keys. CryptXXX came out with a new version, but bugs in the payment system prevented it from sending decryption keys to victims who paid. Those who were infected were able to pay the ransom, but the decryption capability no longer existed or was unavailable.

Cybercrime power struggles
Some victims of ransomware have started communicating with an extortionist, or even paid a ransom demand, and then found that the extortionist was apprehended by law enforcement. Law enforcement forensically preserves data and evidence for court and shuts down services, but victims are left without decryption keys, so their machines either wipe data or remain encrypted. At some point it is possible that they will receive their money back, but not their data.

Other extortionists have been taken down by rival cybercrime groups or hackers in the midst of their negotiations with victims, and in some cases, victims have already paid the ransom or some portion of it. Unfortunately for these victims, their transactions were lost in the limbo of cybercrime power struggles, and they may not end up getting their data back.

The big cybercrime groups behind some of the major ransomware variants out there try to establish some level of integrity with their victims so that they will pay the ransom. But there are plenty of others who show that trusting a criminal is a gamble at best.

Don’t gamble with your data. Paying ransoms is not an effective way to recover data. Ensure that you have a robust backup and recovery strategy in place and you’ll never have to pay the ransom.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

The Economics of Extortion: Understanding the ransomware market

We all know money is the motivating force behind cybercrimes like the creation and distribution of ransomware. The interesting twist with ransomware is that the basic rules of supply and demand become a little hard to follow. Typically you have a buyer and a seller. In the case of ransomware, the distributor—or supplier—has to steal what’s in demand—your data.

Cybercriminals create the demand by restricting access. Victims realize they need access and—if they cannot get access themselves by restoring critical files from backup—they end up paying the ransom and fueling this economy. This applies to online consumers, small business owners, and CEOs—they have all paid to retrieve data.

It’s interesting to consider the ransomware economy in the following five segments:

1) Investment 

Cybercriminals leasing ransomware can obtain it for as little as $39 and as high as $3,000 depending on which type is purchased. They must then distribute it. Distribution costs include time spent creating and sending emails. According to Trustwave, an IT security team that spent time trying to dissect the ransomware economy, it would cost about $2,500 to spread 2,000 ransomware infections once you factor in the time to send emails and compromise sites.

2) Pricing 

Ransom demands in the United States have been known to be several hundred dollars higher than the same ransomware in Mexico or other countries with lower median incomes than the U.S. Ransomware authors have researched regions and incomes—and they understand that they can only charge what the market will bear. Ransomware authors also consider the bitcoin exchange rate when determining the ransom demand. This helps cyber criminals set a ransom that victims can afford to pay regardless of which country they’re from. In the U.S., the average ask is between $300 and $500, according to many industry sources.

3) Target market 

The target market for ransomware consists of consumers and companies that retain important or business-critical information and have the ability to pay the ransom. Unfortunately, these people also typically aren’t adhering to IT security best practices. Hospitals and other healthcare organizations are a popular target for cybercriminals because of the pressure to pay up quickly, rather than risk patient health.

4) Revenue 

Estimates as to how much has been paid in ransom tend to be conservative because many payments are undisclosed. That said, the U.S. Department of Justice’s Internet Crime Complaint Center received reports of ransom payments totaling $24 million in 2015. And in July 2016, ransom payments for Cerber ransomware alone totaled $195,000 for the month. But the market is growing exponentially, and the FBI has said ransomware costs could total $1 billion this year.

5) Competition 

The relatively low barrier to entry has resulted in fierce competition among cyber criminals. Some ransomware authors and cyber-extortionists have even adopted higher levels of professionalism to make it easier for victims to pay up. And, in an interesting angle to the supplier side, ransomware kits are easily available and come with simple instructions, meaning that distributors can sell ransomware to new, smaller distributors—as long as they are guaranteed a piece of the profits.

The ransomware economy is booming and returns are high. That means you can expect the number of ransomware attacks to continue rising. Protect yourself by having adequate backups in place before a ransomware attack occurs. Test your backups to ensure that the right data is being protected and can be restored in satisfactory time frames. Also, ensure that a backup copy is kept in a different location from production data so that ransomware does not infect both at the same time.


4 ways to avoid holiday phishing on Black Friday

Cybercriminals are raising the black flag this Black Friday and Cyber Monday. These are the biggest shopping days of the year and these criminals know that the sales ads and offers will soon start pouring in. Buried among those offers will be fake deals from these cyber criminals. Use these tips to stay safe this year.

1. Verify deals

The first thing you can do is verify deals on the retailer’s website. If you receive a deal from a website, go to the site and verify the same deal there rather than trusting the email alone. Do not click the links contained in the email to access the site as these might take you to an attacker site first or direct you to an entirely different site. Please note that phishing sites may look exactly like legitimate sites such as Best Buy or Walmart. Type the address for the site you wish to validate in your browser instead.

2. Verify addresses

Sometimes retailers send out deals only to those who subscribe to their mailing list. In such cases, you will not be able to verify the deal on the retailer’s site. If you still believe the message might be a hoax, you can verify the addresses in the email links. Hover over links in the email to see the address. Make sure the address displayed matches the address in the link. Make sure that links attached to images are going to the retailer’s website address. For example, if the email has a picture of a Dell laptop and it says it is from Dell, make sure that the address is Dell.com.

Also, make sure that there are no additional names following the .com. Dell.com.dealsexpress.fr will not take you to Dell.com. The address is composed of a few elements. Items before the site name are subdomains so support.dell.com is a subdomain of Dell.com. Items listed before the .com, .org, or other top level domain name in the address direct you to a specific site while items following a / will take you to a specific location on that website. For example, Walmart.com/toys/lego.html would take you to a page called lego.html in the toys folder on the Walmart.com website.
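As an added example (not code from the original post), the following Python script breaks a link into the parts described above, the subdomain, the site name and the path, and reports whether the link really leads to the retailer’s domain. The suffix list is a constructed stand-in for the much longer Public Suffix List, and the URLs are made-up test inputs.

```python
from urllib.parse import urlsplit

# Constructed, minimal list of public suffixes for this example. The real
# Public Suffix List (publicsuffix.org) is far longer; "co.uk" is included
# to show that a suffix can be more than one label.
PUBLIC_SUFFIXES = {"com", "org", "net", "fr", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname that names the site (the label just
    before the public suffix, plus the suffix).

    support.dell.com -> dell.com
    dell.com.dealsexpress.fr -> dealsexpress.fr
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Check the longest candidate suffix first so "co.uk" wins over "uk".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is only a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"unknown suffix in {hostname!r}")


def link_goes_to(url: str, expected_domain: str) -> dict:
    """Split a link into host, site, subdomain and path, and say whether
    the site it leads to is expected_domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # urlsplit already lowercases
    site = registrable_domain(host)
    # Everything in front of the site name is the subdomain ("support",
    # or the deceptive "dell.com" in dell.com.dealsexpress.fr).
    subdomain = host[: -len(site)].rstrip(".") if host != site else ""
    return {
        "host": host,
        "site": site,
        "subdomain": subdomain,
        "path": parts.path or "/",
        "matches": site == expected_domain.lower(),
    }
```

Run on a link from an email, `matches` is False for `Dell.com.dealsexpress.fr` because the site name is `dealsexpress.fr`, while `support.dell.com` still resolves to `dell.com`.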

3. Browser warnings

If you do click a link and your browser displays a warning, close the browser window or tab and do not proceed to that link. Browser warnings might include “There is a problem with this website’s security certificate” or “This connection is untrusted”. These warnings indicate a problem with the web site’s certificate.

Certificates are used by websites to prove their identity. Certificate authorities are companies that computers are configured to trust; a site operator goes through a validation process and then purchases a certificate from one of them. The certificate is installed on the website, and your browser then verifies that the certificate was issued for the site you are visiting and that it came from a certificate authority that you trust.

Take these warnings seriously and do not proceed to such sites. While there are some instances where a legitimate site could have a certificate problem, it is generally not worth the risk to proceed.

4. General phishing signs

You should also watch out for other phishing messages in addition to the holiday specials. Some other signs for spotting these messages include bad spelling, the request for personal information or a detailed sad story that requests you to send money.

I hope you stay safe this holiday shopping season. Catch the Black Friday and Cyber Monday deals without getting pillaged by following the tips above. Above all, remember if a deal sounds too good to be true, it probably is a hoax or a scam.


Cybersecurity Investigation, Prosecution, and Prevention

Join the Cleveland Metropolitan Bar Association Business, Banking & Corporate Counsel Section on Thursday, December 11, 2014 for a panel discussion on “Cybersecurity: Investigation • Prosecution • Prevention” highlighting the likely perpetrators and targets of cybercrime, the methods of cybercrime, how to prevent and respond to cybercrime, and how cybercrime is prosecuted.

The shift to complete dependence on the Internet and related technologies has left us all vulnerable to cybercrimes and intrusions aimed at bringing economic, social and political infrastructures to a standstill. Cybersecurity is among the leading issues facing corporate directors, officers and general counsel as companies are becoming more proactive in protecting data, intellectual property and customers.

Moderator:
Brent M. Buckley, managing partner of Buckley King and Chair of the CMBA’s Business, Banking & Corporate Counsel Section

Panelists:
Ganpat Wagh, Supervisory Special Agent in Charge of Cybersecurity, FBI
Duncan Brown, Director of International Organized Crime, U.S. Attorney’s Office
Eric A. Vanderburg, Director, Information Systems and Security, JURINNOV Ltd

Registration – 3:00 p.m.
CLE Presentation – 3:30 – 5:00 p.m.
Reception: 5:00 p.m.

CLE: 1.50 hours approved

Cleveland Metropolitan Bar Association
1375 East Ninth Street
Second Level – One Cleveland Center
Cleveland, OH 44114

Pyramid Schemes: Building lies on hopes and dreams

A pyramid scheme is much like the old chain letters people received when the post office was the en vogue form of communication. The way this scheme works is simple and very identifiable. One person begins at the top of the pyramid and recruits a few other people to “invest” some amount of money, say $100, with the initial investor. These new recruits go out and recruit more people, who recruit more people, thus propagating the scam further. The fraud comes in when people closer to the bottom of the pyramid cannot recruit enough people to pay off those who are a level above them, and so lose money. There are many types of pyramid schemes that have similar motives and results: invest in order to see a profit, but there is nothing tangible to invest in. Other similar schemes are called Ponzi schemes, chain letters, and multilevel marketing.

Despite the name, money mules are not good

The life of a money mule begins simply enough. An email arrives, often unsolicited, that asks whether you would like to change careers, receive copious amounts of money, and work unsupervised. Who wouldn’t want that? The job ads might call this position a payment processing manager, fund manager, transaction processing agent, or some other legitimate-sounding name. Those who accept the position are instructed to transfer funds from one account to another, keeping a percentage of the amount transferred. It seems like an easy job with more than adequate compensation, so what’s the catch?

If you read the fine print you will see that this is just a basic money-laundering scheme. The money transfers the person engages in are illegal since the funds transferred are stolen. Those who participate could be fined or jailed. In the best-case scenario, participating in such a scheme, even unknowingly, could result in the freezing of the victim’s account while investigations go on.

There is another variation you should be aware of. Instead of transferring money over the wire, some scams may ask you to deposit checks and then wire money elsewhere. The check arrives in the mail and you go to cash it, taking your promised percentage. The problem happens when the check bounces and the bank deducts the money from your account, along with a fine, after you have already wired the money elsewhere.