Cybercriminals turn to DIY kits and Ransomware as a Service (RaaS)

Ransomware creators are monetizing their software in creative new ways. Not only are they using ransomware to encrypt files and collect ransoms, but they’re also selling their ransomware to others as do-it-yourself (DIY) kits and licensing it as a service.

DIY Ransomware

Criminals can purchase popular ransomware such as Cryptolocker, Cerber, Locky and Stampado as DIY kits with prices ranging from $39 to $3,000. These DIY kits allow criminals to quickly customize and distribute their ransomware to start collecting money.

There is wide variation in the types of DIY kits offered. Some are based on versions of ransomware that are already outdated while others are stable systems that work effectively. Some include advanced features, like one that allows administrators to delete random files at specific intervals until the ransom is paid.

DIY ransomware often includes a configuration wizard that helps criminals customize the ransomware to their specifications. These future extortionists define a custom name for the ransomware, determine the currency they will accept and the amount of the ransom, and upload a custom ransomware message. For encryption ransomware, criminals purchasing the kit select the file types that will be encrypted. Locking ransomware allows the purchaser to select which functions of the system to freeze.

Ransomware as a Service (RaaS)

Other ransomware creators are outsourcing the distribution element of the ransomware while still collecting the ransom. Such systems offer distributors a percentage of the ransoms received. Ransomware such as Petya, Mischa, Tox, Ransom32 and Cryptolocker Service follow this model of Ransomware as a Service (RaaS). Ransomware creators allow criminals to sign up on servers that are typically hidden behind an anonymous network to protect the creator’s identity and the distributor’s funds. All future extortionists need is a bitcoin account to sign up and they can download the ransomware for distribution. RaaS allows for some customization as well. Criminals can set the ransom demand amount and custom tailor their ransom message.

As victims pay ransoms, the RaaS providers track which bitcoin account was tied to the ransomware version, take a percentage off the top and deposit the remainder into the extortionist’s account. Extortionists can log into the RaaS page to see infection statistics and their earnings.

This has created a gold rush with new entrants to the ransomware market customizing and distributing malware in the attempt to claim their stake of the prize. Unfortunately for the rest of us law abiding citizens, this means that we can expect ransomware attacks to continue to grow. It is important to stay vigilant in implementing security controls, keep systems up to date and train users on the latest distribution techniques and incident response procedures. Make sure that important files are backed up to a location separate from the primary data so that ransomware infections will not impact both production and backup data.


Will Hacktivists Turn to Ransomware?

The US presidential election is upon us and some political activists are out in the streets, and in convention halls. And some are busy hacking. I am referring to the hacktivists, those who illegally use technology to promote a social or political agenda. The main difference between hacktivists and other cybercriminals is that hacktivist crimes are typically associated with a protest or political motivation.

In the early days of hacktivism, hackers used computer worms to spread messages, such as the 1989 Worms Against Nuclear Killers (WANK) anti-nuclear message that sent system announcements on DEC VMS systems.

In recent years, hacktivists have used mostly website defacing, data disclosure, and Distributed Denial of Service (DDoS) attacks to spread their message. Hacktivists typically do not create the attack technology.  They simply augment it for their use. With versions of Cryptolocker, Cerber, Locky, and Stampado for sale at reasonable prices, hacktivists have all they need to launch their own attacks.

Hacktivist ransomware? Not yet.

The good news is that we have not seen hacktivist ransomware – yet. It is a concern because it will differ greatly from the ransomware we know today. Some hacktivists may not even make a demand.  Encrypting the data will cause the disruption in business they desire.

Now is the time to guard yourself from such attacks. Take an inventory of the data in your organization so you know where it is. Next, back up the data and ensure it can be recovered in time. Lastly, ensure that users know that your organization has a plan in place to respond to ransomware (your backup strategy) and educate them on the process for spotting and reporting ransomware. That last step, prevention, is key to your success.

Three steps to data protection

Many organizations have found out too late that valuable data was on a device that they did not track, and these oversights have resulted in data breaches, or data loss. Both consequences can be avoided when the organization understands what data they have and where it is located.

Craft a backup strategy that keeps the backup copies separate from the production copies so that ransomware will not infect both. The strategy should also allow for restores to be performed quickly enough so that business interruptions are kept to an acceptable minimum. In the industry, we call this the RTO or Recovery Time Objective. You also want to make sure the backups are performed frequently enough to avoid unnecessary data loss.

The final key to protecting your data from ransomware attacks of any kind is to communicate with employees. Ensure that they understand that the organization has a plan in place to deal with ransomware. In this way, employees will not feel that they need to take on the solution themselves by paying the ransom or, in the case of hacktivism, performing the requested action. Employees should also understand how to report ransomware so that the organization can respond to the incident quickly.

If hacktivism follows the route many believe it will, hacktivist ransomware will eventually enter the scene. Protect yourself from all ransomware by putting the right controls in place before the attack.


Newest Ransomware has Polished, Professional Look

Criminals are raising the bar in the fight for your money.  It’s natural to expect that competition would follow success—and ransomware is succeeding.  Your data is the target and your pocketbook is the end goal.  As the landscape becomes more saturated, criminals are seeking ways to get a better return on their infections by making it easier to pay up.

One way extortionists are making it easier to pay is by using alternate currencies.  The process for purchasing bitcoins, the mainstream ransom currency, can be difficult for those who have never purchased them before.  Victims cannot just go to their bank and exchange dollars for bitcoins. That’s why some ransomware such as FLocker and TrueCrypter allow for payment with iTunes or Amazon gift cards.

Other ransomware distributors provide very clear instructions and online support.  Today’s ransomware is developed in multiple languages by professional translators so that the instructions for paying the ransom are easy to understand.  Some even come with a guide that explains how to obtain the desired currency. These cyber crooks utilize call center technology and live chat to walk victims through the process of purchasing bitcoins, paying the ransom, and decrypting their files.

Ransomware authors utilize graphic design professionals to create ransomware that has the feel of a professional application.  Sophisticated visuals and easily readable text can make paying a ransom feel more like renewing software.  Each new piece of malicious software is crafted in this way to make it more likely for you to pay rather than protect.

In some cases, organizations and individuals do choose to pay up. A one-time cost may seem the simpler route, but now you’ve opened the door to more attacks; you’re considered a paying customer. The best way to avoid being re-targeted is not to have to pay ransomware distributors in the first place.

No one ever put out a fire by feeding it.  Rather, we must starve the flames to see them extinguished.  Equip your company with the processes, people, and technology to fight the fire.  Protect yourself with a solid backup plan that can help you avoid paying cybercrooks. And you can help make ransomware a thing of the past.


Geolocation technology helps ransomware deliver targeted message

It might surprise you to know that ransomware uses geolocation technology to customize payloads and target individuals. You probably already know that geolocation is the approximate place where an Internet-connected device resides. Geolocation obtains an approximate location of a connection by referencing a machine’s IP address against various databases. As a reminder, an IP address is the numerical address assigned to a device under the Internet Protocol, the protocol by which data is sent from one computer to another on the Internet.

Those databases are maintained by Internet Service Providers (ISP) and Traffic Detection Services (TDS), all of which utilize and maintain databases on the places where an IP address has been used. Geolocation data does not provide the actual address of an Internet-connected device, but it can get within 10 to 20 miles of a device’s location.

This geolocation information is used by extortionists to direct ransomware to specific regions where they believe they can get a big return. They might use geolocation to customize ransom messages for each target region, so you are fooled into thinking a fraudulent email or link actually leads to information you want or need regarding changes to your regional bank or utility provider.

Also, ransomware distributors can target regions or countries with a higher average level of income, such as those in the United States, Japan, and Europe, where users are more capable of paying more than $500 to get the keys to decrypt their data. Recently I wrote about how ransomware distributors are using graphic designers and online chat tools to make it simpler and more likely that victims will pay — and geolocation is just another way that ransomware is becoming more sophisticated.

Geolocation customization

Ransomware uses geolocation to customize the language and content of the ransom message it displays to a user. Cybercriminals know that it will be much easier to get paid if their victims do not need to translate their messages first, so they write ransom messages in the language used by the victim’s region. Some ransomware also checks the language settings on the computer in addition to using geolocation information so that it uses the correct language.

A variety of ransomware threats have included false claims from law enforcement agencies that users have conducted illegal activities such as downloading copyrighted movies, games, or music. Those that falsely claim to be from a law enforcement agency have the greatest chance for success when the law enforcement agency they claim to represent is one that has jurisdiction over their intended victim.  These ransoms lock the computer until fines are paid to the extortionists. Such schemes use geolocation to customize which law enforcement agency is used in the ransom message.

As you can see, geolocation is an essential part of ransomware. No matter where you live, though, the basic rules of data protection apply. Avoid phishing emails that lead you to bogus sites. Back up your data with a reliable provider. Take the time to check out any reminders or invitations to click on links to upgrade applications or browsers, simply by hovering over the link to see the full URL. Oftentimes, you’ll find suspicious words in the URL you are being encouraged to use. Ransomware of any type feeds on fear and the motivation to move fast to avoid danger. Instead, take the time to look for any hints of trouble.


Adding Ransomware to Security Radars

Ransomware is the quickest way to turn your valuable data into garbage.  Ransomware is a form of malicious software that blocks access to user data such as documents, spreadsheets, pictures, music, or videos, typically by encrypting those files.  At this point, the ransomware will display a demand for payment in order to send the victim the decryption keys to the data.

Businesses and consumers often do not know what they have until it is encrypted.  It is then that they realize their Christmas list, family photos, and personal financials are inaccessible.  It can be much worse for companies.  Imagine the impact when payroll data, product formulas, or inventory records are suddenly unavailable.  Now imagine a doctor who is unable to prescribe medicine or perform an operation because the prescription information or patient records they need are encrypted.  As you can see, the impact of ransomware can be severe.

Despite ransomware’s severe impact, its attack vectors are more mundane.  Ransomware is obtained through a variety of well-known routes including email, websites, online advertising, exploits on system vulnerabilities, and infected files on shared folders or cloud file sharing services.

Email
Emails, particularly phishing emails, frequently entice users to open attachments that contain ransomware or to click links leading to infected websites.  The techniques used here are the same ones used by scammers, hackers, and other malware distributors.  Protection techniques include screening attachments with antivirus tools and utilizing email gateway scanning and filtering tools.  It is also important to educate employees or family members on how to recognize suspicious emails.

Infected websites and online advertising

Ransomware is also distributed from infected websites and through online ads.  Extortionists seed websites with malicious code and then wait for unsuspecting Internet users to visit a compromised site and get infected with their ransomware.  The likelihood of infection from such sites can be greatly reduced by utilizing a web filter, scanning web sites for malware or by browsing the web in a virtual machine.

Extortionists also create ads on social media or in search engines that download the malware.  Ads might pretend to be a flash player update, help or chat ads, or fake antivirus.  These ads are collectively known as malvertising.  The best way to protect against ransomware distributed through malvertising is by using an ad blocker.  There are many extensions for common browsers or standalone applications that can perform this activity.

Shared folders or cloud file sharing

Ransomware can also be obtained when a computer is connected to a network share that has ransomware on it.  Many ransomware variants are capable of spreading to shares that a computer is connected to, typically through mapped drives.  Ransomware can also infect your machine if you are using a cloud file sharing service that synchronizes files between machines.  If a personal computer is infected and has the cloud file sharing software on it, it can replicate the malware to other computers that are part of the sharing relationship, infecting them all in the process.  Monitor file servers for mass file changes to detect ransomware behavior and scan files that are placed on network shares.  Similarly, equip each computer that utilizes cloud file sharing applications with antivirus software and segment business cloud file stores from personal ones.
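The "monitor file servers for mass file changes" advice above can be turned into a simple detector. The following is an added example, not code from the original post: it parses a constructed file-server audit log (a made-up "timestamp user action path" format, not any real product's) and raises an alert when one user changes many distinct files inside a short sliding window, or renames files to an extension that is not on an allow list.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines for this example (not a real product's log format):
# "<ISO timestamp> <user> <action> <path>", where action is WRITE, RENAME or DELETE
# and, for RENAME, path is the new name. The burst from "carol" imitates the
# rename-to-.locked pattern and dropped ransom note that the post describes.
SAMPLE_LOG = """\
2016-09-01T09:00:01 alice WRITE /shares/finance/budget.xlsx
2016-09-01T09:03:45 bob WRITE /shares/hr/review.docx
2016-09-01T10:15:00 carol WRITE /shares/eng/spec.docx
2016-09-01T10:15:01 carol RENAME /shares/eng/spec.docx.locked
2016-09-01T10:15:01 carol WRITE /shares/eng/plan.xlsx
2016-09-01T10:15:02 carol RENAME /shares/eng/plan.xlsx.locked
2016-09-01T10:15:02 carol WRITE /shares/eng/notes.txt
2016-09-01T10:15:03 carol RENAME /shares/eng/notes.txt.locked
2016-09-01T10:15:03 carol WRITE /shares/eng/README_DECRYPT.txt
2016-09-01T10:15:04 carol WRITE /shares/eng/photo.jpg
2016-09-01T10:15:04 carol RENAME /shares/eng/photo.jpg.locked
2016-09-01T11:30:00 alice WRITE /shares/finance/forecast.xlsx
"""

WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
BURST_THRESHOLD = 8              # distinct files changed by one user inside WINDOW
KNOWN_EXTENSIONS = {"xlsx", "docx", "txt", "jpg", "pdf", "pptx"}  # assumed allow list


def parse(log_text):
    """Turn audit lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def extension_of(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Return alert strings for burst activity and renames to unknown extensions."""
    alerts = []
    recent = defaultdict(deque)     # user -> deque of (ts, path) within WINDOW
    unknown_ext = defaultdict(set)  # user -> unknown extensions already reported
    burst_reported = set()
    for ts, user, action, path in sorted(events):
        window = recent[user]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW:   # drop events older than WINDOW
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= BURST_THRESHOLD and user not in burst_reported:
            alerts.append(f"burst: {user} changed {len(distinct)} files within {WINDOW.seconds}s")
            burst_reported.add(user)                   # report each user's burst once
        if action == "RENAME":
            ext = extension_of(path)
            if ext not in KNOWN_EXTENSIONS and ext not in unknown_ext[user]:
                unknown_ext[user].add(ext)
                alerts.append(f"rename: {user} renamed a file to unknown extension '.{ext}': {path}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Feeding real share audit data in requires only adapting parse() to the server's log format; the thresholds are starting points to tune against the baseline of normal activity on each share.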

System vulnerabilities

Vulnerabilities in operating systems, applications and browser plugins are well documented once they have been discovered.  Attackers create exploit kits to target these vulnerabilities and then other malicious actors utilize these exploit kits to deliver malware to your machine.  The most common exploits are those related to operating systems such as Windows, applications such as Adobe Acrobat, or browser plugins such as Java, Flash, or Silverlight.  The best way to protect against the exploitation of such vulnerabilities is to keep systems, applications, and plugins updated to the latest version.  Vendors frequently release new versions or patches to software that fix the vulnerabilities that have been discovered.  Applying these updates can prevent those vulnerabilities from being exploited.

There will always be exceptions in a security system.  No system will protect you one hundred percent of the time and that is why it is important to have contingency plans.  When ransomware gets past your defenses, and it will at some point, be sure you have up-to-date backups of critical files so that you can remove the malware and encrypted files and then restore clean versions of the files back to computers.  Backup solutions should be distinct from production systems.  For example, a hard drive connected to a computer or a network attached storage device are both accessible from an infected machine so they are likely to be infected too.  However, tape backups or online backup services are distinct from production storage and can be relied upon to restore clean copies of data if the restore points predate the infection date.


Security’s common cold

New and creative security threats may grab headlines, but smart security practitioners know that many attackers still rely on the tried-and-true methods, and they protect themselves from these threats accordingly. The challenge some IT security experts face is in maintaining awareness of threats to which users have grown accustomed. Malware has been around for decades now, and in the technology world, a decade is a long time. Despite malware becoming more sophisticated, the average person is used to getting infected — to the point that it’s seen as a mere nuisance rather than a threat.

Did you know that according to the Anti-Phishing Working Group, one in three computers is infected with malware? The same group reports that new malware is being created at a faster rate with nearly 160,000 malware samples discovered each day last year. Like the common cold, malware is familiar and seen as an inconvenience by most people since the effects of malware are mostly hidden from the user. While Trojans, which make up almost three-quarters of malware, steal data from computers, users can only see the performance impact malware has on their machine.

This lack of visibility to the threat is partially due to the nature of digital information since information can be copied without damage. Unlike the theft of items from a home, information theft is not as easily noticed by end users because the original information is still left in place, unaltered. So what is the real threat?

Data breaches and botnets

Data breach risk and the level of botnet activity are directly correlated, according to a recent study by BitSight. A botnet is made up of malware residing on many machines that act in unison and receive common instructions. In essence, a higher amount of malware in an organization puts it at higher risk for a data breach. And these days, breaches make the news.

Security practitioners focus on two areas to combat this threat: security controls and training. Security controls such as antivirus software, Internet and spam filters and firewalls can prevent some malware from entering a facility or from propagating. When not prevented, systems such as intrusion detection, monitoring and alerting, and event collectors can detect anomalous behavior and alert team members to the potential presence of malware.

Some systems rely on signatures to identify malware. Signatures are an effective way of screening known malware, but they provide almost no defense against new, unclassified malware. These threats must be addressed through heuristics and anomaly-based detection. Heuristics looks at the way software works to identify potential malware. For example, a process may not match a known signature, but it could be flagged by a heuristic scanner if it replicates or performs reconnaissance. Anomaly detection considers a baseline of how a system or network functions and identifies behavior that is outside the norm. More-advanced detection systems may build on the baseline over time through machine-learning techniques to continually improve on the model.

Steps to a secure workforce

This large array of technical controls can often make companies feel safe, but they are most effective when combined with employee training on how to safely and securely use computing technologies. The first step is to assess your workforce to determine the areas where training is most necessary. Some organizations may have a wide range of security awareness levels so some may need more introductory training on how to safely use the Internet, what malware is, how to notify personnel of a breach or how to recognize phishing while others may be more suited for a more advanced discussion on computer security.

It is important not to confuse technical computing knowledge with security knowledge. Sometimes those who are most computer savvy are most vulnerable because they take technological risks that others would not take or they circumvent existing controls in the belief that this makes them more effective.

Malware should make us uncomfortable. It can be a threat, and threats create pain. It is unfortunate such a threat has persisted so long that some have become numb to it, but we need to take malware seriously. The key to preventing the next breach lies not only in effective technical controls but with an educated workforce that knows how to work safely and securely with organizational technologies.


Malware behind university data breach

Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11.  The warning informed them that information for over 25,000 persons including social security numbers had been breached.  The breach was caused when malware, identified as Vobfus, infected the university’s human resources database.

Malware is often seen as a nuisance or a productivity inhibitor, but an infected computer can pose a much greater risk to organizations and it should not be overlooked.  Malware gets behind the organization’s perimeter and it can act with the credentials of legitimate users, including administrators.  Just because a system is behind a firewall or in a demilitarized zone doesn’t mean it is safe, as threats from the inside are just as virulent as those from the outside.  Recently, malware has been the cause of a number of data breaches, including those at supermarkets, banking institutions, and retailers.

Antivirus software is essential but it is only the first step in protecting against malware.  New malware and revised versions of existing malware are continually being released and antivirus signatures will miss some malware, potentially even the most dangerous ones.  Understand what normal traffic looks like on your network so that abnormalities can be quickly identified.  Take notifications from users about suspicious activity seriously and consider implementing technologies that utilize behavior-based scans to detect viruses and intrusions.  Lastly, know what to do and who to call if there is a data breach.