Ransomware thieves have come up with creative new schemes in the past month.
Current ransomware typically encrypts victims’ data and then threatens to delete the key if payment is not made. The latest variant of the prolific CryptoWall malware, however, now scrambles the filenames on infected computers, making it even more difficult for victims to recover without buying the key from the attackers.
Potentially worse, another ransomware operation, known as Chimera, has threatened to publish the data of any non-cooperative victim—whether business or consumer—to the Internet. The operation, which currently aims at German targets, demands the payment of almost 2.5 bitcoins, or more than US $800, according to German cybersecurity site Botfrei, which reported the initial attack.
“To frighten the user even more, the message indicates the threat to publish personal data and pictures somewhere on the internet – if user doesn’t pay the bribe,” states Botfrei’s analysis of the attack.
An empty threat that may still signal a trend
Subsequent analysis has found that the program does not actually steal data. While this makes its threat largely toothless, it also raises questions about whether such tactics are a possible escalation in ransomware.
It would be a logical move in the cat-and-mouse game between data-encrypting criminals and security experts. In the past, online blackmail schemes have taken one of two paths. In the oldest type of schemes, criminals hack computers or use malware to steal—or create—sensitive or embarrassing information and then demand a payment for not publicizing the information. More recent schemes involved denial of service—the criminals use encryption to deny access to data, or use packet floods to overwhelm Web sites.
“Ransomware has always been a two-pronged attack,” says Adam Kujawa, head of malware intelligence for Malwarebytes Labs. “One being against the technology of the system and the other against the psychology of the user.”
The claimed abilities of Chimera combines these two attacks, denying access to data but promising to embarrass any victims that do not pay.
Ransomware has become a significant threat to both businesses and consumers online over the past three years. The malicious software targets Windows and Macs, and even Linux servers and systems are not immune to attack. In August, Dell Secureworks researchers estimated that more than 600,000 computers had been infected by one type of ransomware, CryptoWall, in the first six months of 2015, and at least 0.27 percent of victims paid the ransom, garnering more than $1 million for the operators.
Security experts have also identified two fundamental hurdles to any ransomware schemes that threaten to publish data.
Currently, ransomware operators only encrypt data and then store the key to that data. Uploading copies of all of a victim’s data, or even a subset, is most resource-intensive and will make the ransomware more noticeable, says Chester Wisniewski, senior security advisor with security firm Sophos.
“There is nothing stopping them from saying they are going to go through your files, but are they really going to spend all that time for a few hundred dollars?”
Finally, publishing some or all of a person’s data to the Internet undermines the other part of the ransomware threat—losing access to the data. A victim could just not pay and then download their data from the information posted online, says Malwarebytes Kujawa.
Yet, future ransomware could turn the threat into a real tactic.
So what’s the latest advice? Security experts have a few recommendations.
1. Attend to your systems’ security
The first line of defense is to not get infected by ransomware. Users should avoid clicking on links or opening attachments in suspicious email messages and beware of dodgy Web sites, but also harden their systems. Update your software regularly, especially the ubiquitous code often targeted by attackers, such as Adobe’s Flash, Oracle’s Java and Microsoft’s Office formats.
In addition, users should maximize their chances of detecting malware, which is changed frequently to try to avoid security software. “There is a lot of money on the line, so these guys are working hard to keep their malware dynamic,” Sophos’s Wisniewski says.
Users should make sure to turn on the advanced settings in their security software, he says.
2. Back up your data
Historically, security firms have recommended that that businesses and consumers restore their files from backup, but not all businesses—not to mention consumers—back up their files regularly, leaving payment as the only option. In addition, it is often cheaper for a company to restore files using the encryption key rather than from backups.
“We always tell people to have backups and we tell people to never pay, but that is not always realistic,” says Chester Wisniewski, senior security advisor with security firm Sophos.
The FBI recently gave a nod to this reality. Joseph Bonavolonta, assistant special agent in charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, told a recent conference, “To be honest, we often advise people just to pay the ransom.”
3. Encrypt data even on your own hard drive
Even security experts have had their files and email stolen by hackers and posted to the Internet. Increasingly, businesses are encrypting their most sensitive data and any sensitive email discussions. While encryption will not necessarily protect the content of messages, if the computer itself is compromised
This step is not foolproof, but it does add another hurdle for the data thieves.