Nothing spurs malware development like success and that's likely to be the case in the coming months with ransomware.
Ransomware has been around for around a decade, but it wasn't until last fall, with the introduction of CryptoLocker, that the malevolent potential of the bad app category was realized. In the last four months of 2013 alone, the malicious software raked in some $5 million, according to Dell SecureWorks. Previously, it took ransomware purveyors an entire year to haul in that kind of money.
So is it any wonder that the latest iteration of this form of digital extortion has attracted the attention of cyber criminals? A compromised personal computer for a botnet or Distributed Denial of Service attack is worth about a buck to a byte bandit, explained Johannes B. Ullrich, chief research officer at the SANS Institute. "With ransomware, the attacker can easily make $100 and more," he said.
What distinguishes CryptoLocker from past ransomware efforts is its use of strong encryption. Document and image files on machines infected with the Trojan are scrambled using AES 256-bit encryption, and the only way for a keyboard jockey to regain use of the files is to pay a ransom for a digital key to decrypt the data.
Nevertheless, the bad app is the result of an evolutionary process that can be traced back to the rogue anti-virus campaigns during the 2000s. Those campaigns used persistent pop-up windows alerting a user that their computer was infected. To clear up the infection, the user needed to buy the pop-up perpetrator's anti-virus software. "Of course, the people selling the software were the same people who infected your machine," explained Garth Bruen, a fellow with the Digital Citizens Alliance, a consumer safety group focused on online crime. "That became known as scareware."
Most of the time, users were just paying to make the pop-up windows go away. On some occasions, though, the "anti-virus" software was more malicious. "It would infect your machine, use it to relay spam and spread infections," Bruen said.
Eventually, through a combination of education, better distribution of legitimate anti-virus software and law-enforcement raids, scareware's popularity began to decline, and ransomware started gaining traction. "Instead of trying to deceive a consumer that their computer is infected, the attacker is telling them, 'We've locked your PC, and we won't unlock it until you pay us X number of dollars,'" Bruen noted.
Although the predators started demanding ransoms, they also continued their scare tactics. For example, the lockscreen for some forms of the malware would display an official warning — similar to those shown at the beginning of DVD movies — from a law enforcement agency accusing the user of some crime for which a fine must be paid before the computer is unlocked. "They'll scare you in some way," said Keith Jarvis, a security researcher at Dell SecureWorks. "They'll say you've downloaded pornography or pirated music files and you have to pay this ransom by this date or face prosecution."
Sign up for Computerworld eNewsletters.