Ransomware, which morphed from scareware fraud around 1998, isn’t abating. Fraudsters are still holding electronic devices ransom with creative variants and extorting money and personally identifiable information. Here are some of the historical and current developments plus ways to help others avoid ransomware.
Duke Winston had just graduated from a university with a degree in marketing and was excited to start work with a major San Francisco advertising firm. One evening a message flashed on his computer screen that said his files were encrypted, and he had to click on a link to a website and pay $300 to gain access to the key to decrypt his files. If he didn’t pay the ransom in seven days, the message said, the amount would increase. Duke talked with a friend who worked for a computer company, who said the ransomware probably infected Duke’s computer when he clicked on a malicious link or file in an email or attachment. However, Duke lucked out because he’d previously backed up all his files. He could keep his $300.
Even though Duke’s story is fictitious, thousands of individuals and businesses still are ransomware fraud fodder for online criminals, and many of them aren’t as fortunate as Duke.
Based on the escalating number of major ransomware attacks reported by the media last year, we could easily get the impression that this scheme is a relatively new phenomenon. But the first variant of ransomware, PC Cyborg, which evolved in 1998 from scareware fraud, is increasingly showing up as numerous variants.
Although losses from ransomware were relatively minor in its earlier years, they’ve grown significantly from about $24 million in 2015 to $1 billion in 2016, according to Danny Palmer in his Sept. 8, 2016, ZDNet article.
And back in May 2017, Jonathan Berr of CBS’s Moneywatch said that losses from the “WannaCry” ransomware alone (described below) could reach $4 billion in 2017.
In both ransomware and scareware fraud schemes, fraudsters follow the same script by using extortion tactics to panic victims and trick them into unloading their cash and divulging their personally identifiable information (PII). We can consider ransomware to be a “new and improved” version of scareware fraud.
Scareware fraud
In general, scareware fraud emerges when a user is browsing the internet and receives a warning message that his computer is infected with a dangerous virus. The message suggests that the user can download a free trial version of a new software security suite.
While the user is pondering what to do, they typically are bombarded with online advertisements and security warning pop-up windows informing them that their computer’s data isn’t secure. And then several of their favorite software programs stop running correctly. The free software security often doesn’t fix the problem. The user must instead pay a subscription fee, usually about $40, to receive the full version of the suite to remove the virus. But the computer continues to malfunction even with the full version.
The scareware hackers now have the victim’s credit card information and can gain access to their personal files and habits. The scammers then can steal identities, transfer money from bank accounts, make fraudulent charges on credit cards and much more. In worst-case scenarios, scareware scams can have devastating repercussions for years to come.
(To gain a thorough understanding of how scareware fraud works and how it’s directly related to ransomware, see the two feature articles, “Scareware fraud: All trick and no treat?” parts 1 and 2, I coauthored with Tiffany McLeod in the March/April 2011 and May/June 2011 issues of Fraud Magazine.)
Ransomware
Ransomware, on the other hand, typically displays an on-screen alert on a user’s screen stating that the computer systems have been locked or files have been encrypted. To restore the user’s systems or gain access to the encrypted files, the user must pay a ransom — most often in bitcoin — within a certain time period.
I reported on the emergence of ransomware in a feature article I wrote with Tiffany McLeod, “European fraudsters say pay up or your computer and files are goners!” in the July/August 2013 issue of Fraud Magazine. As we wrote then, fraudsters initially focused their attention on victims in European countries, but in 2013, they began to refocus their efforts on victims in other countries, including the U.S.
Individuals and businesses in approximately 150 countries have now experienced the ransomware scam. (See “Global cyberattack: Full list of countries affected by the ransomware campaign,” by Agamoni Ghosh, International Business Times, May 16, 2017.)
The ransomware malware variants have “left no prisoners behind” as they have invaded organizations worldwide in every industry sector imaginable, including the health care industry, which was hit relatively hard last year. But the hackers’ marketing plan doesn’t end just with industry penetration as shown by the number of emerging ransomware variants. Of course, this is nothing new as fraudsters continue to develop “new and improved” versions of many of their products, which organizations and security specialists find extremely difficult to overcome.
Fraudsters have used ransomware to create lucrative businesses because many individuals and businesses pay the demanded ransoms to unlock and log into their computers or get the keys to decrypt their encrypted files. Also, some variants of ransomware plant various types of malware within networks, including some that allow fraudsters to steal PII related to online banking account users. More bang for the buck. This results in a double-whammy risk for many individuals and organizations and, in most cases, prompts them to invest significant resources to recover from it or help prevent it, although the probability of doing so isn’t great.
Employees who aren’t adequately trained in how ransomware is delivered compound the ransomware problem and hinder development of improved detection and prevention tactics. Organizations need to overcome this weakness so employees at all levels can respond correctly and not be victimized.
Delivery of ransomware
The majority of ransomware is delivered in one of these ways:
- Phishing schemes.
- The “drive-by downloading” technique, which occurs when a user unknowingly clicks on a link that takes them to a contaminated website at which malware is then downloaded and installed on the user’s computer without the user’s knowledge.
- Clicking on a contaminated link in a popular website or through social media, such as web-based instant messaging applications.
- Malware-infected advertising (malvertising).
Fraudsters target all types of devices to deliver ransomware, but they’re now aiming at mobile devices because that’s where most people spend their time online.
Hackers might exploit vulnerable web servers as entry points to gain access to networks and download ransomware. This technique allows a hacker to install additional malware that searches for new vulnerabilities and exploits networks to gain access to PII, including usernames, credit card numbers and routing information for bank accounts.
General types of ransomware
Ransomware is classified into two general types: Lock Screen (or Locker, also known as Winlocker) and Encryption (or Crypto).
Lock Screen types lock up computers or other devices, which prevents users from logging in. Encryption types encrypt user files, which denies users accessibility and use.
Lock Screen, the predominant form, displays a full-screen image or web page that prevents the user from accessing anything in the affected computer. Fraudsters use social engineering techniques such as displaying FBI or IRS logos to panic and scare users, which is why so many of them succumb to the fraud. (See Figure 1 below.)
Figure 1: A Lock Screen ransomware locked-computer message (from the Malware don't need Coffee website.)
Encryption ransomware, a less common form, uses a direct ransom demand approach instead of social engineering. After the fraudsters hook a victim, the ransomware encrypts the files, which prevents the user from opening them. The fraudsters then demand payment in exchange for a key to access and decrypt the encrypted files. (See Figure 2 below.)
Figure 2: An encryption ransomware locked computer message (from Remove 'computer locked, data encrypted' virus (FBI - ICSPA Scam), by Stelian Pilici, Malware Tips, May 25, 2013.)
Because of their initial financial success, the evolving variants have become more sophisticated, which makes it difficult for individuals and organizations to keep up with and overcome them.
Common ransomware variants
To help understand why ransomware has become so sophisticated and difficult to detect and prevent, it’s important to track the evolution of some of the more common major variants. Organizations then will be able to refocus their efforts more clearly when developing tactics to identify and patch vulnerabilities in their networks to avoid being victimized by older as well as possible new variants of ransomware.
PC Cyborg
The first variant of ransomware, PC Cyborg, which emerged in 1998, was designed with simple symmetric encryption to lock user files, according to “Common Types of Ransomware,” by Paul Rubens, Security Planet, March 2, 2017. It was relatively unsuccessful because hackers could easily produce tools to decrypt locked files, so they created newer and more sophisticated versions of ransomware, which they began to use heavily starting in 2012.
Reveton
Reveton ransomware, which evolved from the PC Cyborg in 2012, prevents users from logging onto their computers. It normally uses an “exploit kit” known as BlackHole, according to investigative journalist Brian Krebs, author of the Krebs on Security blog. An exploit kit is a tool that’s “stitched into hacked or malicious Web sites [along with the ransomware malware], so that all visiting browsers are checked for [vulnerabilities such as] a variety of insecure, outdated plugins [software], from Flash, Java to Adobe Reader,” Krebs writes. (See “Inside a ‘Reveton’ Ransomware Operation,” by Brian Krebs, Aug. 12, 2012.)
When the kit finds security holes in the computer’s software, the browser is “handed a Trojan downloader that fetches Reveton and most likely a copy of the password-stealing Citadel/ZeuS Trojan,” Krebs writes.
The Citadel/ZeuS Trojan, the most common type of financial malware, continues to operate on compromised computers collecting data, which hackers use to commit online banking and credit card fraud. Thanks to the BlackHole exploit kit, the end user’s computer is infected with the malware — in a drive-by-download fashion — without any interaction from the user. This creates “double trouble” for the user and enhances the coffers of the fraudsters.
CryptoLocker
The Trojan horse, CryptoLocker, first appeared in September 2013, according to Symantec. CryptoLocker “encrypts files on the compromised computer and then prompts the user to purchase a password in order to decrypt them.”
According to Enigmasoftware, “CryptoLocker may typically be installed by another threat such as a Trojan downloader or a worm [for example, the major botnet, GameOver Zeus].”
After CryptoLocker is installed, according to Enigmasoftware, “it will search for sensitive files on the victim’s computer and encrypt [all of the data in each of] them.”
According to Microsoft, the encryption process includes a pair of keys: a public one to encrypt the plain text data and make it unreadable, and a private key that the victim must purchase from the owner of both keys to decrypt the encrypted data and return it to plain text.
“CryptoLocker takes the infected computer hostage by preventing access to any of the computer user’s files,” according to Enigmasoftware. “CryptoLocker then demands payment of a ransom to [purchase a public asymmetric key that is needed to] decrypt the infected files.”
On June 2, 2014, the FBI, in conjunction with the U.S. Department of Justice and law enforcement agencies from throughout the world, disrupted the GameOver Zeus botnet, thereby halting this common form of the CryptoLocker ransomware. (See “GameOver Zeus Botnet Disrupted.”) But it wasn’t long until new versions of the ransomware evolved to wreak even more havoc on individuals and organizations.
CryptoWall
CryptoWall ransomware first appeared in 2014, and since then it has appeared in slightly different versions, with names that include CryptoDefense, CryptorBit, CryptoWall 2.0, CryptoWall 3.0 and CryptoWall 4.0, according to Paul Rubens in his Security Planet article. “One notable feature of this ransomware is that the authors offer a free single-use decryption service for one file only, apparently to prove to their victim that they do indeed hold the decryption key,” writes Rubens.
He writes that CryptoWall 4.0, released in late 2015, introduced a new “feature” that encrypts the filenames, which makes it more difficult for victims to know what it has encrypted. “The ransomware is spread by a variety of methods, including attachments in emails purporting to come from financial institutions, exploit kits that exploit vulnerabilities in users’ software when they visit malicious web pages, and web pages that display malicious advertisements,” writes Rubens.
“Some variations of CryptoWall’s ransom note are also unusual, containing text such as: ‘Congratulations!!! You have become a part of large community CryptoWall. Together we make the Internet a better and safer place.’ The ransom demanded is a hefty $700, doubling after about a week to $1,400,” writes Rubens.
CTB Locker
CTB Locker ransomware (sometimes called Critoni) was first noticed in July 2014, according to Giedrius Majauskas in his July 30, 2014, article, “CTB Locker ransomware or how to decrypt encrypted files,” on his 2-viruses.com website.
“This virus aims to encrypt various files and asks for a ransom in order to decrypt them,” writes Majauskas. The ransomware can affect almost all versions of Windows, he writes. Anyone can buy this ransomware for $3,000, he writes, which means users can encounter many versions of CTB Locker with different appearances.
TorrentLocker
This variant, also known as Crypto010-l0cker, behaves totally differently from the original CryptoLocker (except for encrypting files and demanding a ransom to decrypt them), according to an information guide on the Bleeping Computer website.
This variant of the Lockscreen ransomware “is a file-encrypting ransomware program that was released around the end of August 2014 that targets all versions of Windows,” according to the information guide.
TorrentLocker scans computers for data files and encrypts them with AES 256 encryption so users can’t open them, according to the guide. “TorrentLocker is distributed via [phishing] emails that pretend to be shipping notifications, driving or speeding violations, or another corporate/government correspondence. Some emails will contain the malware installer as ZIP attachments or Word documents, while others will contain a link that will bring you to the associated fake site that will prompt you to enter a 5-digit code to download the shipping notification or violation notice. When you enter the code, it will download a ZIP file that contain [sic] an executable that are disguised as PDF files,” according to the information guide. This ransomware variant also created botnets with the user email address and used them to promote the scam with other users.
Bit Cryptor
Bit Cryptor is the most recently released and related variant of ransomware that targets Windows computers on a large scale.
Bit Cryptor “encrypts the user’s files with AES-256, a government-level standard leveraged to secure classified data and widely used in legitimate privacy protection software. … The ransomware uses a mix of exploit-based techniques and spear phishing to infect computers. In most cases, therefore, the users realize they have been attacked only after the program has caused virtually irreversible damage, hence they have to deal with the aftermath,” according to the NABZ Software article.
“Once the trespass has taken place, Bit Cryptor scans the hard drive for specific types of files. The extensions it looks for match the most popular files and documents, so it’s obviously personal data that is targeted,” according to the NABZ Software article.
Kaspersky Lab, a major Russian security firm, obtained the master keys and made them available to the public to decrypt their infected files. As a result, these two variants were shut down. But watch for new emerging forms.
TeslaCrypt
TeslaCrypt ransomware, which evolved in 2015, “often targets gamers, lands on systems through malicious downloads, web domains which load exploit kits and phishing campaigns,” according to “TeslaCrypt no more: Ransomware master decryption key released,” by Charlie Osborne for Zero Day, ZDNet, May 19, 2016. “As ransomware, TeslaCrypt will infect systems and encrypt user files, sticking up a landing page and removing access to the PC until a ransom is paid, usually in virtual currency Bitcoin.”
The developers behind the malware were very active, which made TeslaCrypt particularly severe, Osborne writes. “[R]esearchers found it difficult to crack the software before new, even more sophisticated versions were released into the wild,” she writes.
A researcher for ESET, an IT security company, posed as a TeslaCrypt victim, and via the support chat system on the payment website asked if the developers would consider releasing the master TeslaCrypt decryption key. To the researcher’s surprise, the scam’s authors did release the master key to the public, which allowed all victims to decrypt their files and end this variant of ransomware. However, based on the past behavior of ransomware authors, it’s no time to celebrate because this variant might emerge again in a different form.
Locky
“Locky ransomware [released in 2016] is the current big thing in malware, with a … list of millions of infected computers including high-profile businesses, hospitals, and even police departments.”
“The malware infiltrates into user computers through email attachments, JavaScript, and even ads, where it proceeds to encrypt files, making them inaccessible to users,” according to the article.
No Locky decryption program is available as of press time. Infected users must pay the ransom, which varies between ¼ and one bitcoin ($200 to $800) to restore their data, according to the article. High-profile users have had to pay up to $17,000 in ransom. Low-profile users aren’t guaranteed the return of their data in exchange for paying, according to the article. The decryption keys the hackers give to the ransom payers don’t always work.
WannaCry
This variant was exposed in May 2017 when fraudsters took advantage of a flaw in the Windows operating system and hijacked computers in more than 150 countries worldwide. According to the May 17, 2017, article, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” by Bill Brenner on the Naked Security website, an investigation revealed that “once computers were hijacked, it encrypted documents and displayed ransom notes.” The worm also deleted known local backup files.
The WannaCry developers didn’t have to use the usual phishing technique but were able to penetrate computers that were still using the old Windows XP operating system and hadn’t installed Microsoft patches, Brenner wrote. The attack exploited a Windows vulnerability for which Microsoft had released a patch in March 2017. The worm would generate random IP addresses and then would send malicious Windows Server Message Block (SMB) packets to the remote host and spread itself, Brenner wrote. Windows computers use SMB to share files and printers across local networks.
Even though Microsoft has discontinued support for Windows XP, it subsequently issued a patch to prevent WannaCry on XP systems.
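The propagation behavior described above, a single host sending SMB traffic to many randomly chosen addresses in a short time, is something a network team can watch for in its own connection logs. The following is an added example written for this article, not code from the article or from any of the sources it cites: it parses constructed connection records of the form "timestamp source destination port" and flags any source that reaches more than a threshold number of distinct hosts on TCP 445 within a 60-second window. The log format, addresses and threshold are assumptions for illustration.

```python
"""Flag hosts that fan out to many peers on SMB (TCP 445), the propagation
pattern the article describes for WannaCry.  Added example; the log format
below is constructed for illustration and is not from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "date time src dst dport".
# 10.0.0.5 probes ten different hosts in six seconds; 10.0.0.7 behaves
# like an ordinary workstation talking to two file servers.
SAMPLE_LOG = """\
2017-05-12 10:00:01 10.0.0.5 10.0.0.9 445
2017-05-12 10:00:02 10.0.0.5 198.51.100.7 445
2017-05-12 10:00:02 10.0.0.5 203.0.113.44 445
2017-05-12 10:00:03 10.0.0.5 192.0.2.18 445
2017-05-12 10:00:03 10.0.0.5 198.51.100.99 445
2017-05-12 10:00:04 10.0.0.5 203.0.113.2 445
2017-05-12 10:00:04 10.0.0.5 192.0.2.201 445
2017-05-12 10:00:05 10.0.0.5 198.51.100.150 445
2017-05-12 10:00:05 10.0.0.5 203.0.113.77 445
2017-05-12 10:00:06 10.0.0.5 192.0.2.5 445
2017-05-12 10:00:01 10.0.0.7 10.0.0.1 445
2017-05-12 10:00:30 10.0.0.7 10.0.0.1 445
2017-05-12 10:00:31 10.0.0.7 10.0.0.2 445
2017-05-12 10:00:40 10.0.0.8 10.0.0.1 80
"""


def parse_records(text):
    """Parse one connection record per line into (time, src, dst, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, port = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, src, dst, int(port)))
    return records


def smb_fanout_hosts(records, window=timedelta(seconds=60), threshold=8):
    """Return {src: peak_distinct_destinations} for every source that reached
    more than `threshold` distinct hosts on TCP 445 inside any `window`.

    A workstation normally speaks SMB to a handful of servers; a worm
    probing generated addresses touches many hosts within seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Slide the window start forward until it covers at most `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in conns[start:end + 1]})
            if distinct > threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def analyze(text=SAMPLE_LOG):
    """Convenience wrapper: parse and evaluate the sample log."""
    return smb_fanout_hosts(parse_records(text))


if __name__ == "__main__":
    for host, count in analyze().items():
        print(f"{host}: {count} distinct SMB peers within 60s -> investigate")
```

On the constructed sample only 10.0.0.5 is reported. The threshold is deliberately low for a small sample; in practice it is tuned to the number of file servers a host legitimately reaches, and an alert is a prompt to isolate the host and check its patch level rather than a verdict on its own.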
FBI recommendations
The FBI recommends these steps for organizations and individuals to help avoid becoming a victim of ransomware.
- Make sure you have updated antivirus software on your computer.
- Enable automated patches for your operating system and web browser.
- Have strong passwords, and don’t use the same passwords for everything.
- Use a pop-up blocker.
- Only download software — especially free software — from sites you know and trust. (Malware can also come in downloadable games, file-sharing programs and customized toolbars.)
- Don’t open attachments in unsolicited emails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if you think it looks safe. Instead, close out the email and go to the organization’s website directly.
- Use the same precautions on your mobile phone as you would on your computer when using the Internet.
- To prevent the loss of essential files due to a ransomware infection, it’s recommended that individuals and businesses always conduct regular system back-ups and store the backed-up data offline.
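A backup only protects against the Encryption type of ransomware if it is known to be intact when it is needed, so the offline copy should be checked against a record made at backup time. The following is an added example, not code from the article or the FBI: it records a SHA-256 manifest for a set of files, later compares the live copies against it, and, for every file that changed, measures byte entropy, since a document that has been bulk-encrypted looks like random data while an ordinarily edited one does not. File names, contents and the entropy threshold are constructed assumptions for illustration.

```python
"""Verify a backup set against a stored SHA-256 manifest and flag changed files
whose contents now look encrypted.  Added example; the manifest layout, file
names and contents are constructed for illustration."""
import hashlib
import math
import random
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0.  Text documents sit well below 6;
    ciphertext and compressed archives approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict) -> dict:
    """Record the SHA-256 of every file at backup time (store it with the
    offline copy, not on the machine being backed up)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_backup(manifest: dict, current: dict, entropy_threshold=7.0) -> dict:
    """Compare the current files against the manifest.

    Returns sorted lists: missing (in manifest, gone now), modified (digest
    changed), suspicious (modified and high-entropy, the signature of bulk
    encryption) and unexpected (present now but never backed up)."""
    report = {"missing": [], "modified": [], "suspicious": [], "unexpected": []}
    for path, digest in manifest.items():
        if path not in current:
            report["missing"].append(path)
            continue
        data = current[path]
        if sha256_hex(data) != digest:
            report["modified"].append(path)
            if shannon_entropy(data) >= entropy_threshold:
                report["suspicious"].append(path)
    report["unexpected"] = [p for p in current if p not in manifest]
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample: the file set as it was when the backup was taken ...
ORIGINAL = {
    "docs/budget.csv": b"month,spend\njan,1200\nfeb,1340\nmar,990\n" * 40,
    "docs/notes.txt": b"Quarterly planning notes. Follow up with finance.\n" * 30,
    "docs/letter.txt": b"Dear customer, thank you for your order.\n" * 30,
}
# ... and the live tree afterwards: one file overwritten with seeded
# pseudorandom bytes standing in for ciphertext, one deleted, one edited
# normally, and an unfamiliar note dropped alongside.
_rng = random.Random(2017)
CURRENT = {
    "docs/budget.csv": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "docs/letter.txt": b"Dear customer, thank you for your order.\n" * 30 + b"Regards\n",
    "docs/HOW_TO_RECOVER.txt": b"Your files are encrypted. Pay to recover them.\n",
}


def run_check():
    """Build the manifest from the original set and verify the live tree."""
    return verify_backup(build_manifest(ORIGINAL), CURRENT)


if __name__ == "__main__":
    for category, paths in run_check().items():
        print(f"{category}: {paths}")
```

The same routine run periodically against the offline copy itself confirms that the backup has not been touched, which matters because, as noted for WannaCry above, some variants go looking for local backups to delete. Entropy alone is a heuristic (legitimately compressed or already encrypted files also score high), so it is reported only for files whose digest has changed.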
Ransomware takeaways
- Ransomware has evolved into a major “cash cow” for fraudsters.
- Lock Screen and Encryption Ransomware variants will continue to emerge and become even more sophisticated.
- New versions of existing ransomware variants will continue to evolve.
- Individuals need to understand the importance of educating themselves about the risks associated with ransomware threats and how to protect their devices and data.
- Organizations need to understand that individuals are the weakest links in any fraud prevention program. Therefore, they need to step up and include training sessions in their fraud awareness programs on the various ways ransomware is delivered — especially phishing attacks because they account for 80 percent of malware incursions.
Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. His email address is: doctorh007@gmail.com.