pixel_dreams - Fotolia

Ransomware is a mature business model for cyber criminals, says report

Ransomware is now an established business model for cyber criminals as malware increasingly uses evasion techniques, second quarter research by PhishMe reveals

Ransomware that encrypts victims’ data and demands payment for its release is firmly established as a mature business model for cyber criminals, a report has revealed.

Ransomware now accounts for 50% of all malware configurations and is showing no signs of diminishing, according to the Q2 2016 Malware Review by security training firm PhishMe.

Given the tenacity and frequency of ransomware phishing attacks, the report said it appears cyber criminals now consider this a tried and trusted business model.

Generally, ransomware demands are between the Bitcoin equivalent of $200 and $500 and often include an added threat that the required amount will double, the report said.

During the second quarter of 2016, PhishMe Intelligence generated 559 active threat reports detailing new delivery of malware via phishing emails, including the indicators of compromise and the tactics and techniques used by threat actors.

The data showed an increase in the number and volume of malware deployments incorporating simple evasion techniques to circumvent protection by security systems.

Numerous deployments of malware were also recorded with less sophisticated actors who still wield robust feature sets.

In March 2016, PhishMe malware analysis noted a strong diversification of ransomware strains which were responsible for 93% of all malware payloads delivered that month, but the Q2 malware research shows that ransomware began consolidating in May and June, with Cerber encryption ransomware and Locky strongly dominating the ransomware scene.

Generate sustainable profits

The research on this ransomware evolution strongly supports the notion that ransomware has effectively become a major business model for threat actors who are seeking the most advantageous and cost-effective means to generate sustainable profits.

“Barely a year ago, ransomware was a concerning trend on the rise,” said Rohyt Belani, CEO and co-founder of PhishMe. “Now ransomware is a fully established business model and a reliable profit engine for cyber criminals, as the threat actors involved treat it as a legitimate industry by selling information, tools and resources to peers all around the world.

“Empowering the human element to detect and report these campaigns needs to be a top priority for organisations if they are to protect themselves from a threat that is here for the long term.”

The risks associated with encryption ransomware are diminished by ensuring that an organisation has sufficient backup and segmentation processes in place, along with established response processes to prevent data loss, the report said.

The report also unveiled findings on the usage of steganography and ciphers in malware delivery, both increasingly popular anti-analysis techniques designed to bypass security systems and the efforts of security researchers.

Read more about ransomware

  • Businesses still get caught by ransomware even though straightforward avoidance methods exist.
  • Criminals used devices compromised for click fraud as the first step in a chain of infections leading to ransomware attacks, said security firm Damballa.
  • The first half of 2014 saw an increase in online attacks that lock up user data and hold it to ransom.
  • The Cryptolocker ransomware caught many enterprises off guard, but there is a defence strategy that works.

Using a common steganography technique, threat actors can hide the Cerber executable of a Cerber malware payload within a seemingly harmless image file – sneaking past layers of security technologies to make its way into the target victim’s inbox.

The report gave further examples of how the executables are embedded and what to look for when conducting a deep ransomware analysis.

The report also shed light on remote access trojan (RAT) utilities, which have been in the news recently because of their purported use in the high-profile intrusion and apparent theft of data from the US Democratic National Committee.

While details of the attack are still private, deployment of remote access trojans via phishing emails is a frequent occurrence. The risks associated with these less sophisticated, yet feature-packed malware utilities have been highlighted through their frequent use by advanced actors.

The report said the research data underscores the hazards of relying entirely on sandbox, network and endpoint detection and mitigation utilities to secure an organisation against malware threats, as an increasing proportion of attack techniques are designed to foil many standard analysis processes.

Read more on Hackers and cybercrime prevention