Ransomware, or malware designed to lock or encrypt files in order to extort payment from the victim, is expected to play a major role in cybersecurity this year, according to a new report from the Institute for Critical Infrastructure Technology.
Ransomware attacks spread through a number of vectors, including email, downloaders, malicious advertisements and even “ransomware as a service” distributed by third parties and botnets for a share of the revenues. The average ransom demanded for the return of functionality for a device is about $300, ICIT reported.
The report from ICIT (pdf) comes just days after reports Apple shut down the first known, fully-functional ransomware affecting its devices, after the malware was identified by researchers at Palo Alto Networks. In the case of Apple, the malware (dubbed KeRanger) infected a BitTorrent installer for OSX, and an estimated 6,500 systems were infected between March 4 and March 6. A valid Apple developer certificate was used to bypass Apple’s Gatekeeper security, according to ICIT. The malware took a delayed attack approach – it “slept” for three days before activating and then demanded a payment of one Bitcoin, or about $420, to reinstate access to the user’s files.
“Kaspersky, Trend Micro, Forcepoint, Securonix, Covenant Security Solutions, GRA Quantum and numerous other information security firms predicted that ransomware attacks would significantly increase in 2016, and they were correct. By March 2016, the media covered at least one major ransomware attack every few days,” ICIT noted in its breakdown of the recent KeRanger and Cerber ransomware.
Most devices, particularly mobile devices, aren’t protected from ransomware attacks – or from malware and viruses in general – as mobile is widely perceived as a safer environment than PCs. Security company Kaspersky reported that last year it detected 884,774 new malicious mobile programs – three times as many as in 2014. Mobile malware has so far been seen as a nuisance rather than a serious threat vector in reports such as Verizon Communications’ annual Data Breach Investigations Report. The 2015 DBIR found “the incidence for all types of malware was extremely low, and the bulk of it was resource-wasting, but low-impact, infections.”
However, that may be changing.
“Mobile malware continues to evolve towards monetization, with malware authors trying to ensure their creations are capable of making money from their victims,” security firm Kaspersky has concluded.
Although KeRanger was the first major ransomware issue for Apple’s OS, there have already been a few examples of ransomware targeting Android systems: one variant posed as antivirus software but locked down the device, and another imitated an adult website application and threatened legal action unless the user paid up. Cerber ransomware hijacks a mobile device’s text-to-voice capability and sets off an audible “alarm.” The latter two in particular rely on a user’s panic to get payment.
“For the most part, sensitive data is not stored on mobile devices,” ICIT said. “The value is the devices themselves and the inconvenience suggested to most users should they choose not to pay. Since many mobile devices now automatically back data up into the cloud, mobile ransomware must heavily rely on social engineering panic in victims; otherwise, the user can just reset their device to factory default and download some or all of their data from the cloud network.”
ICIT also noted that while Microsoft’s Windows has been the more popular target on PCs because of its larger installed base, the very popularity of Apple’s iPhone means it is more likely to become a target on mobile.
“Because the iPhone is the leading mobile device, mobile malware and ransomware targeting Apple products will probably popularize before other variants,” ICIT said.
James Scott, co-founder and senior fellow at ICIT, told RCR Wireless by email in the wake of the Apple ransomware attack: “There will continue to be new forms of ransomware that exploit new vulnerabilities in applications, computers and devices. Ransomware is basically weaponized encryption for which there is no singular silver bullet defense. Cybersecurity education and a layered approach to cybersecurity must be part of our techno-centric culture. As the ‘Internet of Things’ expands, so do the risks associated with using technologies attached to it. People need to start taking cybersecurity hygiene more seriously, because there is no application patch for human stupidity.”