Ransomware: Cybercriminals New Attack of Choice

In recent years, we’ve seen banker malware as the most prominent threat in the cyber world. However, over the last six months there has been a major change in the cyber threat landscape. Banker malware has been replaced in many cases by the incoming wave of ransomware, which continues to attack users worldwide, severely impacting many organizations. The graphs below show this abrupt transition clearly.

fig 1

Why the sudden change? Banker malware was profitable for attackers, even though security measures were vastly upgraded. To answer this question we offer the following explanations:


Easily target a broader audience.

The first compelling data point is the very different distribution approach required for a successful campaign. One can easily see the difference when comparing the Locky ransomware campaign with two different Zeus banker campaigns. In figure 1, you can see Locky has impacted numerous countries across all regions, without any need to localize or target the infections. Figures 2 & 3 show two sample Zeus campaigns, which out of necessity are targeting specific countries.

fig 2
fig 3
It used to be relatively easy for a hacker to obtain funds transferred from a bank user, when all you really needed was to phish out a mirror copy of the bank’s site and capture the user’s credentials. But those days are long gone. Today, this type of attack is more complex. Even if you have credentials and the second factor authentication, if you are not connecting from a desktop device previously authenticated by the user, you will likely not be able to transfer funds.

Online banking service attackers must also monitor malware activity and modify it in real time, changing the browser behavior (Man-in-the-Browser overlay attack) to transfer funds to a mule account. This is done through web injections, which must be handcrafted for each online banking site and language. Banking malware requires massive adaptions from bank to bank, so there is no generic attack weapon.

Ransomware, on the other hand, can easily adapt without any special effort needed from the developer. To localize a campaign, ransomware creators simply need to translate the ransom note into the appropriate language, with lazy attackers simply referring users to Google for translation as in the examples below.

fig 4 
fig 5


Having trouble moving the money? Simply use Bitcoins!

The second factor driving the shift to ransomware is ease of access to funds. In a banker attack, even if funds are successfully transferred to the attacker-controlled mule account, there is still the risk that the hacker will either not gain access to the funds or will be caught. Banking fraud systems can silently raise a red alert to catch the attacker trying to get the cash or just block the transfer. The ability to trace movements of funds, or physical pick up, creates a real risk for the attacker.

However, most current ransomware uses the Bitcoin currency. This allows liquid funds to be transferred without a cancellation option, and some Bitcoin wallet shuffling allows the transaction to remain untraceable by the authorities. And changing Bitcoin into money is as easy as going to an ATM.

fig 6


Fear of a Command & Control takedown? Not for ransomware.

Banking malware needs to keep a live channel for the web injects and real time money transfers. If the Command & Control (C&C) server is shutdown during the process, the attacker will not be successful.

Ransomware does not suffer the same challenge. After the infection, there is no need to keep a communication line open. Ransomware simply raises a laconic ransom notice, putting the onus on the victim to complete the transaction, even if that means they must search for the “owner” in the TOR anonymized underground.

fig 7

Recent trends show that some ransomware variants do not even communicate out to get an encryption key, but rather come packaged with a pre-determined public key. Unlike banking malware, with ransomware there is no need to establish a connection to a live C&C server to successfully generate revenues.

With all these advantages, it is easy to understand why ransomware is generating such a significant profit for its perpetrators. This trend is rising rapidly and we can expect it to grow even further. In order to counter this surge, we must make the attacks less profitable. While targeting the money laundering trail would help, until then this can be accomplished by aggressively targeting the infection vector, with solutions that can block modern attacks before they have a chance to act. And then, over time, we’ll need to keep an eye out for the next easiest monetizing technique, knowing that attackers will certainly move on.