Ransomware: Steal Smarter, Not Harder

Occasionally, even cybercriminals must revamp their “product lines.” They do this when their bread-and-butter malware stops making money due to new security measures, or if they invent a better way to rip people off. Check Point security researchers have caught criminals in the act ramping up ransomware attacks while scaling back banking Trojans. We believe ransomware, a type of attack in which attackers encrypt a victim’s files then demand the victim pay to decrypt them, has become the attack of choice for those who wish to “steal smarter, not harder.” Check Point security researchers have compiled a list of predictions about the future of ransomware. To see the list, download the Check Point Security Report 2016.

Raiding bank accounts used to be a snap. First, lure a user to a deceptive copy of his or her bank’s website. Then, use the mirror website to capture the user’s login credentials. Finally, log onto the real bank’s website and transfer the user’s funds to a mule account. But banking attacks aren’t so easy anymore.

Now, attackers must contend with 2-factor authentication and connect to the bank’s website from the user’s recognized desktop or mobile device. In addition, large funds transfers now trigger fraud systems that block transfers and freeze accounts. Threat actors must also customize content to spoof each target bank’s website, which is always time consuming.

In contrast, ransomware can attack any user, not just banking customers. This vastly increases the pool of potential victims. Ransomware never needs the user to sign in, so there are no login credentials to capture; it simply forces victims to pay quickly or lose access to vital content. After encrypting the victim’s data, a ransom note tells users how they can pay, or where to find their “owner” in the Tor-anonymized underground. Recent data shows some ransomware arriving with a pre-held key, so it doesn’t even have to communicate with an external server to obtain encryption keys before initiating the attack. Without needing several mirror sites, one ransomware attack works for all users. The only localization needed is for short ransom notes, or attackers can direct victims to Google Translate and skip localizing content entirely.

Ransomware payoffs typically use alternate payment methods like Bitcoin. This permits liquid funds transfers that users can’t dispute and banks can’t cancel. Bitcoin wallet shuffling prevents authorities from tracing transactions. In addition, it is easy to anonymously convert bitcoins to virtually any currency.

More potential victims, lower overhead, ease of operation, and payments that are surer and less traceable are all factors that contribute to the uptrend we are seeing in ransomware. For more information about ransomware as well as other attack trends and industry information, download the Check Point Security Report 2016.