Euro Security Watch with Mathew J. Schwartz

Ransomware Family Count Surpasses 200

More Police Join Battle, But Ransom-Loving Criminals Just Won't Quit
The ID Ransomware site now counts more than 200 ransomware families.

Have you heard of BadBlock, Bart and Booyah? What about VenusLocker, WonderCrypter and Zyklon?

Those are just some of the many different ransomware families that have been cataloged by the ID Ransomware service, launched in March by the security researchers known as MalwareHunterTeam. The researchers' site allows victims to upload ransom notes or encrypted files to help them identify the ransomware that's encrypted their data.

This week, in an unfortunate cybercrime milestone, the number of ransomware families counted by the service reached 200.

The increasing number of ransomware families - and their virulence - shows attackers are continuing to refine their art. Similarly, the emergence of what almost seem like joke strains of ransomware - named after horror films or given the Pokémon treatment, for example - demonstrates the increasing commoditization of crypto-locking attack tools and the need for developers to attempt to differentiate their wares in what's become an increasingly crowded marketplace.

Disruption Efforts Continue

The increasing number of ransomware families - to say nothing of what can be many different variants or strains of each, evolving over time - also complicates attempts to disrupt these attacks. Indeed, security firm Kaspersky Lab estimates that between April 2015 and March 2016, there were more than 715,000 ransomware victims worldwide, or an increase of 5.5 times over the preceding 12-month period.

Disruption efforts, however, are ongoing. The public-private No More Ransom project, which launched in July, reports this week that at least 2,500 ransomware victims have downloaded the portal's free decryptor tools - mainly for CoinVault, WildFire and Shade - and recovered their data, avoiding more than $1 million in ransom payments, according to project organizers. But that amounts to just 0.35 percent of the total number of ransomware victims seen from April 2015 to March of this year.

No More Ransom launched as a joint venture between the Dutch National Police and Europol, as well as security firms Kaspersky Lab and Intel Security, a.k.a. McAfee. Since then, law enforcement agencies from these 13 countries have also signed up: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

Police Response

From a law enforcement standpoint, more is more, says Steven Wilson, head of Europol's European Cybercrime Center. "Europol is fully committed to supporting the enlargement of the No More Ransom project within the EU and internationally to respond to ransomware in an effective and concerted manner," Wilson says in a statement. "Despite the increasing challenges, the initiative has demonstrated that a coordinated approach by EU law enforcement that includes all relevant partners can result in significant successes in fighting this type of crime, focusing on the important areas of prevention and awareness."

Focus: Prevention, Awareness

The focus on prevention and awareness is also the strategy that's been adopted by the FBI, which urges organizations to create "a solid business continuity plan" that includes the ability to restore backups in the event that systems get infected by crypto-locking malware.

That's because neither technology nor law enforcement - and arrests - will stop ransomware. The malware is easy to create and distribute, and it succeeds whenever it encounters a PC that a user has failed to prepare. The "skyrocketing" of ransomware attacks, as Kaspersky Lab CEO Eugene Kaspersky puts it, illustrates attackers' success.

Furthermore, criminals continue to refine their campaigns. Some attacks - often utilizing Locky - are being highly targeted, and they crypto-lock time-sensitive records inside organizations, leaving them with little choice but to pay.

In other cases - such as with the widespread CTB-Locker ransomware - attackers are tapping affiliate programs to distribute the malware. CTB-Locker is also part of an emerging trend; the ransomware can crypto-lock not just PCs but also web servers. Petya ransomware, meanwhile, now includes full-disk encryption - not just encrypting files - and encrypts the file system table, thus disabling a victim's ability to even boot their PC.

Prepare or Pay

The Petya ransomware lock screen. (Source: Kaspersky Lab)

Occasionally, ransomware developers feel guilty and spill their crypto schemes, or law enforcement agencies gain access to their malicious infrastructure, allowing them to crack attackers' crypto. Other times, developers fumble their crypto implementation, enabling security experts to build decryptors for victims.

No More Ransom, for example, was recently updated with a decryptor for Polyglot ransomware, a.k.a. MarsJoke, which has been designed to mimic CTB-Locker ransomware - apparently to make victims believe they were infected with an especially virulent type of ransomware, Kaspersky Lab says. But unlike CTB-Locker, Polyglot used "a weak encryption key generator," allowing its crypto to be cracked, using a standard PC, in less than 60 seconds, the security firm says.
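The Polyglot case illustrates why a weak key generator undoes otherwise sound encryption: if every key is a deterministic function of a small seed, a decryptor only needs to try each seed and look for a known file header. The following is an added illustration, not Polyglot's code or anything Kaspersky Lab published; the toy XOR stream cipher, the 16-bit seed space and the PDF header check are all constructed assumptions.

```python
import hashlib
import os

# Toy stream cipher (constructed): keystream block i = SHA-256(key || i), XORed with the data.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))

decrypt = encrypt  # XOR is its own inverse

# Hypothetical weak generator: the 256-bit key is derived from a seed drawn from only
# 2**16 values, so the effective key space is 16 bits, not 256.
SEED_BITS = 16

def weak_keygen(seed: int) -> bytes:
    return hashlib.sha256(seed.to_bytes(4, "little")).digest()

# What the generator should have done: 32 bytes from the OS CSPRNG, a 2**256 key space.
def strong_keygen() -> bytes:
    return os.urandom(32)

PDF_MAGIC = b"%PDF-"  # known plaintext: most file formats start with a fixed signature

def recover_seed(ciphertext: bytes, known_prefix: bytes = PDF_MAGIC):
    """Decryptor-style search: try every seed; the right one makes the header reappear.
    Returns the seed, or None if the key was not produced by the weak generator."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(1 << SEED_BITS):
        if decrypt(weak_keygen(seed), head) == known_prefix:
            return seed
    return None

if __name__ == "__main__":
    sample = b"%PDF-1.7 constructed sample document"
    ct = encrypt(weak_keygen(48879), sample)
    seed = recover_seed(ct)
    print("recovered seed:", seed, "->", decrypt(weak_keygen(seed), ct))
    print("strong key recoverable:", recover_seed(encrypt(strong_keygen(), sample)) is not None)
```

The same search scales linearly with the seed space, which is why even a 32-bit seed stays within reach of an ordinary PC while a properly random 256-bit key does not.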

So far, however, being able to decrypt ransomware for free remains the exception. For most ransomware victims, the paradigm remains depressingly familiar: Prepare, or be prepared to pay the consequences.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
