Ransomware operators innovate to maintain profits

• Criminals adopting normal business practices
• Call centers and tech support pages for victims

 

Successful ransonware attacks continue to make headlines as profits gained by cybercriminals increase. According to security company, Trend Micro, in 2015, a ransomware family called CryptoWall brought in an alarming US$325 million (RM1.34 billion) for its operators.
 
Ransomware works quite effectively, typically infecting computers through spam Email or infected web sites. Once installed, ransomware encrypts files in the victim's system and then asks victims for a certain amount for a decrypt key needed to restore access to the files. If the ransom is paid, the ransomware operator will supposedly send the needed key - though there is no guarantee.
 
Trend Micro says the increasing cases of ransomware infections could be partly due to the ransomware-as-a-service (RaaS) business model. This particular strategy has proven to be highly lucrative for cybercriminals, allowing malware creators to earn from their ransomware by enlisting a network of distributors.
 
Watch the video below to see an example of how ransomware infects a PC.
 

 
The RaaS scheme works because one type of ransomware can be sold and spread by multiple distributors, with the creator getting a cut from their profit. Potential distributors do not even need much capital or technical expertise to start; even those without coding experience can launch a ransomware campaign.
 
Thanks to the easy buy-in, the business model has allowed ransomware to enter the mainstream and grow. A new study by Trend Micro tracked a 172% increase in new ransomware families discovered in the first half of 2016 alone. More ransomware options mean more choices for distributors, which has led operators into using unique business strategies that will let them stand out from the pack.
 
Shark (detected by Trend Micro as Ransom_SHARKRAAS) is one of the more recent RaaS variants seen. Seen in early August this year, this specific strain targets a wider and less tech-savvy base of distributors.
 
RaaS operators typically use anonymous networks like Tor to host their files, mostly because they are perceived to offer anonymity. For operators, these online networks are more private and secure, but not readily available to casual internet users.
 
Shark operates differently though. Shark is hosted on a public WordPress site and is accessible to the internet at large. From the Shark site, interested distributors can download a zip file containing everything they need to start a distribution op: the ransomware configuration builder, the ransomware executable files and important warnings in a ReadMe.txt file.
 
This ransomware is particularly attractive because it can be customised easily without the need for advanced coding skills. The operators provided a base ransomware executable that allows distributors to change the configuration: the types of files to target, the countries to target, the folders to encrypt, and other specifics.
 
The Shark operators also went out of their way to make the process easy, providing detailed examples of how to configure and customise the ransomware, as well as suggestions on how much to charge victims in different countries. As seen in other reports, the payment is fully automated, with the operators receiving the full amount before dividing it. Operators take a 20% cut of the profit, while the distributors get 80%.
 
Shark operators are looking for new opportunities outside traditional ransomware distributors. By targeting distributors who have little-to-no experience with coding or malware, they are able to reach a larger client market. And as their client/distributors grow, so do their profits.
 
These ransomware operators are evolving the current business model and mirroring legitimate businesses with the way they attract clients. They are putting more thought into the user interface, making the service easier to use and outsourcing to a broader base of distributors.

An astonishingly low price - for a 'lifetime license'
 
The Stampado ransomware offers a “lifetime license” at an astonishingly low price - just US$39. The bargain comes at a time when other ransomware variants like Locky or the newer Goliath can go for thousands of dollars. It makes Stampado an attractive package for distributors with low capital. Like Shark, the creators have designed their product to appeal to a broader market.
 
Stampado deletes files after a certain period to force victims to pay and it will also lock down computers. However, the design and coding are not very sophisticated and it is easier to decrypt and analyse.
 
Stampado could be an inexpensive imitation sold at a bargain price - a familiar business scheme seen everywhere from the tech sector to major fashion brands. While not necessarily a ransomware "service" because it is sold as a single purchase, it is an effective business model nonetheless. For many distributors, the affordability of the ransomware will take priority over the quality.      
 
Encryptor RaaS is an older variant of ransomware that was first discovered in mid-2015. The infection numbers of this particular ransomware are not very high. In fact, compared to other popular variants, it has a small audience and limited success. Reports show that the rate of infected users who actually pay the ransom is only 0.044% or 8 out of 1818 victims. Nevertheless, it is still up and running.
 
The latest updates show that Encryptor RaaS is continuously being upgraded by its authors. Until now, it is still being actively developed to evade detection from security products. It seems low adoption (and an even lower success rate) is not a deterrent for the designers, as they still continue to refine and improve their product.
 
Other ransomware operators are also improving their business models, even providing customer service to ransom victims. Support pages are popping up as well as ransomware call centers that guide victims on payment plans. These operators have learned that smoother transactions will make the payment process easier and the victims could be more amenable to cooperating if they see how easy it is to pay.
 
According to Trend Micro, there are several reasons why victims should not pay. There is no guarantee that victims will get their files back. Paying the ransom is like funding these criminal operations. Also, knowing that a victim will pay makes them a more attractive future target.
 
Related Stories:
 
Cybersecurity: Why sharing is more than just caring
 
The high cost of the IT security talent shortage
 
New security threat to Android devices

For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.