Malware, like anything else, runs in cycles. And as of late, trends seem to be pointing to extortion as the latest developing theme.
The ransom theme was given center stage April of last year after an attacker targeted Hyundai Capital's network in South Korea and swiped copious data belonging to more than 420,000 customers. The attacker demanded a ransom of several hundred million Korean won, which, if not paid, would trigger a release of confidential customer names, residence registration numbers, mobile phone numbers and e-mail addresses.
The high-profile nature of the attack prompted an investigation into the breach, but not before Hyundai ended up paying part of the ransom.
But for many researchers, the case illuminated the fact that extortion in cyber crime--highlighted by a groundswell of scareware and ransomware-- doesn't seem to be going away any time soon and could be on its way to a strong revival as it adapts to fit other mediums and platforms.
“It's important because it's really damaging,” said Derek Manky, Fortinet senior security strategist, noting that in the past, viruses let users know that they were being attacked. “Most modern threats we see are transparent. But ransomware is both. They're monetizing it but they're very obvious about it.”
Ransomware, malware that typically encrypts victims' files and then demands a price, or ransom, to give users access to their own data, was first detected in 1989 and called the PC Cyborg Trojan (aka the AIDS trojan,) known for infecting PC floppy disks.
A more modern version of ransomware gained momentum in the mid 2000s relying on Gpcode, a Russian trojan that used different keys on each installation to encrypt users' data and hold it for ransom. However in 2006, Gpccode was limited in its scope and effectiveness due to the fact that it wasn't proliferated via botnets and didn't have a mechanism for widespread infection.
Beginning in late July through the end of August 2008, Fortinet and other security researchers detected a sharp spike of scareware, a ransomware predecessor. Specifically, two rogue applications, labeled XP Security Center, and Antivirus XP, trolled their way around the Internet, accounting for 15 and 17.9 percent of total malware respectively during that time period.
Like most scareware campaigns, the fraudulent security programs XP Security Center and Antivirus XP hooked users by offering to conduct a free security scan. The scan inevitably detected malware (whether there was any on the victim's machine or not) and then offered to eradicate it if the victims entered credit card information to pay the required fee of around $49.95 US. And even if fee was paid, the scareware campaigns would often install trojans that communicated with remote servers and downloaded malicious code, putting at risk victims' personal and financial information. The fake antivirus scams could potentially net their creators around $135,000 a month high end, Manky added.
But as more users started to catch on to the scams, scareware, which relied on a pay per purchase model, became less effective. (Specifically, the malware, which had allowed the cyber criminals to get paid once users actually purchased a product, faltered when victims failed to pay for the fake antivirus, Manky said.)
Scareware authors eventually changed their tactics and evolved the code into an attack that embedded itself on users' machines and didn't let them access their computers until the demanded fee was paid, a method that naturally forced hikes in pay per purchase rates. Even still, the attack relied on relatively weak encryption and could often be reversed, enabling some victims to decrypt and rescue their data without having to pay the ransom. Manky said.
Then, in 2011, researchers started seeing Gpcode resurface in scareware campaigns. But this time, the code contained a horsepower engine and strong encryption, while the ransom became higher--around $100 US.
Now, looking forward, Manky said that researchers have consistently seen more aggressive Master Boot Record attacks, which essentially hook into middle of the victim computer's OS and encrypt information on the hard drive.
And as mobile malware continues to rise exponentially, it is likely that ransomware attacks will target users' smartphones. While the ransom would likely be a bit smaller--in the neighborhood of $20—in exchange for encrypted mobile data, the attacks would become much more common, Manky projects.
“We're already seeing cases, but I think its the tip of the iceberg,” Manky said.