Ransomware authors continue improving file-encrypting programs and infection methods for Windows and Android, making these nightmarish attacks harder to avoid.
The biggest ransomware threat for Windows users is CryptoWall, a sophisticated malware program that encrypts a wide range of files and demands that victims pay a ransom in Bitcoin cryptocurrency to recover them.
CryptoWall uses uncrackable encryption algorithms and hides its control servers on the Tor and I2P anonymity networks, making it harder for security researchers and law enforcement to shut them down.
CryptoWall 3.0, the malicious program's latest version, was launched in January after a two-month break by its creators. One notable change: it no longer bundles local privilege escalation exploits, according to Cisco Systems.
Privilege escalation exploits allow attackers to execute malware programs with administrator or system-level privileges instead of using the victim's local user account, which might be restricted. CryptoWall needs this level of access to disable security features on the compromised systems, so the lack of privilege escalation exploits in its installer — or dropper — might be surprising at first.
In fact, this suggests that the CryptoWall authors plan to rely more on Web-based drive-by download attacks to infect systems, Cisco researchers said Monday in a blog post that includes a technical analysis of the new version.
Drive-by download attacks are launched from compromised websites or through malicious ads and usually exploit vulnerabilities in browser plug-ins like Flash Player, Java, Adobe Reader or Silverlight. The tools used for such attacks are known as exploit kits and they already have the functionality to achieve privilege escalation, according to the researchers.
Exploit kits can affect many users and can be hard to defend against, as highlighted by the recent malvertising attacks that exploited zero-day — previously unknown — vulnerabilities in Flash Player. They likely have a much higher success rate than other methods of malware distribution such as malicious email attachments.
That doesn't mean that ransomware pushers have abandoned email-based infection methods. Researchers from antivirus firm F-Secure reported Monday that they've observed a significant increase this month in infections with another file-encrypting ransomware program called CTB-Locker.
CTB-Locker is most commonly spread through emails with a malicious zip file attachment. The rogue zip file contains another zip file which houses a .scr or .cab executable file, the F-Secure researchers said in a blog post. Running any of those executable files will result in a CTB-Locker infection.
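The nested-archive layout F-Secure describes (a zip inside a zip, with a Windows executable such as a .scr at the bottom) is easy to check for at a mail gateway. The following is an added example written for this article, not code from F-Secure or the researchers cited: it builds a constructed zip-in-zip sample in memory, walks the archive recursively, and flags executable members and nested archives. The list of executable extensions beyond the .scr and .cab named in the article is my own assumption, and the depth and size caps are there so a crafted attachment cannot make the scanner recurse or inflate without limit.

```python
import io
import os
import zipfile

# Extensions Windows runs directly when double-clicked. .scr and .cab are the two
# named in the F-Secure description; the rest are an assumption for broader coverage.
EXECUTABLE_EXTENSIONS = {".scr", ".cab", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 4                  # refuse to recurse into archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate a nested archive larger than this


def inspect_archive(data: bytes, depth: int = 0, path: str = "<attachment>") -> list[str]:
    """Walk a zip blob recursively and return human-readable findings.

    Each finding names the member path, what was found, and the nesting depth,
    so a gateway log line or quarantine note can be built from it directly.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append(f"{path}: nesting deeper than {MAX_DEPTH}, refusing to recurse")
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{path}: not a valid zip")
        return findings
    with zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{member_path}: executable ({ext}) at depth {depth + 1}")
            elif ext == ".zip":
                findings.append(f"{member_path}: nested zip at depth {depth + 1}")
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{member_path}: nested zip too large to inspect")
                    continue
                findings.extend(inspect_archive(zf.read(info), depth + 1, member_path))
    return findings


def is_suspicious(findings: list[str]) -> bool:
    """True if any member anywhere in the tree would execute on double-click."""
    return any(": executable (" in f for f in findings)


def build_ctb_style_sample() -> bytes:
    """Constructed sample, not real malware: zip -> zip -> .scr, the layout F-Secure described."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_details.scr", b"constructed placeholder bytes, not an executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed sample of a harmless attachment: a single zip holding a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("ctb-style", build_ctb_style_sample()), ("benign", build_benign_sample())):
        found = inspect_archive(blob)
        print(label, "SUSPICIOUS" if is_suspicious(found) else "clean")
        for line in found:
            print("  ", line)
```

The check looks only at member names, which is enough for the pattern described here; a gateway would pair it with content-type sniffing, since an attacker can rename an executable to hide its extension from a name-only filter.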
Like CryptoWall, CTB uses strong cryptography that makes it impossible for victims to recover their files without paying the ransom, if they don't have unaffected backups. The CTB ransom is 3 Bitcoins, or around US$650, higher than the $500 ransom asked by the CryptoWall gang.