Ransomware runs rampant

By Matthew Burbidge
Johannesburg, 24 Oct 2016

During the second quarter of 2016, Kaspersky Lab saw over 83 000 mobile ransomware Trojans for devices running Android, over 3.5 million malicious installation packages and 27 403 mobile banking Trojans.

This was revealed by Marco Preuss, the director of the company's European research and analysis team, at a cyber-security meeting in Malta last weekend.

"Criminals tend to reuse their attacks that were successful on other platforms, like computers, on platforms like mobiles. They've been proved valid, so why not just reuse them on mobile platforms?"

Sergey Martsynkyan, a senior global B2B product marketing manager, said the FBI had recorded 994 ransomware attacks in the US over the past year. The ransoms ranged from $200 to $10 000.

The average ransom was about $300, and about 40% of those affected were prepared to pay up, in part because it was judged a small price to pay for the return of their data.

But the costs to business could not be measured in monetary terms alone: downtime was also a factor. In one example, a US clinic infected with ransomware had been forced to move all its patients to another facility. Time to recover from an attack was also a factor: fewer than half of businesses, particularly small and mid-sized ones, were able to recover in a matter of days. The rest took weeks or months before they were back on their feet.

Catching the CoinVault criminals

Ton Maas, a member of the Dutch police, told journalists his unit had initially been overwhelmed by the number of different ransomware outfits in The Netherlands. One such piece of malware was known as CoinVault.

He said catching those responsible for ransomware presented its own problems; the attacks happened quickly and stealthily.

"Sometimes we needed a little bit of luck." This luck arrived in the form of a Swedish IT professional, who traced the attack to a compromised server in The Netherlands.

Maas said the company contacted the police, "so we jumped in the car and with its cooperation seized the data on the server". He added they were able to find the decryption keys on the server, which led to Kaspersky releasing the first ransomware decrypter.

The malware was spread using cracked software on the Usenet platform. The malware code also contained sentences in perfectly grammatical Dutch as well as two Dutch usernames, indicating the suspects were residents of The Netherlands. Digging deeper, they found the malware's command-and-control interface, which showed about 14 000 people had had their computers compromised.

The hackers used a VPN to anonymise the traffic to the control centre, but the police found a lone IP address from a home in The Netherlands. They subpoenaed the details of the owner of the Internet connection, and while the surname matched that found in the source code, the first name didn't. Further investigation found a match between the names in the source code and two brothers, aged 18 and 20.

When they were arrested in September 2015 the brothers denied knowing anything about CoinVault but, in the face of the evidence, eventually confessed. All the while, their parents thought they were playing computer games, said Maas.

The Dutch police updated the command centre, making the files reflect that everyone affected had paid, effectively freeing their machines.
