After CryptoLocker and CryptoWall collected millions of dollars from its victims, warnings have been made that ransomware is proliferating through new attack vectors.
According to a report by Bromium, tactics such as malvertising, anti-analysis and persistence techniques to ensure system compromise are now being used, as well as advanced encryption algorithms.
Previously, a primary strength of crypto-ransomware was its ability to use well-known and reputable crypto libraries to perform encryption, and early families such as CryptoLocker and CryptoWall relied on Microsoft CryptoAPI, which may be considered a drawback since it is trivial to hook encryption routines. “That makes early detection easier and allows intercepting session keys. Other families switched to statically linking the encryption functions to address this problem,” it said.
Now though, the number and type of targeted files continues to grow as attackers carefully select which files to encrypt, and targeted files are not random and the latest crypto-ransomware families are aimed at enterprises and look for databases, CAD files and financial data.
Bromium said that the samples it analysed used fairly complex obfuscation and covert launch techniques, which allowed them to evade detection in the early stages of infection.
Rahul Kashyap, chief security architect at Bromium, said: “Crypto-ransomware is a particularly devious attack because of its potential to cause financial losses and irreparable damage to organisations that cannot access critical files.
“Crypto-ransomware lacks the subtlety of Trojan attacks that evade detection during infection, openly flaunting its compromise and demanding payment since antivirus is unable to reverse the process.”
The research found that the ransomware could be found by anti-virus, so now the communication protocols have evolved from plaintext (HTTP) to encrypted (TOR, HTTPS) and as a result, C&C domains changed from those based on a domain name generator algorithm (DNGA) to hardcoded URLs since encrypted communication is harder to track during efforts to take down servers.
However, apart from several flaws found in early samples of CryptoWall and TorrentLocker, the cryptography is common and appears to be implemented “by the book”, apart from CryptoWall, which encrypts whole files with RSA. “It is worth noting this process is quite intense on memory and CPU, which might be used as a behavioural detection indicator,” it said.
Bromium said that it is likely that we will see more crypto-ransomware families, and the threat will not go away anytime soon. “The only way to make it go away is to stop paying, thus rendering its business model unprofitable. But this unfortunately is much easier said than done,” it said.