
Ransomware criminals attack SMEs using strong file encryption, ESET warns

Summer surge in complex attacks


‘Filecoder’ ransomware that uses strong encryption to lock files and extort money from victims has spiked over the summer months, security firm ESET has reported. The reasons for the surge are not yet clear but probably include attacks on small businesses.

Using its LiveGrid cloud system, the firm recorded a 200 percent rise in the volume of incidents since July compared to the first six months of 2013, with a marked rising trend running from roughly mid-June to the most recent measurement in the first week of September.

ESET was unable to confirm the absolute numbers for these infections but it is clear that a particularly nasty type of ransomware has become more prevalent. What might be going on?

The overwhelming majority of today’s ransomware – popularly called ‘police Trojans’ after the official-looking warning screens they use – simply locks the screen or otherwise interferes with the victim’s PC in the hope that the ransom will be paid to avoid further hassle. The techniques are unpleasant but usually relatively trivial to block and clean up, because nothing on the disk has actually been destroyed.

File encryption ransomware is a completely different order of threat because it wields industry-standard encryption to scramble the victim’s data. As long as it has been competently implemented (a sound cipher, a key generated per victim and held only by the attackers, no copy left on the machine), the victim cannot recover the files without the key used to encrypt them, and that key is known only to the criminals behind the attack.
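An added illustration of the check an endpoint defender would want against exactly this behaviour; it is example code written for this page, not ESET's tooling or anything from the article. Output of a competent cipher is statistically close to uniform random bytes, so a process that turns many low-entropy documents into high-entropy ones within a short window is the signature to stop on. The file contents, process IDs and paths are constructed for the example, and the "ciphertext" is a hash-derived stand-in for real cipher output.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Output of a competent cipher (or a compressor) sits close to 8 bits/byte."""
    return shannon_entropy(data) >= threshold


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for real cipher output (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample document; no real customer data.
PLAINTEXT_INVOICE = (
    b"Invoice 2013-09-04\nCustomer: Example Ltd\nItem,Qty,Price\n"
    b"Widget,10,4.50\nGadget,2,19.99\nTotal,,64.98\n"
) * 40
ENCRYPTED_INVOICE = _pseudo_ciphertext(b"constructed-sample", len(PLAINTEXT_INVOICE))


def flag_mass_encryption(writes, min_files=5, window_s=60.0, threshold=7.5):
    """Return the set of pids that rewrote min_files distinct low-entropy files
    into high-entropy ones within window_s seconds.

    writes: iterable of (ts_seconds, pid, path, bytes_before, bytes_after).
    Files that were already high-entropy (archives, images, existing ciphertext)
    are ignored, which keeps a backup tool or archiver from tripping the rule.
    """
    transitions = {}  # pid -> [(ts, path)] of plaintext-to-ciphertext rewrites
    for ts, pid, path, before, after in sorted(writes, key=lambda w: w[0]):
        if looks_encrypted(before, threshold) or not looks_encrypted(after, threshold):
            continue
        transitions.setdefault(pid, []).append((ts, path))

    flagged = set()
    for pid, events in transitions.items():
        for t0, _ in events:
            paths = {p for t, p in events if t0 <= t <= t0 + window_s}
            if len(paths) >= min_files:
                flagged.add(pid)
                break
    return flagged


def sample_writes():
    """Constructed file-write telemetry for three processes (not real data)."""
    events = []
    # pid 4242: six documents turned into ciphertext-like bytes inside 30 seconds
    for i in range(6):
        events.append((100.0 + 5 * i, 4242, f"C:\\Users\\acct\\docs\\file{i}.docx",
                       PLAINTEXT_INVOICE, _pseudo_ciphertext(f"f{i}".encode(), 2048)))
    # pid 1001: an editor saving a document (plaintext stays plaintext)
    events.append((110.0, 1001, "C:\\Users\\acct\\docs\\notes.txt",
                   PLAINTEXT_INVOICE, PLAINTEXT_INVOICE + b"\nmore text\n"))
    # pid 2002: an archiver rewriting an already-compressed file (high to high)
    events.append((115.0, 2002, "C:\\Users\\acct\\backup.zip",
                   _pseudo_ciphertext(b"old-zip", 2048), _pseudo_ciphertext(b"new-zip", 2048)))
    return events


if __name__ == "__main__":
    print("plaintext entropy  %.2f" % shannon_entropy(PLAINTEXT_INVOICE))
    print("ciphertext entropy %.2f" % shannon_entropy(ENCRYPTED_INVOICE))
    print("flagged pids:", flag_mass_encryption(sample_writes()))
```

The entropy test alone is not enough on its own: zip archives, JPEGs and already-encrypted files look the same as ransomware output, which is why the rule only counts rewrites that go from low entropy to high entropy and only fires when one process does it to several files quickly. The thresholds are assumptions to tune per environment.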

Curiously, file-encrypting Trojans are where the whole software extortion or ransomware industry started, in 2005, with a Russian example called Gpcode that was based on RSA encryption. The approach has persisted at low levels ever since but has never gained much popularity.

The assumption has always been that, while it is basically impossible to defeat properly implemented encryption, crypto ransomware is simply overkill: it is much easier to trick users into paying up with threats or social engineering than to deploy more complicated and sometimes computationally slower methods.

Among the clutch of Trojan variants doing the rounds in the latest campaigns, ESET has noticed Win32/Filecoder.Q, which goes back to 2010, and Win32/Filecoder.AA and Win32/Filecoder.W, which date from 2011. Another, Win32/Filecoder.BQ, even ramps up the pressure on its victims by “displaying a countdown timer showing how long it will be before the encryption key is permanently deleted.”

Some appear to be spread using the popular Poison Ivy Remote Access Trojan (RAT), a clue that the targets may be small businesses singled out by criminals rather than random consumers. Payment methods include the established channels of MoneyPak or Ukash but now also Bitcoin.

Criminals were also installing the crypto Trojans directly using compromised RDP credentials, ESET said. Some instances it had researched pointed to the encryption key being set manually after infection, a further hint that these are not attacks on low-value targets.
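Hand-delivered installs over RDP leave a trail in the Windows Security log long before any file is encrypted, so the check a practitioner would want here is a pass over logon events. The following is an added example, not ESET's code or anything from the article: it flags a successful RDP logon preceded by a burst of failures from the same source (the credential was guessed) and any successful RDP logon from outside the internal ranges (a valid credential used from somewhere it should not be). The event IDs and logon type are the real Windows ones; the key=value line format, the addresses and the accounts are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "inside". Listed explicitly rather than via ipaddress.is_private
# so that the documentation ranges used in the constructed sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in a simplified key=value form (not real Windows log output).
# Event IDs are the real ones: 4624 = successful logon, 4625 = failed logon;
# logon_type 10 = RemoteInteractive (RDP), 3 = network logon.
SAMPLE_EVENTS = [
    f"ts={t} id=4625 user=admin src=203.0.113.7 logon_type=10" for t in range(0, 60, 10)
] + [
    "ts=60 id=4624 user=admin src=203.0.113.7 logon_type=10",      # success after 6 failures
    "ts=120 id=4624 user=alice src=10.0.0.5 logon_type=10",         # normal internal RDP
    "ts=200 id=4625 user=svc src=203.0.113.9 logon_type=3",         # network logon, not RDP
    "ts=300 id=4624 user=backup src=198.51.100.22 logon_type=10",   # valid creds, used from outside
]


def parse_event(line: str) -> dict:
    """Parse one constructed key=value event line into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": int(fields["ts"]), "id": int(fields["id"]), "user": fields["user"],
            "src": fields["src"], "logon_type": int(fields["logon_type"])}


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_suspicious_rdp(lines, fail_threshold=5, window_s=600):
    """Return (reason, src, user) alerts for RDP logons worth a closer look.

    Rule 1: a successful RDP logon preceded by fail_threshold or more failures
            from the same source within window_s seconds.
    Rule 2: any successful RDP logon from outside INTERNAL_NETS.
    """
    failures = defaultdict(list)  # src -> timestamps of failed RDP logons
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue
        if ev["id"] == 4625:
            failures[ev["src"]].append(ev["ts"])
        elif ev["id"] == 4624:
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window_s]
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force_then_success", ev["src"], ev["user"]))
            if is_external(ev["src"]):
                alerts.append(("rdp_from_external", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp(SAMPLE_EVENTS):
        print(*alert)
```

The second rule is the one that catches the case ESET describes, a working credential used by someone who should not have it, and it only makes sense if RDP is not meant to be reachable from the internet at all; where it is exposed, the fix is to put it behind a VPN or gateway, not to tune the alert. Thresholds and window are assumptions to adjust per environment.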

The sums being demanded ranged up to 3,000 euros ($4,000), with most of the victims in Russia and smaller volumes in Italy, Spain, the US, Germany and elsewhere in Eastern Europe. It’s not clear how much of this global picture can be explained by ESET’s customer base (the firm is based in Slovakia).

The security firm offers no clear explanation for the sudden increase in crypto ransomware, but one can infer from the inherent complexity of the attacks that suspicion should fall on criminals targeting vulnerable businesses rated as likely to pay up.

There has been a slowly increasing frequency of targeted attacks using encryption going back a couple of years, with a particularly good example being the sustained campaign against Australian businesses in 2012. Victims reported paying up to AUD 3,000 to retrieve the key for encrypted database files they could not function without.

It is likely that many businesses have simply not been reporting incidents for fear of the reputational damage. Some will have paid up. But as with every extortion racket, the criminals don’t let up because a victim pays up. There is always another target to hunt down.

"I think the increase in numbers for encrypting ransomware is largely down to the increased awareness of non-encrypting forms of ransomware: as more people become aware of them, they become somewhat less effective and therefore less profitable," commented ESET senior research fellow, David Harley, by email. 

"Cybercriminals have developed increasingly sophisticated crypto methodology in other fields of malware, so it’s probably less bother to apply those techniques in this area and still make a profit. As so often, it’s about technological escalation driven by potential profit."
