Ransomware: more than just file encryption [part I]

While most ransomware families prevent their victims from accessing their documents, pictures, databases and other files by encrypting them and offering a decryption key in return for a ransom payment, others use different - but no less creative - ways to extract payments. Here are some examples you may not have been aware of:
Ransomware: more than just file encryption [part I]

  • IoT ransomware
  • Smart devices are known to be a soft spot targeted by threat actors for various purposes. In August 2016, security researchers demonstrated their ability to take control of a building’s thermostats and cause them to increase the temperature up to 99 degrees Celsius.

    This was the first proof of concept of this kind of attack, showing a creative way to put pressure on victims and drive them to pay ransom or risk consequences such as a flood or an incinerated house.

    In November 2016, travellers in the San Francisco MUNI Metro were prevented from buying tickets at the stations due to a ransomware attack on MUNI’s network. In this case, the attackers demanded $70,000 in BitCoins.

    In January 2017, a luxurious hotel in Austria was said to suffer an attack on its electronic key system, resulting in guests experiencing difficulties in going in or out of their rooms. The attackers demanded $1,500 in BitCoins. Whether or not this story is accurate, it demonstrates how creative this type of attack can get.

    The growing use of IoT devices will likely make this attack vector more and more common in the future. For example, the potential exploitation of vulnerabilities inside smart, implantable cardiovascular defibrillators, can allow an attacker to put a victim’s life at risk until the ransom is paid. As IoTs become more widespread in our everyday life, threat actors will find new, horrifying ways to subjugate victims for profit.

  • Hostage data ransomware
  • A more direct approach is to steal data from victims and threaten to expose it unless a ransom payment is received by a certain deadline. This generic modus operandi has been used by different malware families and campaigns. For example, in May 2016, over 10 million customer records of a leading South Korean online shopping mall were stolen, including names, addresses and phone numbers. The attackers demanded a ransom of $2,664 in BitCoins to prevent release of the information online.

    Another example is Charger, a screen-locker Android ransomware discovered by Check Point researchers in January 2016. The attackers threatened to sell stolen data from targeted devices unless they receive a ransom of 0.2 BitCoins (approximately $180). The malware is embedded in a mobile app named EnergyRescue, downloaded from Google Play.

  • DDoS ransomware
  • Another method for attackers is threatening to conduct a denial of service attack unless a ransom is paid. With the growing use of botnets for DDoS attacks, this attack vector is especially common against banks, and is very attractive as it is far simpler than developing a ‘traditional’ file-encrypting ransomware. This attack vector made headlines in January 2017 when it was used in an attack against the web portal of the British Lloyds Bank. The attackers issued a DDoS threat with a demand of 100 BitCoins (worth approximately $94,000).

  • Screen lockers
  • Some ransomware simply prevent victims from using their devices by locking their screens. There are different ways to conduct a screen locking attack, but common features include cancelling all options to close a program or to shut it down. Examples of such ransomware are DeriaLock (December 2016), which targets PCs and demands a payment of $30 for unlocking; and Flocker (May 2015), an Android screen locker which targets smartphones and Android-run smart TVs, and demands an iTunes gift card worth $200 as payment.

We estimate that the use of alternative ransomware, especially DDoS and IoT ransomware, will keep on growing in the near future, as IoT devices and web services continue to become more widespread. In my next article, I will explain some steps you can follow as a business to make sure you’re protected or able to mitigate the effects of ransomware.

About Doros Hadjizenonos

Doros Hadjizenonos is Regional Sales Director Southern Africa at Fortinet
Let's do Biz