In early December, as most people were dealing with the stress of looking for the perfect holiday gifts and planning out their upcoming celebrations, police officers in a small New England town were under a different sort of pressure. The vital files and data the Tewksbury Police Department needed to go about its daily business had been encrypted and held for ransom, a scenario that is becoming increasingly common in enterprises and municipal agencies.
The threat posed by ransomware, especially crypto ransomware variants such as CryptoLocker, Crowti, Cryptowall and many others, has for years mainly affected consumers. Unsuspecting victims visit a compromised Web site or open an infected attachment in a spam email and soon discover that their PCs are locked up, or worse yet, their hard drives have been encrypted and the malware is demanding a payment in order to set the victims’ data free. It’s an incredibly frustrating and scary situation for the victims, particularly those who aren’t technically savvy and don’t understand what the consequences of the attack are.
Although security experts almost always recommend that victims not pay the ransom to get their files back, for many victims, there is no other choice. Variants like CryptoLocker are sophisticated pieces of malware written by professionals with one goal in mind: making money. And their revenue streams depend upon their victims having no other options but to pay the ransom. For an individual victim, a ransomware infection may mean the loss of photos, financial information and other important files, but for a government agency or enterprise, it could spell disaster.
When officers in the Tewksbury, Mass., police department first noticed that something was wrong on their network, they initially thought it was a typical malware infection. But it soon became clear that wasn’t the case. The department had been hit by crypto ransomware called Keyholder, joining the ranks of several other law enforcement agencies across the United States that have suffered similar fates. Some departments have paid, some haven’t, but like all ransomware victims, they’ve seen their lives disrupted one way or another.
“My initial thoughts were we were infected by some sort of a virus,” Tewksbury Police Chief Timothy Sheehan told The Boston Globe about the attack that hit his department on Dec. 8. “Then we determined it was a little bit bigger than that. It was more like cyberterrorism.”
That may seem like a strong word for a malware infection, but for victims, the feeling of being terrorized is real. Even for a police department. The Tewksbury police tried to clean the infection themselves, with no luck, and then tried sending the infected hard drive to outside experts. That failed, too. Eventually, department officials came to the realization that they had no choice but to pay the attackers’ $500 ransom, a decision that many, if not most, ransomware victims come to at some point.
Ransomware is a multimillion-dollar business, and one that is growing quickly. CryptoLocker was perhaps the first ransomware variant to use strong encryption, but many others have followed suit in recent years, with newer variants using the Tor anonymity network for command and control to further hide their operations. Another ransomware variant is using the I2P anonymous network, which is similar to Tor. The attackers are evolving and constantly adapting their tactics and techniques to stay ahead of security defenses and law enforcement.
And their victim bases are changing, as well.
In March, researchers began noticing a new variant of CryptoLocker that specifically targets online gamers. This version is connected to a compromised Web site that is hosting the Angler exploit kit. When a victim hits the site, the kit uses an exploit for Adobe Flash to compromise the user’s machine and then download CryptoLocker. This particular variant looks for files specifically associated with popular games such as Call of Duty, Minecraft, Assassin’s Creed and others, and encrypts them before demanding the ransom.
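The behaviour described above, a process walking a victim's game directories and rewriting save files as ciphertext, is what a defender can look for on the endpoint even when the exploit kit and Flash bug are not yet known. The script below is an added example written for this article; it is not code from Threatpost, Bromium or any vendor product. It combines two signals: one process modifying many watched files within a short window, and the rewritten files having the near-uniform byte distribution of encrypted data. The extension list, the process ids and the file events are constructed for the demo; the second process shows why the entropy check matters, since a legitimate patcher also rewrites many files quickly but leaves readable content behind.

```python
"""
Added example (not from the Threatpost article or any vendor tool):
a minimal behavioural check for the mass-encryption pattern crypto ransomware
leaves on a gaming PC. Two signals are combined:
  1. one process modifying many watched files in a short window (a burst), and
  2. the rewritten files having near-random content (Shannon entropy close to
     8 bits/byte), which is what ciphertext looks like and what save games,
     configs and documents normally do not.
Everything below the assess() function is constructed sample data.
"""
import math
import os
import random
from collections import Counter, defaultdict

# Hypothetical watch list of game-save style extensions; not taken from the article.
WATCHED_EXTENSIONS = {".sav", ".dat", ".profile", ".cfg"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: high entropy over a non-trivial sample suggests ciphertext."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def find_write_bursts(events, window_seconds=10, min_files=5):
    """
    events: iterable of (timestamp_seconds, pid, path) for file writes.
    Returns {pid: [paths]} for processes that wrote >= min_files distinct
    watched files inside any span of window_seconds.
    """
    by_pid = defaultdict(list)
    for ts, pid, path in events:
        if os.path.splitext(path)[1].lower() in WATCHED_EXTENSIONS:
            by_pid[pid].append((ts, path))
    flagged = {}
    for pid, writes in by_pid.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):          # sliding time window
            while writes[end][0] - writes[start][0] > window_seconds:
                start += 1
            distinct = {p for _, p in writes[start:end + 1]}
            if len(distinct) >= min_files:
                flagged[pid] = sorted(distinct)
                break
    return flagged


def assess(events, contents):
    """
    contents: {path: bytes} holding each file's content after the writes.
    A pid is reported as suspicious only if it produced a burst AND a majority
    of the files it touched now look encrypted; a patcher that rewrites many
    files with readable data produces a burst but is not reported.
    """
    verdicts = {}
    for pid, paths in find_write_bursts(events).items():
        encrypted = [p for p in paths if looks_encrypted(contents.get(p, b""))]
        verdicts[pid] = len(encrypted) * 2 >= len(paths)
    return verdicts


# --- constructed sample data (deterministic so the demo is repeatable) -------
_rng = random.Random(1)
SAMPLE_EVENTS = []
SAMPLE_CONTENTS = {}

# pid 4242: rewrites six save files in three seconds with random bytes (ransomware-like)
for i in range(6):
    path = f"C:/Games/Example/save{i}.sav"
    SAMPLE_EVENTS.append((100.0 + i * 0.5, 4242, path))
    SAMPLE_CONTENTS[path] = bytes(_rng.getrandbits(8) for _ in range(1024))

# pid 777: a patcher rewrites five config files quickly, but with plain text
for i in range(5):
    path = f"C:/Games/Example/settings{i}.cfg"
    SAMPLE_EVENTS.append((200.0 + i * 0.2, 777, path))
    SAMPLE_CONTENTS[path] = b"resolution=1920x1080\nvsync=1\n" * 20

# pid 900: touches a single file, so no burst at all
SAMPLE_EVENTS.append((300.0, 900, "C:/Games/Example/save9.sav"))
SAMPLE_CONTENTS["C:/Games/Example/save9.sav"] = bytes(_rng.getrandbits(8) for _ in range(1024))

if __name__ == "__main__":
    for pid, suspicious in assess(SAMPLE_EVENTS, SAMPLE_CONTENTS).items():
        print(pid, "SUSPICIOUS: burst of encrypted writes" if suspicious else "burst, but plaintext")
```

Both thresholds are deliberately crude. In practice the window, file count and entropy cut-off would be tuned against the machine's normal behaviour, and the check would feed from a real file-event source (a filesystem watcher or EDR telemetry) rather than a hand-built list; the point is that the combination of write rate and content randomness is a far more reliable signal than either on its own.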
“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,” Vadim Kotov of security firm Bromium wrote in an analysis of the attack. “Non-gamers are also likely to be frustrated by these attacks if they lose their personal data.”
Like their brethren in other parts of the cybercrime underground, ransomware gangs are avaricious groups interested in generating as much profit as possible. That means that they must innovate and change their tactics constantly, as evidenced by the gaming-specific version of CryptoLocker. Some of these groups also are branching out into attacks such as malvertising.
In October, security researchers discovered that one group that was using the Cryptowall 2.0 ransomware was leveraging malvertising campaigns on popular sites such as Yahoo to push their malware. That specific operation was generating as much as $25,000 a day for the attackers, a tidy sum for a day’s work by any measure. This kind of campaign shows the close alliance that some of these ransomware gangs have with other parts of the cybercrime underground and also demonstrates their ability to adapt as the circumstances dictate.
Law enforcement agencies in the U.S. and around the world have been focusing more and more of their attention on cybercrime of late, and ransomware is an ever-growing part of that problem. Recent operations by the FBI, Europol and other agencies have targeted ransomware gangs, with the CryptoLocker-GameOver Zeus takedown being the most notable win to date. While the attackers behind these schemes have years of success to build on, law enforcement officials believe that they’re beginning to turn the tide.
“We get better and better after each such operation, and many more will undoubtedly follow,” said Troels Oerting, head of the European Cybercrime Center at Europol, after the operation that targeted CryptoLocker and GameOver Zeus.