In response to the news that ESET has carried out analysis into TorrentLocker which has revealed key statistics around the global distribution of the ransomware, the number of infected systems and how much money the cybercrime gang behind the malware made, I have the following comments from security experts at Proofpoint, Tripwire and Imperva:
Ken Westin, senior security analyst at Tripwire, said: “The statistics do not surprise me and I believe we will see the number of infected systems and money made by the groups increase. Criminal syndicates have found a way to generate revenue from their exploits, paired with the anonymity of bitcoin making it difficult if not impossible for law enforcement to go after the culprits. We will see more sophisticated versions of ransomware in the future, and not just against individuals’ systems, but also entire networks. Once a group finds a way to turn a profit, more groups will follow in short order. Ransomware has already been seen available for sale on underground markets, so we can expect to see wider distribution and increased variation and sophistication of this type of malware over the next year.”
Kevin Epstein, VP of Advanced Security and Governance at Proofpoint, said: “The statistics aren't surprising -- if anything, they seem conservative relative to Proofpoint's analysis of a Russian cybercrime infrastructure earlier this year. This further confirms what everyone knows: the weakest link in security sits between the mouse and the chair -- as Proofpoint's seminal work, The Human Factor, showed, statistically after 100 email phishing messages enter a company, sufficient people will have clicked to download multiple copies of malware if no targeted attack protection is in place. The secret to protection? Don't click.
It's increasingly difficult for even sophisticated users to detect phishing emails -- so just don't click on URLs. Go directly to the name-brand websites in question, being sure you typed in the URL correctly, and log in to your accounts directly to check orders -- or call the 800 phone number on the back of your credit card, not the one in the 'bank warning' email you received.”
Tim Erlin, director of security and risk at Tripwire, said: “The absence of the United States on the list of targeted countries is notable, as it’s a target rich environment. It might be that targeting the US results in faster development of countermeasures, or simply that the hit rate on victims actually paying the ransom is lower, or that the US is further down the list and would have been targeted eventually.
It’s important to understand that the initial point of compromise for ransomware isn’t static or new. Attackers can use a variety of means to ultimately infect a computer system. Spam with malicious links or executables is popular because it continues to succeed. Protecting yourself or your organization from ransomware should start by ensuring that your foundational security controls are as effective as they can be.”
Sagie Dulce, security researcher at Imperva, said: “We have seen similar malware in the recent past, such as CryptoWall and CryptoLocker. They seem to be gaining ‘popularity’ among hackers, and have become a somewhat common nuisance for us all.
In the past, a virus was something that usually damaged your computer in some way (deleted files, formatted the machine, or disrupted the user experience in some form). These tools were written by technical enthusiasts, and were not made for profit. Later on, attackers learned how to make money by breaking into corporate data (SQLi, XSS, APT attacks, etc.) and stealing CCs, intellectual property or anything else that can be monetized.
Bitcoin (which is the preferred currency of ransomware) revived the old trend of a virus that targets endpoints (as opposed to bots / Trojans that use the endpoint as a ‘stepping stone’), because now attackers can easily make money off it in the form of extortion. As opposed to other criminal activities, such as stealing CCs and selling them (which can be time consuming, large companies pressure authorities to respond, etc.), ransomware affects the lay person who can’t really do anything about it – much like being shaken down by the mafia. Most of the time it’s cheaper to pay the ransom for your data than to restore it somehow (which is not always possible).
The report demonstrates again that there is real money in these schemes. The amounts are even lower than I expected (~1M USD); CryptoLocker made about 30M USD for the hackers in 100 days!
The targets of these attacks are usually western countries, where the citizens can afford the ransom. I believe that as Bitcoin becomes more popular, these attacks will become even more profitable – many victims don’t pay not because they don’t want to, but because they don’t know how.
The best way to avoid paying the ransom is to back up your data on a platform that is routinely backed up as well.”
Mark Sparshott, EMEA director at Proofpoint, said: “TorrentLocker's success stems from the use of advanced longlining and phishing emails to distribute the malware installer in a weaponized attachment or a link to a weaponized website. Proofpoint's Human Factor report showed just how successful TorrentLocker's favored themes of Delivery & Order Notifications can be, with an average of 1 in 10 recipients clicking these types of malicious links. As more people shift away from paper copies of key documents to electronic ones, TorrentLocker's ransom may seem a small price to pay for many victims. As the threat of advanced phishing still remains unaddressed by most organisations, ransomware like TorrentLocker is likely to increase in 2015.”