By George Anderson: Director of Product Marketing - Webroot
By now, everybody has probably heard of CryptoLocker. It makes sense that CryptoLocker would get a fair amount of media attention, since it’s been involved in several high-profile hacks, but there are a number of other players on the ransomware stage that deserve a place of distinction among the list of players. Managed service providers (MSPs) like you know the value of staying up to date on the variety of different types of threats—in addition to their individual stats and characteristics—to keep clients safe.
Cast of Ransomare Players
CryptoWall 4.0
A bit like the Barrymores, the Sheens, the Coppolas, (the Kardashians?), the CryptoWall family gets more media coverage with every generation. Following in the family tradition, CryptoWall 4.0 uses phishing emails for distribution. This is hardly a surprise, since phishing is still the single most effective way to drop a malware payload. But CryptoWall 4.0 marches to the beat of its own drum; not only are the victim’s files encrypted, this ransomware randomizes the filenames so the victim can no longer tell which file is which. By fanning the flames to create confusion around how much file damage there actually is, the new CryptoWall increases its chances that victims will pay up.Additionally, CryptoWall 4.0 includes a free decrypt video to convince victims that the decryption steps they need to get their files back is effortless, and that handing over the ransom will get them their files back.- Phishing email attachment is source of payload
- Randomizes victim’s filenames to create confusion
- Offers free decrypt demo to add credibility
PadCrypt
Rather than hiding out and concealing its plans, what makes PadCrypt different from its contemporaries is its willingness to interact with the public. Embedded into the “product”, PadCrypt includes a chat interface. The ransom process of setting up a Bitcoin wallet, filling it with bitcoins, and sending payment can be complicated. By offering this chat feature, PadCrypt lends a more human support element to the ransomware process, providing so-called support to its victims. (How sweet!)- First ransomware with chat support
- Communicates via Darknet to avoid being traced
- “Helps” even less savvy victims pay up
TeslaCrypt
Because it targeted gamers specifically and encrypted the files they need for their games, TeslaCrypt is more of what you’d call a cult fave. The files it takes hostage included saves, mods, and profiles. But since TeslaCrypt was being sold by non-authors on the Darknet, the original authors leaked the master decryption key to the public to permanently diffuse the threat. While it’s laying low for now, we wouldn’t be surprised if TeslaCrypt showed up again next season.- Accounted for ~11% of distributed ransomware
- Attacked over 200 extensions on newer variants
- Targeted gamers (Valve, Bethesda, Unreal Engine files)
- Circumvented 3rd party defense to deliver polymorphic payloads at root level
RaaS (Ransomware-as-a-Service)
Not an actor, per se, but RaaS is more like a local theater company that encourages audience participation. Created for criminals by criminals, it opens up the ransomware stage to hackers of all skill levels. Thanks to RaaS, almost anyone can distribute encrypting ransomware payloads of their own design. In return, hackers pay for the service by sharing a cut of their spoils with the original author.- Enables almost anyone to make ransomware
- Portal for malware generation is exclusively in Darknet (typically invite-only)
- Intended for less-skilled cybercriminals who rent botnets
- The malware author who created the portal takes a commission
Conclusion
Even though the number of ransomware stars keeps growing, and their methods keep getting more diverse and advanced, managed service providers (MSPs) can take steps to maximize defense and help clients stay ahead. Keeping yourself and your customers in the know about the latest tactics and types of exploits favored by today’s ransomware is vital—as well as putting together an all-star cast with next-generation endpoint protection that utilizes collective threat intelligence to proactively protect against the rising stars of malware.
No comments:
Post a Comment