What’s Next In Ransomware?

Ransomware has been evolving quite rapidly for the past couple years. However, even though there have been several quite resonant stories in 2016, even more changes in this “industry” are coming in 2017. It is because we believe ransomware has not yet reached it’s final form as a computer threat. And here are top three reasons why.

1. The barriers of entry will still be decreasing

In the beginning it used to be hard to develop ransomware, distribute it and successfully infect a significant amount of computers. The entry required many steps including creating the source code, undetectable infection files, finding distribution channels and payment collection ways. It used to require a lot more knowledge and usually only a well-coordinated team could pull off something as successful and long lasting (with minor updates) as CryptoLocker.

Nowadays all this has changed. There are lots of open source premade solutions which makes it quite easy to launch your own version with just a few tweaks. Ransomware as a service websites (e.g. “Satan RaaS“) take this one step further and make it possible for every average person to launch their own ransomware “business” in just a few clicks. The only thing you still need is a good way to distribute the infected files and you can have your own active virus without even really knowing how it works.

This is definitely going to result in more RaaS sites who will try to utilize the potential of reaching more victims just by sharing a portion of profits and in more distributors who will want to try out this way of earning easy money. However, while it will increase the number of new threats, the potential profits to the creators are questionable. The ransomware will be distributed mostly by inexperienced affiliates and the successful infection rates might be low. Therefore, we believe that this method will be popular in the beginning but will slowly die out later without making a huge impact.

2. The criminals will need new ways of collecting payments

Contrary to popular belief, BitCoin is not anonymous. Public records are available to see where each BitCoin address transfers its balance to. This makes it almost impossible for the criminals to just conveniently cash out using legitimate exchange services. They need to use various laundering techniques. It becomes even harder when the balance is as high as several million dollars and has everybody’s eyes on it.

This is why so many successful ransomware campaigns cannot cash out their money easily, especially if they have been around for quite a while and already attracted attention. Law enforcement now shifts its focus on monitoring accounts and this means that new methods of collecting payments will be introduced. We are still unsure what will be the next step but we might see BitCoin slowly losing its popularity during the upcoming months.

In addition to this, we might see more cases of custom ransom amounts for each victim. We can already see Spora using this tactic: it determines the ransom amount based on the number of files encrypted and their extensions. This might be taken a step further and the ransomware will try to guess if the files belong to a business entity or a person and make ransom amount adjustments based on this information.

3. Ransomware will try to stay under the radar

Most currently popular ransomware has distinct features: a unique file extension given to the encrypted files; a payment website or email address; a custom ransom note or even a name given by the creators. Ransomware creators are finally learning that this approach is not good if they want to continue frightening potential victims. Sure, headlines like “CryptoWall Collects $1M+ in Six Months” boost their ego but also attract the unwanted attention from law enforcement, as mentioned before.

Therefore, the new evolved ransomware will most likely not have any distinctive features to make seeking for help almost impossible. It will not change file extensions, desktop background, redirect to websites or boast a frightening name. Instead, it will remain hidden, display a randomly named ransom note and use different address for each payment. It will not leave any contact information or generate a unique channel (e.g. using BitMessage) for each victim. The ransom notes might also have spun text which presents different text to each victim as well.

In addition to these three main changes, there will be other noticeable things like increased number in threats to make the stolen files public, social engineering and “referral” scheme implementations, new more effective encryption methods and fileless injections.

The law enforcement and antivirus software developers are fighting ransomware more actively than ever before. Therefore, in 2017 we should see a breakthrough in prevention measures as well. However, currently backups still remain the best way to protect yourself. Therefore, spare a moment to check if you have them enabled and safely stored on a different media.

Leave a Reply

Your email address will not be published. Required fields are marked *