Tech by VICE

The Devilishly Creative Genius Behind the Latest Ransomware

The wealth and sheer cunning of extortion malware variants shows how inventive this space is

by Joseph Cox
Sep 14 2015, 2:10pm

The Tox homepage. Image: McAfee

The world of cybercrime is constantly evolving, but no area sees as much innovation and sheer creativity as that of ransomware: software designed to hold a computer hostage until the victim pays a hefty fine.

In recent months, as the use of ransomware has skyrocketed, cybercriminals have devised devilish new ways to entice targets, and even made paradigmatic shifts in how malware is spread and profited from.

First off, ransomware developers have started making use of a new tactic: crowdsourcing. It started in May, when a site called Tox launched on the dark web. Here, anyone could download a piece of ransomware for free to then distribute as they see fit. Once a victim paid up, that cash would be split between the Tox developer and his newly found partner. It was a truly genius idea: by giving away the malware for free, rather than selling it as many others have, the creator of Tox had outsourced its distribution.

That site shut down shortly after, when its creator apparently couldn't handle the pressure of possibly being on the FBI's radar.

But in July, another site based on the same crowdsourcing model as Tox popped up, this time dubbed "Encryptor RaaS." Then another followed a month later, called "ORX-Locker." Crowdsourced ransomware is still in its early days, but it's clear that this is an idea cybercriminals are keen to try out.


Although it dates back to the late 1980s, ransomware has only really caught on in the last few years. In 2013, a variant called CryptoLocker utilized the pseudo-anonymous digital currency Bitcoin, meaning that extortion campaigns could be successfully run on a never-before-seen scale. Hundreds of thousands of systems were infected in the first 100 days after the malware's release, and ZDNet traced over $27 million being funneled from CryptoLocker-associated Bitcoin addresses.

From here, a myriad of copycats emerged, including CryptoWall and TorrentLocker. Others found new ways to attack targets, such as "drive-by downloads," which attempt to infect a victim if they simply browse a compromised website, or by directly targeting smartphones. By June 2013, security company McAfee had found nearly 250,000 unique samples of ransomware.

Over this short period, ransomware not only infected the computers of private individuals, but also those of institutions and even multiple police departments. The spread of ransomware became such a problem that in January of this year the Federal Bureau of Investigation posted a warning laying out what computer users should be looking out for.

But that was the last generation of extortion malware. Now, an even more lively and diverse scene of it exists, including versions with their own, idiosyncratic ways of getting victims to fork over wads of cash.

Several pose as pornographic apps, which are downloaded by the target before their device is then taken over. Some of these apps even snap a picture of the victim with their phone's front camera, to intimidate them further.

Other cybercriminals have changed their targets, moving away from individuals or small businesses to full-on corporate entities. Instead of focusing on a single computer and encrypting all of its files, these attackers go for a company's virtual drives, replicate their contents, and then delete the originals. Although this is not strictly ransomware, the result is the same: extorting hefty sums from victims.

"The difference is the fact that the attacker, instead of just keeping you from your data, has your data and threatens to publish (or delete) if the ransom is not paid," TK Keanini, CTO at Lancope, a cybersecurity company, told SC Magazine UK.

The wealth and sheer cunning of extortion malware variants shows how inventive this space is. As the popularity of ransomware increases, it's anyone's guess what they'll come up with next.
