Despite the arrest and conviction of scores of cyber criminals - including members of the Blackhole exploit kit, SpyEye and GameOver Zeus crews - malware and ransomware threats continue to grow.
A Russian judge this month sentenced members of the gang behind the notorious Blackhole malware to serve prison sentences of between 5.5 and 8 years. Among the men who were sentenced was Dmitry Fedotov, a.k.a. "Paunch," who security experts say was the chief developer behind Blackhole and other crimeware toolkits (see Russia: 7-Year Sentence for Blackhole Mastermind).
Seeing a Russian court sentence Russian cybercriminals to serve jail sentences is unusual, says Sergey Nikitin, deputy head of the computer forensics laboratory and malicious code analysis team at Moscow-based cybersecurity firm Group-IB. That's because Russians generally only get found guilty of cyber-related crimes if prosecutors can prove that money was stolen from victims located within the Russian Federation.
Just as the 2013 arrest of the masterminds behind SpyEye didn't cause banking Trojan attacks to cease, Paunch's arrest the same year also didn't spell the end of exploit kits, malware or ransomware, which continue to generate massive profits for criminals who operate online (see I Believe in Cybercrime Unicorns).
Indeed, malware and ransomware attacks have continued to surge and are more lucrative than ever (see The Myth of Cybercrime Deterrence). For starters, attackers are continuing to develop and deploy more refined banking malware, which they often distribute via spear-phishing attacks.
Many malware campaigns also now target not just individuals, but also financial access codes used by medium and large organizations (see Bangladesh Bank Attackers Hacked SWIFT Software). And language barriers have been falling as attackers look beyond targeting just banks in North America and Western Europe (see Banking Malware: Big in Japan).
Crypto-Lockers Are Tough to Unravel
Ransomware has also continued to advance. Back in 2012 and 2013, for example, many ransomware programs were simple "winlockers," meaning they would lock a PC and demand a payment to unlock it. But the malware could be deactivated, using security software or other workarounds. Today, however, the vast majority of ransomware is of the crypto-locking variety, meaning it forcibly encrypts the vast majority of files on an infected system, then reboots to a screen that displays a ransom message encouraging victims to remit a payment via a displayed bitcoin address.
The use of bitcoins also represents a significant change. Back when Blackhole was in operation, many types of ransomware required victims who wanted a decryption key to remit payment to criminals using online payment systems such as Paysafecard or Ukash, according to 2013 research published by security firm Sophos. Both systems enabled users to buy a virtual payment card that could be redeemed using a 16-digit PIN, and ransomware victims would duly send that PIN to the attackers. (Both payment systems were acquired by Skrill Group in 2014, which ultimately merged Ukash into Paysafecard. The latter is still operational.)
Cryptocurrency Now Standard
Following the Blackhole bust, and especially since the June 2014 disruption of Gameover Zeus - which infected up to 1 million PCs with both Zeus banking malware as well as CryptoLocker ransomware - criminals have been adopting cryptocurrencies for ransom payments, according to a February intelligence memo on CryptoLocker provided by the FBI to Sen. Ron Wyden, D-Ore.
"Following the CryptoLocker disruption in May 2014, there has been a shift by cyber criminal actors to receive ransom payments solely using bitcoin," according to the FBI. While bitcoins offer a higher degree of anonymity than using private payment systems, security and law enforcement experts note that they're not truly anonymous. In particular, related transactions - though not always the actual identity of the person behind the transaction - can be tracked via the public blockchain ledger that's integral to bitcoin (see Tougher to Use Bitcoin for Crime?).
The FBI says CryptoLocker-using criminals attempt to obfuscate their transactions on the blockchain, then use exchanges based in countries with weak anti-money-laundering laws to convert the cryptocurrency into tough-to-trace cash. But the FBI notes that it is "committed to following the money in investigating all crimes with a financial component; ransomware is no exception."
Ransom Demands Increase
Meanwhile, the average ransom demand has increased. Back in 2013, when Nymaim ransomware was still being distributed via Blackhole, for example, security researchers say attackers were already varying their ransom demands based on geography. Typical demands ranged from €100 ($115) at the low end for Romanian victims to a maximum of $300 for U.S. victims. For comparison's sake, a recent campaign that used Locky ransomware demanded anywhere from 0.5 to 1 bitcoin ($213 to $426), according to Cisco's Talos security group.
Previously, ransomware was infecting not just individuals, but also many different types of organizations, including police departments and hospitals, although it wasn't clear if those were targeted or opportunistic attacks.
Recently, however, there's been a surge in what security experts say are highly targeted attacks against organizations in specific sectors, and which carry higher ransom demands. While multiple sectors have been targeted, many attackers currently appear to be focusing on healthcare. Security experts say that the sector's ransomware epidemic has been triggered by organizations' relatively immature information security practices as well as victims' propensity to pay ransoms (see Hollywood Hospital Pays Ransom to Unlock Data).
So long as that situation continues, there's a massive incentive for anyone with criminal leanings to pursue a life of cybercrime.