Between 0.25% and 3.0% of victims pay ransom to attackers holding their data hostage
SecureWorks Counter Threat Unit (CTU) researchers have tracked the spread of several notorious ransomware families to the Asia-Pacific region, underscoring efforts by some attackers to localise their tools to target multiple geographies.
According to the CTU, the current top four ransomware families – Locky, Cerber, CryptXXX and TorrentLocker – are all targeting computer users in APAC and have created localised versions of their threats for Japan. CryptXXX has additionally developed a localised version for South Korea.
The top four ransomware families of August 2016 are:
- Locky — Run by a single group, which in turn uses two main affiliate groups to distribute the ransomware.
- Cerber — The CTU saw Cerber emerge in February 2016, and the operators who had been using CryptoWall switched over to it.
- CryptXXX — After the TeslaCrypt developers ceased operations and voluntarily released their decryption keys, threat actors migrated to CryptXXX (also known as UltraCrypter) and Cerber.
- TorrentLocker — The elder statesman of the ransomware ecosystem, run by a single group.
“Unlike other types of malware that are mostly designed to compromise the system covertly, ransomware requires end-user interaction to achieve its goal – collecting ransom,” explained Alex Tilley, Senior Security Researcher, SecureWorks Counter Threat Unit. “This makes localising the threat particularly useful to attackers.”
The most prolific families can each be responsible for millions of spam emails, hundreds of thousands of infected systems, and millions of dollars in ransom payments. “Generally, 0.25% to 3.0% of victims elect to pay a ransom to the attackers holding their data hostage. We ascertain the largest operations are making several million dollars per year and the annual losses from all ransomware families combined exceed $10 million annually. The cost of business disruption, lost data, and infection remediation due to ransomware likely extends into the hundreds of millions of dollars annually,” said Tilley.
At those payment rates, attackers have to encrypt the data on roughly 33 to 400 computers for every victim who relents and pays (one in 33 at 3.0%, one in 400 at 0.25%); for everyone else the data is simply lost.
The top ransomware families are being spread via malicious spam and exploit kits
Additional CTU data on CryptXXX, collected from June 6 to July 7, 2016, indicate an increase in commodity ransomware activity during June 2016. CTU researchers observed ransom demands of 0.7, 1.2 or 2.4 BTC, with most victims receiving a demand for 1.2 BTC, and identified at least 69 victims who paid ransoms totalling more than 85.6 BTC (approximately $53,500) over that period.
Localisation of tools for attack
Localisation of tools can take one or more of the following forms: attackers can write ransom messages in the local language; strategically compromise local websites; deliver the ransomware via spam campaigns in the local language; or provide payment instructions that use local bitcoin wallet and exchange listings.
The effort by cyber attackers to localise their weapons highlights the importance of information sharing and situational awareness, as a threat in one geographical region can soon become a threat in another.
CTU researchers discovered that the Locky ransomware was being used to target computer users in Asia-Pacific during Q1 2016, the same period in which it was infecting victims in North America and EMEA, indicating that the threat actors were targeting multiple countries within the same timeframe.
Localisation can happen at different paces. For example, despite the English version of CryptXXX being reported in the region in April 2016, a localised version of the ransomware was not reported in Japan and South Korea until May 2016.
In contrast, the CTU team noted that it took nearly a year and a half for a localised version of CryptoLocker to be identified in South Korea after the English version was reported in Hong Kong. This localised version is believed to be the work of a different group. However, in the case of CryptXXX, the CTU suspects that the localised variant that appeared in May is the work of the same threat actors using CryptXXX elsewhere in the region.
Any time gap between the discovery of a threat in different regions gives other areas an opportunity to protect themselves proactively. While "local" variants may use different infrastructure and network indicators, such as IPs and domains, countermeasures that detect or filter ransomware command and control (C2) traffic by its protocol characteristics will still be effective unless the C2 protocol itself changes significantly.
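To make that last point concrete, here is an added example, not code from the CTU research or from any vendor product: a small Python detector run over constructed proxy-log lines, contrasting a rule keyed on known C2 hosts with a rule keyed on the shape of the C2 check-in. The log format, every IP and hostname, the /<hex>/gate.php path, the victim-id body and the User-Agent string are all assumptions made for illustration and do not describe the C2 protocol of any family named above.

```python
"""Added example, not part of the SecureWorks/CTU research: contrast an
infrastructure-indicator rule with a C2-protocol rule over constructed
proxy-log lines.  Every IP, hostname, URI shape, header value and log line
here is invented for illustration and describes no real ransomware family."""
import re
from dataclasses import dataclass
from typing import Callable, List

# Indicators shared from the region hit first: concrete hosts and IPs
# (constructed; the "localised" variant below uses none of them).
KNOWN_C2_HOSTS = {"203.0.113.10", "c2-one.invalid"}

# Protocol-shaped rule for a hypothetical C2 check-in: an HTTP POST to
# /<16 hex>/gate.php carrying a bare 32-hex victim id under a fixed, dated
# User-Agent.  All three features are assumptions for this example.
C2_PATH_RE = re.compile(r"^/[0-9a-f]{16}/gate\.php$")
C2_BODY_RE = re.compile(r"^id=[0-9a-f]{32}$")
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0)"


@dataclass
class ProxyEvent:
    src: str
    dst_host: str
    method: str
    path: str
    user_agent: str
    body: str


def parse_line(line: str) -> ProxyEvent:
    """Parse one pipe-delimited proxy record (constructed format:
    src|dst_host|method|path|user_agent|body)."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed proxy record: {line!r}")
    return ProxyEvent(*fields)


def match_ioc(ev: ProxyEvent) -> bool:
    """Infrastructure indicator: destination is already on the shared blocklist."""
    return ev.dst_host in KNOWN_C2_HOSTS


def match_protocol(ev: ProxyEvent) -> bool:
    """Protocol indicator: the shape of the check-in, regardless of destination."""
    return (
        ev.method == "POST"
        and C2_PATH_RE.match(ev.path) is not None
        and C2_BODY_RE.match(ev.body) is not None
        and ev.user_agent == C2_USER_AGENT
    )


def detect(lines: List[str], rule: Callable[[ProxyEvent], bool]) -> List[str]:
    """Return the source hosts whose records trip the given rule, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if rule(ev):
            hits.append(ev.src)
    return hits


# Constructed proxy log: an infection beaconing to blocklisted infrastructure,
# a "localised" variant with the same protocol on brand-new infrastructure,
# two benign records, and a later variant whose C2 protocol was changed.
UA = C2_USER_AGENT
LOG_LINES = [
    f"10.0.0.5|203.0.113.10|POST|/0123456789abcdef/gate.php|{UA}|id=00112233445566778899aabbccddeeff",
    f"10.0.0.7|198.51.100.77|POST|/fedcba9876543210/gate.php|{UA}|id=ffeeddccbbaa99887766554433221100",
    "10.0.0.9|www.example.com|GET|/index.html|Mozilla/5.0|",
    "10.0.0.9|forum.example.com|POST|/gate.php|Mozilla/5.0|id=user42",
    f"10.0.0.11|192.0.2.33|POST|/api/v2/checkin|{UA}|id=0011223344556677",
]

if __name__ == "__main__":
    print("IOC rule hits:     ", detect(LOG_LINES, match_ioc))
    print("protocol rule hits:", detect(LOG_LINES, match_protocol))
```

The host blocklist flags only the first infection; the protocol rule also flags the "localised" variant on fresh infrastructure, which is the point of sharing protocol-level signatures across regions. Neither rule catches the final record, where the check-in path itself was changed, which is exactly the caveat above: a significant C2 protocol change forces the signature to be rewritten.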