Ransomware’s been making big headlines lately. It’s only been about a month since a Hollywood hospital was made famous after becoming infected by ransomware. Nobody in Tinseltown (especially hospitals) wants to make headlines by getting a high profile infection, so the hospital paid nearly $17,000 to extortionists to have their files decrypted.
There’s no shortage of stories like these, although the average ransomware infection seems to usually run people a few hundred dollars. That’s an affordable amount for many. In fact, a recent Twitter poll by F-Secure found that many people (although not a majority) might be willing to pay that much to recover lost data:
The fact that the sum seems almost reasonable for some people, and paying that much is easier than trying to decrypt files without having the keys, has led the FBI to recommend paying extortionists in order to recover data encrypted by ransomware. And people, even police departments, follow this advice.
So it seems like ransomware’s business model is paying off… for the attackers. And when a business takes off, you can bet it’s going to expand. Ransomware’s jump to OS X is a good indicator that’s what’s happening right now.
Ransomware Now Available for OS X
A crypto-ransomware family designed to infect Macs was discovered last weekend. The ransom trojan, dubbed KeRanger, infects OS X devices through the Transmission BitTorrent client.
Yes, F-Secure Mac users, SAFE does detect and protect you from KeRanger.
Transmission is an app from a legitimate developer, so its certificate allowed it to pass Gatekeeper requirements without raising suspicion (although Apple has apparently revoked the certificate since discovering the problem). Furthermore, the trojan features a three-day delay between the time it’s downloaded and its activation. That’s a long enough fuse to ensure that many people downloaded the infected version of the app before anyone discovered the nasty surprise left by extortionists.
While crypto-ransomware has been a problem on Windows PCs for many years now, this is the first notable instance of it infecting Macs. According to this Wired article featuring F-Secure Labs’ Chief Research Officer Mikko Hyppönen, it’s a significant but unfortunate milestone for OS X, as the platform had previously lacked a large enough user base to warrant much investment from cyber criminals.
And that’s not the only indicator that ransomware has become trendier than reality TV. The Slocker ransomware family became more prominent on Android devices in 2015, showing that criminals are trying harder to bring the success of the online extortion business to mobile devices.
“The market for extortion is growing. And it’s competitive. As new players enter the field, they’ll be looking for ‘underserved’ customers (aka victims),” says Sean Sullivan, F-Secure Security Advisor. “Crypto-ransomware is proving itself to be a very profitable business model and as such, there’s very strong motivations to crossover to all available platforms.”
But ransomware authors haven’t forgotten about their roots. According to data from F-Secure Labs tweeted by Mikko, ransomware, particularly crypto-ransomware, continues to be a thorn in the side of PC users.
These statistics show that Cryptowall – a ransomware family that some claim has caused as much as $325 million in damages – was more prominent than any of its contemporaries in 2015. Late autumn/early winter saw spikes of other crypto-ransomware variants, showing that there’s enough opportunity in ransomware to encourage competition amongst cyber criminals.
I spoke with Sean in mid-December about what he thinks will happen in the threat landscape in 2016. “2016 will be remembered as the year of extortion,” he told me.
I checked back with him on this while I was writing this post to see how confident he felt about this prediction given what we’ve seen so far in 2016.
“Yes, quite confident. I don’t think we’ve seen the worst of it yet.”
[Image by Buster Benson | Flickr]