Malware and cybercrime as a service

Steady increase of franchise systems for so-called ransomware

Author: Philipp Rogmann
Date: 08.07.2015
Read Time: 3 Minutes

Since 2004 there has been little malware whose sole purpose was the destruction of data, and there is a simple reason for that: lost data is not attractive to malware developers because it brings no financial gain. Nowadays it is all about stealing data through malware and selling that data on the black market. Another option for developers of this kind of harmful software is to use ransomware to extort money from users by locking their computers or encrypting their data. Ransomware is a breed of malware that encrypts the data on the infected computer and demands a ransom to unlock it – if it is unlocked at all.

This whole scheme is based on the monetary gains the developers can achieve – and they will attack anything if it pays off. What is even more unsettling is that potential attackers do not even need to be able to program this kind of malware themselves, or to know how network security works. All they need to do is buy an exploit kit and franchised ransomware. The most popular is CBT Locker, which is sold to franchisees worldwide on a large scale.

[Image: CBT Locker screenshot]

CBT Locker and other ransomware:
A threat to companies worldwide

We have said it countless times: every company has something to lose, no matter how large it is. Ransomware is a particular problem for companies that cannot protect themselves, because the whole business is at stake as soon as information is no longer available. While the first lockers could be cleaned up fairly easily, the new generation of ransomware cannot be defeated that easily: all data is encrypted with changing algorithms, and without the specific key the data cannot be recovered. This makes protection against infection a top priority.

Business with malware:
Lucrative – and just about legal

The developers of the general tools usually come from Russia and break no laws in their home country: they only deliver a software solution and do not breach security or commit blackmail themselves. This is a very lucrative and mostly safe business for the developers. But the franchisees make a lot of money by blackmailing victims as well. On the popular discussion platform Reddit, a user of these services did an Ask-Me-Anything and confirmed that he had made more than 300,000 Euros in a couple of months. Such sums are achieved by keeping the ransom relatively low, so that it is worth less than the data at risk. The users who are being blackmailed usually pay rather than accept the loss of their data.

In the so-called Deep Web, which exists outside the commonly used World Wide Web, any cybercriminal can buy exploit kits and malware for the crypto-currency Bitcoin. This gives him all the means necessary to start blackmailing users – without being traceable. The overall business model is very profitable and almost without risk.

The battle is won before the infection hits

Companies need very well protected networks and endpoints to be safe from ransomware and blackmail. As mentioned before, cleaning up the infection and recovering the data is usually impossible, because the data is no longer available in unencrypted form.

This means that all security solutions and software need to be up to date at all times. Automated patch management is the best protection against malware and other harmful software. It also means that dubious websites should not be reachable from the internal network: limit internet traffic (this has other advantages, as we have shown in another article).
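As an added illustration of the egress-filtering advice above (not code from the original post), a small Python check that applies a default-deny policy to proxy log lines: hosts not on an allowlist and direct-to-IP requests are blocked, and executable downloads are flagged even when the host is allowed. The allowlist, the log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist of business-required sites (assumption for this example).
ALLOWED_DOMAINS = {"intranet.example.com", "update.example-vendor.com", "crm.example-saas.net"}
# Content types under which executable payloads are commonly served.
RISKY_TYPES = {"application/x-msdownload", "application/x-dosexec",
               "application/octet-stream", "application/java-archive"}
# Assumed log format: "<timestamp> <client-ip> <method> <url> <status> <content-type>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")

def host_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one (no suffix tricks)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def classify(line):
    """Return (client, verdict, reason) for one proxy log line: allow, alert, block or error."""
    m = LOG_RE.match(line)
    if not m:
        return ("?", "error", "unparseable line")
    client = m["client"]
    host = urlsplit(m["url"]).hostname or ""
    try:
        ipaddress.ip_address(host)  # direct-to-IP requests sidestep domain-based filtering
        return (client, "block", f"direct-to-IP request to {host}")
    except ValueError:
        pass  # a hostname, not an IP literal
    if not host_allowed(host):
        return (client, "block", f"{host} not on allowlist")
    if m["ctype"].split(";")[0].lower() in RISKY_TYPES:
        return (client, "alert", f"executable download from allowed host {host}")
    return (client, "allow", host)

def audit(lines):
    """Keep every line that is not a plain allow, as (client, verdict, reason)."""
    return [r for r in map(classify, lines) if r[1] != "allow"]

# Constructed sample log lines (no real traffic).
SAMPLE_LOG = [
    "2015-07-08T09:12:01 10.0.1.23 GET http://intranet.example.com/index.html 200 text/html",
    "2015-07-08T09:12:05 10.0.1.23 GET http://203.0.113.45/ad/click.php 200 text/html",
    "2015-07-08T09:12:09 10.0.1.23 GET http://files.example-unknown.org/setup.exe 200 application/x-msdownload",
    "2015-07-08T09:12:12 10.0.1.40 GET https://crm.example-saas.net/attachments/invoice.exe 200 application/octet-stream",
]
```

Running `audit(SAMPLE_LOG)` yields two blocks and one alert; only the intranet request passes cleanly.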

Always stay up to date and make sure that unfiltered web traffic cannot breach your network. By the time CBT Locker or other malware pops up on your employees’ screens, it will be much too late.
