Ransomworm: The birth of a monster

The last few weeks have seen two substantial attacks: one massive phishing attack that leveraged Google Apps and which tricked recipients into giving OAuth access to their email accounts, and a large-scale ransomware attack that blanketed almost 100 countries a week later.

Now, consider the likely marriage of these two attacks, and the monster that would result from this unholy matrimony: the ransomworm.

You can predict the future – at least in cases relating to cybersecurity – by identifying what modifications would be the most explosive, the most powerful… the most profitable. And just like science is a process of constant improvement, so is crime. Criminals observe, test, and follow what they see others being successful with. Considering these two attacks as separate instances of evil is troubling enough, but if we interpret their success with an eye toward what the future holds, the result is truly terrifying. And that, of course, spells “desirable” to the attackers – which is why we need to expect it to happen.

The power of the recent phishing attack was that it was, in fact, a self-replicating worm. That means that as one account got compromised, the automated script identified all the contacts of the victim and sent each one an email. And when these people received that email – from a sender they know, mind you – many of them clicked through and fed the fire. This clever use of a known identity was what led to the explosive spread of the attack.

Now take the ransomware attack. With built-in language support for all major countries, and a powerful delivery mechanism, the attack is bound to inspire additional attacks. One success begets another, even for criminals.

The ransomworm

The marriage of these two attacks, let’s call this the ransomworm, would distribute itself using compromised accounts, and would therefore inherit the credibility of its phishing attack “father” by causing emails from friendly contacts to be received by the next round of victims. And the ransomworm would of course inherit the lingual fluency of its ransomware “mother” – making sure that the message the next round of victims received is in the same language as what the sender and receiver normally use to interact. Maybe it would even have the added sophistication of choosing a suitable topic of conversation – after all, the attacker has access to all previous emails and can automatically identify keywords in emails to select suitable topics. And then, of course, monetization. After a computer is compromised and all its contacts extracted and used, it would immediately be encrypted and a ransom note delivered. Because the ransomworm, like its mom, would corrupt computers, not accounts.

The most likely way the ransomworm would infect your computer is using a method that circumvents traditional security technologies – which is what most people and organizations rely on. WannaCry used unpatched vulnerabilities, but there are many other options – like social engineering end users to make a poor security decision and run malicious software.

Recently, one of the favorite ways for criminals to do this is to send emails with encrypted zip files containing the malicious file, as encrypted zip files aren’t typically scanned by antivirus software. When you decrypt the zip file and click on the malicious file, the ransomware takes control over your computer, and before you know it, generates messages for your contacts – appearing to come from you – and then locks down your computer. By the time you get the ransom note, it is too late.
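The encrypted-zip blind spot described above is something a mail gateway can detect without the password: every member of a password-protected archive carries an encryption bit in its local file header, so the archive can be held for out-of-band verification rather than passed to scanners that cannot open it. The following is an added example (not code from the original article); the `triage_attachment` policy, the sample archive and the file name `invoice.js` are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30-byte zip local file header
LOCAL_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001                          # bit 0 of the general-purpose flags

def encrypted_entries(data: bytes) -> list:
    """Names of archive members whose local header carries the encryption bit.

    Walks the raw bytes instead of trusting the central directory, so a
    truncated or deliberately mangled archive still yields a verdict.
    """
    found = []
    pos = data.find(LOCAL_SIG)
    while pos >= 0 and pos + LOCAL_HEADER.size <= len(data):
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = LOCAL_HEADER.unpack_from(data, pos)
        name = data[pos + LOCAL_HEADER.size : pos + LOCAL_HEADER.size + nlen]
        if flags & FLAG_ENCRYPTED:
            found.append(name.decode("utf-8", "replace"))
        # skip header, name, extra field and payload, then look for the next header
        pos = data.find(LOCAL_SIG, pos + LOCAL_HEADER.size + nlen + xlen + csize)
    return found

def triage_attachment(filename: str, data: bytes) -> str:
    """Hypothetical gateway policy: hold password-protected archives for
    manual verification with the sender; pass everything else to the scanners."""
    if filename.lower().endswith(".zip") and data.startswith(LOCAL_SIG):
        if encrypted_entries(data):
            return "quarantine: encrypted zip, verify with sender out of band"
    return "scan"

def build_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-file archive. With encrypted=True the
    encryption flag bit is set exactly as a password-protected archive sets
    it (the payload is not really encrypted; only the flag matters here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.js", "// constructed stand-in for a malicious script\n")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= FLAG_ENCRYPTED          # local header: flags live at offset 6
        cd = raw.find(b"PK\x01\x02")      # central directory entry: flags at offset 8
        raw[cd + 8] |= FLAG_ENCRYPTED
    return bytes(raw)
```

Running `triage_attachment("report.zip", build_zip(True))` returns the quarantine verdict, while the same archive without the flag is passed on for normal scanning.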

Successive versions of the ransomworm are likely to experiment with the right balance of threat and payments. Just how much is it worth for you to get your files back? Maybe you would be willing to pay more if you got your files back and half of them were not published in a ransomwiki somewhere for everybody to see, or emailed to all your contacts for them to see? Maybe your willingness to pay depends on what type of files would be published?

There are several monetization avenues: What if the ransomworm silently modifies select files, introducing false evidence later to be leaked and used in a third-party lawsuit against your organization, and then offers to let you pay for proof that this took place? We are still in the early days of digital extortion.

What should you do?

If you and your organization do not use security software that detects social engineering and identity deception, the only certain way of protecting yourself and your enterprise is to disconnect from the Internet. Of course, that is an entirely unrealistic response to the threat. Therefore, a decent rule of thumb is to avoid clicking on any link or attachment unless you can be sure it is safe – and to be very careful to avoid opening encrypted zip files. That holds even if – indeed, maybe particularly if – you receive these types of files from somebody you know. Give that person a call to verify that he or she sent the email, and ask what is in the attachment. Then you can open it.