Growth in the number of connected objects is bringing a whole new set of security concerns to consumers and producers alike. With 200 billion devices predicted to be connected to the cloud and each other by 2020, in what is called the Internet of Things (IoT), opportunities for cybercrime will rise rapidly. From TVs and watches to fridges and cars, every additional “smart” device will expand the attack surface through which criminals can hijack the lives of their victims. Ransomware, malware that prevents or limits access to a device until the user pays a ransom, has emerged as one of the biggest threats in this field.
There are two popular types of ransomware. The most common type is crypto ransomware, which hacks into connected devices and encrypts personal data and files. This makes them useless unless the victim obtains the decryption key by paying the ransom. CryptoLocker and its cousin CryptoWall are two infamous examples of ransomware that have gone after personal computers. In 2013, CryptoLocker infected over a quarter of a million PCs while CryptoWall held over 600 thousand computers hostage as it encrypted over 5 billion files. As connectivity and personal data collection grow, these types of attacks will likely worsen, spreading from individual endpoints to the IoT as a whole.
The other popular type of ransomware is often referred to as locker ransomware. This malware simply locks the targeted device to prevent victims from using it. It often disguises itself as a law enforcement authority and claims to issue fines to users for alleged online misdeeds or criminal acts. As demonstrated by the successful operation on a Moto 360 smartwatch, locker ransomware shows strong growth prospects in wearable devices and the IoT.
The business model of ransomware is simple: deny access to something that users want or need and offer to return what is rightfully theirs on payment of a ransom. Yet the methods of ransomware users have become much more complex. Current top ransomware families such as CTB-Locker and CryptoWall operate using one or more of these practices:
- Employ virtual currency as the method of payment to avoid traces
- Use the Tor network to hide control server locations
- Rent the ransomware infrastructure to other attackers to allow affiliate campaigns
- Target mass-storage devices such as network attached storage
- Utilize local firms and location-relevant topics to craft “credible” phishing emails
The incentives for criminals to use ransomware are strong and show no signs of waning. Recent data reveal that the number of ransomware incidents grew 165 percent in the first quarter of 2015. One of the factors driving this increase is higher-quality phishing emails. The use of local businesses and location-relevant filenames lead as many as 23 percent of recipients to open phishing emails. Similarly, hackers’ “reasonable” demands of about $300 to $500 from targeted small businesses have resulted in as many as 30 percent of victims simply relenting and paying the ransom in order to continue operating their businesses. On numerous occasions the attackers were even able to collect ransom from police departments.
While ransomware has to date inflicted tremendous financial costs on many victims, it has not yet put lives at risk. In the future, however, this prospect may become reality. Remote control of connected vehicles, for example, has the possibility of allowing extortion on a massive scale. Drivers who have lost control of their cars will certainly be more willing than most to succumb to the demands of hijackers.
Ransomware will continue to evolve its methods of propagation, encryption, and targeting. With this in mind, manufacturers of connected devices have a duty to engage with consumers and government partners to improve their security. The use of best practices and cyber awareness training programs would go a long way in helping consumers stay ahead of future ransomware campaigns.