DECEMBER 8, 2017

THE EVOLUTION OF RANSOMWARE: FROM ‘LOCKER’ TO ‘DOXWARE’

The threat of ransomware constantly keeps expanding into new territories, and its newest form is ‘doxware’. Whereas classic crypto-ransomware continue

The threat of ransomware constantly keeps expanding into new territories, and its newest form is ‘doxware’. Whereas classic crypto-ransomware continues to populate the headlines, new interesting threats are evolving. This post explores the evolution of ransomware, from the very initial ‘lock-screen’ variants, to the newest doxware families.

Locker ransomware denies access to the infected host and extorts the victim for money in exchange for ”unlocking” the host. Such variants are quite popular among mobile ransomware families. The first mobile ransomware families of this type “locked” the device by constantly bringing the ransom window to the foreground in an infinite loop, whereas newer variants often try gaining device administrator privileges in order to set the phone’s PIN lock.

Fake AVs, which are also known as rouge security software, are programs that “warn” the user against malware, which has already allegedly infected the host and can only be removed by purchasing the fake security software. While many of these fake AVs are harmless (just a bit annoying) and could be considered as PUA (Potentially Unwanted Applications), some variants are becoming more aggressive, leaving no choice other than purchasing the AV, often practically behaving as locker ransomware.

Crypto ransomware is currently the most common ransomware type in the wild. Such variants encrypt data on an infected host, and demand ransom in exchange for decrypting it. The data can arrive from all drive letters on the PC, including removable drives, network shares, and even DropBox mappings. The malware also removes backup files to prevent the option of restoring the encrypted files (shadow volume copies).

MBR overwriters are a more recent type of variants, that prevent the operating system from booting by overwriting the MBR (Master Boot Record). The consequences of this type of ransomware are similar to those caused by locker ransomware, but the mode of operation is more sophisticated.

Data wipers are an additional ransomware type which has recently gained popularity among attackers. Data wiping ransomware variants render all data on a hard drive unreadable, and demand ransom for recovering wiped data, instead of for encrypted data.

Hybrid ransomware are the most aggressive variants, using all possible means to maximize profits. Such ransomware families may possess banking Trojans’ capabilities, along with worms’ spreading methods. IoT exploitation is yet another destructive capability that can be leveraged by attackers; In the last DefCon, the security firm Pen Test Partners demonstrated a PoC ransomware for a smart thermostat. Such ransomware could set extreme temperatures, waste vast amounts of power, and even cause physical damage, unless the ransom is paid.

Doxware is the newest ransomware type in the wild (as we predicted a few months ago in our ransomware white paper). ‘Doxxing’ (derived from ‘docx’ – documents), means gathering and publishing information about a person/organization, for the purpose of extortion/harassment/shaming. Also known as ‘extortionware’, doxware threatens to publish victims’ sensitive data unless the demanded ransom is paid, rather than just encrypting it. The data could contain private photos, fake/real subscriptions (e.g. mobile doxware variant Ackposts), or confidential documents, collected from end-users/businesses (e.g. Windows doxware variant Chimera).

What’s next?

The popularity of ransomware is not going to decline anytime soon. Available for sale on the dark web in the form of CaaS (Crime as a Service), easy to operate and distribute, ransomware has become accessible to any inexperienced attacker. Furthermore, ransomware has proved its efficiency and potential for gaining large-scaled profits in several major attacks on hospitalsfinancial institutions and even an electric and water utility. Therefore, attackers are expected to target more businesses, which are more likely to pay large amounts of money, in comparison to private users.

In our latest white paper on ransomware, we predicted that we expect to start seeing ransomware focusing on data collection rather than data encryption, and we hit the mark. To read more about ransomware trends and forecasts, as well as how to protect your organization, download our comprehensive ransomware white paper.