Ranscam ransomware and the advent of the cut-rate cybercriminal
Ranscam encrypts and deletes the victim's files.
The increasing effectiveness of ransomware's ability to force individuals and businesses to pay up is convincing a horde of new cybercriminals to enter the field with some wielding what can be only described as inferior malware in their attempt to make a few quick bucks.
A trend security industry professionals say will continue to increase.
“As the barrier to entry for the ransomware space decreases, we will likely continue to see more and more threat actors of varying skill levels, access to resources, etc. entering the market in an attempt to make money. It remains to be seen what the approach of choice will be for lower level threat actors moving forward,” Earl Carter, a security research engineer at Cisco Talos said to SCMagazine.com in an email.
One of the latest pieces such low-budget malware to come down the pike is called Ranscam and was spotted by Cisco Talos' researchers. Unlike traditional ransomware, which locks up a computer's files and then demands a bitcoin payment, Ranscam infects a computer, deletes the files and then demands a payment from the victim even though the files are gone and cannot be recovered.
The reasons behind development of Ranscam and its brethren is how lucrative the ransomware business has become, about $1 billion per year along with how little it can cost a criminal to enter this space.
“We have been observing a rapid growth in the quantity of new previously undiscovered ransomware families recently, and now even those who can't implement the idea are talking about trying to scare the victims into paying. I believe, if the current trend continues, we are going to observe more new ransomware variants, both ‘real' and ‘deceiving' (like Ranscam), Fedor Sinitsyn, senior malware analyst, Kaspersky Lab told SCMagazine.com in an email.
Ranscam by itself is an interesting case study. Compared to the better known, and more dangerous Locky or CryptXXX, Ranscam the code is quite simple. The fact the malware simply deletes the victim's files indicates the developer is not very sophisticated and simply made use of a Windows process already located on the device said Carter.
Sinitsyn agreed, saying, “In the particular case of ‘Ranscam' the malware samples look like they were created by someone not capable of developing a ‘real' encrypting ransomware, so it might be not even ‘being lazy', but probably just lacking skills.”
The malicious actors may have also purchased the software from one of the many vendors that advertise on the dark web. Watchdog Technologies recently noted that even custom ransomware can be had for about $1,200.
Another twist that having newcomers running malware like Ranscam is that it damages the ransomware industry. If victims realize that there is a good chance that paying the ransom will not bring back their files then they simply won't bother.
“As more attention is brought to the fact that ransomware threat actors cannot necessarily be trusted to recover or restore victim's files, it may result in decreased revenue for more established ransomware operations. It's difficult to say what the response to this will be from these more established ransomware operations,” Carter noted.
If this becomes the case then business and individuals may realize the only true way to ensure their information is recoverable is to set up a back-up system, Sinistyn and Carter said, along with taking the usual precautions the prevent malware from being downloaded onto a computer.