The ransomware threat and its impact on critical infrastructure has dominated cybersecurity news headlines since the onset of the pandemic. In 2020 alone, ransomware affected more than one-third of global healthcare organizations. These attacks are becoming more sophisticated, making it difficult for public and private sectors, as well as individuals, to defend themselves.

As these attacks continue to succeed, more threat groups are jumping into the game. They’re either deploying their own campaigns or offering ransomware as a service (RaaS) in an effort to take advantage of the opportunity. The FBI’s Internet Crime and Complaint Center (IC3) has reported an increase in this “professionalization” of ransomware as more threat actors adopt the RaaS business model and outsource their campaigns.

The European Union Agency for Cybersecurity (ENISA) has dubbed these last two years as a “golden era of ransomware.” In my work as a threat intelligence researcher predominantly focused on mobile threats, I can attest to the spikes. Over the past two years we’ve seen a significant uptick in the number of RaaS offerings sold on the internet and more sophisticated mobile ransomware families.

They now target mobile devices

For much of its history, ransomware was largely viewed as a desktop-targeting threat. Lookout has been tracking mobile ransomware for a number of years, but many of the early families, such as Android.Locker.38, were crudely designed. Security teams can eradicate them by restarting the infected device and uninstalling the malicious app.

While some did encrypt the device filesystem (such as Simplocker, discovered by ESET in 2014), most of the ransomware Lookout researchers have encountered simply overlayed a ransom note that they couldn’t dismiss. They exploited an Android permission called “SYSTEM_ALERT_WINDOW,” which was supposed to only be used by system-level apps to display important notifications to the user. To stop this abuse by malware authors, in 2020, Google revoked access to it for apps running on Android 10 and above.

Around that time, Microsoft released an advisory for MalLocker, a sophisticated Android ransomware family that got around the restriction by abusing the notifications displayed when users receive a phone call. Since calls are prioritized by the device, the malware hijacks this to display their ransom note on top of other app activity. The attackers combined this with overriding a special callback method, “onUserLeaveHint()”, which the operating system uses when the user attempts to dismiss or move an app to the background, to continuously display the note.

Ransomware has become a low-cost service business

While threat hunting for new campaigns, I’ve encountered a staggering number of RaaS for sale online. Many of these are bundled alongside set-up and maintenance services to attract buyers without technical expertise. Some of these bundles cost as little as a few hundred U.S. dollars.

At Lookout, we saw a greater than 200% increase in the number of mobile ransomware detections between Q1 2020, which was before the onset of COVID-19-related lockdowns, and Q2 2020. Although recent quarters have seen a reduction in detections, the numbers are still higher than those pre-COVID.

How to protect users from ransomware

If there’s any silver lining to this “golden era” of ransomware, it’s that users are becoming increasingly aware of the risks and how their mobile devices can be compromised. Here are some tips for how to deal with a compromised device and how to proactively protect user devices:

  • Always download and install the latest security patches and operating system updates for devices when they become available.
  • Once a device becomes compromised, try restarting the device to see whether the ransom note continues to be displayed and whether any of the files are accessible. Older mobile ransomware families often did not encrypt device filesystems or implement persistence after a device reboot.
  • If restarting the device doesn’t remove the ransom note or suspected malware, reboot the device in “Safe Mode” or perform a factory reset.
  • Consider using a mobile antivirus app to detect known mobile malware families and prevent them from being installed from malicious websites.
  • Only install applications from official app stores, like Google Play or the Apple App Store.
  • For Android users, prevent applications from installing unknown apps by revoking access in the device Settings within “Install Unknown Apps.”

While overwhelmed security teams may not have put dedicated people on mobile devices yet, it’s more than time to take these simple steps and educate the staff on mobile security. Before the pandemic this was a “nice to have” measure. Some two years later, with mobile devices proliferating on corporate networks and work-from-home policies, companies can no longer overlook mobile security.

Kristina Balaam, staff security intelligence engineer, Lookout