As Stephen King once put it, “Sometimes they come back.”
Like a dormant volcano that may suddenly awaken at any moment, ransomware programs are an unpredictable lot. They may lay low for a while, or fall out of favor. But then they reemerge, often with new tricks up their sleeve.
Indeed, ransomwares never truly die – at least, not until a decryptor renders their powers useless. But what is it about certain ransomwares that make them so viable for multiple comebacks? And why with each surprise return do they remain so difficult to protect against?
“Malware, especially ransomware, seems to run in cycles,” says Derek Manky, global security strategist at Fortinet. “We'll track a large number of triggers and exploit attempts for months. Over that time, a number of variants will be launched that either change the attack vector, improve the malware payload, refine its ability to avoid detection, or change how it communicates with its command-and-control server. They can lie dormant for a while, and re-activate in microseconds once attackers decide it is time to launch a new campaign.”
Locky is a prime example: The ransomware made waves when it debuted in early 2016 and soon after infected Hollywood Presbyterian Medical Center, triggering a scourge of similar attacks against the health-care industry. Then in 2017 it fell mostly quiet, until the Necurs botnet pushed it heavily in April, and then once again in August with the two newest variants (as of this printing), Diablo6 and Lukitus.
Cerber, a ransomware-as-a-service (RAAS) product, has also played hide-and-seek since its 2016 debut, periodically popping up with new features such as anti-detection and anti-sandboxing techniques, as well as the ability to steal cryptocurrency wallets and passwords.
“Every time it returns, it comes back stronger and smarter than ever,” says Manky. “Both Cerber and Locky now have a large number of variants that have been developed, and quite often there are several running simultaneously in the wild.”
TorrentLocker dates back even further. According to Kaspersky Lab, the ransomware has experienced at least five significant releases since 2014. “Its authors have made several major changes…and it is still spreading, although not as aggressively as Cerber and other ransomware strains,” said Ondrej Vlcek, Avast CTO and EVP and GM, consumer. Vlcek also cited Hidden Tear, a ransomware that began as an open-source project but was turned malicious by amateur developers. “We continue to see new offspring of this ransomware on a regular basis, despite the fact that it known for its poor code quality.”
There are any number of explanations for why Locky, Cerber and even older ransomware programs seem to wax and wane in activity. One key reason is that the malware authors are using their downtime to improve their weapons, evolving them with new key features for the next round of infections.
“Each campaign reveals a new trick, and is responded to with a new counter-defense,” says Sean Sullivan, security advisor at F-Secure.
Take Locky, for instance: “It started out with as a simple ransomware that phoned home to its command-and-control servers and downloaded an RSA key to be used along with the AES encryption algorithm for encryption of files,” says Vincent Weafer, VP of McAfee Labs. “Over time, the attackers made quite a few changes to it, including changes in the names used in the encrypted files to evade existing detections, using hardcoded RSA keys so that a target system will be encrypted and held hostage even if the system does not have internet connectivity, and changes to the types of executables from PE files to DLLs.”
Weafer said that Locky's operational model tends to be to build up the attack infrastructure, then run massive malspam campaigns, collect the resulting ransom payments, and finally “cut and run,” using the ensuing quiet period “to work on the next evolution of the ransomware.”
However, Vlcek, argues that Locky's most recent disappearing and reappearing act likely wasn't due to development cycles or major code changes, as there are “virtually no new modifications in the latest version of the strain.” Perhaps, then, the explanation is far more simple: “Ransomware operators and authors are… humans that take time off from their work” like everyone else,” said Vlcek, also suggesting that they might be using the time off to “experiment with different distribution methods.”
Indeed, a ransomware's activity can also depend on the availability of distribution channels such as malspam botnets and exploit kits. “If one distributor uses a hot exploit on a high-traffic site, for example, [a ransomware program] is able to jump to hundreds of thousands or possibly over million victims in a short period of time,” says Manky.
Ransomware developers may also temporarily close up shop – only to reopen later – because feel they are attracting too much attention, or believe the authorities are breathing down their necks.
“Media and market attention are likely catalysts for any ransomware strain. Financially motivated attackers will often try to strike a balance between obtaining maximum revenues while staying under the radar of the security industry and the media,” says Rich Barger, director of security research at Splunk. “In fact, public awareness of various ransomware strains can be counterproductive to hackers, who do not want to bring undue attention to their schemes. Staying under the radar helps hackers maximize efficacy and longevity of their exploit capabilities and payloads.”
In the cases of RAAS offerings, certain popular ransomware services may suddenly take a back seat to a seemingly bigger, badder new kid on the block – or a cheaper one – before building up its user base again. It's all part of the ebb and flow.
But not all ransomwares are destined for longevity. So what makes the most enduring ransomwares so hard for users to protect against, while others are more of a flash in the pan?
The primary quality of any type of ransomware which makes it viable, new or old, is its efficacy,” says Barger. “So, variables such as anti-virus or email gateway detection can impact how effective ransomware campaigns might be.”
Clearly, one of the keys to long-term efficacy is how advanced the encryption is. “The first versions of ransomware used very weak encryption and didn't last very long,” says Manky. “More successful ransomware uses public/private key pairs for each victim making it much stronger. The ransomware families that do this are the most profitable because they do not use weak encryption, meaning the key cannot be reverse engineered with ease.”
“Asymmetric encryption techniques used by these ransomwares make it difficult to create reliable decryptors by AV companies,” says Weafer. “This, coupled with the fact that ransomware like Locky… provide excellent victim support and make decryptors available if the ransom is paid, contributes to their success, since a high likelihood of decryptors being distributed will lead to more victims paying the ransoms.”
Indeed, the creation of an effective decryption tool is very likely the death knell of a ransomware program. “Authors will either stop investing in the ransomware strain or try to create an entirely new strain that leverages the lessons the author learned with the previous strain,” says Vlcek.
The ability to leverage a wealth of different proliferation techniques, including exploit kits and spam emails, also contributes to a ransomware's success, as does having an established infrastructure and operational model in place. “Mature, standardized development infrastructure and practices are already in place for ransomware like Locky. Thus, running new campaigns is easier which leads to periodic resurgence of new variants,” said Weafer. “In the case of RaaS models, distributors are more likely to go with established Ransomware which is more likely to ensure a payout.”
Experts also cited a ransomware's persistence mechanisms, secure payment methods, and profit-sharing terms (in the case of RaaS agreements) as additional factors affecting its long-term effectiveness and overall survival.
Of course, a lot of the above boils down to the skills of the developer. Indeed, “Some strains vanish shortly after their initial appearance because their authors lack the skills to implement a proper chain of encryption, payment, infrastructure, and delivery, said Vlcek.
As established ransomware families continue to evolve, the onus will be on organizations to keep pace and maximize their protection.
“We are sometimes our own worst enemy. Most organizations do not have a proper detection and segmentation strategy, which means they can't see malware that is operating deep in the network or prevent it from spreading,” said Manky. “And because ransomware is beginning to spread using worm-like behaviors, they are much more difficult to defend against, especially if patches are not in place.”
Still, Sullivan at F-Secure believes the security professionals are better at stopping ransomware than they get credit for. “Success is quiet. Failures are noisy. I would suggest at least part of the issue is perception,” says Sullivan. “It's not significantly more difficult to defend against ransomware than banking trojans from five years ago. It's just that the stakes feel higher because people having their pockets picked isn't as dramatic as those being extorted at gunpoint.”