In the ever-changing world of ransomware, there are two animals that are always leading the pack. According to new research from security company Malwarebytes, the Locky and Cerber ransomware families are neck and neck with hackers constantly developing new strains of the malware.
The report, which tracked ransomware activity between July and October, first found that Cerber was in a dominant position before being overtaken by Locky.
We’ve seen both families adapt to the times recently, trying to stay fresh and dangerous by adding new features and tactics. In November, Check Point revealed how cybercriminals were exploiting holes in Facebook and LinkedIn to download Locky onto victims’ computers via an image file. Also last month, Trend Micro published findings that showed how Cerber was encrypting users’ database files.
Malwarebytes noted that the United States was by far the most infected country when it came to ransomware, with more strains avoiding detection by traditional antivirus software.
The company is looking at Russia as the most likely source of Locky and Cerber ransomware, either from Russian criminals or those with some affiliation with Russia.
Adam Kujawa, director of malware intelligence at Malwarebytes, pointed to the evidence that these forms of ransomware rarely infect Russian computers, using built-in functionality to detect if a user is based in Russia.
“They both recognize certain Russian IP addresses and say, ‘alright, we’re not going to infect you’ if you’re likely coming from Russia,” he said.
“I believe that is because if Russian law enforcement were to identify Russian people being hit by them, they’ll go after the attackers and take them down. If it’s going toward Western countries and the United States, they’re less likely to do anything about it.”
Of course, attribution is always hard when it comes to cybercrime. The Russia angle could very well be a smokescreen to deflect attention.
What is certain though is that ransomware is becoming increasingly sophisticated and surreptitious, avoiding detection and trying new tricks. Ordinary antivirus which still relies on signature detection to identify threats isn’t up to scratch.
One of the latest incarnations of ransomware has been so-called “doxware”, which as its name may suggest merges malicious encryption methods with doxing, the publishing of personal data online.
“It’s basically ‘we’re going to take your files, we’ll encrypt them, we’re demanding you pay us and if you don’t we’re going to throw it up on the internet’,” Kujawa said. “For an individual person that might not be a bad problem but for a company that could be huge.”
This is a devious but interesting workaround for the cases where a victim has a backup of their data and is unfazed by not paying. This all fuels the arms race between cybercriminals and security software vendors and regular people.
“There’s light at the end of the tunnel and this is a double-edged sword. The need for malware to develop further comes from the security community and the public at large ability to defend against these attacks,” explained Kujawa but every time we get better at security, cybercriminals change their tactics.
This isn’t likely to change in 2017. “They’re going to change their methods, I promise you that.”