Holiday Sale on Ransomware

December 5, 2017

“One-time payment at the cheap price of $40 for a lifetime subscription. Buy it now! You’ll never get another offer like this.” It sounds straight from an infomercial or a magazine ad, but this sales pitch (with corrected grammar) came from a site on the dark web hawking a new ransomware called Halloware. The surprisingly low cost shows what a competitive ransomware-as-a-service market has done to malware prices.

Admittedly, $40 is on the low end of the spectrum for this type of service, and as ransomware experts have reported, Halloware is somewhat of a cut-rate product. Still, the proliferation of easily obtained malware is not good for computer users.

Various researchers discovered Halloware on Dec. 1 and reported on it shortly after. Security experts at Bleeping Computer managed to extract the source code of the ransomware and analyze it. They found that the ransomware could encrypt files but it would not be able to decrypt them. This makes it dangerous and destructive but ultimately unprofitable for distributors.

With the source code in hand, security experts are already working on a decryptor for this ransomware in case any distributors do buy a subscription and deploy it.

The discovery of Halloware follows McAfee’s prediction of a boom in “off-the-shelf” dark-market ransomware sales.

The news about Halloware came shortly after McAfee released their 2018 Threats Predictions report. The IT security firm believes that the new year will bring fewer variants of ransomware due to distributors relying on ransomware-as-a-service products. Despite this, McAfee still predicts an overall increase in attacks.

The report noted that defenses against ransomware have been improving. Because of this development, attackers could shift from wide-ranging phishing schemes to focused attacks on high-value individuals or specific businesses.

Open-source ransomware continues to hold a significant share of the market.

Open-source ransomware offers a middle path between creating original ransomware and using ransomware-as-a-service. Modifying and distributing open-source malware requires much less expertise than creating a product from scratch. Still, some knowledge and legwork are necessary to turn open-source code into working ransomware.

An analysis from IT security company Zscaler described two open-source ransomware strains making the rounds. Vortex ransomware was based on the open-source AESxWin encryption/decryption utility, and BUGWARE was built on Hidden Tear. The source code of both projects is freely available on GitHub, giving would-be attackers a head start.

IT defenses are improving, but ransomware will adjust.

After the WannaCry and NotPetya attacks, security cooperatives like the Cyber Threat Alliance have gotten serious about thwarting future attacks. Of course, as with any profitable criminal enterprise, the bad guys will likely find new ways to reach victims.

To protect yourself from ransomware, use good internet hygiene, like avoiding suspicious links and attachments (even from known senders). Keep current backups, and keep them offline, so they are unreachable by malware.

Install updates when they become available. Even if this sometimes creates new problems (as was the case with a recent macOS update), it protects you from many more. Lastly, use trusted antivirus software to head off threats before they reach your computer. The attackers will continue adjusting their tactics, and so should you.