Ransomware is a strain of malware that blocks users or a company from accessing their personal data or apps on infected computers, devices or servers. Then the exploit demands cryptocurrency as payment to unblock the locked or encrypted data and apps. This form of cyber extortion has been increasing in frequency and ferocity over the past several years. Seemingly, a week does not pass without hearing about the latest ransomware exploit attacking government agencies, healthcare providers (including Covid-19 researchers), schools and universities, critical infrastructure and consumer product supply chains.
According to the Q3 2021 Ransomware Index Spotlight Report that Ivanti conducted with Cyber Security Works and Cyware, ransomware groups are continuing to grow in sophistication, boldness and volume, with rising numbers across the board since Q2 2021. This last quarter saw a 4.5% increase in common vulnerabilities and exposures (CVEs) associated with ransomware, a 4.5% increase in actively exploited and trending vulnerabilities, a 3.4% increase in ransomware families and a 1.2% increase in older vulnerabilities tied to ransomware, compared to Q2 2021.
The most common delivery mechanisms are email and text messages that contain a phishing link to a malicious website. By tapping on the link, the user is redirected to an infected website where they unknowingly download drive-by malware onto their device. The malware can contain an exploit kit that automatically executes malicious programmatic code that performs a privilege escalation to the system root device level, where it will grab credentials and attempt to discover unprotected network nodes to infect via lateral movement.
Another common delivery mechanism are email attachments that can also contain malware exploit kits that affix themselves to vulnerable apps, computer systems or networks to elevate their privileges in search of critical data to block.
There are four main types of ransomware. First is the locker ransomware, where the earliest form on mobile devices was found on Android. It was detected in late 2013 and called LockDroid. It secretly changed the PIN or password to the user’s lock screen, preventing access to the home screen and to their data and apps.
The second type is encryptor ransomware that employs encryption of apps and files, making them inaccessible without a decryption key. The first exploit using this type of ransomware was found in 2014 and called SimpLocker. It encrypted the personal data contained within the internal secure digital (SD) storage of an Android device. Later, an official-looking message showing criminal violations based on scanned files found in the device is displayed to the victim. This is followed by a demand for payment message that would allow the victim to resolve the fake violations and receive the decryption key to unlock their blocked data and apps.
Extortion payments are often made with Monero cryptocurrency because it is digital and often untraceable, ensuring anonymity for cybercriminals. Bitcoin is still sometimes used, but lately companies like CipherBlade have been able to track down ransomware gangs using Bitcoin and return the money back to victims. Rarely, mobile payment methods like Apple Pay, Google Pay or Samsung Pay are also used, but cryptocurrency is still the preferred payment for ransomware.
Within the past several years, cybercriminal gangs have added other types of ransomware exploits including Doxware, which are threats to reveal and publish personal or confidential company information onto the public internet unless the ransom is paid. Another is ransomware-as-a-service (RaaS). Cybercriminals leverage already developed and highly successful ransomware tools in an RaaS subscription model, selling to lesser skilled cybercriminals to extort cryptocurrency from their victims and then share the ransom money.
Android exploits: anatomy of the SimpLocker attack
Here is an example of how a ransomware attack works.
Installation: The victim unknowingly lands on a malware compromised or Angler hosted web server and wants to play a video or run an app. The video or app requires a new codec or Adobe Flash Player update. The victim downloads the malicious update software and installs it, requiring device administrator permissions to be activated. The mobile device is infected and the ransomware payload installs itself onto the device.
Communications: The malware scans the contents of the SD card. Then it establishes a secure communications channel with the command and control (C2) server using the anonymous Tor or I2P proxy networks within the darknet. These networks often evade security researchers, law enforcement and government agencies, making it extremely difficult to shut them down.
Encrypt data: The symmetric key used to encrypt the personal data on the attached SD card are kept hidden within the infected mobile device’s file system, so the encryption can persist after reboots.
Extortion: An official-looking message from a government agency is displayed, informing the victim that they are in violation of federal laws based on data found on the device after a scan of their personal files.
Payment demand: A demand-for-payment screen with instructions on the method of payment is then displayed. The fine was normally US$300 to US$500 and commonly paid in cryptocurrency.
If the ransom payment is made, the symmetric key is provided and used to decrypt the personal data. If the victim is fortunate, they can retrieve all their personal files intact, although there have been reports that some if not all the data are corrupted and no longer usable after they are decrypted.
Android devices are especially susceptible to ransomware because of several factors. Firstly is its global adoption with 71% of the worldwide market share and more than 3 billion devices worldwide. Next is the 1,300-plus original equipment manufacturers (OEM) along with the fragmentation of the Android operating system. Devices running versions from 2.2 to 11.0 means a very large number of them did not receive a critical security update, leaving them vulnerable to malware.
The last factor is Android users routinely root their devices and install apps that are unverified by Google. There are now more than 3 million apps available for download from the Google Play Store, with potentially another million more that can be downloaded from unknown and possibly malicious sources. Any one of these apps can be used to host malware that can lead to ransomware exploits.
