Intelligent Machines

Holding Data Hostage: The Perfect Internet Crime?

Thousands of people will have their personal files held hostage this year, by software that uses virtually unbreakable encryption.

Feb 4, 2015

Every so often someone invents a new way of making money on the Internet that earns wild profits, attracts countless imitators, and reshapes what it means to be online. Unfortunately, such a shift took place last year in the world of online crime, with the establishment of sophisticated malicious software known as ransomware as a popular and reliable business model for criminals.

After infecting a computer, perhaps via an e-mail attachment or a malicious website, ransomware automatically encrypts files, which may include precious photos, videos, and business documents, and issues an electronic ransom note. Getting those files back means paying a fee to the criminals who control the malware—and hoping they will keep their side of the bargain by decrypting them.

The money that can be made with ransomware has encouraged technical innovations. The latest ransomware requests payment via the hard-to-trace cryptocurrency Bitcoin and uses the anonymizing Tor network. Millions of home and business computers were infected by ransomware in 2014. Computer crime experts say the problem will only get worse, and some believe mobile devices will be the next target.

Ransomware has been around for more than a decade. Older examples tended to be ineffective or relatively easy to defeat. But a new, more potent wave of ransomware emerged in late 2013 beginning with a version dubbed Cryptolocker. That malware infected Windows computers and in about 30 minutes would encrypt nearly all the data stored on them, as well as any external or network drives, locking up photos, music, and videos. Then it would display a message with a 72-hour countdown timer telling the victim to pay a fee (usually around $300) to retrieve the data. Step-by-step instructions explained how to send the money by buying bitcoins or using a prepaid debit card.

Cryptolocker was professional in its design, and it used an essentially unbreakable encryption system developed by Microsoft. At its peak, around October 2013, Cryptolocker was infecting 150,000 computers a month. And over the course of nine months, it is thought to have generated about $3 million in ransom payments.

The criminals behind Cryptolocker were taken down in June last year, after collaboration among the FBI, U.K. and E.U. law enforcement agencies, security companies, and academic researchers. Investigators broke into the network used to control the malware and uncovered a stash of encryption keys that were then used to create a free service to rescue data belonging to victims of the scam.

Because of the breakout, if temporary, success of Cryptolocker, the problem of ransomware seems sure to get bigger.

Uttang Dawda, a malware researcher with security company Fireeye, who worked on the Cryptolocker rescue tool, says computer criminals have identified ransomware as a valuable new business model. If well designed, it provides easier profits than stealing credit card details or banking information and then selling that data on the black market. The crooks “get anonymity, faster profit, and don’t have to spend time and money finding middlemen,” Dawda says.

The most successful ransomware circulating today copies Cryptolocker’s basic design but adds technical and interface-design improvements.

One of the first pieces of ransomware to gain traction last year, Cryptowall, added the twist of using the Tor anonymity network, allowing its operators to hide the location of their computers. Between mid-March and late August last year, Dell SecureWorks logged nearly 625,000 Cryptowall infections, including more than 250,000 in the U.S.

Another piece of ransomware, CTB Locker, is the fastest-growing today, says Dawda. It uses stronger encryption than previous specimens, the same Tor trick as Cryptowall, and even a clever “freemium” design: victims get a chance to decrypt some of their data for free to demonstrate that paying up really will work. CTB Locker comes in several versions, in languages including Italian, Dutch, German, and Russian, as well as English. It is spreading most rapidly in Germany, Poland, Mexico, and South America, says Dawda.

“Things are getting worse and worse, and we’re seeing more and more infections,” says Bogdan Botezatu, a senior threat analyst at security company Bitdefender. Botezatu’s says ransomware now takes up most of his team’s time. He generally advises victims not to pay but admits he understands why many do. “Once you fall victim to ransomware, there is absolutely no way to get your data back without paying,” says Botezatu. “But if you pay, you are only encouraging this business and funding their research and development.”

The recent rise of ransomware prompted the FBI to issue a report last month in which it warned that the crime poses a threat not only to home computer users but also to “businesses, financial institutions, government agencies, academic institutions, and other organizations.”

Some security researchers predict that 2015 will see significant efforts by criminals to get ransomware working on smartphones and tablets as well. These devices often contain highly prized personal files such as photos and videos.

The first ransomware able to encrypt files on a smartphone was picked up last summer by researchers at the company ESET. That malware, known as Simplocker, targets Android phones and encrypts photos, videos, and other data. Robert Lipovsky, who leads the security intelligence team at ESET, says Simplocker is “quite widespread” in the U.S. but most prevalent in Russia, Ukraine, and elsewhere in Eastern Europe. It is hard for malware to spread on mobile devices, because most people download software only from official app stores. Simplocker is typically spread through downloads of apps from pornography websites.

The best way to keep ransomware off your computer, experts say, is to follow best practices by keeping software updated, using antivirus and other security software, and being careful about where you click and what you install. Backing up data on a separate hard drive or using a cloud service could save you from being held for ransom if an infection does occur.

“Ransomware could be just a minor nuisance if people could just restore the data from the backup,” says Lipovsky. However, like other security researchers, he is resigned to discovering many more cases of ransomware in coming months. “Even though the advice is quite simple, lots of people don’t listen to it.”