by: Matt Haring


If you haven’t embraced backups yet because you think you are so tech savvy that you wouldn’t open spam email or fall for social engineering tricks, then brace yourself for cryptoworms. Security researchers warned that self-propagating ransomware, the semi-autonomous kind that doesn’t need any help from humans to spread, is coming in the future.

The Cisco Talos report, “Ransomware: Past, Present, and Future” first delves into the “traits of highly effective strains of self-propagating malware” before discussing how ransomware could evolve to include powerful, built-in, self-propagating traits like those in worms and botnets.

As for history, let’s just look at one ransomware variant from February. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center. When Locky, which used infected Word files to spread ransomware, was brand new, there were reportedly 100,000 new infections per day; at one point there were between one to five new endpoint infections per second. If only one-fourth of the daily 100,000 victims paid the ransom of .5 bitcoins, which is about $213 today, then the cyber-thugs were pulling in over $5 million per day. Even if Cisco Talos suggested about 2.9% of 90,000 daily victims paid the ransom, which means crooks pulled in $546,795 daily, that’s an impressive haul. So it’s not too hard to see why criminals are jumping on the ransomware crazy train to cash in.

Back in the day, worms were extremely effective and could quickly infect millions of computers and cripple corporate networks with linked workstations. Heck, there are even some businesses which are still infected with Conficker. Now if you imagine those self-propagating features built into ransomware, it’s like a nightmare scenario. The Cisco Talos researchers examined some of the vicious propagation traits of old-school malware and then incorporated some of them into what they described as a potential framework of next-generation ransomware.

Advanced attackers in the Cisco Talos hypothesis would “prefer to use software with a modular design” so they could use certain functions only when needed and have “the ability to switch tactics as required in the event one method is discovered or is found to be ineffective.”

Examples of modules that could be used in the crypto-ransomware of the future included one that scans for “executable files that are not protected by built-in security features.” Another module would hunt for mapped local and remote drives and then have an autorun feature “to request any computer that the drives are connected to in the future to run these infecting programs.” A different module would exploit “known weaknesses in popular authentication infrastructures” and then use those credentials to provide access to other systems. Other modules might help keep the cryptoworm from being discovered, so forget about discovering it via regular Command and Control and ransomware that uses too much CPU or network resources.

It is important to note that it’s not digital black magic and the ransomware doesn’t just appear out of nowhere; the researchers’ scary scenario involves a skilled, financially motivated adversary having previously gained initial access into the network. But once the cryptoworm is launched, “the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3200 workstations are compromised; half the organization’s digital assets, and the vast majority of the company’s data are encrypted.”

* * * *  Cryptoworm ransom starts at $1 million  * * * * 

The researchers described the payload:

The payload generated demands 1 million dollars USD in bitcoin to be delivered in 8 days, tripling to 3 million dollars if payment is not made in 8 days. The instructions mention a .onion address (hidden service) and provide instructions on how to use tor2web or the Tor Browser Bundle, and how to purchase bitcoins. Since the attackers know where all the important applications, drives and data are located, they have included custom directories and file extensions for the ransomware to attempt to encrypt as a part of the core implant.

If you don’t regularly backup, then you might want to rethink that life choice. Williams told Threatpost, “The cryptoworm’s Achilles Heel is a reliable backup, so you don’t have to be extorted.”