Ransomware Goes Mobile

Ransomware is the fastest growing threat online today, raising many millions each year (and not for charity). After infiltrating a system, it encrypts or locks files and demands a ransom be paid for the key. Regularly, decoders are produced by analysts, though the best (uncrackable) ransomware models greatly outnumber the variants that can currently be decrypted. Over the last year, there has been a rise in the targeting of business and corporate systems by established professional cyber gangs (almost 50% of the Locky ransomware victims last year were small-to-medium-sized businesses), though the individual user has not been forgotten. Ransomware packages and franchises are readily available for sale on the TOR network, and these are purchased by apprentice cyber-robbers who cut their teeth on the less lucrative though easier private market. Malware is indeed fast developing into a vast twilight industry and as such, specialization and divergence occurs – just like in legitimate daylight commerce. As a result, in the past two years, there has been a steady rise in mobile ‘phone ransomware specifically aimed at the individual’s growing reliance on the device.

The ‘phone manufacturer Ericsson estimates that two-thirds of Americans now own smartphones and they predict that this figure will reach 70% world-wide by 2020. Many people keep enough data on these devices to allow a hacker to reconstruct a person’s whole identity and seize control of many daily applications – even their finances. Increasingly, people complete every conceivable task on portable devices which function in much the same way as a PC operating system. It is little wonder that the malware and ransomware expansion into this area has happened. Research by Filip Chytry of Avast suggests that thirty percent of mobile ransomware is spread by amateurs, and the remainder is distributed by organized cyber-crime gangs. He determined this figure by monitoring the communication between Command and Control servers used for the sending of encryption keys to infected devices. These internationally distributed servers are systematically rotated to make it more difficult for security companies to block the malware connections.

The Birth of Mobile Ransomware

Before the emergence of Simplocker in 2014, there were only prank ransomware attacks that perhaps made a little cash through scaring or confusing the user, though the hack was the only technical aspect as no actual encryption was carried out. But perhaps this was a dry-run for Simplocker which was the first actual mobile encryption ransomware, and used an AES algorithm. This encryption was dealt with when it was learned that it wasn’t unique key encoding used – that there was a master key, so this was quickly cracked.

However, a few months later in 2015, the new Simplocker variant was released onto the ransomware market. The malware authors had realized that their product needed stronger and unique incryption. This time, each device was uniquely encrypted using AES 256 bit which, whilst only 20% of the strength of most PC ransomware, is still unbreakable without a key. Avast say that last year more than 20 000 of their customers were subjected to mobile ransomware. To present, they have observed a 5-6% rise in the last quarter. Very often even if the ransom is paid there is no decryption forthcoming.

How Ransomware Mobilizes

How mobile ransomware is usually spread is using social engineering and graphic deception. Since it is difficult to place malvertising (placing malicious links on legitimate user interfaces) on Google Play Store, other ‘sites are created to catch the eye, with adverts to download wonderful apps. These ads divert the user to a page that looks very like the Google ‘site – apart from the domain name (which is usually something like google.xyz instead of .com). This is often missed by people trying to go through life doing the important things while also trying to download a fab app, or chattering on social media. Infections can also happen as a result of vulnerabilities in apps or operating devices such as Certif-igate trojan in Android and Stagefright in the Google operating systems (Stagefright infected nearly 1billion Android users and needs only a device’s ‘phone number to infiltrate).

Where Mobile Ransomware is heading, and how to prevent it?

Although these last two infections are not ransomware, it is only a matter of time before a vulnerability other than user attention is targeted to deliver mobile ransomware. It doesn’t mater if the device is smaller and perhaps cheaper than a PC – it is the things they carry that are being ransomed, and if a person wishes to write their life to a ‘phone’s memory, then this is a responsibility to be carried also. There are several anti-virus apps currently on the market for mobiles, and Avast make one of these.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.