Tales of the Cyber Underground: Inside the Underground Ransomware Market

Cerberus was the three-headed hellhound in Greek and Roman mythology that guarded the gates of the underworld
Cerberus was the three-headed hellhound in Greek and Roman mythology that guarded the gates of the underworld

Ransomware has been a growing menace in the minds of users over recent months, largely because of the Cryptolocker saga, which reached its pinnacle in May when a global police effort saw the malware’s command-and-control servers taken offline.

It might seem odd that ransomware gets people in such fits of panic, given it’s actually on the decline. According to a McAfee report released in June, the number of ransomware samples has dropped for three straight quarters. Meanwhile, more esoteric malware like bootkits, which aim to get low-level access by taking over the master boot record and which grew in number by 50% in the first quarter of 2014, are on the rise.

Haggling among Thieves

But these trends miss a key point: criminals love ransomware. On the underground forums, the market for buying and selling the malicious kit, which locks up people’s data before asking for payment to unlock it, is buzzing. Numerous sellers are offering variants for a range of sums, many pushing into the thousands of dollars.

One seller, in a blatant act of aggressive salesmanship, told a certain forum that he thought the $850 price tag for his “Exaction Crypto Locker” was way too low, given he’d seen other types going for $5000.

For that price, the dealer promised “military grade” AES 256-bit encryption to lock up victims’ files, which would take “millions of years to brute force”. The key, they said, would be sent to the user’s command-and-control server, which would mean the crook was truly in control (older ransomware tended to store keys on the local machine, making it possible to find them and decrypt the data without paying).

Written in C, the malware also deletes the targets’ recycle bin, presumably to remove any useful files that might be kept there, such as some kind of backup recovery. The malware maker claimed to have tested their malicious tool across Windows platforms, from 2000 up to 8.1, the latest version of Microsoft’s OS, with compatibility on 32- and 64-bit systems too. There was also full support delivered over Jabber, the IM client that uses cryptography to hide user identity.

Are Three (or Four) Heads Better than One?

Over on another forum, a large advertisement titled The Gates of Cerberus (the portentousness of which was undone by the use of Comic Sans) promised a significant ransomware project. The seller, after explaining the choice of name (Cerberus was the three-headed hellhound in Greek and Roman mythology that guarded the gates of the underworld), explained the user would be able to update their malware with fresh modules once they’ve made a purchase.

What was most interesting about Gates of Cerberus was the “proprietary” encryption method the ad promised, which would make files inaccessible to the victim using four different algorithms and four separate keys. Then comes the apparently impressive master key generation, used to access the other four keys, which is stored remotely.

“It takes the top five most trending topics (hourly) from Facebook, Twitter and MySpace. It puts them together, randomizes the key into a 128 character string, takes the local PC’s name, throws that string into the median of the current buffer, dynamically assigns every other character to a random address… then attaches a private key to the string (using a function I will not publically [sic] disclose)”, the forum post reads.

The dealer also notes the use of an associated bookit that can be used to access that private key, which indicates it would be stored somewhere on the users’ BIOS. It looked like an interesting evolution of ransomware, but who knows if these outlandish encryption mechanisms actually work. That’s probably why the malware was on offer for a low, low cost of $500.

Quality Over Quantity

Whatever the quality of Cerberus, it points to the innovation going on in this space among digital criminals. The quality of ransomware is clearly improving, even if numbers are waning, says Kaspersky Lab senior security researcher Sergey Lozhkin. He claims he has seen ransomware types using multiple keys, as Gates of Cerberus offered, but also using the Tor anonymizing network to host connected domains and keys.

Lozhkin believes Cryptolocker, despite its sophistication, is just the start of things to come because crafting ransomware is much simpler than with high-profile trojans, such as banking malware that performs web injects and works alongside bespoke mobile versions. If the source code for Cryptolocker leaks, then innovation will only spike, as it did with Zeus when its insides we exposed, Lozhkin adds.

“Cryptolocker is not the best we will see… when you get the source code, a lot of bad guys start developing new kinds of malware”, says Lozhkin. “I think it's possible that the source code of something like Cryptolocker could leak and then someone could develop a completely new version with new algorithms. I think it's not the end.”

Crooks are also finding it much easier to access delivery methods for their ransomware. Just as Cryptolocker was disseminated by Gameover Zeus, other strains are being spread by cheap yet effective botnets. “It's not like a few years ago when it was difficult to set up a botnet. You can go to these forums, buy a botnet with Bitcoin fully prepared... you will get a lot of infections and you simply need to collect the money”, Lozhkin adds.

Innovation is taking place among mobile ransomware types too, which is attracting the attention of underground forum users. The Simplocker malware, which targeted files on SD cards of Android devices – largely focusing on Russian and Ukrainian users – was selling for $5000 on the forums.

Yet Windows PCs remain the most popular target. “There’s not much on the mobile ransomware side. Infection is still a little challenging (though there are services for this). It’s still a lot easier to go after PCs, hence the low interest”, adds Daniel Cohen, a cybersecurity strategist with RSA.

“I am sure it will pick up though….”

What’s hot on Infosecurity Magazine?