Ransomware operators are offering viruses to beginner hackers in exchange for a split of the profits on the underground black markets.
Ransomware Is The Malware Of Choice For Hackers
Security experts have uncovered that a new ransomware distribution scheme has become very popular among computer criminals. The experts have discovered that in the last few months experienced hackers have started to lure beginners into infecting various targets. The proposition is that the more experienced hackers customize viruses from one of the well-known virus families (in most cases those belonging to Hidden Tear/EDA2) for the newcomers, under the condition that the profit is shared equally. Ransomware pricing strategies to date have included the following options:
Fixed Price Viruses – The criminal developers sell ready-to-use viruses at fixed prices on the underground markets.
Tier Pricing – Virus developers create several different “packages” of a single virus. The price gets higher as advanced features are added to the final order. This allows for the creation and trade of dangerous iterations.
Malware Families Code Trade – Most of the famous ransomware strains are descended from one of the well-known families such as Hidden Tear, Cerber and Locky. In a variety of high-priced trades and auctions we have seen hackers offer their complete code, which has allowed programmers to create their own versions.
Customization – Inexperienced programmers can pay ransomware creators a small fee to create customized versions of the supplied ransomware code.
Subscription Service – Some of the ransomware variants are offered as a subscription service. The hackers who pay a monthly access fee receive support and updates for the supplied viruses.
We have seen a wide variety of threats proliferate through such “business” deals. A popular threat used by many hackers worldwide is Sage 2.0 (read our complete removal guide here). Such services are offered because infecting computer users in bulk generates income. There are a number of reasons why ransomware has practically become the first-choice tool in the hacker’s arsenal.
Ransomware Infections Are Easy To Operate
It is very easy to infect computer users who do not know the basics of protecting themselves from such threats. Examples of their success are the most popular virus spread methods:
Bulk Spam Messages – Hacked or hacker-controlled email accounts and web servers are configured to send out infected messages. Probably the most dangerous type is the phishing campaign. In recent times the hackers employ infected Microsoft Office documents which utilize dangerous macros. As the messages pose as originating from famous companies or government institutions, users are encouraged to interact with the document by following fake prompts that ask them to enable the macros. Upon activation the payload is executed and the ransomware is downloaded to the local computer.
Exploit Kits – Automated attacks against unpatched software installations are done mainly through the use of exploit kits.
Infected Application Installers – One of the most frequently used infection methods is through software installers. They are bundled with the ransomware samples and they can often be found on various untrusted download portals or P2P networks. The majority of them pose as legitimate commercial or freeware versions of well-known productivity software, games, patches and utilities.
Dangerous Web Scripts – Malicious browser extensions (hijackers), ad networks and redirection scripts are also used to boost the infection ratio. The ad networks and redirects can cause users to navigate to a malicious download portal and infect themselves with all sorts of viruses, while at the same time generating income for the operators. Browser hijackers on the other hand can also cause significant damage, as they modify the settings of the installed web browsers – Mozilla Firefox, Google Chrome, Microsoft Edge, Internet Explorer. They change the default new tab page, homepage and search engine to point to hacker-controlled sites. In addition they pose a privacy threat, as they can harvest and transmit the stored account credentials, browsing history and user activity to the hackers.
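The macro-document lure described above is something a mail gateway can screen for before a user ever sees the "enable content" prompt. The following is an added defensive example, not code from the original article: it classifies an Office attachment by container type, flags OOXML files that carry a VBA project (vbaProject.bin), notes when macros hide under a non-macro extension, and treats legacy OLE2 binaries as needing sandbox analysis. The sample documents are constructed in memory; function names are the author's own.

```python
import io
import zipfile

# Magic bytes: legacy OLE2 compound file (.doc/.xls) and the zip container used by OOXML
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
NON_MACRO_EXTS = ("docx", "xlsx", "pptx")  # formats that should never carry VBA


def classify_office_attachment(name: str, data: bytes) -> dict:
    """Inspect an attachment and report format, macro presence and why it looks suspicious."""
    result = {"name": name, "format": "unknown", "has_macro": False,
              "suspicious": False, "reasons": []}
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if data.startswith(ZIP_MAGIC):
        result["format"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                members = z.namelist()
        except zipfile.BadZipFile:
            result["reasons"].append("corrupt zip container")
            result["suspicious"] = True
            return result
        # Any vbaProject.bin part means a VBA macro project is embedded
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            result["has_macro"] = True
            result["reasons"].append("contains vbaProject.bin (VBA macro project)")
            if ext in NON_MACRO_EXTS:
                result["reasons"].append(f"macro project inside a .{ext} file (extension mismatch)")
    elif data.startswith(OLE_MAGIC):
        # Legacy binary formats need a full OLE parser to prove macro-free; route to sandbox
        result["format"] = "ole2"
        result["reasons"].append("legacy OLE2 binary; VBA cannot be ruled out without deeper parsing")
    result["suspicious"] = result["has_macro"] or result["format"] == "ole2"
    return result


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("invoice.docm", build_sample_ooxml(True)),
                        ("report.docx", build_sample_ooxml(False))):
        print(classify_office_attachment(fname, blob))
```

In a gateway this check decides whether an attachment is delivered, quarantined or detonated in a sandbox; it does not replace running the document in one.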
The Dot Ransomware Is The Perfect Example
The ongoing campaign which offers the Dot Ransomware (read all about it here) is one of the most popular examples. The ransomware itself is fairly dangerous and it can only be removed by using a quality anti-malware solution. It can modify important Windows files, which can prevent the normal operation of the computer. The most important characteristic is that the virus itself is marketed as RaaS (Ransomware as a Service): its criminals have created it specifically to fit into this payment model. This has allowed it to become a popular commodity on the underground markets.
By using such affiliate schemes the hackers have been able to cause serious and widespread attacks against all major industrial sectors, individual computer users around the world and even government institutions. We constantly report large-scale attacks that have a high infection ratio not because of their complexity but because of their volume. Here are some of the facts when it comes to ransomware attacks:
The volume of attacks causes the higher infection counts – Simple strains that are sent in a high volume of messages can statistically produce more damage to the predefined targets. As the hackers often target ordinary computer users who may not know how to protect themselves, they have a high degree of success.
Some industrial sectors are not well-equipped to handle even basic ransomware infections. This makes it relatively cheap and easy to launch a large-scale attack with simpler ransomware variants against them in the hope of infecting whole networks and extracting a large ransom payment in exchange for the promise of decryption.
It is relatively easy to send bulk email messages by infecting hosts and then using harvested information or Trojans to recruit them into a botnet or take over their servers.
All of this showcases the need for strong network and host protection mechanisms to ensure that computer users, companies and organizations protect themselves efficiently. For more information read our Ransomware Removal Guide.