Computer hackers continue to develop and distribute new ransomware strains, and lately independently created viruses have surged in popularity.
Ransomware Attacks Are A Major Cause of Virus Infections
Malicious users continue to spawn new iterations of dangerous ransomware families, and the security community constantly notes the independent creation of new malicious code. So far there are two primary types of viruses:
Descendants of Malware Families – The hackers base the code of their virus on well-known “families” of malware that share the same code base. Based on the complexity of the changes there are two main types of release – major and minor. Major releases update the core code with new features, which requires the anti-malware vendors to issue completely new detection signatures. Minor updates, on the other hand, modify non-essential components such as the ransom note or the list of targeted file extensions.
Independent Creations – These are viruses that have been created from scratch. Most of them are relatively simple and share the same typical behavior patterns. However, the most complex ones can require serious analysis and may cause as much damage as any serious virus coming from famous malware families such as Cerber or Spora.
Ransomware has become one of the most popular types of computer virus because its direct goal is to generate revenue for the attackers. While other malware is more focused on sabotage, spying on the victims or stealing their files, ransomware is efficient and follows a set infection and behavioral pattern.
The Ransomware Underground Trade
The popularity of these viruses is also linked to how easily the necessary samples can be acquired. Almost all underground black market forums carry the most popular malware strains, and some even feature tutorials and in-depth guides on customizing them. Custom editions and programmers for hire are also readily available to anyone with the needed money. To a large extent the campaign operators (who are not necessarily the ones who created the ransomware) can achieve an almost immediate return on investment if they employ an efficient infection strategy. The most popular methods include the following:
Email Spam Messages – The ransomware is usually delivered in bulk phishing campaigns. The hackers attempt to lure the victims into infecting themselves by including the malicious code in scripts or macros inserted into attached documents that appear legitimate and of interest to the user. Other tactics include directly placing hyperlinks that lead to the dangerous executable files or even attaching them directly to the emails. The computer criminals employ hacked email servers and accounts.
Dangerous Software Installers – Dangerous bundles that include ransomware viruses are often distributed on hacker-controlled or untrusted download sites and BitTorrent trackers. They are primarily advertised as pirated copies of legitimate and famous applications and games.
Scripts and Hijackers – Malicious ads and browser hijackers are a very popular source of virus infections. They link to or directly initiate downloads of arbitrary files as instructed by the criminal developers who control them. Browser hijackers are a dangerous threat because they also endanger the user’s privacy by forwarding their cookies and sessions through third-party sites.
Download Sites and BitTorrent Trackers – Various hacker-controlled download sites and BitTorrent trackers can be used to distribute dangerous ransomware or infected bundles.
The diversity of ransomware infection techniques is a significant factor in the overwhelming success of these infections.
Localized Ransomware Strains Are Becoming Much More Popular
While the majority of the malware strains that we observe on a daily basis are aimed mainly at English-speaking users, we have seen a rising trend among virus creators of spreading geographically localized iterations. These are ransomware strains that target only specific countries or speakers of predefined languages. A good example is the recent CYR-Locker ransomware, which is actually a scareware threat. These viruses operate by scanning the settings of the infected hosts. If the hosts meet certain criteria (language settings and keyboard layout configuration), the viruses are activated. In all other cases the malware stays idle or deletes itself.
Some of the localized ransomware strains also deliver additional threats as instructed by their configuration.