DOCSLIB.ORG

Kaspersky Security for Linux Mail Server Receives Highest Vbspam+

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Kaspersky Security for Linux Mail Server Receives Highest Vbspam+ THE POWER OF PROTECTION KSN Report: Ransomware in 2016-2017 www.kaspersky.com Contents Executive summary and main findings ..................................2 Introduction: A brief look at ransomware evolution over a year .............................................................. 3 Part 1. PC ransomware: ransomware – conveyor of targets .................................................................. 4 Ransomware intra-species massacre .................................. 11 WannaCry pandemic .............................................................. 14 Part 2: Mobile ransomware Statistics.................................................................................. 19 Part 3. How it is all orchestrated ........................................... 24 Conclusions and predictions ................................................ 26 1 Executive summary and main findings Ransomware is a type of malware that, upon infecting a device, blocks access to it or to some or all of the information stored on it. In order to unlock either the device or the data, the user is required to pay a ransom, usually in bitcoins or another widely used e-currency. The term ransomware covers mainly two types of malware: so-called Windows blockers (they block the OS or browser with a pop-up window) and encryption ransomware. The term also includes select groups of Trojan-Downloaders, namely those that tend to download encryption ransomware upon infection of a PC. This report covers the evolution of the threat from April 2016 to March 2017 and compares it with the period of April 2015 to March 2016. Methodology: This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN). The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled, who encountered ransomware at least once in a given period, as well as research into the ransomware threat landscape by Kaspersky Lab experts. Main findings: • The total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4% compared to the previous 12 months (April 2015 to March 2016) – from 2,315,931 to 2,581,026 users around the world; • The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by almost 0.8 percentage points, from 4.34% in 2015-2016 to 3.88% in 2016-2017; • Among those who encountered ransomware, the proportion who encountered cryptors rose by 13.6 percentage points, from 31% in 2015-2016 to 44.6% in 2016-2017; • The number of users attacked with cryptors rose almost twice, from 718,536 in 2015-2016 to 1,152,299 in 2016-2017; • The number of users attacked with mobile ransomware fell by 4.62% from 136,532 users in 2015-2016 to 130,232. 2 Introduction: A brief look at ransomware evolution over a year The rise of Ransomware-as-a-Service In May 2016 Kaspersky Lab discovered Petya ransomware that not only encrypts data stored on a computer, but also overwrites the hard disk drive's master boot record (MBR), leaving infected computers unable to boot into the operating system. The malware is a notable example of the Ransomware-as-a-Service model, when ransomware creators offer their malicious product ‘on demand’, spreading it by multiple distributors and getting a cut of the profits. In order to get their part of the profit, the Petya authors inserted certain “protection mechanisms” into their malware that do not allow the unauthorized use of Petya samples. While Ransomware-as-a-Service is not a new trend, this propagation model continues to develop, with more and more ransomware creators offering their malicious product. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own malware. Notable examples of ransomware that appeared in 2016 and used this model were Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom. The growth of targeted attacks In early 2017, Kaspersky Lab’s researchers have discovered an emerging and dangerous trend: more and more cybercriminals are turning their attention from attacks against private users to targeted ransomware attacks against businesses. The attacks are primarily focused on financial organizations worldwide. Kaspersky Lab’s experts have encountered cases where payment demands amounted to over half a million dollars. The trend is alarming as ransomware actors start their crusade for new and more profitable victims. There are many more potential ransomware targets in the wild, with attacks resulting in even more disastrous consequences. The analysis in this report attempts to assess the scale of the problem, and to highlight possible reasons for the new angles of ransomware developments globally. 3 Part 1. PC ransomware: ransomware – conveyor of targets The numbers for the observed period show that ransomware is still on the rise – albeit at a slower growth rate. The total number of users who encountered ransomware over the12 month period from April 2016 to March 2017 grew by 11.4% in comparison to the previous year: April 2015 to March 2016 – from 2,315,931 to 2,581,026 users around the world. This is a weaker pace compared with 17.7% increase in the previous period. The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by almost 0.5 percentage points, from 4.34% in 2015-2016 to 3.88% in 2016-2017. The following graphs illustrate the change in the number of users encountering ransomware at least once in the 24-month period covered by the report. As can be seen in Fig. 1, the volume of ransomware attacks has been rather sporadic, rising and falling with two peaks in October 2015 and March 2016. These periods were marked with Locky ransomware activities. 450000 400000 350000 300000 250000 200000 150000 100000 50000 0 CY 2015 July 2015 CY CY 2015 May 2015 CY CY 2015CY April CY 2015 June 2015 CY CY 2016 March 2016 CY CY 2015 August 2015 CY CY 2015 October 2015 CY CY 2016 January 2016 CY CY 2016 February 2016 CY CY 2015 November 2015 CY December 2015 CY CY 2015 September 2015 CY 2015 2016 Fig. 1: The number of users encountering ransomware at least once in the period from April 2015 to March 2016 The following year, the situation looks slightly different – yet still filled with anxiety. Between April 2016-March 2017 the volume of ransomware attacks remained stable, at 200,000-250,000 hits per month on average. This is higher than in the previous period and could indicate an alarming trend – a shift from chaotic and sporadic actors’ attempts to gain a foothold in the threat landscape to steadier and higher volumes. Also of interest was the peak between June and July. During these months there were many detections of the Onion ransomware family. 4 400000 350000 300000 250000 200000 150000 100000 50000 0 CY 2016 July 2016 CY CY 2016 May 2016 CY CY 2016CY April CY 2016 June 2016 CY CY 2017 March 2017 CY CY 2016 August 2016 CY CY 2016 October 2016 CY CY 2017 January 2017 CY CY 2017 February 2017 CY CY 2016 November 2016 CY December 2016 CY CY 2016 September 2016 CY 2016 2017 Fig. 2: The number of users encountering ransomware at least once in the period from April 2016 to March 2017 However, two things may be considered positive. Firstly, the modest growth rate could be a sign of success for the collaborative retaliation from vendors of security solutions, various law enforcement agencies, and other actors. It could also be due to increasing threat awareness, fueled by global media coverage on the most prominent fraudulent campaigns. Secondly, the end-of-the-year status also changed, from a rise in March 2016 to a fall of March 2017. 14000000 12000000 10000000 8000000 6000000 4000000 2000000 0 Fig. 3: Number of users attacked with any malware 2015-2017 5 As seen in Fig. 3, the behavior of ransomware does not reflect overall attack trends. While we witnessed peak of ransomware in autumn 2015 and a fall in autumn-winter 2016, malware statistics show the opposite fluctuations. To discover the possible reasons behind the peaks and troughs, we need to look deeper into the ransomware attack statistics. Main actors of crypto-ransomware Looking at the malware groups that were active in the period covered by this report, it appears that a rather diversified list of suspects is responsible for most of the trouble caused by crypto- ransomware. In the first period, from April 2015 to March 2016, the most actively propagated families were the following: Bitman, Cryakl, Cryptodef, Onion, Shade, and Mor. They were able to attack 223,782 users around the world, yet accounted for less than 31% of all users attacked with crypto-ransomware during the period. Lortok Scatter Locky 0,42% 0,32% 0,62% Aura 0,65% Mor 1,56% Other Shade 68,86% 2,86% Onion 4,43% Cryptodef 5,21% Cryakl 7,13% Bitman 7,94% Fig. 4: Distribution of users attacked with different groups of encryption ransomware in 2015-2016 A year later the situation had not changed considerably. Most widespread families, including Locky, CryptXXX, Zerber, Shade, Crusis, Cryrar, Snocry, Cryakl, Cryptodef, Onion and Spora, together hit about 33% of all users attacked with crypto-ransomware during the period. 6 Snocry Onion Spora 1,47% 1,31% 0,97% Cryptodef 1,49% Cryakl 1,61% Cryrar 1,87% Other 67,33% Crusis 1,96% Shade 2,20% Zerber 3,62% CryptXXX 7,04% Locky 9,13% Fig. 5: Distribution of users attacked with different groups of encryption ransomware in 2016-2017 Interestingly, the high share of “others” indicates that the list of crypto-ransomware actors becomes more and more diversified. This is due to crypto-ransomware downloaders that are not linked to specific families. This could be a sign of the development of criminal-to-criminal infrastructure that is fueling the emergence of easy-to-go, ad hoc tools to attack users and extort money.
Load more

Recommended publications
  • Mind Your Own Business: a Longitudinal Study of Threats and Vulnerabilities in Enterprises
    Mind your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises Abstract—Enterprises own a significant fraction of the hosts to, financial assets, and security investment. Thus, it is very connected to the Internet and possess valuable assets, such as likely that the best practices mentioned above do not equally financial data and intellectual property, which may be targeted apply to all of them. by attackers. They suffer attacks that exploit unpatched hosts and install malware, resulting in breaches that may cost millions Currently, it is not clear how the security posture of in damages. Despite the scale of this phenomenon, the threat and enterprises differ according to different factors and whether vulnerability landscape of enterprises remains under-studied. The enterprises are indeed more secure than consumer hosts, i.e., security posture of enterprises remains unclear, and it’s unknown if their security investment is paying off. In this paper, we aim whether enterprises are indeed more secure than consumer hosts. to throw light into these questions by conducting a large-scale To address these questions, we perform the largest and longest longitudinal measurement study of enterprise security. We an- enterprise security study up to date. Our data covers nearly alyze the enterprise threat landscape including the prevalence 3 years and is collected from 28K enterprises, belonging to 67 industries, which own 82M hosts and 73M public-facing servers. of malware and PUP in enterprise hosts and how common security practices, such as vulnerability patching and operating Our measurements comprise of two parts: an analysis of system updates are handled.
    [Show full text]
  • View This Article on Online Activity Summaryаннаweek Ending January 13, 2017 This Week, the World's Attention
    5/22/2017 FortiGuard Threat Intelligence Brief ­ January 13, 2017 | FortiGuard View this article on online Activity Summary ­­ Week Ending January 13, 2017 This week, the world's attention has been focused on US President­elect Donald Trump and the allegations that purport to connect him to data stolen by Russian hackers during the 2016 US election. While there is still not enough information to determine whether Trump or his staff were in any way involved with this attack ­­ named GRIZZLY STEPPE in a report jointly produced by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) ­­ it is clear that they had access to classified and confidential information that had been stolen during a spear phishing campaign that took place between 2015 and 2016. It is generally harder to detect a spear phishing email from a regular phishing email as the attacker impersonates someone close to the victim, possibly someone in a position of authority. To avoid becoming a victim to this sort of attack, we at FortiGuard Labs advise you once again to instruct employees to be extremely careful when handling email attachments and links. Of course, that will not always be enough. In some cases, such as HR staff who are sent resumes from potential candidates, it is actually their job to open attachments from people they don't know. Even the least capable person at your company has an email address, and they are likely to click on attachments regardless of how many times you warn them. Implementing a secure email gateway is the best protection mechanism in these cases.
    [Show full text]
  • 2016 ICIT Ransomware Report
    Expert research contributed by the following ICIT Fellows: Danyetta Magana (ICIT Fellow – President, Covenant Security Solutions) Igor Baikolov (ICIT Fellow – Chief Scientist, Securonix) Brian Contos (ICIT Fellow – Vice President & Chief Security Strategist, Securonix) John Menkhart (ICIT Fellow – Vice President, Federal, Securonix) George Kamis, (ICIT Fellow – CTO, Forcepoint Federal) Stacey Winn (ICIT Fellow - Senior Product Marketing Manager, Public Sector, Forcepoint) Thomas Boyden (ICIT Fellow – Managing Director, GRA Quantum) Kevin Chalker (ICIT Fellow – Founder & CEO, GRA Quantum) John Sabin (ICIT Fellow – Director of Network Security & Architecture, GRA Quantum) 1 Contents Introduction: .............................................................................................................................................................. 3 Origins of Ransomware: ........................................................................................................................................ 6 Overview of Ransomware: ................................................................................................................................... 8 Types of Ransomware: .......................................................................................................................................... 9 Locker Ransomware: ........................................................................................................................................ 9 Crypto Ransomware: .....................................................................................................................................
    [Show full text]
  • Ransomware As a Service
    EXECUTIVE SERIES Ransomware as a Service Cybercrime-as-a-Service Series Cybercrime as a service (CaaS) is an important trend in Deep Web forums because it puts cybercriminal tools and services in the hands of a wider range of threat actors—even the nontechnical, such that anyone can become a cybercriminal with minimal investment. At the same time, cybercriminals are now seeing the advantages of expanding their targets from home users to larger enterprise networks. This is a matter that IT administrators need to be ready for. Ransomware as a Service Ransomware1 use one of the more chilling widespread cybercrime models today. Victims get ransomware through the Internet and ! ! Spam Botnet Ransomware Bulletproof Spam Botnet Ransomware Bulletproof once installed, they hold victims’ documents hostage in exchange hosting, etc. hosting, etc. for money. PEDDLERS PEDDLERS The fear factor works. In 2015, CryptoWall operators raked in US$325 million from individuals and businesses worldwide through this modus operandi. Several ransomware families continue to do Ransomware Operator RaaS Operator so today. Ransomware Ransomware Ransomware Operator A Operator B Operator C Hollywood Presbyterian paid Victims US$17,000 to decrypt files encrypted by Locky. Victims Victims Victims Once exclusively a home user problem, ransomware’s social engineering tactics and technical capabilities have since evolved Figure 2. In RaaS, the operator gets a cut from each victim’s payment, resulting in more potential profit than from the to dip into enterprise networks as well. We confirmed this through traditional ransomware business model. the increase in focus of crypto-ransomware on office-related documents such as database files, web pages, SQL files, and other file types not typically found on home computers.
    [Show full text]
  • Malware Primer Malware Primer
    Malware Primer Malware Primer Table of Contents Introduction Introduction ...........................................................................................................................................................................2 In The Art of War, Sun Tzu wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This certainly applies Chapter 1: A Brief History of Malware—Its Evolution and Impact ..............................3 to cyberwarfare. This primer will help you get to know cybercriminals by providing you with a solid foundation in one of their principle weapons: Chapter 2: Malware Types and Classifications ....................................................................................8 malware. Chapter 3: How Malware Works—Malicious Strategies and Tactics ........................11 Our objective here is to provide a baseline of knowledge about the different types of malware, what malware is capable of, and how it’s distributed. Chapter 4: Polymorphic Malware—Real Life Transformers .............................................14 Because effectively protecting your network, users, data, and company from Chapter 5: Keyloggers and Other Password Snatching Malware ...............................16 malware-based attacks requires an understanding of the various ways that the enemy is coming at you. Chapter 6: Account and Identity Theft Malware ...........................................................................19 Keep in mind, however, that we’re only able here
    [Show full text]
  • Security Predictions for 2018 Skills and Resources — These Are the Two Elements That Make up an Attacker’S Arsenal
    PARADI G M SHI FTS Trend Micro Security Predictions for 2018 Skills and resources — these are the two elements that make up an attacker’s arsenal. An attacker, however, cannot set out to break security or even perform sophisticated attacks without finding weak points in a system first. Massive malware attacks, email-borne heists, hacked devices, and disrupted services — all of these require a vulnerability in the network, whether in the form of technology or people, in order to be pulled off. Increased connectivity and interaction over insecure networks are a given. Unfortunately, poor implementation of technologies adds to the likelihood of threats being realized. Having protection where and when it’s needed will become the backbone of security in this ever-shifting threat landscape. In 2018, digital extortion will be at the core of most cybercriminals’ business model and will propel them into other schemes that will get their hands on potentially hefty payouts. Vulnerabilities in IoT devices will expand the attack surface as devices get further woven into the fabric of smart environments everywhere. Business Email Compromise scams will ensnare more organizations to fork over their money. The age of fake news and cyberpropaganda will persist with old-style cybercriminal techniques. Machine learning and blockchain applications will pose both promises and pitfalls. Companies will face the challenge of keeping up with the directives of the General Data Protection Regulation (GDPR) in time for its enforcement. Not only will enterprises be riddled with vulnerabilities, but loopholes in internal processes will also be abused for production sabotage. These are the threats that will make inroads in the 2018 landscape.
    [Show full text]
  • HC3 Sector Alert TLP White
    Health Sector Cybersecurity Coordination Center (HC3) Sector Alert July 10, 2020 Top 3 Malware Detections for May 2020 and Relevance to HPH Sector Executive Summary Top malware detections for the month of May 2020 by the EINSTEIN national IDS included NetSupport Manager RAT, Kovter, and XMRig. According to CISA, these three threats accounted for more than 90% of active signatures. Both NetSupport Manager RAT and XMRig have links to threat actor(s) which have previously targeted the United States healthcare and public health (HPH) sector and Kovter continues to be a top malware used by threat actors. General mitigations, indicators of compromise (IOCs), techniques (TTPs), and Snort rules are provided. Analysis On 30 June 2020, analysts at the Cybersecurity and Infrastructure Security Agency (CISA) released the top malware detection signatures that were the most active for the month of May in the national Intrusion Detection System (IDS), known as EINSTEIN. The most prevalent malware detections involved three (3) cyber threats including: 1) NetSupport Manager RAT, 2) Kovter, and 3) XMRig. NetSupport Manager RAT is a legitimate program that, once installed on a victim’s machine, allows remote administrative control and may be used to steal information. In May 2020, Microsoft warned of an ongoing COVID-19 themed campaign, in which hackers were sending phishing emails pretending to be from the Johns Hopkins Center as an update on the number of Coronavirus-related deaths in the United States. In this massive campaign, NetSupport Manager RAT was being distributed via COVID-19 phishing emails containing malicious Excel attachments. In February 2020, hackers were found spreading a malicious Microsoft Word document disguised as a password-protected NortonLifelock document to install and Figure 1.
    [Show full text]
  • A Constant State of Flux: Trend Micro 2020 Annual Cybersecurity Report
    A Constant State of Flux Trend Micro 2020 Annual Cybersecurity Report TREND MICRO LEGAL DISCLAIMER Contents The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The 4 information contained herein may not be applicable to all situations and may not reflect the most current situation. Targeted Attacks Focus on Critical Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the Industries and Lucrative Victims particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. 15 Translations of any material into other languages are intended solely as a convenience. Translation accuracy Covid-19 and Remote Work Cause is not guaranteed nor implied. If any questions arise Major Shifts in Cybersecurity related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. 23 Although Trend Micro uses reasonable efforts to include Organizations Face Threats in Cloud, accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as IoT, and Mobile Environments to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied.
    [Show full text]
  • The Reign of Ransomware
    The Reign of Ransomware TrendLabsSM 2016 1H Security Roundup Contents TREND MICRO LEGAL DISCLAIMER 4 The information provided herein is for general information and educational purposes only. It Ransomware Dominates is not intended and should not be construed to constitute legal advice. The information contained the Threat Landscape herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or 7 acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed BEC Scams Spread otherwise. Trend Micro reserves the right to modify Across the World the contents of this document at any time without prior notice. 9 Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any Exploit Kits Take On questions arise related to the accuracy of a New Vulnerabilities and translation, please refer to the original language official version of the document. Any discrepancies Ransomware Families or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. 12 Although Trend Micro uses reasonable efforts to include accurate and up-to-date information Rising Number of Vulnerabilities herein, Trend Micro makes no warranties or Found in Adobe Flash Player representations of any kind as to its accuracy, currency, or completeness. You agree that access and IoT Platforms to and use of and reliance on this document and the content thereof is at your own risk.
    [Show full text]
  • Ransomware: What You Need to Know a Joint Report by Check Point and Europol
    Europol Public Information Europol Public Information Ransomware: What You Need to Know A Joint Report by Check Point and Europol Cyber Intelligence Team The Hague, 15/12/2016 Europol Public Information 1 / 16 Europol Public Information Contents 1 Introduction .............................................................................................................. 3 2 The Founding Fathers ................................................................................................ 4 3 The Current Top Tier ................................................................................................. 5 4 Latest Advancements ................................................................................................ 7 5 Statistics .................................................................................................................. 12 6 The ‘No More Ransom’ Project ............................................................................... 14 7 Tips & Advice – How to Prevent Ransomware from Infecting Your Electronic Devices .................................................................................................................... 15 2 / 16 Europol Public Information 1 Introduction Ransomware are malware designed to extort money from users whose computers they infect. Recent innovative methods for infecting, monetising and targeting lucrative targets show that this attack vector is growing in sophistication since its primitive yet effective origins. In recent years, there has been a surge of ransomware.
    [Show full text]
  • Ransomware: Past, Present, and Future in Late 2013, What We Know Now As “Crypto-Ransomware” Led by Variants Like Cryptolocker8 Came to the Fore
    Ransomware Past, Present, and Future Technical Marketing Team TrendLabsSM Ransomware Roundup Contents TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not 4 intended and should not be construed to constitute legal advice. The information contained herein may Ransomware: not be applicable to all situations and may not History and Evolution reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this 7 document at any time without prior notice. 2016: The Year Ransomware Translations of any material into other languages Reigned are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies 14 or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Ransomware: Mitigation and Prevention Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access 17 to and use of and reliance on this document and the content thereof is at your own risk. Trend Appendix Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof.
    [Show full text]
  • No Stone Unturned: Fighting Ransomware on Workstations and Servers Alike
    NO STONE UNTURNED: FIGHTING RANSOMWARE ON WORKSTATIOns ANd SERVERS ALIKE www.kaspersky.com 2 No Stone Unturned: Fighting Ransomware on Workstations and Servers Alike Ransomware is one of the fastest growing classes of malicious software. Attackers don’t even have to bother stealing and selling the data that you or your business relies on – they just encrypt it and demand a ransom. Over the years, ransomware has evolved from simple screen blockers demanding payment to a huge wave of far more dangerous software. You cannot afford to leave any stone unturned in the fight against crypto-locker attacks. WHY IS RANSOMWARE SUCH A PROBLEM? How does ransomware work, and why is it so lethal? This malware class is now based on cryptors – Trojans which infiltrate as you open a malicious e-mail attachment or innocently follow the link to a specially crafted website. The module then quietly encrypts any data it finds that could be of value to you. This might include personal photos, archives, documents, databases, diagrams, etc. The crypto-lockers then demand payment – often a significant sum – to decrypt these files again. Clearly, anonymity at all times is important to the attackers. So payment may be demanded in Bitcoin, and the attackers’ command and control servers may be hidden in the anonymous Tor network. If traffic is intercepted between the Trojan and its server, the use of unorthodox cryptographic schemes, such as using Tor or customary encryption algorithms, makes file decryption impossible (Trojan-Ransom.Win32. Onion, for example, uses all these techniques). Nowadays, some crypto-lockers demand payment not only for decrypting the users’ data but also for some additional “services”.
    [Show full text]