After many years of evolution, ransomware has emerged as one of the most troublesome malware categories of our time. The threat is known for locking computers or encrypting files to trick users into handing over their money. Ransomware has had a global spread as, according to Symantec’s telemetry, 11 of the top 12 countries impacted by ransomware in the past 12 months are all direct or indirect member states of the G20 organization. The most affected nations include the US, Japan, the UK, and Italy.
With the increasing spread of connected devices, such as wearable computers and the Internet of Things (IoT), ransomware may be on the cusp of another evolutionary jump forward. In our latest research, we learned that it would not be difficult for current-generation ransomware to make the leap from mobile phones to wearable devices such as smartwatches. Before we get into that, let’s take a look back at where ransomware came from, where it has been, and where it is likely to go next.
Before there was ransomware…
It’s easy to think of ransomware as a modern problem, but the concept dates back 26 years. The first documented case of ransomware was the AIDS Trojan from 1989. The threat spread through snail mail containing 5¼" floppy disks, encrypted files on the computers, and then asked users to pay to decrypt them. Of course, the AIDS Trojan wasn’t presented as ransomware, but it used the same trick that we see today—punishment for allegedly using unlicensed software.
While the AIDS Trojan may be the first ransomware, it was actually misleading applications and the later fake antivirus (fake AV) products that really kicked off the digital extortion trend that we see today. Like ransomware, misleading applications and fake AV scams were designed to fraudulently generate revenue from the user.
Misleading apps were common in 2005. These apps presented fake computer problems to victims and asked them to pay for software licenses to fix them. Fake AV gained popularity between 2008 and 2009, evolving from the tactics of misleading apps. These scams attempt to convince users that their computer is infected with malware and push them into paying for fraudulent software licenses.
Over the years, the public became more educated on misleading apps and fake AV scams. As a result, between 2011 and 2012, attackers moved to ransomware as their cybercrime of choice. Attackers started with locker ransomware campaigns, which lock the computer from use and demand payment to unlock it. From 2013, they moved to crypto ransomware, which encrypts important files on the computer and asks for payment to decrypt them.
Both locker ransomware and crypto ransomware use different techniques to achieve the same ends—forcing the victim to pay to restore access to something they already own.
Locker ransomware: “Pay US$200 fine or go to jail”
Locker ransomware tends to rely more heavily on social engineering than crypto ransomware does to convince victims to pay. In particular, locker ransomware frequently uses law enforcement-type ploys, displaying official-looking notifications accusing the victim of serious criminal offenses while at the same time, locking the computer and demanding the payment of a fine to unlock the system. Conveniently, the ransomware claims that if the user pays the alleged fine, then any charges for criminal prosecution will be dropped. Locker ransomware uses official law enforcement imagery and authoritative wording to try to persuade the victim that the accusations are legitimate.
Figure 1. Typical words used in locker ransomware demand screens
Locker ransomware also typically requests victims to pay the ransom using money-payment vouchers. The victim can go to a local bricks-and-mortar store and exchange cash for a voucher code. The code can then be used to pay for goods and services, usually online. The average amount demanded by locker ransomware is around US$200.
Users should note that no jurisdiction currently has laws that allow for the electronic issuance of fines for offenses committed on a computer. Be aware that conviction for crimes requires careful gathering of evidence and representation in court before a judgment can be passed. Be very skeptical of messages or warnings indicating otherwise, as this is a sign of a scam.
If you are infected with locker ransomware, then consider the following advice:
- Don’t pay the ransom as even after paying, the ransomware may not unlock your computer.
- Most locker ransomware can be removed cleanly from impacted computers using free tools such as Norton Power Eraser or SymHelp.
Crypto ransomware: “Pay US$300 fee or lose your files”
Instead of making up non-existent laws to threaten victims, crypto ransomware simply announces itself as an extortion attempt by asking the victim to pay a fee to have their files decrypted.
Crypto ransomware attackers can do this because they believe that they have a vise grip on the victim’s files. Modern crypto ransomware uses industry-standard encryption techniques, combining both symmetric and asymmetric encryption algorithms, which lets it encrypt files faster and more securely. This means that once the files are encrypted, there is no practical way to decrypt them without the necessary keys.
Crypto ransomware typically takes more technical know-how to pull off. Along with using strong encryption, the cybercriminals behind these schemes are aware of the need for operational security and take steps to hide their network infrastructure in the dark web. They also force victims to communicate with them through anonymity networks, such as Tor or I2P.
In terms of payment, crypto ransomware tends to command a price premium over locker ransomware too. It typically demands a ransom of US$300, although actual amounts can vary from country to country. Crypto ransomware almost exclusively asks for payment using bitcoins. This is undoubtedly done to help protect the identity of the cybercriminals behind the scheme.
The key to protecting against crypto ransomware is to prevent the encryption from happening in the first place.
- Use a good multi-layered security solution to prevent the ransomware from being installed on the computer or from communicating with a remote server.
- Behavioral-, heuristic-, and reputation-based protection systems can help block suspicious files from executing.
- Always back up files and data that are important. Do it regularly and make multiple copies in online and offline media to be sure.
- Unfortunately, in many cases of crypto ransomware infections, a backup is the only practical recovery solution if the computer should become infected. We do not recommend paying the ransom as doing so will perpetuate the problem. Bear in mind that even if you do pay, the cybercriminals may not be able to decrypt your files.
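The behavioral protection mentioned above can be illustrated with a small heuristic: a process that rewrites many files with near-random content in a short window looks, from the filesystem, like crypto ransomware encrypting documents. This is an added example and not code from the original post or from any Symantec product; the event format, thresholds, and the sample events are assumptions constructed for the illustration.

```python
# Added example (not from the original post): flag processes whose file writes
# look like bulk encryption. Event format and thresholds are assumptions.
import math
import random
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted data sits close to 8.0, prose near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_processes(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """events: iterable of (timestamp, pid, path, written_bytes).
    Returns the set of pids that wrote min_files or more distinct high-entropy
    files within any window_s-second window."""
    writes = defaultdict(list)          # pid -> [(timestamp, path)] of high-entropy writes
    for ts, pid, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            writes[pid].append((ts, path))
    flagged = set()
    for pid, hits in writes.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if t - start <= window_s}
            if len(paths) >= min_files:
                flagged.add(pid)
                break
    return flagged

# Constructed sample: pid 42 overwrites 25 documents with random bytes in 5 seconds
# (the crypto-ransomware pattern); pid 7 is an editor saving one plain-text note.
_rng = random.Random(1234)
SAMPLE_EVENTS = [(i * 0.2, 42, f"/sdcard/docs/file{i}.txt", _rng.randbytes(2048))
                 for i in range(25)]
SAMPLE_EVENTS.append((3.0, 7, "/sdcard/notes.txt", b"meeting at 10, bring the slides\n" * 16))

if __name__ == "__main__":
    print("flagged pids:", suspicious_processes(SAMPLE_EVENTS))
```

A real product would combine this signal with reputation and other behaviors, since compression tools and encrypted backups also write high-entropy data.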
Figure 2. The two sides of ransomware: fine versus fee
Ransomware on your wrist
Earlier, we noted that technological trends are now beginning to present new opportunities to cybercriminals to increase the reach of ransomware. Just witness the rising proliferation of technology in our homes, for entertainment, HVAC, security, and more. Our transport has also been affected, as there are smart cars that are vulnerable to hacking.
One trend that has recently caught the public’s attention is that of the smartwatch. While Google first introduced the Android Wear smartwatch OS to the public in early 2014, the recent arrival of the Apple Watch has given this sector a significant boost. This is creating a fledgling market for smartwatch apps which developers have started to cater to.
Android Wear devices are designed to be paired with a more function-rich device such as an Android phone or tablet. The OS allows existing Android apps to use certain features of the Android Wear device with no extra work. But if developers want to really take advantage of the features in the smaller wearable devices, they can write apps specifically for it.
The process of installing an Android Wear app is designed to be a seamless experience. If an installed Android mobile app has an Android Wear component or if it was created for Android Wear, the app will automatically be pushed from the mobile device onto the Android Wear smartwatch.
Figure 3. Android Wear apps are installed on the phone and then pushed onto the smartwatch
Given that there are already ransomware threats in circulation for Android mobile devices, we decided to test how an Android Wear device might be impacted by typical Android ransomware. To do this test, we simply had to repackage a current Android ransomware .apk file (Android.Simplocker) inside a new Android Wear project to create a new .apk file.
Next, we took a Moto 360 smartwatch and paired it with an Android phone. When we installed the new .apk file on the phone, we found that the phone became infected with the ransomware as expected. As the smartwatch was paired with the phone, the ransomware was also pushed onto the smartwatch. Once installed on the smartwatch, the malware could be executed by the user if they were tricked into running it, thinking it was a useful app.
After the ransomware was executed, it caused the smartwatch to become generally unusable. Simplocker has a routine that checks for the display of the ransom message every second, and if it is not shown, it will push it onto the screen again. This activity prevented us from using the device. Simplocker also encrypted a range of different files stored on the smartwatch’s SD card.
So far, we have not seen any ransomware in the wild specifically designed to target smartwatches but this situation could easily change. This scenario could give rise to the term “ransomwear”—ransomware that you can wear.
Recovery and mitigation
Once Simplocker is running on the smartwatch, you can only uninstall it from the paired phone. If you can do this, then Simplocker will automatically be removed from the smartwatch. If this is not possible, you can reset the phone to its factory settings and then do the same on the smartwatch. The factory reset option is only accessible through the watch menu but this is not accessible while Simplocker is running.
In our testing, we found that by holding down the hardware button on the watch for 30 seconds, the device will shut down. When the device is restarted, there is a time window of approximately 20-30 seconds before Simplocker restarts again. This is just enough time to initiate the factory reset process which will wipe the smartwatch clean. The downside is that all files on the watch will be lost, though those files would have been encrypted by the threat before this.
To reduce the risk of malware infections on wearable devices, users should take some basic precautions:
- Avoid installing apps from unknown/untrusted sources
- Check permissions when installing apps to make sure that they are appropriate for the type of app being installed. For example, does a game really need to be able to access your contacts list or send an SMS?
- Use a suitable security solution on your mobile device
- Keep your software up to date
- Make frequent backups of important data
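The permission check in the list above can be automated: compare the permissions an app requests against what its kind of app can plausibly justify, using the post’s own example of a game asking for contacts or SMS access. This is an added example, not code from the original post; it assumes the AndroidManifest.xml has already been decoded to plain XML (binary manifests inside an .apk need a tool such as apktool first), and the app categories and allowlists are assumptions.

```python
# Added example (not from the original post): flag requested permissions that
# do not fit the kind of app being installed. Categories/allowlists are assumptions.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an app of a given category can plausibly justify (assumed lists).
EXPECTED = {
    "game": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.VIBRATE",
    },
    "messaging": {
        "android.permission.INTERNET",
        "android.permission.READ_CONTACTS",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
    },
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def unexpected_permissions(manifest_xml: str, category: str) -> set:
    """Permissions the app asks for that its declared category does not justify."""
    return requested_permissions(manifest_xml) - EXPECTED[category]

# Constructed sample: a "puzzle game" that also wants contacts, SMS and SD-card write access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

if __name__ == "__main__":
    for perm in sorted(unexpected_permissions(SAMPLE_MANIFEST, "game")):
        print("review before installing:", perm)
```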
Want to find out more?
If you would like to find out more about the different aspects of ransomware mentioned in this blog, please download and read our whitepaper: The evolution of ransomware.
Watch our video
If you would like to see how ransomware might work on a smartwatch, we have created a video to show how the Simplocker ransomware is installed onto an Android Wear smartwatch and how it behaves once on it.