Ransomware criminals are growing more sophisticated in their use of encryption, as criminals increasingly use asymmetric encryption methods, according to security pros.
A report by ESET security researcher Cassius Puodzius published on the WeLiveSecurity blog detailed the use of encryption to secure communication between malware and command and control (C&C) servers. Dual encryption is used by ransomware criminals for “performance and convenience,” Puodzius wrote. “Symmetric and asymmetric encryption are combined in order to get the best of both methods, in a technique that resembles a digital envelope.”
Ransomware groups have moved into “more advanced encryption schemes,” according to ESET security researcher Cameron Camp. The trend has accelerated recently “as the good guys spend more effort at pushing decryptor software out to thwart the threat, thereby cutting into the profits for those scammers who don’t stay ahead in this cat-and-mouse game,” he wrote in an email to SCMagazine.com.
Asymmetric encryption is especially useful to criminal groups as crypto-ransomware criminals scale their activities and refine their processes, industry professionals told SCMagazine.com. Joram Borenstein, VP of Marketing at NICE Actimize, is not surprised that criminals are using asymmetric encryption. “Asymmetric encryption lets criminals rely on a single key,” he told SCMagazine.com, noting that asymmetric encryption allows groups to move away from “a focus on operational overhead” so they can focus on growing “more widespread in their mayhem.”
Rahul Kashyap, executive vice president and chief security architect at Bromium said criminals are investing in “continuous upgrades” to ransomware campaigns because they are a direct – and profitable – business. “It’s a cleaner business model than other kinds of malware,” he told SCMagazine.com. “There is no middleman involved.”
Finland-based security firm F-Secure studied the growth of the ransomware “industry” in a study published in July. “It‘s a fascinating paradox,” the report stated. The cybercriminals are “concerned about offering good customer service – including support channels and reliable decryption after payment.”
The ESET report also highlighted common errors in how ransomware encryption. Four common ransomware families were examined: CryptoDefense, TorrentLocker, TeslaCrypt, and Petya. Only two of these strains, TorrentLocker and TeslaCrypt, were found to use dual encryption.
Camp noted that ransomware groups now use more sophisticated communication channels to avoid being tracked by researchers. The groups are “utilizing more sophisticated encryption since their activities are attracting so much more attention from researchers,” he wrote.
Most ransomware strains use public and private key cryptography to “scramble” the data of ransomware victims, Tripwire senior security research engineer Travis Smith wrote in an email to SCMagazine.com. “More often than not this is done using RSA and AES to encrypt files, requiring the victim to pay for the decryption key to be able to access data,” he wrote.
Plixer director of IT and services Thomas Pore noted a similar trend. Ransomware will “continue to be a problem until it stops being profitable,” he wrote in an email to SCMagazine.com. “Since ransomware is very profitable, authors are required to evolve their tools in an effort to keep the money rolling in.”