ELEC-E7470 Cybersecurity
Case study - Ransomware abusing trust
The latest trends of ransomware
Group O
Pete Lyly ([email protected])
Antti Majakivi ([email protected])
Olli-Mikko Ojamies ([email protected])
Ransomware, in its modern form, is quite a new kind of malware. An infected user's files are
encrypted using strong cryptography. To decrypt the locked files, the user has to pay a
ransom to the attacker. If the files are valuable to the user -- and there are no backups -- the
user generally has no other option to restore the files than paying the ransom. After paying
the ransom, the user gets a decryption key to unlock the files. Usually there is also a time
limit for payment, after which the decryption key is permanently deleted. This increases the
pressure and narrows down the time to find other solutions (backups, ways to trick the
malware into decrypting the files, etc.). New technology has enabled this type of malware to be
effective. For example, payments are almost always demanded in bitcoins. Bitcoin is a relatively new
decentralized digital token system suitable for payments. The decentralized nature of Bitcoin
allows pseudonymous usage, which makes it an attractive tool for shady use cases. The
decentralization of Bitcoin also means that funds cannot be frozen. Anyone is free to use
Bitcoin and bitcoin transactions however they want to. Generally, law enforcement is very
hard when bitcoins are involved. Before truly digital money such as Bitcoin existed,
criminals had to ask for payments e.g. via cash in the mail, which was a lot riskier and also very
inefficient.
According to a TheRegister.co.uk article [2], the FBI estimated the size of the ransomware market to be
around one billion dollars in 2016. More sophisticated ransomware criminals have even set
up help desks to, for example, help people buy bitcoins and pay the ransom. The ransomware
concept has proven to be very profitable. Propagation seems to be the main thing to improve,
as it is for almost all other malware too. Trust hasn't yet been abused at large to spread
malware, but that may change now that the incentive exists and the payout is instant. One of
the ways to combat this, and likely the most effective, is to educate people. The No More
Ransom project (https://www.nomoreransom.org/) is one of the educational sites that
increase awareness of ransomware and of how to react if infected.
Lately there have been reports of a malware called Popcorn Time [1]. Popcorn Time is a
variation of common ransomware. The twist in Popcorn Time is that it gives infected users
two options: pay the ransom in bitcoins or send the malware to friends. If two friends pay
their ransoms, the user gets their decryption key for free. This is a very nasty malware, as it
basically gives the user an option to "cash out" a friendship. Generally, having a digital
near-anonymous payment system enables criminals to extract value from all sorts of
valuable things. One of these things is trust between people.
Antivirus software or firewalls can't detect ransomware very well, especially when it is transmitted
from person to person via a trusted, secure channel, because such transmissions are often
considered trusted by default. Quite a large part of communications and file transfers rely
solely on counterparty trust. Safety measures mean more complexity, and the free
market (i.e. users) tends to take the path of least resistance. This means that security is
sacrificed if it harms usability. It seems likely that some of the end-to-end encrypted instant
messaging applications will be used to spread Popcorn Time-like ransomware at large in the future.
"Trust everyone by default" internal communication systems are likely to be targeted
too.
Popcorn Time was allegedly made by Syrian computer science students. The malware
started spreading in late 2016. The authors of the malware stated that they made the
malware to help local poor people who are suffering from the ongoing war. While this
reasoning may be appealing and encourage infected users to pay the ransom, it may all be
fake in order to get more money. If this kind of reasoning increases the income of the malware
authors, others are going to say the same.
The Popcorn Time malware is not really very widespread, but it's an interesting sneak peek into
the future of malware. The method of spreading the program to friends is quite elementary in
Popcorn Time. We'll likely see much more clever propagation methods in the future. For
example, someone could send this kind of malware to another person without the recipient
knowing the source of the infection. The malware could even work like a time
bomb. There are likely many as yet unheard-of variations to come. Spreading
ransomware secretly to the people who trust you would enable extracting money by abusing
that trust without harming the trust immediately. This could have huge implications in the
business world too. A pseudonymous payment system allows plausible deniability. There are
numerous examples in the non-digital world of trust being abused when it can be done in
hiding or when denying the abuse is plausible.
As the Popcorn Time malware is not very widespread, it is not a big cyber security violation by
itself. However, the idea of extracting money from relationships and trust is quite a big thing.
People have been able to trust friends in online communications quite easily and risk-free.
There have been few risks and no gains in abusing that trust. There are huge trust networks
which are worth a lot. Most people and businesses are honest and would never send
malware to others, even if they were paid significantly to do so. However, some people are
in a very bad situation, just like the authors of Popcorn Time claim to be. When spreading
the malware can be done secretly, it's likely to propagate much better. Ransomware may
even turn into a pyramid or multilevel marketing type of business where spreading the
malware is rewarded based on results. All in all, technical boundaries are less and less
the reason why online trust relations remain safe and unabused. In the future we'll
likely see severe cyber security violations where trust is transformed into concrete money.
Figure 1: Popcorn Time malware. [1]
References:
[1] https://www.wired.com/2016/12/popcorn-time-ransomware/
[2] https://www.theregister.co.uk/2017/03/29/the_evolution_of_ransomware_how_a_nuisance_turned_into_a_business_menace/