Today’s ransomware looks nothing like the ransomware of 2013, when it was born. We are not simply talking about its structure, which has obviously evolved, but rather about the purpose of the malware itself, as the direction in which hackers are moving has changed. The criminals who spread such malware obviously have the sole objective of making a profit, and what was profitable years ago is not necessarily profitable today. Starting from the beginning and talking about malware in general, in the 2000s an attractive source of profit was the illicit appropriation of credentials from online banking sites via banking Trojans, which is hardly done nowadays as it is considered risky. Fishing’ is not always profitable: factors such as the cybercriminal’s ability to extract money and the size of the hacked bank account come into play. As a result of these difficulties and the popularity of cryptocurrencies, ransomware developed, which is nothing more than a safer and more efficient way of making money. In fact, cryptocurrencies – bitcoin to name the most famous – being totally anonymous do not have to pass through the bank during the transaction, a delicate and risky moment for the hacker.

As is well known, ransomware, once it has infiltrated the victim’s computer and recovered a significant amount of personal data, encrypts the files making them unusable; a ransom is then demanded to be paid in bitcoin. For some time now, however, even this method, which is still widely used today (see wannacry), has been considered outdated by some hackers. Despite the fact that contamination takes place by opening infected e-mails sent in large numbers, only some of the people who receive such e-mails ‘take the bait’, and only some of them pay the ransom.

The evolution of ransomware consists first and foremost in the means of propagation: huge numbers of network users are infected through critical website security issues and, once installed on computers, the malware uses their hardware to mine cryptocurrencies. The other aspect that can be considered a major upgrade of the malware is the incognito factor: when present on the computer, the malware acts almost completely invisible; no messages or warnings appear as there is no need to do so in order to mine. Cryptocurrency mining is an energy-intensive activity that pushes the computer’s components to their limits; to recognise an infection, therefore, one must pay attention to the electricity bill and abnormal use of CPUs and fans. But why is this mode of attack only now spreading? Bitcoin is continuing to rise in value against the dollar – it has risen from 2000% against the dollar to 4000% in the last two years – and is becoming a favourite with criminal syndicates. The real cause, however, is not bitcoin, but the Monero, another virtual currency with a high value and characteristics that are more suited to the aforementioned mode of attack: to mine bitcoin, one needs very powerful equipment, specially built with high-end components, which Monero does not need. With a normal home computer, a value of 0.25 cents per day of this currency can be mined. In January, Palo Alto Networks identified a Monero mining campaign that had infected some 15 million systems, mainly in developing countries. If these computers had remained active for even one day, the earnings would have exceeded $3 million! To defend yourself against this type of attack, the advice is, as mentioned above, to watch out for abnormal power consumption and exaggerated use of PC resources. In addition to this, it will be necessary to install a good antivirus and keep it constantly updated: the battle between cybercrime and antivirus companies is eternal and the evolution of one goes hand in hand with the evolution of the other.

Marco Serico