Trend Micro senior architect Jon Oliver says that since the rash of ransomware began, which he traces back to 2014, with a big increase in 2016, there has been no need for the scare tactics commonly used in the tech industry to boost sales.
Sales are booming, he told iTWire during a casual chat, in what appears to be a seller's market.
Ransomware is malware that infects a system, most commonly one running Windows, and encrypts the files on it. Typically a ransom note then appears on screen, stating how much is to be paid, and to whom, for the encrypted files to be decrypted.
For instance, Oliver said, the notes displayed after file encryption now often carried links to helplines the victim could contact to learn how Bitcoin works.
Most ransomware attackers sought payment in this crypto-currency, and anyone who did not know how to pay would be walked through the process.
Oliver said such a helpline would typically be a general service offering this kind of help to anyone for a fee, and hence it could not be targeted by law enforcement.
One thing he had noticed in ransomware code was that, in some cases, it had been modified to encrypt only a portion of each file rather than the whole file.
"This is standard behaviour for many ordinary functions when you are using a computer," he said. "And hence, your A-V software will not detect this as potentially malicious behaviour."
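The point above, that a process which rewrites only part of a file looks like ordinary activity, also applies to content-based heuristics: if a scanner measures the entropy of a whole file, encrypting just a few kilobytes of it barely moves the number. The following is an added example, not code from the article or from Trend Micro. It builds a low-entropy text buffer in memory (constructed sample data), simulates a partial-encryption variant with a toy SHA-256 keystream XOR (a stand-in, not a real cipher), and compares a whole-file entropy check against a chunked one. The chunk size, threshold and function names are the example's own assumptions.

```python
"""Added example: whole-file versus chunked entropy checks against a file
whose first few kilobytes have been overwritten with high-entropy data.

Not from the article or from Trend Micro. Sample data is constructed in
memory and the 'encryption' is a toy keystream XOR used only to raise
entropy; it is not a cipher anyone should rely on."""
import hashlib
import math
from collections import Counter

CHUNK = 4096          # assumed scan granularity
THRESHOLD = 7.0       # assumed bits-per-byte cut-off for "looks encrypted"

# Constructed sample: 64 KiB of repetitive English text (entropy ~4.3 bits/byte).
_SENTENCE = b"The quick brown fox jumps over the lazy dog. "
SAMPLE = (_SENTENCE * (16 * CHUNK // len(_SENTENCE) + 1))[:16 * CHUNK]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes: SHA-256 over key || counter (toy only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt_prefix(data: bytes, prefix_len: int, key: bytes) -> bytes:
    """Simulate a partial-encryption variant: only the first prefix_len bytes
    are replaced by high-entropy bytes; the rest of the file is untouched."""
    head = data[:prefix_len]
    ks = _keystream(key, len(head))
    return bytes(a ^ b for a, b in zip(head, ks)) + data[prefix_len:]


def whole_file_flag(data: bytes, threshold: float = THRESHOLD) -> bool:
    """Naive heuristic: flag only if the entropy of the entire file is high."""
    return shannon_entropy(data) >= threshold


def chunked_flag(data: bytes, threshold: float = THRESHOLD,
                 chunk: int = CHUNK) -> list:
    """Return indices of fixed-size chunks whose entropy exceeds the threshold.
    A single high-entropy chunk inside an otherwise plain file is enough."""
    return [i for i, off in enumerate(range(0, len(data), chunk))
            if shannon_entropy(data[off:off + chunk]) >= threshold]


if __name__ == "__main__":
    key = b"example-key"
    partial = toy_encrypt_prefix(SAMPLE, CHUNK, key)
    full = toy_encrypt_prefix(SAMPLE, len(SAMPLE), key)
    for name, blob in (("plain", SAMPLE), ("partial", partial), ("full", full)):
        print(f"{name:8s} whole={shannon_entropy(blob):.2f} bits "
              f"whole_flag={whole_file_flag(blob)} "
              f"suspicious_chunks={chunked_flag(blob)}")
```

On the partially encrypted buffer the whole-file entropy rises only from about 4.3 to under 5 bits per byte and stays well below the threshold, while the chunked scan reports chunk 0 as suspicious. The usual caveat applies: already-compressed or encrypted formats (archives, JPEGs, encrypted containers) sit near 8 bits per byte legitimately, so an entropy check like this is a signal to combine with file-type and behavioural context, not a verdict on its own.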
One strain of ransomware, known as Cerber, had gone through numerous mutations, Oliver said, adding that this reflected the fact that the authors were making money from it and could hire someone to make changes to avoid detection.
He said the business model of simply demanding payment had proved the most successful because it was the least complicated and had the lowest overheads.
"They (ransomware authors) could steal IP and then hawk it; that would take time and effort and open them up to being detected. They could try to transmit trojans and steal banking details, but then the bank could get involved and mean one more adversary to tackle," Oliver explained.
So the simplest method was to ask for money, explain how to pay, pocket the proceeds, and honour the promise to decrypt the victim's files without any fuss. That also made it easier to get the next victim to pay up without making a noise.
Additionally, ransomware authors generally picked targets that were not high-profile, he said. Small hotels and hospitals, for example, often had IT staff who were not as well qualified and savvy as those in, say, a large financial services firm; they would just want to get their systems back in working order.
While the ransom demand therefore had to be kept smaller than one aimed at a big company, the attack was much less messy and stayed low-profile.
But even these low-profile attacks were doing what the ransomware authors intended, Oliver said: creating awareness that when ransomware struck, the best and quickest remedy was to pay the thousand or few thousand dollars demanded and stay mum.
He said the ransomware authors were using commonly used web hosts and moving on when the possibility of detection arose. They were even using Dropbox.
Ransomware attacks were helped by the fact that victims whose businesses transacted online would keep quiet about an attack, for fear it would affect their bottom line. Thus, it was difficult to find out the actual extent of attacks.