No More Ransom is an international scheme to stem payments to criminals who use ransomware to extort money from individuals and enterprises. Kaspersky Lab, working with Europol, the Dutch Police and others, has had success. Paul Peachey with Security News Desk and SecurityMiddleeast.com takes a look.
No More Ransom
“The first concerted international effort to stem payments to criminals running ransomware rackets has successfully cut the income to targeted gangs in the first few months of operations,” researchers responsible for the scheme have told Paul Peachey with Security News Desk and SecurityMiddleEast.com.
The scheme known as No More Ransom – run in concert between Dutch police, the European policing agency Europol and cybersecurity companies Kaspersky Lab and Intel Security – published more than 160,000 tools in July to help users retrieve data encrypted by criminals who demanded payment for unlocking the files.
The non-profit initiative was announced in July amid recognition that victims needed a one-stop shop where they could get help on retrieving data without contributing to the problem by paying criminals behind a rapidly growing illicit industry that is estimated to net more than 0.9 billion euros a year. The results of the project so far represent only a limited strike-back against the burgeoning crypto-ransomware industry which grew more than five-fold in a year to an estimated 718,000 attacks in 2015-16, according to Kaspersky Lab.
The decryption tools on the No More Ransom site have been published for seven malware families and do not include the main ransomware threats identified by law enforcement for 2016. The tools are a potential solution to 20 to 30 per cent of known ransomware threats and are not always effective, said Jornt van der Wiel at Kaspersky Lab. But officials behind the scheme believe the collaborative approach between industry and the police is the only way forward for a campaign against the ransomware industry, which has surpassed traditional malware threats such as banking Trojans.
The No More Ransom project’s successes included securing tools to decrypt the Shade ransomware which infected 250,000 computers. The scale of the infections was revealed after Dutch police seized the command and control server of the criminals in the Netherlands based on information supplied by cybersecurity experts who were then able to unpick the malware and publish the keys.
A second small and uncomplicated programme, Wildfire, was broken and codes published within a month after an alert from a victim, said Mr van der Wiel, a ransomware specialist. The publishing of the codes on the No More Ransom website has resulted in three times as many people unlocking their computers as those that paid the ransom. It meant the difference between the gang securing 70,000 euros and nearly 300,000, he said.
“The tools have been downloaded tens of thousands of times,” he said. “We just hope if we work together, it will become less popular. The only thing we can do is to go after servers, go after the bad guys and help the police as much as we can. Hopefully after some arrests, it will stop.
“It’s always difficult for police forces to share information, and that’s why we try to work together. I don’t need to know or want to know who the suspect is. But if they say – you should look at this sample, that’s the information I want.” The task is formidable, with attempts to identify and break ransomware programmes taking from a week to multiple years, said Mr van der Wiel, enough time to allow criminal start-ups to make millions of euros before shutting down operations to avoid capture and starting new scams.
The criminals have taken advantage of the willingness of individual users to pay money to get back precious photos and documents. If they fail to pay the gang and have not backed up their files, they face the prospect of losing them all. A Twitter poll run by F-Secure suggested that more than one third of people would pay a ransom to retrieve their data, with a small minority willing to pay a gang more than 800 euros for the service.
The prospect of such rich pickings has meant that three of the top four malware threats facing European states are ransomware, according to Europol’s organised crime internet threat assessment published last month. One security company, F-Secure, said that it was tracking some 100 ransomware gangs, the majority from Russia and Ukraine.
Attempts to limit their activities have been hampered by Russia’s unwillingness to cooperate in cybercrime investigations. It has opposed the 2001 Budapest Convention on Cybercrime, which binds the 50 signatories to seizing servers within 24 hours if requested by another country, and to allowing researchers to analyse the threat.
The head of Britain’s new national cyber security centre, Ciaran Martin, has spoken of adopting a more vigorous strategy against unnamed but “large-scale, non-sophisticated attacks” by using “offensive cyber capabilities”.
While most victims are individual desktop users of Windows, Europol warned of targets within industry, government and health care. Earlier this year (2016), a Californian hospital paid the equivalent of 15,000 euros in bitcoin after being targeted.