Back to Basics: What is Ransomware-As-A-Service?

We often dig deeply into the details of specific strains of ransomware. However, sometimes we like to try and engage a wider audience by hitting the basics. Today, we’re going to get back to basics and talk about ransomware-as-a-service.

Let's get back to basics


You’ve probably heard about something “As-A-Service” before. The term most often comes up in relation to Cloud services, and examples include Software-As-A-Service (SaaS – e.g., Microsoft Office 365, Google Apps, etc) and Infrastructure-As-A-Service (IaaS – e.g., Amazon Web Services (AWS), Rackspace Managed Cloud). In short, the “something” is owned by someone else and provided to you when and where you need it.

By simply using the service, someone else can be responsible for its maintenance, security and correct operation.

Service - with a smile?

So Why Ransomware?

All of the above “As-A-Services” seem useful, so why Ransomware-As-A-Service? A quick read of our article on Halloware gives a hint. Writing ransomware is not hard, but ensuring that this malicious software runs stably across every possible distribution of Windows takes significant skill.

Ransomware-As-A-Service is for attackers who don’t want (or lack the technical expertise) to deal with software maintenance and interoperability issues. By outsourcing the technical challenges of writing ransomware, attackers can focus on other issues including distribution and collecting their ill-gotten gains.

What’s the catch? Like most other “As-A-Services”, there’s a cost. Attackers typically have to either pay up-front for their own variant (most common) or pay a portion of each ransom to the original authors.

How Do You Stop It?

Ransomware-As-A-Service is increasingly common. Well-known families include Satan, Halloware, Saturn, and Data Keeper. Unsurprisingly, CryptoDrop was able to stop each and every one of these strains on the first time that we encountered them. Even when such ransomware employs sophisticated mechanisms and defenses, CryptoDrop stops it.

CryptoDrop stops Saturn

The ransomware space moves quickly. Professional software developers build, maintain and update custom families that regularly evade traditional anti-virus detection systems. That means you need protection beyond what you probably have in place.

Give CryptoDrop a try. Download us for free today, and consider trying our Fast Recovery Edition (which can get back any files lost before detection in seconds).

Join us – We Stop Ransomware.



Halloware Ransomware is Dead

A few months ago we did a deep dive on Halloware ransomware. Halloware was notable for both being ransomware-as-a-service and for its low, low price to wanna-be attackers ($40). While most other folks have moved on, we continued our monitoring of this ransomware for the last few months. Today, this campaign appears to be dead.

Halloware – We Totally Knew Ye

Why Do We Care About Dead Ransomware?

Ransomware is a fast-moving space, with new samples and variants popping up almost daily. Accordingly, in order to fully understand the threat landscape, we need to understand what worked for attackers, and what didn’t. Halloware is a case of the latter.

A snapshot (taken in Feb 2018) of the Bitcoin wallet used in the Halloware campaign.

We feel comfortable calling Halloware dead for a few reasons. First, we have been using multiple email accounts to talk to the author of Halloware since we first reported on it in December. All communications have broken off, and the author has not responded to any new requests in over a month. Second, our sensors have not detected any new infections since our original article, meaning that the author does not seem to be actively pushing this variant. Finally, it doesn’t seem like the author of this piece of ransomware was making any money (more on this later).

Who Was This?

A number of outlets reported that the likely author of Halloware was a teenager going by the name Lucifer. Researchers quickly determined that the author was likely a student living in Northern India. By playing the part of ransomware victims, we were able to learn a lot more from Lucifer. We were able to confirm much of this simply by talking to him.

Problems with OPSEC continued during our interactions with Lucifer. For instance, we received the same Bitcoin wallet address in response to every  unique personality we used to contact him. That allowed us to monitor Lucifer’s campaign from inception to death. To the best of our knowledge, Lucifer didn’t receive any payments (see the picture above).

Like every other piece of ransomware we have ever seen, CryptoDrop stopped Halloware.

We believe that this was in large part due to the unstable nature of Halloware. As mentioned in our previous article, this particular strain of ransomware crashed on most of our test machines. That means that very few machines even had an opportunity to be impacted. For the few configurations that did allow Halloware to run, CryptoDrop stopped it in every case.

In our communications with Lucifer, it was pretty clear that things were not going well. While we encouraged him to release a decryptor, he insisted that he needed to make a small amount of money first for school expenses.

Shortly after that, all communication with Lucifer ended across all accounts. Additionally, nobody (including us) has seen any updates to this variant.

Lessons Learned

Building ransomware is easy – all you have to do is create an executable that traverses the file system and encrypts every file it sees. This isn’t outside of the skillset of a first year computer science student. Getting that code to work in a stable fashion across many different Windows systems without the necessary dependencies is harder and takes some practice.

Actual error message from Halloware execution.

The point is that you should expect to continue seeing ransomware. Even though Halloware was poorly written, it accomplished its mission if you happened to be unlucky enough to have a system with the right configuration. With slightly more experience, Halloware could have been a much bigger deal. Assuming that Lucifer keeps up his studies, he might very well be back in the near future.

Don’t have the money to pay ransom? Don’t have the time to deal with your files being stolen from you? Give us a shot. CryptoDrop has stopped every single piece of ransomware that we have seen, and on the first time we tested them. You can try us for free today. When your antivirus fails, We Stop Ransomware.



CryptoDrop Interview: Anatomy of a Ransomware Attack

Stop Ransomware with CryptoDrop

We’ve all heard about ransomware – the bad guys lock up your files using strong encryption and then force you to pay thousands of dollars to get them back. That sounds scary in theory. But what does a real ransomware attack look like?

Our CEO sat down with an old childhood friend whose business was recently hit by ransomware. We’ll protect his and his company’s name, but let’s call this friend Robert. Everything else about this interview is true.

Robert works for a software company that employs approximately 100 people, and serves as a manager for the software team. He doesn’t explicitly work in security, but regularly interacts with his company’s security team. Robert’s story should be best-case – a knowledgable staff with the resources to prevent such attacks.

Unfortunately, as you’ll see, ransomware causes unbelievable damage to even the best-prepared companies.

Do you have anti-virus software running in your company?

Yes, we run [a major AV program] on all of the workstations. We are also running the same company’s products on our servers. We keep that software up to date, but it was unable to prevent our systems from being infected with ransomware.

Lots of people point to backups as a solution to ransomware. Do you have backups?

We are supposed to have warm and cold backups of all of our critical infrastructure. In the case of our database server, the warm backup was also corrupted and the cold backups were not there. To this day, we don’t know for sure whether they were deleted as a part of the attack or if they weren’t being created and simply no one noticed.

People think that backups are a simple solution. They aren’t. Actually making sure that all important data gets backed up is hard. I’m still surprised how much data in devices like laptops just doesn’t make it into the backup schedule. Even when they do, restoring full systems can take days.

Ransomware Protection

What was the impact on your company?

We were offline for 3 days, which means customers had no access to the site. It crippled not only our production infrastructure but also our development servers and even our individual workstations, all of which had to be rebuilt. It probably set development back on major projects at least 8 weeks.

We still aren’t 100% back (three months later), although part of that is due to the (necessary) stricter network security that was put in place after this that development now has to work around.

How long did it take to recover, and approximately what did it cost?

Well, as previously mentioned we are still dealing with the aftermath, although at this point it is mostly minor things. It took us about 60 hours to bring the production site backup. That involved our IT staff (4 people) working pretty much around the clock. After that, I’d say it was a good 3-4 weeks of rebuilding critical infrastructure to get us at least 90% of the way back. We’re still working on the last 10%.

Between lost sales, the new infrastructure we needed to buy, and person time, I’d say this easily cost us in the $500k range. If you add in the lost development time and the delay in delivering major projects, you could probably argue it’s closer to $750k or more.


Did your IT staff make any changes afterwards? How are you protecting yourselves against the next attack?

Yes, the network and all production infrastructure was rebuilt from scratch. The production network is now much more isolated than it was before. We changed our patching policies so that critical patches get applied pretty much immediately. We are also engaging with a firm to do a full security audit of our IT infrastructure and will make additional changes based on the outcome of that.

Do you have any advice for others who may have this problem?

I think the thing that we realized very quickly after the initial attack ended was that we were in a true disaster recovery (DR) situation. We thought we had a good DR plan in place but when faced with executing it, it was clear we were completely unprepared. We had antivirus software from a top firm and we were infected anyway. Our backups failed to protect all of our data. Even without paying the ransom, the real costs and lost revenue of this attack were huge.

My advice for another firm is to take DR seriously, to make it a priority, and to actually practice executing your DR plan on a regular basis to make sure that it will actually work.

TastyLock Ransomware – A Closer Look

We hope that you took some downtime over the last few weeks. Unfortunately, ransomware campaigns did no such thing. Let’s take a look at one of the nastier variants we have seen lately: TastyLock.

TastyLock: Technical Details

TastyLock is not an entirely new breed of ransomware. Instead, it appears to be part of the CryptoMix/CryptoWall family tree. Like CryptoMix/CryptoWall, TastyLock encrypts files on victim machines using AES in CBC mode with a random 256-bit key. The ransomware then changes the filetype/extension to “.tastylock”, before displaying the victim a text file ransom note called “_HELP_INSTRUCTION.txt”.

When all of these factors are taken together, you shouldn’t expect to see a decryptor available for this particular variant.

TastyLock Ransom note.
TastyLock Ransom note.

Communications and Network Behavior

Like many other pieces of ransomware, TastyLock tells victims to email them a specific code (shown above). We’ve heard that the malware authors were originally requesting one Bitcoin (roughly $16,000 on Jan 1, 2018) for the decryption keys.

Even if you decide to pay the ransom to get your files back (and we hope you don’t need to consider that because you’re running CryptoDrop – see our results below), you’re unlikely to be able to actually do so. While the email address used by the attackers still seems to be receiving email, none of our requests were responded to by the authors. That means that while the ransomware is still lurking out there (we’re seeing it in a small number of our sensors), no payment will get your files back.

How Did CryptoDrop Do?

As always, we ran this sample of ransomware against CryptoDrop. TastyLock wasted no time trying to encrypt our files, but it was no match for our software. We had no difficulty detecting the attempts to encrypt files, and put the system into lockdown mode.

CryptoDrop stops TastyLock

TastyLock aggressively attempts to kill Windows Defender, making any new versions of this ransomware particularly dangerous. Better to protect yourself against this variant than to just hope it simply goes away.

CryptoMix/CryptoWall has been around for quite some time, and is one of the more successful campaigns. While we do not expect many people to be hit by this particular variant, it is safe to bet that new variants will be seen in the near future. Not to worry though – CryptoDrop will protect you against those, too.

Still not running CryptoDrop? Give us a shot – we’ve stopped every piece of ransomware that we and independent lab AV-Test has thrown at us. When traditional anti-virus products fail (or are attacked, like we saw here), CryptoDrop gives you an extra layer of protection. Try out our Free version today, and use our Fast Recovery version to restore any lost files and get back in business in seconds.

We Stop Ransomware!

Napoleon Ransomware – A Worldwide Danger

Napoleon Bonaparte is well known for conquering large parts of Europe in the early 19th century. Napoleon ransomware looks like it is trying to do the same in the 21st.

CryptoDrop spent part of our winter vacation studying this piece of ransomware. Let’s take a look under the hood together.

Technical Details on Napoleon

Napoleon is believed to be a variant of the Blind family of ransomware. Files on infected machines are encrypted and have their type/extension changed to “.napoleon”. This strain uses AES to encrypt files on the infected machine, and previous weaknesses in the Blind family that allowed for victims to decrypt without paying seem to have been addressed.

Our tests of Napoleon also exhibited no outbound DNS resolutions, meaning that network-based defenses are unlikely to help.

Bottom line: Prevention is the only defense against Napoleon.

Ransom screen
Napoleon ransom screen.

Communications and Network Behavior

Unlike many other recent samples of ransomware, Napoleon does not rely on the use of Tor hidden services (a.k.a. “The Dark Web”) to hide the activities of its administrators. Instead, this ransomware makes use of two different anonymous email services: and is a free, read-only email service that bills itself as a free and easy means of performing account sign-up without giving up your real email address. As such, it is not possible to send emails using this service. randomly generates addresses and has no passwords. Instead, users simply go to the page and bookmark their account, which attempts to refresh every few seconds. If a user navigates away from the site for more than 24 hours, the service deletes all.

That’s a fairly precarious way to set up a payment network – failure to refresh or a lack of login means that payment requests may be lost. Still, the authors of this ransomware appear to be having no problem finding vulnerable machines.

The administrators of Napoleon also offer a back-up email address at the domain, “[o]nly in case you do not receive a response from the first email address witit [sic] 48 hours”. has been used for anonymous communications in the past, including fake bomb threats against Los Angeles County and New York Public schools. That doesn’t mean that this website doesn’t have legitimate uses; rather, that it has regularly been the subject of subpoena and is still being used by adversaries for bad behavior.

Either way, you’re unlikely to be able to track down who is responsible for Napoleon any time soon.

CryptoDrop to the Rescue

CryptoDrop stops Napoleon
CryptoDrop stops Napoleon

As always, we ran this piece of ransomware against CrytoDrop. And again, as always, CryptoDrop detected Napoleon and stopped it before it could do much damage. Specifically, our Free version detected Napoleon after it encrypted 15 files. Our Fast Recovery Edition restored all of those files in about one second.

Napoleon Bonaparte was ultimately stopped by a coordinated defense (with the help of a cold, Russian winter). Protect yourself against ransomware with the same thing (but please, skip the frostbite). Grab a copy of CryptoDrop today! We Stop Ransomware!


Who Is Writing Ransomware?

In this post, we’re looking at why ransomware is being written and who is doing it. We think you’ll agree after reading this, you’ll see why it’s necessary to have CryptoDrop running on your computer as well.

Nation States

Perhaps the most newsworthy event regarding ransomware over the past few days was when President Trump’s administration declared that North Korea was behind the WannaCry ransomware attack. You might have been surprised to hear this, and you may be even more surprised to know that this was something that many in the security community had assumed to be the case for the past few months. In fact, an article in the New York Times looked at how North Korea has been using the Internet for criminal enterprises including writing ransomware. It is estimated that the amount of money per year made for the North Korean government ranges from hundreds of millions up to a billion dollars per year. This represents one-third of the value of all of North Korea’s exports. It’s clear that ransomware not only brings in money but funds the country’s military ambitions.

It also appears that North Korean hackers can be found in countries around the world. While physically stationed in India, Malaysia, and other location, these hackers use proxies around the world to obscure from where their traffic truly originates. What is particularly damaging about these reports is that the ransomware exploits being written have been in some cases built on top of cyber-weapons stolen from the National Security Agency.

Criminal Gangs

Ransomware isn’t just coming from national governments. International gangs of cyber criminals have partnered with botnet owners to launch ransomware attacks. Botnets, or a network of compromised machines controlled by an attacker, make many things difficult for defenders. For instance, the identity of the real attacker not immediately obvious because the source of attack traffic is likely a compromised desktop machine owned by someone else. Additionally, because some botnets contain millions of compromised hosts, shutting down one source does little to stop the overall campaign.

One particularly successful example is the Necurs botnet. While Necurs is years old at this point, it is regularly being used to distribute new ransomware variants, such as the GlobeImposter ransomware that we discussed a week ago.

Regular Programmers

Not every piece of ransomware that we’ve examined comes from a sophisticated attacker – some come from novice programmers.

As we showed in our analysis of Halloware, some pieces of ransomware are so badly written that a victim couldn’t pay a ransom if they decided to do so. In Halloware, the payment link to buy the decryption key was broken and a “Failed to execute script virus” message appeared on victim machines! It seems likely that the author, in identifying himself as a 17-year old college student, wasn’t lying. We’ll provide more information on this case soon.

However, Halloware proves the exception, rather than the rule. The days of malicious attacks being made solely by a teenage kid in their parent’s basement are over. Nowadays, ransomware is being written by  well funded attackers. From criminal gangs running sophisticated international operations, to attacks such as WannaCry that have the power of a nation-state behind them, ransomware is a global threat.

What can you do against such sophisticated attackers?

Protect Yourself

CryptoDrop stops not only WannaCry, but every other ransomware exploit we’ve tested against. But we can only help keep your machine safe if we are running before the attackers arrive. Save yourself the headache and cost of trying to get your data back – download our Free or Fast Recovery versions today!

Ransomware is a real and serious threat, but with CryptoDrop, you can rest easy. At CryptoDrop, We Stop Ransomware.

Globeimposter Ransomware – CryptoDrop’s Analysis

This week, we took a deeper look at Globeimposter ransomware. Let’s start off with a quick look at how CryptoDrop fared against it:

Globeimposter Ransomware
Globeimposter Ransomware

Unsurprisingly, we were able to stop Globeimposter the first time we saw it (just like every other sample we have ever tested). In our experiments, this ransomware was able to encrypt 9 files before CryptoDrop intervened, and we were easily able to get them all back in seconds with Fast Recovery.

Source and Background

Like Scarab before it, Globeimposter is being distributed by the Necurs botnet. If you’re not familiar with Necurs, this is a fairly large botnet that has been the source of signifiant malicious behavior since at least 2012. Between spam and a long history of ransomware, you don’t want to receive anything this botnet might be sending out. IBM has a nice write-up about its history here.

Globeimposter has been seen during 2017, but new variants are popping up regularly throughout the final months of the year. As such, while traditional anti-virus engines may protect you from the previous variants, they may not yet have seen yesterday’s or today’s samples.

Technical Details

Globeimposter is different than the other strains of ransomware we have discussed so far on the blog. Previous strains have all required a network connection, with most connecting over Tor to a hidden service (a.k.a. “The Dark Web”). The Globeimposter samples we analyzed had no network behavior.

Personal ID generated by Globeimposter (intentionally obscured). Victims must provide this code to the attackers in order to get their data back.

Why is that important? Many available ransomware solutions rely on identifying malicious traffic and dropping it, generally causing the ransomware to stop its operation. Globeimposter easily circumvents such defenses. When the attack completes, victims are provided a “Personal ID” that they must include in their email to the attackers. That ID is then used by the attackers to regenerate the AES-256 key used to encrypt the victim’s data.

Ransom notice from Globeimposter

Victims also receive the above ransom message, which includes instructions on how to contact the attackers. So what’s different here? The attackers have established a private email account with the service ProtonMail. ProtonMail bills itself as a secure and private alternative to Gmail and other traditional services. Located in Switzerland (intentionally outside of US and EU jurisdiction, and allegedly “underneath 1000 meters of solid rock”), legal requests against accounts at ProtonMail must pass through the Swiss court system. Account holders targeted by such requests are alerted and may appeal, thereby delaying any action.

The take-away here is that bad actors may be able to use ProtonMail for long periods of time before legal takedown methods can be applied. In short, you can expect this campaign to run for quite some time.

There is some irony in ProtonMail playing unwitting host to the Globeimposter ransomware campaign. In 2015, ProtonMail was hit by a massive distributed denial of service (DDoS) attack by a group known as the “Armada Collective”. ProtonMail ended up paying the ransom of 15 Bitcoins (worth approximately $6,000 at the time, and over $250k today). The bad news? The DDoS attack didn’t stop after the ransom was paid.

That should serve as a useful reminder when it comes to ransomware: If your strategy incude is paying the ransom, you will not necessarily get your data back.

Final Thoughts

We’d rank Globeimposter as one of the more sophisticated pieces of ransomware we’ve analyzed. The fact that variants keep appearing and that Globeimposter is being pumped out by the Necurs botnet means that this ransomware is likely being regularly updated and maintained. That means that you should expect to see future variants ending up in your inbox or download folder.

Want to stop this and all other variants of Globeimposter? Give CryptoDrop a try. Think of us as your first line of defense against this increasingly nasty and common strain of ransomware. Installing our Free or Fast Recovery editions today could eliminate the massive headache and cost associated with recovering from a ransomware attack.

At CryptoDrop, We Stop Ransomware!


How Does Ransomware Infect Your System?

We’ve had a few questions here at CryptoDrop about how we protect your files once ransomware is on your system. The previous blog entry points to an article that we wrote that talks about this in some detail. But a more important question you might have is, how can ransomware infect my computer in the first place?

We’re going to talk about some of the ways this can happen in this article. Ransomware writers are very crafty and use all sorts of techniques to find their way onto your computer. We’ll consider a few approaches, or “attack vectors” as we call them, now.

Infecting You From A Remote Connection

Some ransomware that we have analyzed tries to make connections with services running on your computer. You typically use your computer to connect to others in order to get information, for example through the Web or email. In some other cases though, you might have software running on your computer that allows others to connect to you. For example, you might have a program running that lets you access your computer’s desktop from your work computer, or you might be running a program such as BitTorrent. You may not even know such programs are running.

Some ransomware finds systems that are advertising these remote services and looking for vulnerabilities in them, so that they can attach to your computer and exploit those vulnerabilities to infect your system. In short, ransomware can get on your system without you doing anything but turning on your machine.

Infection Through Attachments

In other cases, you aren’t presenting any remote services to the outside world, but ransomware still finds its way in. This can happen through malicious attachements in your email. You might open a Microsoft Word file, or a PDF document, that contains malicious data. The act of opening the file can cause scripts to run that allow ransomware embedded within these files to infect your computer.

Sometimes the emails can appear to be very legitimate, looking as through they come from someone you know with personal information about you in order to make them more believable. It only takes the one click on those files to start up the ransomware, no matter how honest the file appears to be.

Infection Through Websites

Just like with email, sometimes malicious code can be downloaded to your computer without you realizing it. You might see a web forum posting disguised as helpful information to download a file, and sometimes the fact that you’re downloading something isn’t even clear in the first place. Once the code is on your computer, the ransomware can begin encrypting your information.

Infection Through Devices

Sometimes the infection might not be because of anything that you accessed from your computer, but can be the result of malware being transmitted from something that you received from someone else, such as a USB flash drive. When you plug in the device, that process can cause the malicious code to run and the ransomware to be installed on your system.

Be careful when using USB devices – attackers have been known to drop them in parking lots outside of targets!

How To Protect Yourself

There are ways to minimize your exposure to malicious code. However, it is often the case that information looks completely legitimate and yet contains ransomware. While it is important to be careful about what gets transmitted and run on your computer, it is very difficult to be right all of the time. Even experts get fooled!

Fortunately with CryptoDrop protecting your system, we provide the layer of defense that will stop a ransomware infection whenever it starts running on your machine. We have tested our software against huge numbers of ransomware variants and have never failed to stop them quickly. With our Fast Recovery Edition, we can roll back any changes that ransomware might have made to your files, ensuring that none of your data is lost.

We know how hard it is to defend against all of these threats, so let CryptoDrop be your protection, because at CryptoDrop, We Stop Ransomware.


Soaring Bitcoin and Its Impact on Ransomware

Just about everyone has heard about the soaring price of Bitcoin. The value of this cryptocurrency has risen over 1500% in 2017 (nearly tripling in the last month alone), and its growth shows little hint of slowing.

We’re not taking a position on the value or utility of  any cryptocurrency. Ultimately, the market will decide if Bitcoin will continue to grow as decentralized and un-censorable platform or simply fade away rapidly if/when the bubble pops. That said, we think you have reason to care.

Bitcoin and Ransomware

Like it or not, Bitcoin matters to you today for one main reason: ransomware. It’s the favorite payment platform of ransomware authors because it’s pseudo-anonymous (there are lots of ways to determine identities affiliated with Bitcoin wallets, but we leave that discussion to another day). Unlike traditional payment methods, Bitcoin is also difficult to block. While law enforcement and traditional financial institutions long worked together to stop payments to criminal operations, such cooperation has had little success in the cryptocurrency ecosystem.

Bitcoin is not the only cryptocurrency ever used by ransomware. CryptoLocker used LiteCoin through at least 2015. CradleCore (a “Ransomware-as-a-Service” platform) has built-in support for Ethereum and Monero. There’s no technical reason why any of these “alt-coins” can’t be used for ransom payments.

So why is Bitcoin king of cryptocurrencies for ransomware payments? Two reasons: First, Bitcoin is a brand, just as much as Visa, Mastercard or Western Union. Granted, Bitcoin isn’t owned by any single centralized entity, but ransomware authors benefit from regular people knowing about this particular payment platform. If ransomware victims have faith that Bitcoin is a reliable means of getting funds to their attackers (and ultimately getting their data back), payments are more likely to be made. Second, with the price of Bitcoin skyrocketing, a payment of $1000 today may be worth far more in a month. That means that every Bitcoin paid to the attackers is likely to be worth far more when they eventually decide to cash out. Imagine if your bank account accumulated interest at the same pace as the price of Bitcoin has surged!

The Problem with Success

The skyrocketing price of Bitcoin may not actually be a benefit to the ransomware ecosystem. To understand why, let’s start with a look at the Bitcoin Mempool over the past few days.

Johoe’s Mempool Statistics:

If you’re not familiar, the Mempool is basically the waiting area for Bitcoin transactions. All unconfirmed transactions wait here until a miner decides to include them in a block (which is ultimately included in the public ledger or “blockchain”). All that talk about Bitcoin in the past few days has dramatically increased transaction volume, and the graph above shows between 100k and 225k transactions waiting to be made official.

Is this normal? Let’s take a more historical perspective:

Johoe’s Mempool Statistics:

The three-month view shows us that volume is exceptionally high at the moment; however, there is no reason to believe that we have not reached a new normal. The trend-line continues moving upwards.

Ok, so Bitcoin is being exchanged more often. So what?


This graph shows the average confirmation time for Bitcoin transactions over the past month. The most critical points in this graph are the spikes up around 1,200 minutes. That’s 20 hours. Remember, too, that this is an average, meaning that larger transactions tend to be serviced in the Mempool more quickly, whereas those for just a few hundred dollars (i.e., fractions of a Bitcoin) may languish for much longer.

That is one busted clock… goodbye, decryption keys…

Most ransomware has a hard deadline of 24 hours before the bad guys delete the decryption keys. That means that even if you are sitting at your computer when the attack happens and immediately decide to pay the ransom, you may not be able to pay the attackers in time to get your data back. Hesitation essentially ensures that your transaction won’t be confirmed before the deadline. While many things paid for in cryptocurrencies don’t necessarily need to be settled immediately, the ticking clock that is ransomware puts pressure on the need for near-to-real-time transactions.

Disruption in the payment ecosystem means there’s in increased risk of disruption in the ransomware ecosystem.

What Can We Expect?

The only constant here is change. At the moment, ransomware authors have three main options:

  1. Extended Deadlines: It’s possible that ransomware authors collectively decide to give their victims 48 hours instead. However, if Bitcoin continues to grow in popularity as we have seen over the past year, transaction throughput will easily become a choke-point again. We think this approach is plausible but unlikely because extended time decreases the “impulse effect”. That is, victims are potentially less likely to pay the ransom because they have time to think about their decision (and potentially find copies of some of their data).
  2. Switching to Alt-Coins: Alternatively, ransomware authors could start using alt-coins (e.g., LiteCoin, Ethereum, Zcash, etc). This response is also risky, given the loss of both the surging price (although some others are also increasing) and loss of brand recognition.
  3. Raising Ransoms (via transaction fees): Finally, ransomware authors may simply raise their prices (if only via telling victims to pay transaction fees at an increasingly high rate) to ensure that their transactions are chosen more quickly in the Mempool. The risk here is that paying the ransom becomes entirely unreasonable in the eyes of victims, reducing the overall payout received by the bad guys.

We certainly don’t expect ransomware authors to quit simply because of volatility in their preferred payment platform. We also want to remind you that even when payments are handled swiftly that there paying a ransom provides no guarantee of getting your files back. However, we’ll be watching to see how they react.

Final Thoughts

Regardless of your opinions on the long-term success of cryptocurrencies, you have to pay attention to this space. Payment platforms are tremendous influencers of traditional businesses – think about how few people in the United States go into gas stations since the near universal deployment of pay-at-the-pump. There’s no reason to believe that cryptocurrencies won’t continue to impact how ransomware authors operate.

The best way to ensure that the rapidly fluctuating Bitcoin ecosystem doesn’t impact your decision or ability to pay ransom is to take steps to never have to pay it. Protect your data. Grab a free copy of CryptoDrop today, and consider using our Fast Recovery Edition to get your files back in seconds.

We Stop Ransomware


LockCrypt and the Attack on Mecklenburg County, NC

Some of you have heard about yesterday’s ransomware attack in Mecklenburg County, North Carolina (a municipality in the Southeastern United States). LockCrypt, a variant that is believed to have evolved out of the Satan ransomware, is responsible. You can read a more in the headlines here (International Business Times) and here (USA Today), but the attackers are demanding 2 Bitcoins for the files to be decrypted (which is approximately $26,000 at the time of this article). County administrators have not yet ruled out paying the ransom.

So why is this one worth writing about? LockCrypt is nasty, and quite sophisticated. This one is likely to continue doing damage for quite some time to come.

Let’s cover the standard set of technical details first. LockCrypt creates a unique AES-256 encryption/decryption key for every victim. This key is tracked by assigning a unique ID number. That means that even if you or a colleague pay to decrypt files on one machine, you can’t use those keys to decrypt files on another machine. Early strains of ransomware often did not take this step, which is how the community was able to make so many decryptors early on. The bad news here is that if find your files encrypted by LockCrypt, you’re unlikely to be able to get help cracking that encryption.

How do you get your files back if you pay? LockCrypt sends the AES-256 key associated with your ID to a server. If you decide to pay the ransom, you provide the ID and the attackers will allegedly give you back the right key and a means of using it (a “decryptor” program). Based on the IP address, the server appears to be located in Tehran, Iran; however, as we always caution our readers, that does not necessarily mean that the attackers are located there. Instead, they may simply have attacked and compromised a machine in that location, making it very difficult to determine who and where they actually are.

LockCrypt appears to spread largely via the Remote Desktop Protocol (RDP), which means that if you have one machine that is vulnerable, you likely have many. The attackers behind LockCrypt appear to be attempting to “brute force” their way into machines, which is just a technical term for “scan the entire Internet and see which unprotected machines let them execute their ransomware”. However, USA Today claims that this particular infection arrived via email, and a single user opening this malicious attachment appears to have been enough for LockCrypt to spread throughout the entire organization (~50 machines appear to have been infected).

LockCrypt is Nasty

All of this is bad enough, but it’s what comes next makes LockCrypt really nasty. LockCrypt attempts to attack your defenses. Running anti-virus software? LockCrypt tries to kill it. Only after LockCrypt has gutted your defenses does it try to encrypt your files. Here’s a copy of the ransom note victims receive (with the ID changed):

LockCrypt Ransom Note

Ok – so how did CryptoDrop fare against LockCrypt? Not a single file was encrypted. Why? While LockCrypt attempts to kill lots of non-Windows processes, we built extra defenses into CryptoDrop to make it difficult to turn off our software. While we did this in the early phases of our design process, it was done precisely for days like this. Even with administrative access, LockCrypt simply does nothing to your files if CryptoDrop is installed.

Task Manager

County operations in Mecklenburg, North Carolina are likely to be severely disrupted over the coming days. Even if the county managed not to lose any data, the cost of rebuilding their infrastructure will be significant in both time and dollars. What city or business has the time and resources to drop all of there regular tasks for an unplanned rebuilding their IT infrastructure?

It’s not enough to hope that the bad guys won’t hit you – LockCrypto is out there actively scanning for you. And it’s not the only one. The bad guys are writing increasingly sophisticated ransomware, and protecting yourself before they hit is absolutely critical.

CryptoDrop has stopped every sample of ransomware we’ve ever seen, and done so on the first time we’ve seen it. Our patent-pending approach is fundamentally different than what traditional anti-virus software provides. Best of all, you can try it for free. Help protect your data, and help our start-up bring game changing technology to the fight against ransomware.

We’re CryptoDrop. We Stop Ransomware.