Who Is Writing Ransomware?

In this post, we’re looking at why ransomware is being written and who is doing it. We think that after reading this you’ll agree it’s necessary to have CryptoDrop running on your computer as well.

Nation States

Perhaps the most newsworthy event regarding ransomware over the past few days was when President Trump’s administration declared that North Korea was behind the WannaCry ransomware attack. You might have been surprised to hear this, and you may be even more surprised to know that this was something that many in the security community had assumed to be the case for the past few months. In fact, an article in the New York Times looked at how North Korea has been using the Internet for criminal enterprises including writing ransomware. It is estimated that the amount of money per year made for the North Korean government ranges from hundreds of millions up to a billion dollars per year. This represents one-third of the value of all of North Korea’s exports. It’s clear that ransomware not only brings in money but funds the country’s military ambitions.

It also appears that North Korean hackers can be found in countries around the world. While physically stationed in India, Malaysia, and other locations, these hackers use proxies around the world to obscure where their traffic truly originates. What is particularly damaging about these reports is that the ransomware exploits being written have in some cases been built on top of cyber-weapons stolen from the National Security Agency.

Criminal Gangs

Ransomware isn’t just coming from national governments. International gangs of cyber criminals have partnered with botnet owners to launch ransomware attacks. Botnets, networks of compromised machines controlled by an attacker, make many things difficult for defenders. For instance, the identity of the real attacker is not immediately obvious, because the source of attack traffic is likely a compromised desktop machine owned by someone else. Additionally, because some botnets contain millions of compromised hosts, shutting down one source does little to stop the overall campaign.

One particularly successful example is the Necurs botnet. While Necurs is years old at this point, it is regularly being used to distribute new ransomware variants, such as the GlobeImposter ransomware that we discussed a week ago.

Regular Programmers

Not every piece of ransomware that we’ve examined comes from a sophisticated attacker – some come from novice programmers.

As we showed in our analysis of Halloware, some pieces of ransomware are so badly written that a victim couldn’t pay a ransom even if they decided to do so. In Halloware, the payment link to buy the decryption key was broken and a “Failed to execute script virus” message appeared on victim machines! It seems likely that the author, in identifying himself as a 17-year-old college student, wasn’t lying. We’ll provide more information on this case soon.

However, Halloware is the exception rather than the rule. The days of malicious attacks being made solely by a teenage kid in their parents’ basement are over. Nowadays, ransomware is being written by well-funded attackers. From criminal gangs running sophisticated international operations to attacks such as WannaCry that have the power of a nation-state behind them, ransomware is a global threat.

What can you do against such sophisticated attackers?

Protect Yourself

CryptoDrop stops not only WannaCry, but every other ransomware sample we’ve tested it against. But we can only help keep your machine safe if we are running before the attackers arrive. Save yourself the headache and cost of trying to get your data back – download our Free or Fast Recovery versions today!

Ransomware is a real and serious threat, but with CryptoDrop, you can rest easy. At CryptoDrop, We Stop Ransomware.

2 thoughts on “Who Is Writing Ransomware?”

  1. In the description of How It Works, I find the words “suspends the application” (point 3) a bit vague. By “application” is meant the malicious Ransomware code?

    1. Thanks for the question, Leon!

      You are correct – CryptoDrop suspends the ransomware code and also disallows it from accessing files in the future (if “Lockdown” is chosen). Thanks for using CryptoDrop!
