Right when internet users have learned to be wary of malware that encrypts files and holds them for ransom, security experts are warning that digital extortionists are taking more aggressive steps to get paid.
"You’re seeing different techniques with the goal of improving the conversion rates of people actually paying," says Jerome Segura, lead malware intelligence analyst at the security firm Malwarebytes.
Instead of simply encoding files so that users can’t access them, some blackmailers armed with a new kind of malware called doxware are threatening to leak potentially sensitive files to the public if a ransom isn’t paid, says Chris Ensey, COO of Dunbar Security Solutions.
"This is a very recent change in the tactics they’re using," he says, noting that they've appeared only within the past few months.
Dunbar has yet to see malware make good on threats to leak data, and Ensey says that at least some variants appear to display fake progress bars purporting to show data transfers to attackers’ servers without actually uploading any files. Storing and leaking files is logistically more difficult than just encrypting them on victims’ own computers, experts say.
But Ensey predicts that by next year there will be actual data leaks attributed to ransomware, if only to motivate more attack victims to pay the ransom.
"I would not guess that we’re far off from public examples of that," he says.
Previously, security experts advised companies and individual users to make regular backups of important files so they’d be ready to restore them if they were encrypted or damaged by malware. But that’s of less help if malware creators instead threaten to distribute information, potentially exposing companies to liability, or individual users to embarrassment or risk of identity fraud, he says.
"My thinking now is that organizations really have to focus on: How do we isolate sensitive or private information from places where ransomware tends to find itself?" he says. "You have to make it so it’s incredibly hard for that ransomware to touch or gain access to any kind of sensitive data through a standard channel."
Preventing leaks by computers infected with malware is ultimately similar to protecting data against insider threats. That means that organizations shouldn’t simply have an unencrypted network drive with confidential materials like sensitive business plans or medical records, Ensey says.
Earlier versions of ransomware have already struck institutions with large troves of mission-critical, confidential information, such as hospitals, which could be motivation enough for entities to pay to keep patient records from falling into the wrong hands. But individual consumers represent the bulk of ransomware victims, according to a report released in April by the security firm Symantec. People could feel forced to pay to safeguard anything from financial and medical documents to explicit pictures, particularly if ransomware attacks on smartphones become more common.
"The variants that are out today are mostly Windows-based, so it’s desktop computing," Ensey says. "If they can adapt it to mobile, I think then you might have an audience for this that would in fact pay the ransom."
Ransomware creators have recently gotten more aggressive in other ways, too, according to Segura, sometimes actually permanently deleting files rather than leaving them encrypted if victims don’t quickly pay up. Some malware varieties have also focused their energies on particular classes of files likely to be of interest, such as spreadsheets, and future attackers may well use more sophisticated prices to determine how much ransom to charge.
"It’s a business decision. Like marketers, how do you [set] the price?" Segura says. "Finding the sweet spots where people are willing to pay is really important to the economics of the ransomware business." That might mean charging more when it comes to victims with more apparent business documents or photos, or adjusting ransom amounts for targets in certain geographical regions.
Users looking to stay safe should maintain multiple backups to minimize the risks from disk-encrypting malware and keep sensitive information encrypted or off networked machines altogether. Once files are leaked, it can be difficult or impossible to remove them from the internet.
"If the information is published in some server that’s out of U.S. jurisdiction, for example, then having that information taken down is going to be very, very difficult," Segura says. That applies equally to business data and sensitive personal files like texts and photos.
"If you think you don’t want your mother or grandmother to see that picture, think about putting it somewhere secure, because you don’t want it leaked," he says.