Scareware trends and expected developments
While malware such as viruses, worms and Trojans strives to remain hidden from view for as long as possible, scareware (rogueware and ransomware) aims to be as noticeable and intrusive as it can possibly be.
While rogueware (mostly fake AV solutions) does its utmost to scare and annoy, ransomware thrives on fear of loss of important data, criminal punishment and, most of all, public embarrassment or hostile judgement – especially when it comes to accusations that can negatively impact the remainder of the victims’ lives.
Looking at that difference from a psychological point of view, it’s obvious why ransomware has overtaken rogueware as cyber crooks’ preferred method of parting users with their hard-earned money.
“Until 2012, scareware described rogue antivirus or fake defragmentation utilities. Aided by the increasingly prominent Downadup / Conficker worm that would lay the groundwork for the rogue AV, or by the more active and popular Pushdo botnet, fake AV has thrived on the sentiment of fear induced in regular computer users. The partial decay of the Conficker botnet, paired with antivirus vendors’ programs to educate users on how to spot fakes, cut into the rogue AV business. Improved detection has also made it harder for samples to hit the computer and fetch their payload from the web,” Catalin Cosoi, Chief Security Researcher at Bitdefender, explains the circumstances of rogueware’s rise and fall.
“But, this prolific business with hundreds of millions of dollars per year in revenue has not died out. Rather, it shifted to a newer, more effective business model: ransomware.”
“Rogueware was a profitable way of extorting people, but it needed more work done by criminals as they had to create fake antiviruses,” points out Director of PandaLabs Pedro Ur?Âa. “Even if they didn’t detect anything they had to hire someone to create the different interfaces, etc. To pay them, they had to create websites that pretended to be legit in order to fool the users. However, ransomware is pretty simple, all the ‘look and feel’ relies on a static screenshot that is downloaded once you get infected.”
“Rogueware was hyped a lot, so it’s probable that most users heard about it and by now know what is the correct way to react. Also, the bad guys could ask only a modest price for the fake software. They had to stay within the price span that standard AVs go for, or risk raising the victims’ suspicions,” adds Jindrich Kubec, Threat Intelligence Director at Avast. “Lockers/ransomware does not have this problem.”
“Fake AV continues to look and act much the same as it did many years ago, whereas ransomware is being circulated across platforms such as Microsoft’s Skype IM and VoIP platform, displaying graphics for local police forces depending on the location of the victim and even experimenting with moneymaking models. It wasn’t too long ago that we saw ransomware using surveys as a hook to force the hand of a user instead of asking for a flat $200 fee to ‘unlock’ a compromised machine,” shares Christopher Boyd, Senior Threat Researcher at GFI Software.
“Over the past year, the number of traditional fake Antivirus applications we’ve seen in the wild has decreased, from a peak of 225 rogues in 2011 to 149 in 2012, with numbers flat lining towards the end of last year. From March to June 2012, rogue application totals went as high as 30 per month – by September to November, we were down to as few as one. Ransomware, however, shows no sign of slowing down and is definitely the current King of Scareware.”
Cosoi attributes cyber crooks’ preference for ransomware partly to smaller development costs, and partly to the way it affects users. “While some users can bear pop-ups and warning messages on their desktop, the frustration caused by the locked desktop – paired with fear of law enforcement punishment – results in higher ‘conversion rates’ than those for fake AV.”
He also points out that ransomware is extremely difficult to remove because a locked desktop means the victim can’t run removal utilities, access Windows Registry or Task Manager. The fact that the newly released Windows 8 does not have a Safe Mode option will only make the removal more difficult.
In a typical ransomware scenario, victims have the data on their machine encrypted and their desktop blocked, and are shown a message (usually impersonating the nation’s police) informing them that copyrighted / illegal content has been detected on the machine.
“When it comes to ransomware, cyber crooks leverage the publicity surrounding legal action against copyright infringement, for example, to lend credibility to the attack and make the victim more likely to pay,” points out Rik Ferguson, VP Security Research at Trend Micro. “We have seen versions localized into many different languages, even versions that incorporate a spoken component.”
“Of course criminals continue to adapt their tactics, resurrect old ideas (such as the very recent ‘Malwarebiter’ Fake AV) and invest in new techniques and technologies. As internet users continue to adopt mobile and social technologies as their primary means of engaging online, I fully expect these rogue software attacks to continue but to be based far more around those social, mobile and cloud-based platforms,” he concludes.